Linux Netfilter discussions
From: Leonardo Carneiro <lscarneiro@veltrac.com.br>
To: netfilter@vger.kernel.org
Subject: ftp port forwarding
Date: Wed, 20 May 2009 15:47:51 -0300
Message-ID: <4A145057.7040900@veltrac.com.br>

Hi fellows,

I'm having a (very basic and noob) problem.

I have a server on an internal network running an FTP server 
authenticating on an LDAP backend. The FTP setup is running fine and I 
can access it when I'm on the internal network or over the OpenVPN link 
that links my network with the server network (btw, the OpenVPN server 
runs on the same machine).

But I need my users to have access to this service over the internet. 
The gateway of that network is a Linux box with 2 internet links. I've 
put the following rules on the iptables script:

    $IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $LAN_IFACE --dport 21 -j ACCEPT
    $IPTABLES -A FORWARD -p TCP -i $INET_IFACE_DIN -o $LAN_IFACE --dport 21 -j ACCEPT
    $IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $LAN_IFACE --dport 20 -j ACCEPT
    $IPTABLES -A FORWARD -p TCP -i $INET_IFACE_DIN -o $LAN_IFACE --dport 20 -j ACCEPT


(INET_IFACE is the interface with the static IP and low bandwidth; 
INET_IFACE_DIN is the interface with a dynamic IP (and a dynamic DNS 
running on it) and higher bandwidth.)

    $IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $INET_IP --dport 21 -j DNAT --to-destination $FTPSERVER
    $IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE_DIN -d $INET_IP_DIN --dport 21 -j DNAT --to-destination $FTPSERVER
    $IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $INET_IP --dport 20 -j DNAT --to-destination $FTPSERVER
    $IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE_DIN -d $INET_IP_DIN --dport 20 -j DNAT --to-destination $FTPSERVER

    $IPTABLES -t mangle -A PREROUTING -p TCP -i $LAN_IFACE -s $FTPSERVER/32 --sport 21 -d 0/0 -j MARK --set-mark 1
    $IPTABLES -t mangle -A PREROUTING -p TCP -i $LAN_IFACE -s $FTPSERVER/32 --sport 20 -d 0/0 -j MARK --set-mark 1


(Mark 1 sends the FTP traffic through the higher-bandwidth interface 
INET_IFACE_DIN.)

I tried to connect over the internet while running tcpdump on the 
FTP server. The server exchanges packets with the client, but does not 
establish a connection. Is there something wrong with the rules?



-- 

Leonardo de Souza Carneiro
Veltrac - Tecnologia em Logística.
lscarneiro@veltrac.com.br
http://www.veltrac.com.br
Fone Com.: (43)2105-5601
Av. Higienópolis 1601 Ed. Eurocenter Sl. 803
Londrina - PR
Cep: 86015-010
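An added example, not part of the post and not the poster's ruleset, of how a dual-link NAT gateway is usually set up to forward FTP with connection tracking. It keeps the variable names from the post; the interface names and addresses are constructed placeholders, and it assumes the policy-routing rule that sends fwmark 1 out through INET_IFACE_DIN already exists, as the post describes. It differs from the posted rules in three ways: it loads the nf_conntrack_ftp and nf_nat_ftp helpers, so the data connections (server port 20 in active mode, a random high port on the server in passive mode) are tracked as RELATED to the control session and the PASV reply is rewritten to the public address; it accepts ESTABLISHED,RELATED traffic in FORWARD, so replies and data connections get through without per-port rules; and it records the ingress link with CONNMARK and restores that mark on the server's replies, so a session that arrived on INET_IFACE is answered through INET_IFACE instead of every FTP reply being forced out INET_IFACE_DIN. With IPTABLES unset the script only prints the rules (dry run); set IPTABLES=iptables to apply them.

```shell
#!/bin/sh
# Added example (not from the original post): FTP DNAT through a two-link
# gateway, relying on the FTP conntrack helper instead of forwarding port 20.
# Variable names mirror the post; the default values are constructed placeholders.
# With IPTABLES unset, every rule is only printed; IPTABLES=iptables applies them.

IPTABLES="${IPTABLES:-echo iptables}"
INET_IFACE="${INET_IFACE:-eth0}"            # static-IP, low-bandwidth link
INET_IFACE_DIN="${INET_IFACE_DIN:-eth1}"    # dynamic-IP, high-bandwidth link
LAN_IFACE="${LAN_IFACE:-eth2}"
INET_IP="${INET_IP:-203.0.113.10}"          # documentation addresses, constructed
INET_IP_DIN="${INET_IP_DIN:-198.51.100.10}"
FTPSERVER="${FTPSERVER:-192.168.10.5}"

ftp_forward_rules() {
    # 1. Load the FTP helper and its NAT counterpart (only when really applying
    #    rules). They watch the control channel and register the data
    #    connections as RELATED, rewriting PASV/PORT addresses as needed.
    case "$IPTABLES" in
        echo*) ;;
        *) modprobe nf_conntrack_ftp && modprobe nf_nat_ftp ;;
    esac

    # 2. Per public link: DNAT only the control port, and let the new control
    #    connection into the LAN. No port-20 rule: the helper covers data.
    for iface_ip in "$INET_IFACE:$INET_IP" "$INET_IFACE_DIN:$INET_IP_DIN"; do
        iface=${iface_ip%%:*}
        ip=${iface_ip#*:}
        $IPTABLES -t nat -A PREROUTING -p tcp -i "$iface" -d "$ip" --dport 21 \
            -j DNAT --to-destination "$FTPSERVER"
        $IPTABLES -A FORWARD -p tcp -i "$iface" -o "$LAN_IFACE" -d "$FTPSERVER" \
            --dport 21 -m conntrack --ctstate NEW -j ACCEPT
    done

    # 3. Replies and helper-registered data connections, in both directions.
    $IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 4. Remember which link a session entered on and reapply that mark to the
    #    server's replies, so policy routing (fwmark 1 -> INET_IFACE_DIN, assumed
    #    to exist) sends each answer back out the link the client used.
    $IPTABLES -t mangle -A PREROUTING -i "$INET_IFACE_DIN" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark 1
    $IPTABLES -t mangle -A PREROUTING -i "$LAN_IFACE" -s "$FTPSERVER" \
        -j CONNMARK --restore-mark
}

ftp_forward_rules
```

Run it once without IPTABLES to review the generated rule list, then again with IPTABLES=iptables on the gateway. Because the mark now follows the connection rather than the source port, traffic for a session that came in on INET_IFACE carries no mark and leaves via the default route, which is the link its client addressed.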

	



Thread overview: 2+ messages
2009-05-20 18:47 Leonardo Carneiro [this message]
2009-05-20 20:30 ` ftp port forwarding Leonardo Carneiro
