* FTP through Firewall
From: Davis Sylvester @ 2006-03-04 18:47 UTC (permalink / raw)
To: netfilter
I am trying to grant FTP access to Internet customers
to our servers behind our firewall.
When they try to connect they get the following error:
ftp: connect :Unknown error number
I am using the following iptables commands to allow
access. Our default policy is DENY.
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state NEW -i eth4 -o eth5 -d 1.1.1.2 -p tcp --dport ftp -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -d 208.1.1.1 -p tcp --dport ftp -j DNAT --to 1.1.1.2
Thanks in advance!
* Re: FTP through Firewall
From: Cedric Blancher @ 2006-03-04 19:13 UTC (permalink / raw)
To: dsylvesteriii; +Cc: netfilter
On Saturday 04 March 2006 at 10:47 -0800, Davis Sylvester wrote:
> I am trying to grant FTP access to Internet customers
> to our servers behind our firewall.
> When they try to connect they get the following error:
> ftp: connect :Unknown error number
[...]
Have you insmodded ip_conntrack_ftp and ip_nat_ftp (or built them into
the kernel)?
--
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
* Re: FTP through Firewall
From: Aleksander @ 2006-03-07 15:01 UTC (permalink / raw)
To: netfilter
Davis Sylvester wrote:
> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -m state --state NEW -i eth4 -o eth5 -d 1.1.1.2 -p tcp --dport ftp -j ACCEPT
> iptables -t nat -A PREROUTING -i eth1 -d 208.1.1.1 -p tcp --dport ftp -j DNAT --to 1.1.1.2
Shouldn't the PREROUTING rule's interface option (-i) match the one in
the FORWARD rule?
You're doing DNAT for packets from eth1, but allowing packets to the ftp
box that come from eth4.
Right now the packets are DROPped/REJECTed depending on your filter
FORWARD policy.
HTH,
Alex
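The two points raised in this thread, the FTP conntrack helper Cedric asks about and the interface mismatch Aleksander spots, worked through as an added example that is not part of the thread and not anyone's posted configuration. The script checks whether a nat PREROUTING DNAT rule and the FORWARD rule that admits the new connection name the same inbound interface, and emits a consistent rule set: helper module loading, an explicit CT helper binding (current kernels no longer auto-assign helpers), the DNAT, and the two FORWARD rules. Interface names and addresses follow the thread's example values; the IPT and MODPROBE variables, which default to a dry run that only prints the commands, are assumptions for illustration. nf_conntrack_ftp and nf_nat_ftp are the current names of the ip_conntrack_ftp and ip_nat_ftp modules Cedric mentions, and -m conntrack --ctstate is the current spelling of -m state --state.

```shell
#!/bin/sh
# Added example (not from the thread): consistent iptables rules for DNATing
# inbound FTP to an internal server, with the FTP helper loaded so the data
# connections show up as RELATED.
# Assumed layout (constructed, same values as the thread): public address
# 208.1.1.1 on the WAN interface, server 1.1.1.2 on the LAN interface.
# IPT and MODPROBE default to a dry run; set IPT=iptables MODPROBE=modprobe
# to apply for real. Usage: ftp_dnat_rules eth1 eth5 208.1.1.1 1.1.1.2

IPT="${IPT:-echo iptables}"
MODPROBE="${MODPROBE:-echo modprobe}"

# Print the value that follows a single-dash option (e.g. -i, -o) in one rule.
rule_opt() {  # $1 = rule text, $2 = option
    printf '%s\n' "$1" | sed -n "s/.* $2 \([^ ]*\).*/\1/p"
}

# Aleksander's point: the interface the DNAT matches on (-i in nat PREROUTING)
# must be the interface the FORWARD rule accepts NEW connections from, or the
# translated packet never matches an ACCEPT and falls through to the policy.
# Returns 0 when both rules name the same inbound interface, 1 otherwise.
iface_consistent() {  # $1 = PREROUTING rule, $2 = FORWARD rule
    nat_in=$(rule_opt "$1" -i)
    fwd_in=$(rule_opt "$2" -i)
    [ -n "$nat_in" ] && [ "$nat_in" = "$fwd_in" ]
}

# Emit the full rule set: ftp_dnat_rules WAN_IF LAN_IF PUBLIC_IP SERVER_IP
ftp_dnat_rules() {
    wan=$1; lan=$2; pub=$3; srv=$4
    # Cedric's point: without the FTP helper the data connection is never
    # marked RELATED and the RELATED,ESTABLISHED rule never sees it.
    $MODPROBE nf_conntrack_ftp
    $MODPROBE nf_nat_ftp
    # Since kernel 4.7 helpers are not auto-assigned by port; bind explicitly.
    $IPT -t raw -A PREROUTING -i "$wan" -d "$pub" -p tcp --dport 21 -j CT --helper ftp
    # DNAT the control connection arriving on the WAN interface.
    $IPT -t nat -A PREROUTING -i "$wan" -d "$pub" -p tcp --dport 21 -j DNAT --to-destination "$srv"
    # Replies and helper-tracked data connections.
    $IPT -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # NEW control connections: same inbound interface as the DNAT rule above.
    $IPT -A FORWARD -m conntrack --ctstate NEW -i "$wan" -o "$lan" -d "$srv" -p tcp --dport 21 -j ACCEPT
}
```

Run the dry run first and read the printed commands; the one thing to check by hand is that the -i value on the DNAT line and on the FORWARD NEW line agree, which is exactly what iface_consistent tests. For a DROP default policy, a failing FORWARD match looks to the client like the connection error quoted at the top of the thread, so this check is the first thing to apply to an existing rule set.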