Re: [netfilter] Re: iptables problem

Rob Sterenborg wrote:

The INPUT and OUTPUT chains are for local traffic.
These kiosk hosts are probably *behind* iptables, so traffic will
travel through the FORWARD chain.

If you need external connections forwarded to hosts behind the
firewall, you need DNAT rules to make it happen.
Yes, the kiosks are behind the firewall (iptables) and need unrestricted access to and from the internet, but only for FTP.

In this case, the OP has 3 hosts to which he wants to connect ("nothing
from the outside can connect to them", outgoing connections are
already working).
FTP only uses port 21/tcp (and 20). It's to my knowledge not possible
to forward 1 port to 3 hosts simultaneously (if that would do any
good), so he'll need to assign different ports for the second and
third host.
Something like :
21/tcp -> host 1
41/tcp -> host 2
61/tcp -> host 3
(if these ports are free).
   All right, so this is what I currently have in my iptables rules:

-A PREROUTING -i eth0 -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.1.xxx
-A PREROUTING -i eth0 -p tcp -m tcp --dport 20 -j DNAT --to-destination 192.168.1.xxx

   ...and further down:

-A FORWARD -i eth0 -o eth2 -p tcp -m state --state NEW -m tcp --dport 21 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth0 -o eth2 -p tcp -m state --state NEW -m tcp --dport 20 --tcp-flags SYN,RST,ACK SYN -j ACCEPT


   In my logs, I see this:

kernel: New not syn:IN=eth2 OUT=eth0 SRC=192.168.1.xxx DST=206.112.90.196 LEN=67 TOS=0x00 PREC=0x00 TTL=127 ID=1587 DF PROTO=TCP SPT=1186 DPT=21 WINDOW=65338 RES=0x00 ACK PSH URGP=0

kernel: New not syn:IN=eth2 OUT=eth0 SRC=192.168.1.xxx DST=206.112.90.196 LEN=67 TOS=0x00 PREC=0x00 TTL=127 ID=1588 DF PROTO=TCP SPT=1181 DPT=21 WINDOW=65196 RES=0x00 ACK PSH URGP=0

kernel: New not syn:IN=eth2 OUT=eth0 SRC=192.168.1.xxx DST=206.112.90.196 LEN=67 TOS=0x00 PREC=0x00 TTL=127 ID=1589 DF PROTO=TCP SPT=1184 DPT=21 WINDOW=65338 RES=0x00 ACK PSH URGP=0

The other problem is that, while I can change the FTP port on the kiosks, I can't change it on the other end (the receiving and sending) so I'm not sure how to handle that part. They will always attempt to connect on the standard FTP port, which two of these machines won't be listening to since I would've changed them so they don't conflict with one another. Or is that not so?


--
W | It's not a bug - it's an undocumented feature.
 +--------------------------------------------------------------------
 Ashley M. Kirchner <mailto:ashley@xxxxxxxxxx>   .   303.442.6410 x130
 IT Director / SysAdmin / Websmith             .     800.441.3873 x130
 Photo Craft Laboratories, Inc.            .     3550 Arapahoe Ave. #6
 http://www.pcraft.com ..... .  .    .       Boulder, CO 80303, U.S.A.
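The thread suggests publishing the three kiosks on 21, 41 and 61/tcp but leaves open how the kiosks keep listening on 21. DNAT can rewrite the port as well as the address (`--to-destination host:21`), so only the public port differs per kiosk. The example below is an added illustration, not rules from this thread or from the netfilter project: a small POSIX sh function that emits an `iptables-restore` ruleset for such a setup. Interface names (eth0 outside, eth2 kiosk LAN), the kiosk addresses 192.168.1.11/.12/.13, the MASQUERADE rule for outbound traffic and the trailing DROP are assumptions for the example. Two caveats a practitioner would want: in active-mode FTP the server opens the data connection *from* port 20, so inbound DNAT of port 20 does nothing useful, and data channels in both modes are handled by the FTP connection-tracking helper plus an ESTABLISHED,RELATED rule. Separately, note that the logged packets above are IN=eth2 OUT=eth0 with ACK PSH and no SYN: they are outbound kiosk-to-internet packets in the middle of a flow, not the inbound DNAT traffic, and conntrack reports a non-SYN packet as NEW when it holds no entry for that flow (for instance a connection that predates the last rule load).

```shell
#!/bin/sh
# Added example (not from the thread): build an iptables-restore ruleset that
# exposes three internal FTP servers behind one public address on three
# different public ports while each server keeps listening on 21/tcp.
#
# Assumed for the example: eth0 = internet side, eth2 = kiosk LAN,
# kiosks at 192.168.1.11/.12/.13, public ports 21/41/61 as proposed in the thread.

emit() { printf '%s\n' "$1"; }

# ftp_dnat_rules WAN_IF LAN_IF "PUBPORT:INTERNAL_IP ..."
# Each mapping rewrites WAN_IF:PUBPORT -> INTERNAL_IP:21 and permits the
# forwarded control connection; data connections ride on RELATED.
ftp_dnat_rules() {
    wan=$1; lan=$2; maps=$3

    emit '*nat'
    for m in $maps; do
        pub=${m%%:*}; ip=${m#*:}
        # The outside world talks to $pub on the firewall; the kiosk still
        # sees a connection to its own port 21 (port translation, not just address).
        emit "-A PREROUTING -i $wan -p tcp --dport $pub -j DNAT --to-destination $ip:21"
    done
    # Assumed: kiosks share the firewall's public address for outbound traffic.
    emit "-A POSTROUTING -o $wan -j MASQUERADE"
    emit 'COMMIT'

    emit '*filter'
    # Replies and helper-created FTP data connections (active and passive) are
    # accepted by state. Any "NEW but not SYN" logging rule belongs after this.
    emit '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for m in $maps; do
        ip=${m#*:}
        # FORWARD runs after PREROUTING DNAT, so it sees the internal address
        # and port 21, never the public port.
        emit "-A FORWARD -i $wan -o $lan -p tcp -d $ip --dport 21 -m state --state NEW --syn -j ACCEPT"
    done
    # Kiosks may open FTP control connections outward.
    emit "-A FORWARD -i $lan -o $wan -p tcp --dport 21 -m state --state NEW --syn -j ACCEPT"
    emit '-A FORWARD -j DROP'
    emit 'COMMIT'
}

# Sanity check on a generated ruleset: number of DNAT rules, one per kiosk.
count_dnat() {
    ftp_dnat_rules "$@" | grep -c -- '-j DNAT'
}

# Usage (commented so the script can be sourced without touching the firewall):
#   modprobe nf_conntrack_ftp ports=21,41,61   # ip_conntrack_ftp on 2.4/early 2.6 kernels
#   modprobe nf_nat_ftp                        # ip_nat_ftp on older kernels
#   ftp_dnat_rules eth0 eth2 "21:192.168.1.11 41:192.168.1.12 61:192.168.1.13" | iptables-restore
```

The helper must be told every public port it should inspect (`ports=21,41,61`), otherwise PORT/PASV commands on 41 and 61 are not followed and the data connections are dropped. On current kernels automatic helper assignment is disabled, so a raw-table rule such as `-A PREROUTING -p tcp -m multiport --dports 21,41,61 -j CT --helper ftp` is also needed. None of this lets a remote site reach more than one kiosk on port 21 through a single public address; that would require one public address per kiosk.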



