[NTLUG:Discuss] Problem with iptables masquerade and FTP

Nicholas Perez Nicholas_Perez at excite.com
Sun Apr 29 13:42:25 CDT 2001


There could be several things... such as where in the ruleset this rule
falls. It could be you are denying some sort of valid input in your INPUT
filter. I will c&p my file for you so you can look at it to get an idea...
_____

#!/bin/bash
# enable routing between the interfaces
echo "1" > /proc/sys/net/ipv4/ip_forward
# flush all rules and delete user-defined chains
iptables -F
iptables -X
# INPUT: drop by default, allow only replies and the explicitly listed sources
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -p icmp -j DROP
iptables -t filter -A INPUT -m state --state INVALID -j REJECT --reject-with icmp-host-prohibited
iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -t filter -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
iptables -t filter -A INPUT -p udp -j REJECT --reject-with icmp-host-prohibited
iptables -t filter -A INPUT -p tcp --source 192.168.0.3 -i eth1 -j ACCEPT
iptables -t filter -A INPUT -p tcp --source update.jabber.org -i eth0 -j ACCEPT
# -f matches second and later fragments
iptables -t filter -A INPUT -f -j REJECT --reject-with icmp-host-prohibited
iptables -t filter -A INPUT -p tcp --syn -j DROP
# reject TCP flag combinations that never occur in a legitimate connection
iptables -t filter -A INPUT -p tcp --tcp-flags ALL FIN -j REJECT --reject-with tcp-reset
iptables -t filter -A INPUT -p tcp --tcp-flags ALL FIN,ACK -j REJECT --reject-with tcp-reset
iptables -t filter -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j REJECT --reject-with tcp-reset
iptables -t filter -A INPUT -p tcp --tcp-flags ALL ACK -j REJECT --reject-with icmp-host-prohibited
iptables -t filter -A INPUT -p tcp --tcp-flags ALL NONE -j REJECT --reject-with tcp-reset
# OUTPUT: the gateway itself may send anything
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -A OUTPUT -j ACCEPT
# FORWARD: drop by default, let the LAN host out and replies back in
iptables -t filter -P FORWARD DROP
iptables -t filter -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -t filter -A FORWARD -p tcp -s 192.168.0.3 -j ACCEPT
iptables -t filter -A FORWARD -p tcp -d 192.168.0.3 -m state --state ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -p udp -s 192.168.0.3 -j ACCEPT
iptables -t filter -A FORWARD -p udp -d 192.168.0.3 -m state --state ESTABLISHED -j ACCEPT
# NAT: rewrite the LAN host's source address to whatever eth0 currently has
iptables -t nat -A POSTROUTING -s 192.168.0.3 -o eth0 -j SNAT --to-source `ifconfig eth0 | grep inet | awk '{print $2}' | sed 's/addr\://g'`

___

On Sun, 29 Apr 2001 10:37:06 -0500, discuss at ntlug.org wrote:

>  Hello:
>  
>  I am trying to use the Redhat 7.1 distribution as a gateway
>  for my home network.  
>  
>  I had this working with the ipchains and masquerade in RedHat 7.0,
>  but with RedHat 7.1, things changed.
>  
>  Anyway, I tried reading the IP NAT HOWTO and I figured
>  out that I needed to issue this command to masquerade 
>  with iptables:
>  iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>  
>  Almost everything works fine, but when I ftp to a host,
>  I get this:
>  
>  ftp> ls
>  200 PORT command successful.
>  550 Cannot connect to 192.168.1.2:1043 - Connection refused.
>  
>  So, apparently the masquerade is not completely working.
>  
>  Any ideas?
>  
>  Thanks,
>  	Neil.
>  
>  --
>  Neil Aggarwal
>  JAMM Consulting, Inc. -- (972) 612-6056, http://www.JAMMConsulting.com
>  Custom Internet Development -- Java, JSP, servlets, databases
>  _______________________________________________
>  http://www.ntlug.org/mailman/listinfo/discuss
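The "550 Cannot connect to 192.168.1.2:1043" in the quoted message is the classic active-mode FTP symptom behind NAT: MASQUERADE/SNAT rewrites only the IP header, while the client's PORT command carries its private address inside the payload, so the server tries to open the data connection to 192.168.1.2 and fails. On 2.4-era netfilter the ip_conntrack_ftp and ip_nat_ftp modules handle this by rewriting the PORT payload and expecting the server's inbound data connection. The following Python script is an added illustration of that mechanism, not code from the thread or from netfilter; it models the helper in a simplified way (it keeps the client's port number instead of allocating a new one), the public address 203.0.113.5 is constructed, and 192.168.1.2:1043 is taken from the quoted error.

```python
import ipaddress
import re

# RFC 1918 ranges: a PORT command naming one of these cannot be reached from
# the public side, which is what produced "550 Cannot connect to 192.168.1.2:1043".
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# RFC 959: PORT h1,h2,h3,h4,p1,p2 with port = p1*256 + p2
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")


def parse_port(command):
    """Decode a PORT command into (ip, port); reject malformed ones."""
    m = PORT_RE.match(command)
    if not m:
        raise ValueError(f"not a PORT command: {command!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of range: {command!r}")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def format_port(ip, port):
    """Inverse of parse_port."""
    return "PORT " + ip.replace(".", ",") + f",{port // 256},{port % 256}"


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def server_can_connect_back(command):
    """Server-side view of the PORT command it actually received. With plain
    SNAT the payload still names the client's private address, so the server's
    active-mode connect to it fails."""
    ip, _ = parse_port(command)
    return not is_rfc1918(ip)


class FtpNatHelper:
    """Simplified model of an FTP NAT helper (assumption: same port is kept).
    It rewrites the PORT payload to the gateway's public address and records an
    expectation so the server's inbound data SYN can be mapped back to the client."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.expectations = {}  # (public_ip, port) -> (private_ip, port)

    def rewrite_outbound(self, command):
        private_ip, port = parse_port(command)
        self.expectations[(self.public_ip, port)] = (private_ip, port)
        return format_port(self.public_ip, port)

    def translate_inbound(self, dst_ip, dst_port):
        """Private endpoint for an inbound data connection, or None when no
        expectation exists (the FORWARD policy DROP then applies)."""
        return self.expectations.get((dst_ip, dst_port))


if __name__ == "__main__":
    cmd = "PORT 192,168,1,2,4,19"          # what the LAN client sends
    print("client says:", cmd, "->", parse_port(cmd))
    print("server can connect back (plain SNAT)?", server_can_connect_back(cmd))
    helper = FtpNatHelper("203.0.113.5")   # constructed public address
    rewritten = helper.rewrite_outbound(cmd)
    print("helper rewrites to:", rewritten)
    print("server can connect back (with helper)?", server_can_connect_back(rewritten))
    print("inbound 203.0.113.5:1043 maps to:", helper.translate_inbound("203.0.113.5", 1043))
```

The same reasoning explains why passive mode (PASV) usually works without a helper: there the client initiates the data connection outbound, which the SNAT rule already handles.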