From: "TestMail" <testmail@peterpaul.com.ph>
To: Jason Opperisano <opie@817west.com>
Cc: Netfilter Mailing List <netfilter@lists.netfilter.org>
Subject: Re: FTP Forwarding
Date: Mon, 17 Jan 2005 15:31:46 +0800
Message-ID: <000701c4fc66$9a3d7840$0200a8c0@etpi>
In-Reply-To: 1105712624.3661.19.camel@hubcap.ljm.dom


----- Original Message -----
From: "Jason Opperisano" <opie@817west.com>
To: <netfilter@lists.netfilter.org>
Sent: Friday, January 14, 2005 10:23 PM
Subject: Re: FTP Forwarding


> On Fri, 2005-01-14 at 03:57, Test Mail wrote:
> > Hi! Can I have a follow-up question regarding an FTP server inside the
> > internal LAN which can be seen from the internet.....
> > Now what if the scenario is I want to restrict a specific public IP
> > address in using my FTP; what will be the rules that I should apply?
> >
> > I was thinking of setting up a rule that will filter incoming public IP
> > address requests for FTP before it forwards them to my internal FTP
> > server.
> >
> > Below is the sample entry in my iptables:
> > iptables -t filter -A INPUT -p tcp -s $PublicIPAdd --dport 20:21 -j ACCEPT
> > <--- is this correct?
> > iptables -t filter -A INPUT -j DROP
> >
> > Below is the previous solution that you gave.
> >
> > modprobe ip_conntrack_ftp
> > modprobe ip_nat_ftp
> >
> >  iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -d 202.147.167.99 \
> >    --dport 21 -j DNAT --to-destination 192.168.0.5
> >
> >  iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp --syn -d 192.168.0.5 \
> >    --dport 21 -j ACCEPT
>
> change that rule to something like:
>
>   iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp --syn \
>     -s $PublicIPAdd -d 192.168.0.5 --dport 21 -j ACCEPT
>
> repeat for multiple instances of $PublicIPAdd.
>
> -j
>
> --
> "It's not easy to juggle a pregnant wife and a troubled child, but
>  somehow I managed to fit in eight hours of TV a day."
> --The Simpsons
>

I'm sorry, but I think this rule will not be the solution to my problem, because
my FTP server is inside my internal network and automatically my gateway
will "only" be the source for the -s $PublicIPAdd FORWARD rule parameter...
I think???

Below is my schematic of how I want it to be ..
    1. Only the 202...1 IP address in my branch office should be allowed to use
my FTP server in my head office,

        so incoming FTP requests should be filtered and only the 202....1 IP
address that is coming from my branch office should be allowed.

| Branch | eth0 202. .1       < external
       |
       |
| WAN  |
       |
       |
|gateway:firewall:FCore2|  eth0 192.168...  < internal <<<<<<
       |                                 eth1 202........    <external
       |
       |
|Ftp Server:FCore2| eth0 192.168.0.5 < Internal
--------CUT ----------------------------------------------------------------
:::::2nd Question:::::
If I apply a policy >>>> iptables -P INPUT DROP
                         iptables -t filter -A INPUT -p tcp -s 192.168.0.1 -d 192.168.0.2 --dport 20:21 -j ACCEPT

does that mean only 192.168.0.1 will be allowed to use FTP and the rest will be
dropped???? Am I correct??

--------CUT-----------------------------------------------------------------

Thanks in advance.

Still learning iptables..
Milo
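As an added illustration that is not part of the original thread, the following Python model walks a packet through the two netfilter paths the questions concern: nat PREROUTING (DNAT) followed by the filter FORWARD rule Jason suggested, and the INPUT chain with a DROP policy from the second question. Only 202.147.167.99 and 192.168.0.5 come from the quoted rules; the branch-office address and the other remote host are constructed placeholders, and the interface names follow the schematic above.

```python
from dataclasses import dataclass, replace

# Constructed addresses for the thread's scenario. Only the gateway's public
# address and the FTP server address come from the quoted rules.
BRANCH_IP = "203.0.113.1"       # placeholder for the poster's "202...1" branch host
GW_EXT_IP = "202.147.167.99"    # gateway eth1, external (-d in the DNAT rule)
FTP_SERVER = "192.168.0.5"      # internal FTP server
EXT_IF, INT_IF = "eth1", "eth0"  # as in the poster's schematic
ALLOWED_SOURCES = {BRANCH_IP}   # the $PublicIPAdd value(s)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_if: str
    out_if: str = INT_IF
    syn: bool = True

def nat_prerouting(pkt: Packet) -> Packet:
    """iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -d 202.147.167.99 --dport 21
    -j DNAT --to-destination 192.168.0.5: only the destination is rewritten,
    the remote client's source address is preserved."""
    if pkt.in_if == EXT_IF and pkt.dst == GW_EXT_IP and pkt.dport == 21:
        return replace(pkt, dst=FTP_SERVER)
    return pkt

def filter_forward(pkt: Packet) -> str:
    """iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp --syn -s $PublicIPAdd
    -d 192.168.0.5 --dport 21 -j ACCEPT, followed by a DROP policy. FORWARD runs
    after PREROUTING, so -d is the internal server and -s is the remote client."""
    if (pkt.in_if == EXT_IF and pkt.out_if == INT_IF and pkt.syn
            and pkt.src in ALLOWED_SOURCES
            and pkt.dst == FTP_SERVER and pkt.dport == 21):
        return "ACCEPT"
    return "DROP"

def gateway_verdict(src: str) -> str:
    """Verdict for an FTP control SYN from `src` to the gateway's public address."""
    return filter_forward(nat_prerouting(Packet(src, GW_EXT_IP, 21, EXT_IF)))

def filter_input(pkt: Packet) -> str:
    """Second question: iptables -P INPUT DROP plus iptables -A INPUT -p tcp
    -s 192.168.0.1 -d 192.168.0.2 --dport 20:21 -j ACCEPT (traffic to the host
    itself, so no NAT step)."""
    if pkt.src == "192.168.0.1" and pkt.dst == "192.168.0.2" and 20 <= pkt.dport <= 21:
        return "ACCEPT"
    return "DROP"
```

The model covers only the first SYN of the control connection, which is what the `--syn` rule matches; it says nothing about the data connection that the ip_conntrack_ftp helper tracks.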



