MASQUERADE problems with non standard FTP ports
iptables@barak.net.il
iptables@barak.net.il
Mon, 20 Aug 2001 15:56:25 +0300
What should I do to fix it?
Can you give me an example of what rule to add?
>
> From: Mohamad SALEH <msaleh@orsys.fr>
> Date: 2001/08/20 Mon PM 12:56:14 GMT+03:00
> To: iptables@barak.net.il
> CC: Brad Chapman <kakadu_croc@yahoo.com>, netfilter@lists.samba.org
> Subject: Re: MASQUERADE problems with non standard FTP ports
>
> iptables@barak.net.il wrote:
>
> > $IPTABLES -t nat -A POSTROUTING -s $LAN_IP_RANGE -o $INET_IFACE -j MASQUERADE
> > $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
> > $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> > $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "
> > $IPTABLES -P INPUT DROP
> > $IPTABLES -P OUTPUT DROP
> > $IPTABLES -P FORWARD DROP
> > $IPTABLES -N icmp_packets
> > $IPTABLES -N tcp_packets
> > $IPTABLES -N udpincoming_packets
> > $IPTABLES -N allowed
> > $IPTABLES -A allowed -p TCP --syn -j ACCEPT
> > $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
> > $IPTABLES -A allowed -p TCP -j DROP
> > $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
> > $IPTABLES -A tcp_packets -p TCP -s 199.103.11.12 --dport 1024:65535 -j allowed
> > $IPTABLES -A tcp_packets -p TCP -s 199.103.11.12 --dport 21 -j allowed
> > $IPTABLES -A tcp_packets -p TCP -s 199.103.11.12 --dport 22 -j allowed
> > $IPTABLES -A udpincoming_packets -p UDP -s 199.103.11.12 --source-port 53 -j ACCEPT
> > $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 192.168.0.0/16 -j DROP
> > $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 172.16.0.0/12 -j DROP
> > $IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
> > $IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
> > $IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets
> > $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT
> > $IPTABLES -A INPUT -p ALL -d $LOCALHOST_IP -j ACCEPT
> > $IPTABLES -A INPUT -p ALL -d $LAN_IP -j ACCEPT
> > $IPTABLES -A INPUT -p ALL -d $STATIC_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
> > $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
> > $IPTABLES -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
> > $IPTABLES -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
> > $IPTABLES -A INPUT -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
> > $IPTABLES -A OUTPUT -p ALL -s $LOCALHOST_IP -j ACCEPT
> > $IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
> > $IPTABLES -A OUTPUT -p ALL -s $STATIC_IP -j ACCEPT
> > $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
> > $IPTABLES -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
> > $IPTABLES -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
> > $IPTABLES -A OUTPUT -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
> > >
> > > From: Brad Chapman <kakadu_croc@yahoo.com>
> > > Date: 2001/08/18 Sat PM 03:02:58 GMT+03:00
> > > To: iptables@barak.net.il
> > > CC: netfilter@lists.samba.org
> > > Subject: Re: Re: MASQUERADE problems with non standard FTP ports
> > >
> > > --- iptables@barak.net.il wrote:
> > > > Thanks for your reply,
> > > >
> > > > I checked my rc.firewall
> > > > and I already have the line
> > > > $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> > > >
> > > > I added those lines too
> > > > /sbin/insmod ip_nat_ftp ports=654,8654
> > > > /sbin/modprobe ip_conntrack_ftp ports=654,8654
> > > >
> > > > Now I can connect to the FTP servers, but it freezes in both
> > > > PASSIVE and ACTIVE modes.
> > > >
> > > > PASV - gives "ERROR [DATA]: Connection timed out"
> > > > ACTV - freezes after the LIST command, right after the PORT command.
> > > >
> > > > What should I do now?
> > >
> > > Sir,
> > >
> > > Hmmm. Make sure that you don't have your default policy set to DROP
> > > somewhere in the nat table, otherwise if you forget to NAT FTP traffic it
> > > will get dropped. Could we see your ruleset?
> > >
> > > Thanks,
> > >
> > > Brad
> > >
> > >
> > > =====
> > > Brad Chapman
> > >
> > > Permanent e-mail: kakadu_croc@yahoo.com
> > > Current e-mail: kakadu@adelphia.net
> > >
> > > Reply to the address I used in the message to you,
> > > please!
> > >
>
> As I see it, you jump to chain "allowed" only from chain "tcp_packets", and you jump to
> tcp_packets only for packets coming from the internet, not for those coming from your LAN.
>
> --
> Mohamad
>
>
>
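Added here as an illustration, not part of the thread or of any project's code: a POSIX shell script that applies the chain-tracing check Mohamad describes to an excerpt of the ruleset quoted above (which chains jump to "allowed", and on which interface), and prints the helper-aware rule lines the thread is working toward. The function names, the `(any)` marker, the one-caller-per-chain assumption in `trace_chain`, and the `$LAN_IP_RANGE` variable are assumptions; the port list 654,8654, the `ports=` module parameter and the `ip_conntrack_ftp`/`ip_nat_ftp` module names are the ones the poster uses.

```shell
#!/bin/sh
# Added example, not code from the thread. Two parts: a checker for the
# chain-reachability question Mohamad raises, and a printer (not an
# executor) for the helper-aware FTP rules. Nothing here touches the
# kernel; review the printed lines before running them as root.

# Excerpt of the ruleset quoted in the thread (variables left unexpanded).
RULESET=$(cat <<'EOF'
$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 199.103.11.12 --dport 21 -j allowed
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT
EOF
)

# callers_of CHAIN: names of the chains holding a rule that jumps to CHAIN
callers_of() {
    printf '%s\n' "$RULESET" | awk -v c="$1" '
        { for (i = 1; i < NF; i++) {
              if ($i == "-A") chain = $(i + 1)
              if ($i == "-j" && $(i + 1) == c) print chain
          } }' | sort -u
}

# jump_iface CHAIN: the -i (input interface) restriction on every rule that
# jumps to CHAIN; "(any)" when the rule carries no -i match (assumed marker)
jump_iface() {
    printf '%s\n' "$RULESET" | awk -v c="$1" '
        { iface = "(any)"
          for (i = 1; i < NF; i++) {
              if ($i == "-i") iface = $(i + 1)
              if ($i == "-j" && $(i + 1) == c) print iface
          } }' | sort -u
}

# trace_chain CHAIN: walk callers upward until a built-in chain is reached,
# printing "chain <- caller [iface]" per hop (assumes one caller per chain)
trace_chain() {
    chain=$1
    while :; do
        caller=$(callers_of "$chain")
        [ -n "$caller" ] || { echo "$chain <- (nothing jumps here)"; return; }
        echo "$chain <- $caller [$(jump_iface "$chain")]"
        case $caller in INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING) return ;; esac
        chain=$caller
    done
}

# ftp_helper_rules PORTS: print the helper load and forwarding rules for FTP
# control connections on PORTS (comma separated). Module names are the
# 2.4-era ones from the thread; 2.6+ kernels use nf_conntrack_ftp/nf_nat_ftp.
ftp_helper_rules() {
    ports=$1
    echo "modprobe ip_conntrack_ftp ports=$ports"
    echo "modprobe ip_nat_ftp ports=$ports"
    echo "iptables -t nat -A POSTROUTING -s \$LAN_IP_RANGE -o \$INET_IFACE -j MASQUERADE"
    # RELATED is what admits the helper-tracked data connections (PORT/PASV)
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # one NEW-connection rule per control port instead of a blanket LAN accept
    for p in $(echo "$ports" | tr ',' ' '); do
        echo "iptables -A FORWARD -i \$LAN_IFACE -o \$INET_IFACE -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
}

trace_chain allowed        # allowed <- tcp_packets [(any)]
                           # tcp_packets <- INPUT [$INET_IFACE]
ftp_helper_rules 654,8654  # prints the modprobe and iptables lines
```

The trace makes Mohamad's observation mechanical: "allowed" is only entered from "tcp_packets", and "tcp_packets" is only entered from INPUT for packets arriving on `$INET_IFACE`, so nothing arriving on the LAN side ever reaches "allowed". The printed rules keep the `ESTABLISHED,RELATED` accept that the conntrack helper relies on for the data connection, and admit new control connections only on the listed ports.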