Forwarding FTP ports

Roger Haskins rhaskins@merlinsoftech.com
Fri, 21 Dec 2001 11:46:26 -0800


All the IPTables pieces are compiled into the kernel as I don't believe in running modules.  Esp on the firewall.

I don't want someone to run their own module if the machine ever gets compromised.

On Fri, 21 Dec 2001 14:41:28 -0500
"Aldo S. Lagana" <alagana@discmail.com> wrote:

> How about loading the ip_nat_ftp module?
> 
> I know I had to load it to allow outbound ftp connections - not sure
> about incoming yet - haven't tested that yet...
> 
> -----Original Message-----
> From: netfilter-admin@lists.samba.org
> [mailto:netfilter-admin@lists.samba.org] On Behalf Of Roger Haskins
> Sent: Friday, December 21, 2001 1:55 PM
> To: Netfilter
> Subject: Forwarding FTP ports
> 
> 
> 
> Just when I think I've gotten port forwarding down then I run into a
> snag :)
> 
> I'm trying to forward ftp to a machine behind the firewall.
> 
> From the DMZ and LAN side the forwarding works perfectly but from the
> outside it doesn't.
> 
> Here's what I have
> 
> $IPT -t nat -A PREROUTING -p TCP -d $WANIP --dport 20 -j DNAT --to-destination $FTPIP:20
> $IPT -t nat -A PREROUTING -p TCP -d $WANIP --dport 21 -j DNAT --to-destination $FTPIP:21
> $IPT -A FORWARD -p TCP -d $FTPIP --dport 20 -j ACCEPT
> $IPT -A FORWARD -p TCP -s $WORLD --sport 20 -j ACCEPT
> $IPT -A FORWARD -p TCP -d $FTPIP --dport 21 -j ACCEPT
> $IPT -A FORWARD -p TCP -s $WORLD --sport 21 -j ACCEPT
> 
> And I have all these same rules in place for UDP as well.
> 
> When an FTP comes in from the outside, I can log in but when I do an ls
> it goes into passive mode which on the DMZ/LAN side it doesn't.
> 
> What am I missing?  I have similar rules for smtp and pop3 forwarding
> which work perfectly.
> 
> BTW, once I get the rules working then I'll add checks for the state it
> is in.
> 
> TIA
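For reference, an added example (not from either poster) of the kind of ruleset this thread converges on: DNAT only the FTP control port and let the netfilter FTP connection-tracking helper (ip_conntrack_ftp plus the ip_nat_ftp module Aldo mentions) open the passive-mode data connection as RELATED, instead of trying to match it on port 20. The variable names $IPT, $WANIP and $FTPIP follow the original post; the default addresses are constructed placeholders, and the load_ftp_helpers step is unnecessary on a kernel like Roger's where the helpers are built in.

```shell
#!/bin/sh
# Added example: FTP port forward relying on the netfilter FTP helper.
# Set IPT=echo to print the rules instead of installing them.
: "${IPT:=/sbin/iptables}"
: "${WANIP:=192.0.2.10}"   # constructed public address (TEST-NET-1)
: "${FTPIP:=10.0.0.5}"     # constructed internal FTP server

load_ftp_helpers() {
    # Only needed when the helpers were built as modules; a kernel with
    # them compiled in (as in the reply above) can skip this function.
    modprobe ip_conntrack_ftp
    modprobe ip_nat_ftp
}

ftp_forward_rules() {
    # Forward the control channel only. No rule for port 20 is needed:
    # once the helper has seen the PORT/PASV exchange on port 21, both the
    # active and the passive data connection are classified as RELATED.
    $IPT -t nat -A PREROUTING -p tcp -d $WANIP --dport 21 \
        -j DNAT --to-destination $FTPIP:21
    # New control connections to the server
    $IPT -A FORWARD -p tcp -d $FTPIP --dport 21 \
        -m state --state NEW -j ACCEPT
    # Replies on the control channel, the data connections the helper
    # expects (RELATED) and their return traffic (ESTABLISHED)
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Install the rules only when run as "sh ftp-forward.sh apply";
# sourcing the file just defines the functions.
if [ "${1:-}" = "apply" ]; then
    load_ftp_helpers
    ftp_forward_rules
fi
```

A dry run with `IPT=echo sh ftp-forward.sh apply` shows the three rules that would be installed.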