[LARTC] DNAT rule for vsftp (PASSIVE FTP)
Indunil Jayasooriya
indunil75 at gmail.com
Fri Oct 5 07:51:38 CEST 2007
Hi all,
I want to run vsftp behind a firewall (i.e. DMZ zone). It is running as
passive ftp.
The theory behind passive ftp is:
- FTP server's port 21 from anywhere (Client initiates connection)
- FTP server's port 21 to ports > 1024 (Server responds to client's
control port)
- FTP server's ports > 1024 from anywhere (Client initiates data
connection to random port specified by server)
- FTP server's ports > 1024 to remote ports > 1024 (Server sends ACKs
(and data) to client's data port)
Then, how can I write DNAT rules?
Pls assume 1.2.3.4 is the IP of the internet interface.
#DNAT from Internet to the box running VSFTP @ 192.168.100.3
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 1.2.3.4 --dport 21 -j DNAT --to-destination 192.168.100.3:21
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 1.2.3.4 --dport 1024: -j DNAT --to-destination 192.168.100.3
And also
#connect to below ip (actual destination ip) with below ports, due to DNATing
iptables -A FORWARD -p tcp -d 192.168.100.3 --dport 21 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.100.3 --dport 1024: -m state --state NEW -j ACCEPT
R u okay with the above 4 rules?
If WRONG, pls write down your rules. I am going to put this vsftp server into
PRODUCTION USE.
Pls also make sure my firewall has the below rules, such as DROP,
ESTABLISHED,RELATED.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
YOUR comments.
--
Thank you
Indunil Jayasooriya
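As an added example (not part of the original post or a reply to it): a small POSIX shell script that prints, or with APPLY=1 applies, a tighter version of the rule set above. Instead of forwarding NEW connections to every port above 1024, it limits the data-port DNAT to the range vsftpd is configured to advertise (pasv_min_port/pasv_max_port) and accepts those forwarded connections only when the kernel's FTP connection-tracking helper has marked them RELATED to an existing control connection. Assumptions, all constructed rather than taken from the post: the public interface is eth0, the PASV range is 50000-50100, vsftpd has pasv_address set to the public IP, and the FTP helpers nf_conntrack_ftp and nf_nat_ftp are available (ip_conntrack_ftp / ip_nat_ftp on kernels before 2.6.20). The explicit raw-table CT rule is there because kernels from 4.7 onward no longer assign the helper automatically.

```shell
#!/bin/sh
# Added example, not from the original post: generate (or with APPLY=1 run)
# DNAT and FORWARD rules for a passive-mode vsftpd host in a DMZ.
# Assumed (constructed) values: WAN interface eth0, public IP 1.2.3.4,
# DMZ host 192.168.100.3, vsftpd pasv_min_port=50000 / pasv_max_port=50100,
# pasv_address=1.2.3.4, FTP conntrack/NAT helpers available on the kernel.

# Reject a PASV range that is non-numeric, inside the privileged range,
# above 65535, or inverted (min > max).
valid_pasv_range() {
    for p in "$1" "$2"; do
        case "$p" in ''|*[!0-9]*) return 1 ;; esac
    done
    [ "$1" -gt 1024 ] && [ "$2" -le 65535 ] && [ "$1" -le "$2" ]
}

# ftp_dnat_rules WAN_IF WAN_IP FTP_HOST PASV_MIN PASV_MAX
# Emits one command per line; the output can be piped to sh to apply it.
ftp_dnat_rules() {
    wan_if=$1 wan_ip=$2 ftp_host=$3 pasv_min=$4 pasv_max=$5
    valid_pasv_range "$pasv_min" "$pasv_max" || {
        echo "bad PASV range: $pasv_min-$pasv_max" >&2; return 1; }
    cat <<EOF
# FTP helpers; since kernel 4.7 the helper must be assigned explicitly in raw
modprobe nf_conntrack_ftp
modprobe nf_nat_ftp
iptables -t raw -A PREROUTING -i $wan_if -p tcp -d $wan_ip --dport 21 -j CT --helper ftp
# Control connection: DNAT to the DMZ host and allow it in FORWARD as NEW
iptables -t nat -A PREROUTING -i $wan_if -p tcp -d $wan_ip --dport 21 -j DNAT --to-destination $ftp_host:21
iptables -A FORWARD -i $wan_if -p tcp -d $ftp_host --dport 21 -m conntrack --ctstate NEW -j ACCEPT
# Data connections: only the configured PASV range, and only when the helper
# has marked them RELATED to a live control connection (NEW ones hit the
# FORWARD DROP policy). With nf_nat_ftp loaded the helper already DNATs the
# expected connection; the explicit rule is a fallback for the static range.
iptables -t nat -A PREROUTING -i $wan_if -p tcp -d $wan_ip --dport $pasv_min:$pasv_max -j DNAT --to-destination $ftp_host
iptables -A FORWARD -i $wan_if -p tcp -d $ftp_host --dport $pasv_min:$pasv_max -m conntrack --ctstate RELATED -j ACCEPT
EOF
}

# Number of iptables commands in a generated rule set (sanity check).
count_rules() { ftp_dnat_rules "$@" | grep -c '^iptables '; }

# Print by default; APPLY=1 runs the generated commands (needs root).
if [ "${APPLY:-0}" = 1 ]; then
    ftp_dnat_rules "${WAN_IF:-eth0}" "${WAN_IP:-1.2.3.4}" "${FTP_HOST:-192.168.100.3}" \
        "${PASV_MIN:-50000}" "${PASV_MAX:-50100}" | sh
else
    ftp_dnat_rules "${WAN_IF:-eth0}" "${WAN_IP:-1.2.3.4}" "${FTP_HOST:-192.168.100.3}" \
        "${PASV_MIN:-50000}" "${PASV_MAX:-50100}"
fi
```

The generic `FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT` rule from the post already admits helper-tracked data connections, so the range-specific RELATED rule mainly documents intent and keeps the accepted ports visible in `iptables -L`; the point of the change is that nothing in the 1024: range is reachable as a NEW connection any more.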