Re: ftp port forwarding

and by the way, the script also loads the following modules:

   /sbin/modprobe ip_conntrack_ftp
   /sbin/modprobe ip_nat_ftp

ip_nat_ftp, I assume, is a module that allows doing NAT on FTP, but I'm too much of a noob in iptables and still don't know what conntrack is, so I'm not sure whether this has some bearing on this problem or not.

Leonardo Carneiro wrote:
Hi fellows,

I'm having a (very basic and noobish) problem.

I have a server on an internal network running an FTP server that authenticates against an LDAP backend. The FTP setup is running fine and I can access it when I'm on the internal network or over the OpenVPN link that connects my network with the server's network (by the way, the OpenVPN server runs on the same machine).

But I need my users to have access to this service over the internet. The gateway of that network is a Linux box with 2 internet links. I've put the following rules in the iptables script:

   $IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $LAN_IFACE --dport 21 -j ACCEPT
   $IPTABLES -A FORWARD -p TCP -i $INET_IFACE_DIN -o $LAN_IFACE --dport 21 -j ACCEPT
   $IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $LAN_IFACE --dport 20 -j ACCEPT
   $IPTABLES -A FORWARD -p TCP -i $INET_IFACE_DIN -o $LAN_IFACE --dport 20 -j ACCEPT


(INET_IFACE is the interface with the static IP and low bandwidth; INET_IFACE_DIN is the interface with a dynamic IP (and dynamic DNS running on it) and higher bandwidth.)

   $IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $INET_IP --dport 21 -j DNAT --to-destination $FTPSERVER
   $IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE_DIN -d $INET_IP_DIN --dport 21 -j DNAT --to-destination $FTPSERVER
   $IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $INET_IP --dport 20 -j DNAT --to-destination $FTPSERVER
   $IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE_DIN -d $INET_IP_DIN --dport 20 -j DNAT --to-destination $FTPSERVER

   $IPTABLES -t mangle -A PREROUTING -p TCP -i $LAN_IFACE -s $FTPSERVER/32 --sport 21 -d 0/0 -j MARK --set-mark 1
   $IPTABLES -t mangle -A PREROUTING -p TCP -i $LAN_IFACE -s $FTPSERVER/32 --sport 20 -d 0/0 -j MARK --set-mark 1


(mark 1 sends the FTP traffic through the higher-bandwidth interface INET_IFACE_DIN)

I tried to connect over the internet while running tcpdump on the FTP server. The server exchanges packets with the client but does not establish a connection. Is there something wrong with the rules?




--

Leonardo de Souza Carneiro
Veltrac - Tecnologia em Logística.
lscarneiro@xxxxxxxxxxxxxx
http://www.veltrac.com.br
Fone Com.: (43)2105-5601
Av. Higienópolis 1601 Ed. Eurocenter Sl. 803
Londrina- PR
Cep: 86015-010
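The setup the message describes, as an added example that is not from the thread or the poster's script: the rules for a single internet link, with the conntrack FTP helper handling the data channel and one state rule letting its RELATED connections through, so no DNAT for port 20 is needed (interface names and addresses are placeholders). It prints the commands unless IPTABLES and MODPROBE are pointed at the real binaries.

```shell
#!/bin/sh
# Added example, not from the thread: FTP forwarding for one internet link
# that relies on the conntrack FTP helper rather than a separate DNAT for
# port 20. Dry-run by default: IPTABLES and MODPROBE expand to "echo ...",
# so the rules are printed, not applied; set IPTABLES=/sbin/iptables and
# MODPROBE=/sbin/modprobe to apply them. Interface names and addresses are
# placeholders, not the poster's values.
IPTABLES="${IPTABLES:-echo iptables}"
MODPROBE="${MODPROBE:-echo modprobe}"
INET_IFACE="${INET_IFACE:-eth0}"          # placeholder external interface
INET_IP="${INET_IP:-203.0.113.10}"        # placeholder public address
LAN_IFACE="${LAN_IFACE:-eth1}"            # placeholder internal interface
FTPSERVER="${FTPSERVER:-192.168.1.20}"    # placeholder internal FTP server

load_ftp_helpers() {
    # ip_conntrack_ftp reads PORT/PASV on the control channel and registers
    # the expected data connection as RELATED; ip_nat_ftp rewrites the
    # address inside those commands when the control channel is NATed.
    # Newer kernels name them nf_conntrack_ftp and nf_nat_ftp.
    for m in ip_conntrack_ftp ip_nat_ftp; do
        $MODPROBE "$m"
    done
}

ftp_forward_rules() {
    # Only the control channel (21) needs a DNAT: the helper creates the
    # conntrack entries for the data channel itself, whether the server
    # opens it from port 20 (active) or the client connects to a high
    # port the server announced (passive).
    $IPTABLES -t nat -A PREROUTING -p tcp -i "$INET_IFACE" -d "$INET_IP" \
        --dport 21 -j DNAT --to-destination "$FTPSERVER"
    # Forward new control connections to the server only.
    $IPTABLES -A FORWARD -p tcp -i "$INET_IFACE" -o "$LAN_IFACE" \
        -d "$FTPSERVER" --dport 21 -m state --state NEW -j ACCEPT
    # Replies and helper-tracked data connections, in both directions,
    # come through this single rule; without it the transfer stalls even
    # though the login succeeds.
    $IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    # On kernels that no longer assign helpers automatically, the helper
    # must be attached explicitly (raw table, before conntrack):
    #   $IPTABLES -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
}

load_ftp_helpers
ftp_forward_rules
```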

