Re: IPtables and SNAT

>    $IPTABLES -t mangle -A PREROUTING -p tcp --dport 21 -s 192.x.y.a -j ACCEPT
>    $IPTABLES -t mangle -A FORWARD -p tcp --dport 21 -s 192.x.y.a -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
>    $IPTABLES -t nat -A POSTROUTING -s 192.x.y.a -p tcp --dport 21 -j SNAT --to-source 194.160.1.1
>


First thing to bear in mind: The mangle table is purely for packet
manipulation actions and should not be used for filtering. Move the
two accept rules into the filter table (just omit the -t mangle
parameter).

Port 21 is only the ftp control port - data uses port 20.

If you have the ftp helper try
$IPTABLES -t nat -A POSTROUTING -s 192.x.y.a -m helper --helper ftp -j SNAT --to-source 194.160.1.1








--
Richard Horton
Users are like a virus: Each causing a thousand tiny crises until the
host finally dies.
http://www.solstans.co.uk - Solstans Japanese Bobtails and Norwegian Forest Cats
http://www.pbase.com/arimus - My online photogallery
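
Added example (not part of the original post): the three quoted rules rewritten along the lines of the advice above, with the accept rules in the filter table and SNAT left in the nat table. The filter table has no PREROUTING chain, so the forwarded traffic is accepted in FORWARD. Assumptions: 192.0.2.10 is a constructed placeholder for 192.x.y.a, the raw-table CT rule is for kernels that do not assign conntrack helpers automatically, and the script only prints the commands unless IPTABLES is set.

```shell
#!/bin/sh
# Added example, not from the original post. Dry run by default: each rule is
# printed. Set IPTABLES=/sbin/iptables (as root) to apply the rules for real.
IPTABLES="${IPTABLES:-echo iptables}"
CLIENT="${CLIENT:-192.0.2.10}"    # constructed placeholder for 192.x.y.a
PUBLIC="${PUBLIC:-194.160.1.1}"   # SNAT source address used in the thread

ftp_snat_rules() {
    # Attach the FTP conntrack helper to the client's control connections
    # (assumption: automatic helper assignment is off on this kernel).
    $IPTABLES -t raw -A PREROUTING -s "$CLIENT" -p tcp --dport 21 \
        -j CT --helper ftp

    # Filtering goes in the filter table, the default when -t is omitted.
    # filter has no PREROUTING chain, so forwarded traffic is matched in FORWARD.
    $IPTABLES -A FORWARD -s "$CLIENT" -p tcp --dport 21 \
        -m conntrack --ctstate NEW -j ACCEPT
    # Packets of connections already accepted, in both directions.
    $IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
    # Data connections, but only those the ftp helper expected.
    $IPTABLES -A FORWARD -m conntrack --ctstate RELATED \
        -m helper --helper ftp -j ACCEPT

    # NAT stays in the nat table: control connection, then helper-tracked data.
    $IPTABLES -t nat -A POSTROUTING -s "$CLIENT" -p tcp --dport 21 \
        -j SNAT --to-source "$PUBLIC"
    $IPTABLES -t nat -A POSTROUTING -s "$CLIENT" -m helper --helper ftp \
        -j SNAT --to-source "$PUBLIC"
}

ftp_snat_rules
```
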