Linux Netfilter discussions
* Passive FTP through IPTables DNAT
@ 2003-03-06 18:20 Jonathan Humphrey
  2003-03-06 19:55 ` Rune
  2003-03-06 21:12 ` Rob Sterenborg
  0 siblings, 2 replies; 4+ messages in thread
From: Jonathan Humphrey @ 2003-03-06 18:20 UTC (permalink / raw)
  To: 'netfilter@lists.netfilter.org'


Does anyone have a working script for this?

I'm attempting to hide an FTP server behind a Linux IPTables firewall using
DNAT but am having problems

thx!


**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote also confirms that this email message has been swept by
MIMEsweeper for the presence of computer viruses.

**********************************************************************



* Re: Passive FTP through IPTables DNAT
  2003-03-06 18:20 Passive FTP through IPTables DNAT Jonathan Humphrey
@ 2003-03-06 19:55 ` Rune
  2003-03-07  8:17   ` Cedric Blancher
  2003-03-06 21:12 ` Rob Sterenborg
  1 sibling, 1 reply; 4+ messages in thread
From: Rune @ 2003-03-06 19:55 UTC (permalink / raw)
  To: Jonathan Humphrey, netfilter

All you need is a forward rule for the ftp-data connection, which uses the
port below the ftp port, e.g.:
    ftp at port 21
    ftp-data at port 20

Rune Petersen
----- Original Message -----
From: "Jonathan Humphrey" <jhumphrey@codemasters.com>
To: <netfilter@lists.netfilter.org>
Sent: Thursday, March 06, 2003 7:20 PM
Subject: Passive FTP through IPTables DNAT


> Does anyone have a working script for this?
>
> I'm attempting to hide a FTP server behind a Linux IPTables firewall using
> dnat but having problems
>
> thx!

* RE: Passive FTP through IPTables DNAT
  2003-03-06 18:20 Passive FTP through IPTables DNAT Jonathan Humphrey
  2003-03-06 19:55 ` Rune
@ 2003-03-06 21:12 ` Rob Sterenborg
  1 sibling, 0 replies; 4+ messages in thread
From: Rob Sterenborg @ 2003-03-06 21:12 UTC (permalink / raw)
  To: netfilter

> Subject: Passive FTP through IPTables DNAT
> 
> 
> Does anyone have a working script for this? 
> I'm attempting to hide a FTP server behind a Linux IPTables 
> firewall using dnat but having problems 

Do you load the ip_conntrack_ftp and ip_nat_ftp modules?

insmod ip_conntrack_ftp
insmod ip_nat_ftp

If so, and it doesn't work, what are your current rules?


Rob




* Re: Passive FTP through IPTables DNAT
  2003-03-06 19:55 ` Rune
@ 2003-03-07  8:17   ` Cedric Blancher
  0 siblings, 0 replies; 4+ messages in thread
From: Cedric Blancher @ 2003-03-07  8:17 UTC (permalink / raw)
  To: Rune; +Cc: Jonathan Humphrey, netfilter

On Sat 06/03/2004 at 20:44, Rune wrote:
> All  you need is having a forward rule for the ftp-data connection which
> uses the
> port below the ftp port e.g:
>     ftp at port 21
>     ftp-data at port 20

Nope. This is true for _active_ FTP, but a passive ftp-data connection
uses non-privileged ports on both ends.

-- 
Cédric Blancher  <blancher@cartel-securite.fr>
Systems and network security consultant - Cartel Sécurité
Tel: +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE  FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
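
A dry-run rule set for the setup discussed in this thread, added here as an example and not posted by any participant. The interface name and server address are constructed, the `RUN` switch and function names are hypothetical, and the module names are the ones given in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: DNAT rules for passive FTP that rely on
# the FTP helpers instead of forwarding fixed data ports. RUN defaults to
# "echo" (dry run); call with RUN set to the empty string, as root, to apply.

# True if $1 is a dotted-quad IPv4 address.
is_ipv4() {
    case $1 in
        *[!0-9.]*|*..*|.*|*.|*.*.*.*.*) return 1 ;;
        *.*.*.*) ;;
        *) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    for octet in $1; do
        [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs
}

# $1 = WAN interface, $2 = internal FTP server address (both assumptions).
ftp_dnat_rules() {
    wan_if=$1
    server_ip=$2
    is_ipv4 "$server_ip" || { echo "bad server address: $server_ip" >&2; return 1; }
    run=${RUN-echo}

    # Helper modules named in the thread. The conntrack helper reads the 227
    # reply on the control channel and expects the data connection; the NAT
    # helper rewrites the private address carried inside that reply.
    $run modprobe ip_conntrack_ftp
    $run modprobe ip_nat_ftp
    $run sysctl -w net.ipv4.ip_forward=1

    # Only the control port is DNATed and opened explicitly.
    $run iptables -t nat -A PREROUTING -i "$wan_if" -p tcp --dport 21 \
        -j DNAT --to-destination "$server_ip:21"
    $run iptables -A FORWARD -i "$wan_if" -d "$server_ip" -p tcp --dport 21 \
        -m state --state NEW -j ACCEPT

    # The passive data connection (unprivileged ports on both ends) matches
    # RELATED through the helper's expectation; no port range is opened.
    $run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Dry run with constructed values: prints the six commands.
ftp_dnat_rules eth0 192.168.1.10
```

On current kernels the same helpers are named nf_conntrack_ftp and nf_nat_ftp.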


