NAT FTP (was: Iptables and ipsec)

Steve Moro steve.moro@home.com
Sat, 29 Jul 2000 22:38:43 -0400


This is the configuration I am playing with:
1) Linux IPTABLES firewall connected to internet and DMZ
2) Windows 2000 machine in the DMZ running FTP

What I want the external clients to do is create an IPSEC VPN tunnel to the
FTP machine in the DMZ and transfer securely to this machine.  (Therefore I
need to NAT the FTP traffic to the DMZ machine and also the IPSEC packets.)

Is there a better way of doing this? If there is, I would greatly appreciate
any feedback.
Thanks
Steve

> -----Original Message-----
> From: netfilter-admin@samba.org [mailto:netfilter-admin@samba.org]On
> Behalf Of Andre' Breiler
> Sent: Saturday, July 29, 2000 5:05 PM
> To: Steve Moro
> Cc: Multiple recipients of list NETFILTER
> Subject: NAT FTP (was: Iptables and ipsec)
>
>
> On Sat, 29 Jul 2000, Steve Moro wrote:
>
> > What are the rules so I can NAT FTP..
> >
> > iptables -A INPUT -i $EXT_IF -p tcp -d $EXT_IP --dport 21 -j ACCEPT
> > iptables -A OUTPUT -o $EXT_IF -p tcp -d $EXT_IP --sport 20 -j ACCEPT
> > iptables -A PREROUTING -t nat -p tcp -d $EXT_IP --dport 21 \
> >    -j DNAT --to 172.16.0.1:21
>
> Looks strange to me.
> What's your intention behind this ?
> Would you forward FTP access from external clients to your internal FTP
> server ?
> If I'm right try this:
> iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $INT_IP --dport 21 \
> 	-j ACCEPT
> iptables -A FORWARD -i $INT_IF -o $EXT_IF -p tcp -s $INT_IP --sport 21 \
> 	-j ACCEPT
> iptables -A PREROUTING -t nat -p tcp -d $EXT_IP -i $EXT_IF --dport 21 \
> 	-j DNAT --to 172.16.0.1
>
> now the data path (active ftp)
> iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $INT_IP --dport 20 \
> 	-j ACCEPT
> iptables -A FORWARD -o $EXT_IF -i $INT_IF -p tcp -s $INT_IP --sport 20 \
> 	-j ACCEPT
>
> passive ftp
> iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $INT_IP \
> 	--dport 1024:65535 --sport 1024:65535 -j ACCEPT
> iptables -A FORWARD -o $EXT_IF -i $INT_IF -p tcp -s $INT_IP \
> 	--dport 1024:65535 --sport 1024:65535 -j ACCEPT
>
> You have to load module ip_conntrack_ftp.
> NOTE: You should use "-m state ESTABLISHED,RELATED ..." because the above
> is more a joke than secure (but it should work).
>
> Bye Andre'
> --
> eMail: A.Breiler@gmx.net
> Type Bits/KeyID    Date       User ID
> pub  2048/89D36175 1997/06/20 Andre' Breiler 2048 <A.Breiler@gmx.net> SIG
>      Key fingerprint = 8E 9E A2 F8 29 27 CC 94  10 44 0E 40 7A C9 33 10
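The stateful variant Andre recommends in his NOTE, written out as an added example that is not part of this thread: the interface names, the public address and the use of "-m state --state" in place of the 1024:65535 wildcard rules are my assumptions. By default it only prints the commands; run it as root with IPT=iptables MODPROBE=modprobe to apply them.

```shell
#!/bin/sh
# Added example (not from the thread): stateful FTP DNAT to a DMZ host.
# Assumed values; adjust to your setup. Prints the commands unless
# IPT=iptables and MODPROBE=modprobe are set in the environment.
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
EXT_IP="${EXT_IP:-203.0.113.10}"     # constructed public address (TEST-NET-3)
FTP_IP="${FTP_IP:-172.16.0.1}"       # DMZ FTP server from the thread
IPT="${IPT:-echo iptables}"
MODPROBE="${MODPROBE:-echo modprobe}"

ftp_nat_rules() {
    # The conntrack helper parses PORT/PASV on the control channel and marks
    # the resulting data connections RELATED (ip_conntrack_ftp on 2.4 kernels,
    # nf_conntrack_ftp on current ones), so no wide port-range rules are needed.
    $MODPROBE ip_conntrack_ftp

    # Redirect the public FTP control port to the DMZ host.
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$EXT_IP" --dport 21 \
        -j DNAT --to-destination "$FTP_IP"

    # New control connections from outside may only go to the DMZ host.
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$FTP_IP" --dport 21 \
        -m state --state NEW -j ACCEPT

    # Everything else that crosses the firewall must belong to a tracked
    # control session (ESTABLISHED) or be a data connection the helper
    # expected (RELATED): active mode is server:20 -> client, passive mode
    # is client -> server:high-port; both are covered by this one rule.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Anything not matched above is dropped instead of being let through by
    # the 1024:65535 rules from the original reply.
    $IPT -P FORWARD DROP
}

ftp_nat_rules
```

Because the helper has to read PORT/PASV on the control channel, it cannot track data connections if the FTP session itself is carried inside the IPsec tunnel Steve describes; in that case the tunnel endpoint, not the NAT box, has to apply the FTP rules.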