1. A NAT rule from A to B would be enough, though it's best to use standard ports (i.e. 21 for FTP), or connection tracking might cause problems. Oh yeah, do not forget a FORWARD rule (to the internal IP of machine B) to allow the incoming traffic.

2. Unless all your internal machines have routable Internet addresses, you will need a SNAT or MASQUERADE rule too.

-Sietse

________________________________
From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx on behalf of Alejandro
Sent: Thu 13-Jul-06 15:15
To: Netfilter lista (iptables)
Subject: Short questions about NAT and FTP

Dear all,

I have two short questions please:

1) Machine A from the Internet accesses machine B (web server) in my DMZ behind my Linux/iptables box. Is it necessary to build a NAT rule from A to B and from B to A, or is just A to B enough?

2) I want my LAN users to access all FTP servers on the Internet, and I have loaded the ip_conntrack_ftp module. Are these rules enough, or do I have to specify something else (taking into account FTP active and passive modes)?

$IPTABLES -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -p tcp -m tcp -s 192.168.0.0 --dport 21 -m state --state NEW -j ACCEPT

Thanking you in advance!

Alejandro
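The rule set the reply describes, written out as an added example (not from either poster): one DNAT rule for the DMZ web server plus the FORWARD rule that is easy to forget, a MASQUERADE rule for the private LAN, and the conntrack-based FORWARD rules that let the FTP helper cover both active and passive data channels. All addresses and interface names are assumptions: eth0 is the Internet side, eth1 the LAN, eth2 the DMZ, machine B is 10.0.0.5 behind the public address 203.0.113.10, and the LAN is 192.168.0.0/24.

```sh
#!/bin/sh
# Added example; interface names and addresses are assumed, not from the thread.
# Run as "./nat.sh preview" to print the commands, "./nat.sh apply" to load them.
IPT="${IPT:-iptables}"
WAN_IF=eth0; LAN_IF=eth1; DMZ_IF=eth2
PUB_IP=203.0.113.10          # public address that A connects to
WEB_B=10.0.0.5               # real address of machine B in the DMZ
LAN_NET=192.168.0.0/24       # private LAN; needs a mask, not a bare address

nat_rules() {
    # Question 1: one DNAT rule (A -> B) is enough. Connection tracking
    # reverses the translation for B's replies, so no B -> A rule is needed.
    # Port 80 stays 80 on both sides; changing the port in DNAT is where
    # protocol helpers such as FTP start to misbehave.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -d "$PUB_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_B":80
    # The FORWARD rule from the reply: DNAT only rewrites the address, the
    # packet is still filtered in FORWARD and must be allowed through to B.
    $IPT -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$WEB_B" -p tcp --dport 80 \
        -m state --state NEW -j ACCEPT
    # Question 2 (second point): the LAN uses private addresses, so outgoing
    # traffic must be source-translated or replies never come back.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

ftp_rules() {
    # Requires the ip_conntrack_ftp module (nf_conntrack_ftp on newer kernels)
    # so that data connections are marked RELATED to the control connection:
    # active mode (server connects back to the client's port) and passive mode
    # (client opens a second connection to a server-chosen port) both rely on it.
    # Reply packets and helper-tracked FTP data channels, on any interface.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New FTP control connections from the LAN towards the Internet only.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp --dport 21 \
        -m state --state NEW -j ACCEPT
}

case "${1:-}" in
    apply)   nat_rules; ftp_rules ;;
    preview) IPT=echo; nat_rules; ftp_rules ;;
esac
```

With `preview` the commands are only printed, which is a cheap way to check the generated rules before touching a live firewall.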