NAT FTP (was: Iptables and ipsec)

Richard Guy Briggs rgb@conscoop.ottawa.on.ca
Sun, 30 Jul 2000 09:48:36 -0400

On Sat, Jul 29, 2000 at 10:38:43PM -0400, Steve Moro wrote:
> This is the configuration I am playing with:
> 1) Linux IPTABLES firewall connected to internet and DMZ
> 2) Windows 2000 machine in the DMZ running FTP
> 
> What I want the external clients to do is create an IPSEC VPN tunnel to the
> FTP machine in the DMZ and transfer securely to this machine.  (Therefore I
> need to NAT the FTP traffic to the DMZ machine and also the IPSEC packets.)
> 
> Is there a better way of doing this? If there is I would greatly appreciate
> any feedback.

It is not clear what you want.  IPSEC and NAT are fundamentally at
odds with each other.  It sounds as though you are confusing the term
'DMZ', which is the area *outside* a firewall.  Please draw us your
topology.

> Steve
> 
> > -----Original Message-----
> > From: netfilter-admin@samba.org [mailto:netfilter-admin@samba.org]On
> > Behalf Of Andre' Breiler
> > Sent: Saturday, July 29, 2000 5:05 PM
> > To: Steve Moro
> > Cc: Multiple recipients of list NETFILTER
> > Subject: NAT FTP (was: Iptables and ipsec)
> >
> >
> > On Sat, 29 Jul 2000, Steve Moro wrote:
> >
> > > What are the rules so I can NAT FTP..
> > >
> > > iptables -A INPUT -i $EXT_IF -p tcp -d $EXT_IP --dport 21 -j ACCEPT
> > > iptables -A OUTPUT -o $EXT_IF -p tcp -d $EXT_IP --sport 20 -j ACCEPT
> > > iptables -A PREROUTING -t nat -p tcp -d $EXT_IP --dport 21 \
> > >    -j DNAT --to 172.16.0.1:21
> >
> > Looks strange to me.
> > What's your intention behind this ?
> > Would you forward FTP access from external clients to your internal FTP
> > server ?
> > If I'm right try this:
> > iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $INT_IP --dport 21 \
> > 	-j ACCEPT
> > iptables -A FORWARD -i $INT_IF -o $EXT_IF -p tcp -s $INT_IP --sport 21 \
> > 	-j ACCEPT
> > iptables -A PREROUTING -t nat -p tcp -d $EXT_IP -i $EXT_IF --dport 21 \
> > 	-j DNAT --to 172.16.0.1
> >
> > now the data path (active ftp)
> > iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $INT_IP --dport 20 \
> > 	-j ACCEPT
> > iptables -A FORWARD -o $EXT_IF -i $INT_IF -p tcp -s $INT_IP --sport 20 \
> > 	-j ACCEPT
> >
> > passive ftp
> > iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $INT_IP \
> > 	--dport 1024:65535 --sport 1024:65535 -j ACCEPT
> > iptables -A FORWARD -o $EXT_IF -i $INT_IF -p tcp -s $INT_IP \
> > 	--dport 1024:65535 --sport 1024:65535 -j ACCEPT
> >
> > You have to load module ip_conntrack_ftp.
> > NOTE: You should use "-m state ESTABLISHED,RELATED ..." because the above
> > is more a joke than secure (but it should work).
> >
> > Bye Andre'

	slainte mhath, RGB
-- 
Richard Guy Briggs -- PGP key available            Auto-Free Ottawa! Canada
<www.conscoop.ottawa.on.ca/rgb/>                       <www.flora.org/afo/>
Prevent Internet Wiretapping!        --        FreeS/WAN:<www.freeswan.org>
Thanks for voting Green! -- <green.ca>      Marillion:<www.marillion.co.uk>
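The stateful form of the forwarding rules that Andre's NOTE recommends, written out as an added example for this archive page (not code from the original thread). The interface names and addresses are assumed placeholders, and the script prints the rules instead of applying them unless IPT is overridden.

```shell
#!/bin/sh
# Added example: DNAT FTP to a DMZ host using connection tracking instead of
# the wide-open 1024:65535 port ranges quoted above.  The FTP helper
# (ip_conntrack_ftp; nf_conntrack_ftp on newer kernels) parses PORT/PASV so
# the data connection is matched as RELATED to the control connection.
# Assumed placeholder values, not taken from the original thread:
EXT_IF=${EXT_IF:-eth0}
INT_IF=${INT_IF:-eth1}
EXT_IP=${EXT_IP:-192.0.2.10}
INT_IP=${INT_IP:-172.16.0.1}
# Defaults print the commands; set IPT=iptables MODPROBE=modprobe (as root)
# to apply them for real.
IPT=${IPT:-"echo iptables"}
MODPROBE=${MODPROBE:-"echo modprobe"}

ftp_dnat_rules() {
    $MODPROBE ip_conntrack_ftp
    # Rewrite the destination of incoming control connections to the DMZ host.
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$EXT_IP" --dport 21 \
        -j DNAT --to-destination "$INT_IP"
    # Only NEW control connections to port 21 may be opened from outside.
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$INT_IP" --dport 21 \
        -m state --state NEW -j ACCEPT
    # Everything else, in both directions, must belong to a tracked flow:
    # replies (ESTABLISHED) or helper-predicted data connections (RELATED).
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$INT_IP" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_IP" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Number of emitted rules that rely on conntrack state (expected: 2).
stateful_rule_count() {
    ftp_dnat_rules | grep -c 'ESTABLISHED,RELATED'
}

# Number of emitted rules that still open arbitrary high ports (expected: 0).
unrestricted_rule_count() {
    ftp_dnat_rules | grep -c '1024:65535'
}

ftp_dnat_rules
```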