MASQUERADE problems with non standard FTP ports

Mohamad SALEH msaleh@orsys.fr
Mon, 20 Aug 2001 12:56:14 +0200


iptables@barak.net.il wrote:

> $IPTABLES -t nat -A POSTROUTING -s $LAN_IP_RANGE -o $INET_IFACE -j MASQUERADE
> $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
> $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "
> $IPTABLES -P INPUT DROP
> $IPTABLES -P OUTPUT DROP
> $IPTABLES -P FORWARD DROP
> $IPTABLES -N icmp_packets
> $IPTABLES -N tcp_packets
> $IPTABLES -N udpincoming_packets
> $IPTABLES -N allowed
> $IPTABLES -A allowed -p TCP --syn -j ACCEPT
> $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A allowed -p TCP -j DROP
> $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
> $IPTABLES -A tcp_packets -p TCP -s 199.103.11.12 --dport 1024:65535 -j allowed
> $IPTABLES -A tcp_packets -p TCP -s 199.103.11.12  --dport 21 -j allowed
> $IPTABLES -A tcp_packets -p TCP -s 199.103.11.12  --dport 22 -j allowed
> $IPTABLES -A udpincoming_packets -p UDP -s 199.103.11.12  --source-port 53 -j ACCEPT
> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 192.168.0.0/16 -j DROP
> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 172.16.0.0/12 -j DROP
> $IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
> $IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
> $IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets
> $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT
> $IPTABLES -A INPUT -p ALL -d $LOCALHOST_IP -j ACCEPT
> $IPTABLES -A INPUT -p ALL -d $LAN_IP -j ACCEPT
> $IPTABLES -A INPUT -p ALL -d $STATIC_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
> $IPTABLES -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
> $IPTABLES -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A INPUT -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A OUTPUT -p ALL -s $LOCALHOST_IP -j ACCEPT
> $IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
> $IPTABLES -A OUTPUT -p ALL -s $STATIC_IP -j ACCEPT
> $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
> $IPTABLES -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
> $IPTABLES -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
> $IPTABLES -A OUTPUT -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
> > From: Brad Chapman <kakadu_croc@yahoo.com>
> > Date: 2001/08/18 Sat PM 03:02:58 GMT+03:00
> > To: iptables@barak.net.il
> > CC: netfilter@lists.samba.org
> > Subject: Re: Re: MASQUERADE problems with non standard FTP ports
> >
> > --- iptables@barak.net.il wrote:
> > > Thanks for your reply,
> > >
> > > I check my rc.firewall
> > > and I already got a line
> > > IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> > >
> > > I added those lines too
> > > /sbin/insmod ip_nat_ftp ports=654,8654
> > > /sbin/modprobe ip_conntrack_ftp ports=654,8654
> > >
> > > Now I can connected the FTP servers, but it freeze both
> > > PASSIVE and ACTIVE modes.
> > >
> > > PASV - gives "ERROR [DATA]: Connection timed out"
> > > ACTV - freeze after the LIST command right after the PORT command.
> > >
> > > What should i do now ?
> >
> > Sir,
> >
> >       Hmmm. Make sure that you don't have your default policy set to DROP
> > somewhere in the nat table, otherwise if you forget to NAT FTP traffic it
> > will get dropped. Could we see your ruleset?
> >
> > Thanks,
> >
> > Brad
> >
> >
> > =====
> > Brad Chapman
> >
> > Permanent e-mail: kakadu_croc@yahoo.com
> > Current e-mail: kakadu@adelphia.net
> >
> > Reply to the address I used in the message to you,
> > please!
> >

As I see it, you jump to chain "allowed" only from chain "tcp_packets", and you jump to tcp_packets only for packets coming from the Internet, not for those coming from your LAN.

--
Mohamad
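
An added example, not part of the thread and not the original poster's rc.firewall: a small POSIX shell script that loads the 2.4-kernel FTP helpers, ip_conntrack_ftp and ip_nat_ftp, for a list of non-standard control ports such as the 654 and 8654 quoted above, and emits the MASQUERADE and FORWARD rules a masquerading gateway needs so that the data connections the helper expects from the PORT/PASV exchange are accepted as RELATED. The interface names, the LAN range and the paths to iptables and modprobe are assumptions and can be overridden from the environment; setting IPTABLES=echo and MODPROBE=echo prints the commands instead of running them, which is a way to review the result before applying it as root.

```shell
#!/bin/sh
# Added example, not the poster's rc.firewall: FTP helpers for non-standard
# control ports plus the minimal forwarding rules for a masquerading gateway.
# Every name below is an assumption; override it in the environment.
#   IPTABLES=echo MODPROBE=echo sh ftp-helpers.sh 654 8654   previews the commands
#   sh ftp-helpers.sh 654 8654                               applies them (as root)

IPTABLES=${IPTABLES:-/sbin/iptables}
MODPROBE=${MODPROBE:-/sbin/modprobe}
INET_IFACE=${INET_IFACE:-eth0}               # assumed Internet-facing interface
LAN_IFACE=${LAN_IFACE:-eth1}                 # assumed LAN interface
LAN_IP_RANGE=${LAN_IP_RANGE:-192.168.1.0/24} # assumed LAN range

# ftp_port_list 21 654 8654 -> "21,654,8654", the form the helpers' ports=
# option takes. Rejects anything that is not a TCP port number.
ftp_port_list() {
    _list=""
    for _p in "$@"; do
        case "$_p" in
            ''|*[!0-9]*) echo "ftp_port_list: not a number: '$_p'" >&2; return 1 ;;
        esac
        if [ "$_p" -lt 1 ] || [ "$_p" -gt 65535 ]; then
            echo "ftp_port_list: port out of range: $_p" >&2; return 1
        fi
        _list="${_list:+$_list,}$_p"
    done
    [ -n "$_list" ] || { echo "ftp_port_list: no ports given" >&2; return 1; }
    echo "$_list"
}

# Load the connection-tracking helper first: ip_nat_ftp depends on it and must
# be given the same port list, or the NAT side of the helper never sees the
# PORT/PASV commands on the extra ports and cannot rewrite them.
load_ftp_helpers() {
    _ports=$(ftp_port_list "$@") || return 1
    "$MODPROBE" ip_conntrack_ftp ports="$_ports" || return 1
    "$MODPROBE" ip_nat_ftp ports="$_ports"
}

# Masquerade the LAN behind the gateway, let LAN hosts open connections outward,
# and accept what comes back only when conntrack knows it: ESTABLISHED replies
# and the RELATED data connections the FTP helper registered an expectation for.
ftp_forward_rules() {
    "$IPTABLES" -t nat -A POSTROUTING -s "$LAN_IP_RANGE" -o "$INET_IFACE" -j MASQUERADE || return 1
    "$IPTABLES" -A FORWARD -i "$LAN_IFACE" -o "$INET_IFACE" -s "$LAN_IP_RANGE" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT || return 1
    "$IPTABLES" -A FORWARD -i "$INET_IFACE" -o "$LAN_IFACE" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# With ports on the command line, apply everything; with none, only define the functions.
if [ $# -gt 0 ]; then
    load_ftp_helpers "$@" && ftp_forward_rules
fi
```

The rules deliberately rely on the state match for the return direction rather than on port ranges: the helper creates the expectation for the data connection when it parses PORT or PASV on a tracked control connection, and that is what makes the data packets RELATED. After a transfer on one of the extra ports, /proc/net/ip_conntrack should show both the control connection to that dport and a second tcp entry for the data connection; if only the control connection is there, the helper never saw the command channel, the RELATED rules have nothing to match, and the data connection falls through to the default DROP policy.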