
Re: [K12OSN] conversion from ipchains to iptables


You seem to be asking a couple of questions.

1. Active FTP will not work unless you do a static NAT mapping to the
machines on the inside for the ftp ports.  This would be a lot of trouble
where a simple fix would be to just make the client software passive ftp.
Also, you may have some security concerns with active ftp.  Please note
that Win OSes as well as Unix from the command prompt do active ftp by
default; I don't think it will work active on NAT without static
translation. To me, this is more trouble than it would be worth.

Personally I would not use MASQ. Try something like the following instead!

/sbin/iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 204.x.x.x

The 204.x.x.x would be the ip address of the eth0 interface of your

The following takes care of any packets before going out on the Internet.
I assume you want to let the packets go out on port 80 to your local web
server without going through the proxy.  I think your eth1 was kind of
messing you up???

/sbin/iptables -t nat -A PREROUTING -p tcp -d !204.x.x.x --dport 80 \
    -j REDIRECT --to-ports 3128

Also, I don't know if your default policy statement is really doing any
good.  It gets real complex quick once you start doing deny policy
statements on your iptables or chains.  Not that this is bad, but you need
to think in terms of traffic coming in on both interfaces; this will take
you a while!

I think iptables does a better job than ipchains once you get to know it!


Mike Danahy
NOC Director Education Service Unit #2
Fremont, NE

On Mon, 3 Jun 2002, Andy Hall wrote:

> Good morning!
> I've updated our firewall to RH 7.2 and now I want to convert from ipchains
> to iptables so some users can use FTP in some applications - won't work in
> ipchains because of NAT.  I'm having trouble getting our transparent
> redirect to work correctly and thought someone might be able to help?
> Here's what I have for basic rules I'm working with right now:
> ############################
> #eth0 == private side (10.x.x.x)
> #eth1 == public side (204.x.x.x)
> iptables -P INPUT DROP
> iptables -A INPUT -s 10.x.x.0/24 -j ACCEPT
> iptables -A INPUT -s 204.x.x.0/24 -j ACCEPT
> iptables -A OUTPUT -d 10.x.x.0/24 -j ACCEPT
> iptables -A OUTPUT -d 204.x.x.0/24 -j ACCEPT
> iptables -t nat -A POSTROUTING -o eth1 -d ! 10.x.x.0/24 -j MASQUERADE
> iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3218
> #At this point I need to load the mod. so FTP will work with iptables.
> ###################
> This all seems good till it comes to that last line with the
> REDIRECT.  That doesn't want to work, and so everyone gets around the
> squid/squidguard box.
> Thanks for any and all help!
> Andy
> Andy Hall, Technology Director
> Wellington-Napoleon R-9 School District
> Wellington, MO  64097
> (816)240-2621; fax (816)934-8649
> _______________________________________________
> K12OSN mailing list
> K12OSN redhat com
> https://listman.redhat.com/mailman/listinfo/k12osn
> For more info see <http://www.k12os.org>
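The following is an added example, not code from Mike's reply or Andy's post, that pulls the advice in this thread into one reviewable script: SNAT instead of MASQUERADE on the public interface, a transparent redirect of LAN port-80 traffic to squid that skips the firewall's own address, the FTP connection-tracking helpers Andy says he still needs to load, and a default-DROP policy that is written with both interfaces in mind. It assumes the interface roles from Andy's post (eth0 private, eth1 public), uses RFC 5737 documentation addresses as stand-ins for the real 10.x.x.x and 204.x.x.x values, squid's default port 3128 (the number Mike uses), current iptables syntax (`! -d`, `-m state`), and the helper module names `nf_conntrack_ftp`/`nf_nat_ftp` (newer kernels) and `ip_conntrack_ftp`/`ip_nat_ftp` (2.4-era kernels); none of those names appear in the thread itself. `build_rules` only prints the commands so the ruleset can be checked before it is applied; `apply_rules` pipes them to a shell and needs root.

```shell
#!/bin/sh
# Added example, not part of the K12OSN thread. Interface roles follow Andy's
# post (eth0 = private side, eth1 = public side); the addresses are
# documentation placeholders (assumption), so set the variables for a real box.
PRIV_IF="${PRIV_IF:-eth0}"            # private/LAN side
PUB_IF="${PUB_IF:-eth1}"              # public/Internet side
PRIV_NET="${PRIV_NET:-192.0.2.0/24}"  # placeholder for the 10.x.x.0/24 LAN
PUB_IP="${PUB_IP:-203.0.113.1}"       # placeholder for the 204.x.x.x address on eth1
SQUID_PORT="${SQUID_PORT:-3128}"      # squid's default listening port
IPT="${IPT:-/sbin/iptables}"

# build_rules prints the commands instead of running them, so the ruleset can be
# reviewed (or tested) before it touches a live firewall.
build_rules() {
    cat <<EOF
# FTP helpers: they track the data connection as RELATED to the control
# connection and, with the NAT helper, rewrite it, so active and passive FTP
# both pass the stateful rules below. Module names are an assumption
# (nf_* on current kernels, ip_* on 2.4-era kernels).
modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
modprobe nf_nat_ftp 2>/dev/null || modprobe ip_nat_ftp
# Start from empty chains.
$IPT -F
$IPT -t nat -F
# Default policies: drop what is not explicitly allowed, on every interface.
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
# Traffic to the firewall itself: loopback, replies, and the LAN side.
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i $PRIV_IF -s $PRIV_NET -j ACCEPT
# Routed traffic: LAN may initiate outbound; only replies come back in.
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $PRIV_IF -o $PUB_IF -s $PRIV_NET -j ACCEPT
# Transparent proxy: LAN web traffic goes to squid, except traffic aimed at
# the firewall's own address (Mike's "-d !204.x.x.x" point). Matching on the
# private interface is what Andy's rule on eth1 was missing.
$IPT -t nat -A PREROUTING -i $PRIV_IF -p tcp ! -d $PUB_IP --dport 80 -j REDIRECT --to-ports $SQUID_PORT
# Source NAT on the public interface instead of MASQUERADE.
$IPT -t nat -A POSTROUTING -o $PUB_IF -s $PRIV_NET -j SNAT --to-source $PUB_IP
EOF
}

# apply_rules executes the generated ruleset; it must run as root on the firewall.
apply_rules() {
    build_rules | sh -e
}

# rule_count returns the number of iptables commands the generator emits,
# useful as a quick sanity check that nothing was dropped from the heredoc.
rule_count() {
    build_rules | grep -c "^$IPT "
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules
else
    build_rules
fi
```

Run it without arguments to review the commands, then with `--apply` as root once the addresses are right. The redirect rule is keyed to the private interface on purpose: squid only needs to see the LAN's web traffic, and matching on the public interface (as in the original rule) would never catch it.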
