Swell° (n00b)
Joined: 01 Dec 2003 Posts: 69
Posted: Sat Mar 05, 2005 11:02 am Post subject: Pb with iptables: unable to make port forwarding...
Hello,
I have a problem. I tried yesterday for 2 hours to make port forwarding work; I tried a lot of things but nothing works.
I have an FTP server running on a local machine, 192.168.0.10.
My router is 192.168.0.1.
I want Internet users to be able to connect to this FTP server.
Here is my iptables configuration (eth0 = Internet, eth1 = local):
Code:

```shell
iptables -F
iptables -X
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth1 -o eth0 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP
```
I tried adding several lines:
Code:

```shell
iptables -A INPUT --protocol tcp --dport 21 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 21 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to-destination 192.168.0.10:21
```
But nothing works. What am I supposed to add, and where?
Thanks a lot!
Last edited by Swell° on Sat Mar 05, 2005 12:19 pm; edited 1 time in total
j-m (Retired Dev)
Joined: 31 Oct 2004 Posts: 975
Posted: Sat Mar 05, 2005 11:06 am
You need ip_nat_ftp and ip_conntrack_ftp kernel modules for this to work.
Swell° (n00b)
Joined: 01 Dec 2003 Posts: 69
Posted: Sat Mar 05, 2005 12:21 pm
> j-m wrote: You need ip_nat_ftp and ip_conntrack_ftp kernel modules for this to work.

Thanks, these modules are already loaded.
What I want to know is the iptables rules to forward Internet traffic to my FTP server on the local machine behind the router.
TIA! :)
j-m (Retired Dev)
Joined: 31 Oct 2004 Posts: 975
Posted: Sat Mar 05, 2005 12:23 pm
> Swell° wrote:
> > j-m wrote: You need ip_nat_ftp and ip_conntrack_ftp kernel modules for this to work.
>
> Thanks, these modules are already loaded.
> What I want to know is the iptables rules to forward Internet traffic to my FTP server on the local machine behind the router.
> TIA! :)

You probably need to add an SNAT rule for that.
Swell° (n00b)
Joined: 01 Dec 2003 Posts: 69
Posted: Sat Mar 05, 2005 12:42 pm
> j-m wrote: You probably need to add an SNAT rule for that.

Ooch, I'm not very familiar with iptables; can you give me the iptables command, please?
Thanks a lot for your help!
j-m (Retired Dev)
Joined: 31 Oct 2004 Posts: 975
Posted: Sat Mar 05, 2005 1:50 pm
> Swell° wrote:
> Ooch, I'm not very familiar with iptables; can you give me the iptables command, please?
> Thanks a lot for your help!

It's the opposite of DNAT.

Quote:
> SNAT
> This target is only valid in the nat table, in the POSTROUTING chain. It specifies that the source address of the packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being examined. It takes one option:
> `--to-source <ipaddr>[-<ipaddr>][:port-port]`
> which can specify a single new source IP address, an inclusive range of IP addresses, and optionally, a port range (which is only valid if the rule also specifies -p tcp or -p udp). If no port range is specified, then source ports below 512 will be mapped to other ports below 512: those between 1024 will be mapped to ports below 1024, and other ports will be mapped to 1024 or above. Where possible, no port alteration will occur.
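The following script is an added example and is not code from the thread or from any of its posters. It puts the pieces discussed above together for the layout the opening post describes (eth0 = Internet, eth1 = LAN, FTP server 192.168.0.10): the DNAT rule in PREROUTING, the FTP conntrack helper modules, and the FORWARD rule that the opening post's ruleset lacks. After PREROUTING has rewritten the destination, the packet crosses the FORWARD chain with the internal address as its destination, so FORWARD must accept NEW connections from eth0 to eth1 for 192.168.0.10:21; a ruleset that only drops NEW on eth0 in FORWARD and accepts in INPUT never lets the forwarded connection through. The MASQUERADE/SNAT choice in POSTROUTING is where the SNAT target quoted above fits: both rewrite the source of outbound LAN traffic, SNAT with a fixed address, MASQUERADE with whatever address the outgoing interface currently has. `WAN_IP` (a documentation-range placeholder when set), the `DRY_RUN` switch and the function names are assumptions of this example; by default the script only prints the commands it would run, and `apply` executes them.

```shell
#!/bin/sh
# Added example, not code from the thread. Forwards TCP/21 arriving on the
# Internet interface to an FTP server on the LAN, with the FORWARD rule the
# DNAT'd connection needs and the FTP conntrack helpers loaded.
# Assumed layout (from the thread): eth0 = Internet, eth1 = LAN,
# FTP server 192.168.0.10. WAN_IP is an assumption: set it only if the
# router has a static public address, in which case SNAT replaces MASQUERADE.
set -eu

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
FTP_SRV="${FTP_SRV:-192.168.0.10}"
WAN_IP="${WAN_IP:-}"          # e.g. 203.0.113.5 (documentation range, placeholder)
DRY_RUN="${DRY_RUN:-1}"       # 1 = print the commands, 0 = execute them (as root)

# Print or execute one command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Conntrack helpers: without them the FTP data connection (a second TCP
# stream) is never classified RELATED and is dropped. Module names as given
# in the thread (2.6-era kernels); newer kernels call them nf_conntrack_ftp
# and nf_nat_ftp.
load_ftp_helpers() {
    run modprobe ip_conntrack_ftp
    run modprobe ip_nat_ftp
}

apply_ftp_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -F
    run iptables -X
    run iptables -t nat -F
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$LAN_IF" -j ACCEPT
    # Replies and FTP data connections of already-accepted sessions.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN hosts may open connections to the Internet.
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m state --state NEW -j ACCEPT
    # The only NEW connection allowed in from the Internet: port 21 to the
    # FTP server. FORWARD sees the packet after PREROUTING DNAT, so match the
    # internal address, not the router's.
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$FTP_SRV" --dport 21 -m state --state NEW -j ACCEPT
    # DNAT: rewrite the destination of incoming port-21 connections.
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 21 -j DNAT --to-destination "$FTP_SRV:21"
    # Source NAT for outbound LAN traffic: SNAT with a fixed address, or
    # MASQUERADE when the public address is dynamic.
    if [ -n "$WAN_IP" ]; then
        run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j SNAT --to-source "$WAN_IP"
    else
        run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
    fi
}

# Number of iptables commands the ruleset issues (for review before applying).
rule_count() {
    (DRY_RUN=1; apply_ftp_forwarding) | grep -c '^iptables'
}

if [ "${1:-}" = "apply" ]; then
    DRY_RUN=0
fi
load_ftp_helpers
apply_ftp_forwarding
```

Run it without arguments to review the exact commands, then `sh forward-ftp.sh apply` as root to install them. The ruleset deliberately keeps the default FORWARD policy at DROP and opens exactly one inbound service, so a later change (a second DNAT, for instance) has to be paired with its own FORWARD accept and stays visible in the printed output.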
Swell° (n00b)
Joined: 01 Dec 2003 Posts: 69
Posted: Sat Mar 05, 2005 2:48 pm
Ok, thanks a lot for your help! :D