Forwarding FTP ports
Fri, 21 Dec 2001 11:46:26 -0800
All the IPTables pieces are compiled into the kernel as I don't believe in running modules. Esp on the firewall.
I don't want someone to run their own module if the machine ever gets compromised.
On Fri, 21 Dec 2001 14:41:28 -0500
"Aldo S. Lagana" <firstname.lastname@example.org> wrote:
> How about loading the ip_nat_ftp module?
> I know I had to load it to allow outbound ftp connections - not sure
> about incoming yet - haven't tested that yet...
> -----Original Message-----
> From: email@example.com
> [mailto:firstname.lastname@example.org] On Behalf Of Roger Haskins
> Sent: Friday, December 21, 2001 1:55 PM
> To: Netfilter
> Subject: Forwarding FTP ports
> Just when I think I've gotten port forwarding down then I run into a
> snag :)
> I'm trying to forward ftp to a machine behind the firewall.
> From the DMZ and LAN side the forwarding works perfectly but from the
> outside it doesn't.
> Here's what I have
> $IPT -t nat -A PREROUTING -p TCP -d $WANIP --dport 20 -j DNAT --to-destination $FTPIP:20
> $IPT -t nat -A PREROUTING -p TCP -d $WANIP --dport 21 -j DNAT --to-destination $FTPIP:21
> $IPT -A FORWARD -p TCP -d $FTPIP --dport 20 -j ACCEPT
> $IPT -A FORWARD -p TCP -s $WORLD --sport 20 -j ACCEPT
> $IPT -A FORWARD -p TCP -d $FTPIP --dport 21 -j ACCEPT
> $IPT -A FORWARD -p TCP -s $WORLD --sport 21 -j ACCEPT
> And I have all these same rules in place for UDP as well.
> When an FTP comes in from the outside, I can log in but when I do an ls
> it goes into passive mode which on the DMZ/LAN side it doesn't.
> What am I missing? I have similar rules for smtp and pop3 forwarding
> which work perfectly.
> BTW, once I get the rules working then I'll add checks for the state it
> is in.
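A connection-tracking version of the forward, added here as an example and not taken from the thread: it DNATs only the control port and lets the kernel's FTP helper (ip_conntrack_ftp/ip_nat_ftp, whether built in as in the thread or loaded as modules) classify the data channel as RELATED, instead of the ACCEPT-by-source-port rules in the original, which pass any packet whose remote end chose source port 20 or 21. The WANIP/FTPIP values are constructed placeholders, and an existing SNAT/MASQUERADE for LAN-to-WAN traffic is assumed.

```shell
#!/bin/sh
# Added example; not the thread author's rule set.
# Set IPT=echo to print the rules instead of loading them.
IPT="${IPT:-iptables}"
WANIP="${WANIP:-203.0.113.10}"   # constructed placeholder (TEST-NET-3)
FTPIP="${FTPIP:-192.168.1.20}"   # constructed placeholder

ftp_forward_rules() {
    # Only the control channel needs DNAT. The ftp NAT helper rewrites the
    # private address in the server's PASV reply and the conntrack helper
    # registers an expectation, so the client's data connection is RELATED.
    "$IPT" -t nat -A PREROUTING -p tcp -d "$WANIP" --dport 21 \
        -j DNAT --to-destination "$FTPIP":21
    # Admit new control connections to the server only.
    "$IPT" -A FORWARD -p tcp -d "$FTPIP" --dport 21 \
        -m state --state NEW -j ACCEPT
    # Everything else crossing the firewall must belong to a tracked
    # connection or be one the helper expected (active or passive data).
    # No rule keys on the remote side's source port.
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Dry-run check: succeeds when the generated rules contain no
# source-port match, the weakness in the original rule set.
rules_avoid_sport_accept() {
    (IPT=echo; ftp_forward_rules) | grep -q -- '--sport' && return 1
    return 0
}

case "${1:-}" in
    --apply)   ftp_forward_rules ;;
    --dry-run) (IPT=echo; ftp_forward_rules) ;;
esac
```

Run it with `--dry-run` first and compare the printed rules with `iptables -L FORWARD -nv` after applying; the counters on the ESTABLISHED,RELATED rule should climb during a passive `ls`.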