LinuxQuestions.org

Thread: IPTABLES : build NAT using IPTABLES (http://www.linuxquestions.org/questions/linux-networking-3/iptables-build-nat-using-iptables-173619/)

joseph 04-23-2004 04:05 AM

IPTABLES : build NAT using IPTABLES
 
Dear All,

I have: 30 Windoze PCs (98, 2k, XP)
1 Linux Red Hat 7.1 PC (FTP server) --> ext IP: 211.23.112.25
int IP: 192.168.103.1


Now I want to configure my FTP server as NAT for my Windoze clients.
I have set up iptables like this:

#Flush Previous Chains
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD

#Default Policy is DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#Server may open connections itself
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

#LAN (eth1) -> internet (eth0): anything; replies back in only
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

#Replies to the server's own connections
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

#FTP control and data ports (--destination-port needs -p tcp)
iptables -A INPUT -i eth0 -p tcp -s 0/0 -d 211.23.112.25/32 --destination-port 21 -j ACCEPT

iptables -A INPUT -i eth0 -p tcp -s 0/0 -d 211.23.112.25/32 --destination-port 20 -j ACCEPT

iptables -A INPUT -i eth0 -s 0/0 -d 211.23.112.25/32 -j DROP



Can anybody tell me what other rules I should add to let my Windoze clients access outside FTP sites (not our FTP) through this iptables setup?

Please help me :cry:

maxut 04-23-2004 04:18 AM

eth0: internet interface

try the following:
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.103.0/24 -j SNAT --to 211.23.112.25

joseph 04-23-2004 04:25 AM

Quote:

Originally posted by maxut
eth0: internet interface

try the following:
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.103.0/24 -j SNAT --to 211.23.112.25

What is the meaning of the script above?

Will this script allow my Windoze users to connect to other FTP sites (e.g. ftp.sourceforge.org) and transfer data?

What if I want a specific user to connect to the FTP site and others not?
E.g. 192.168.103.45 is able to connect to the FTP site but not HTTP, and the other users are unable to connect to FTP or HTTP.


Thanks in advance :p

maxut 04-23-2004 05:02 AM

It's not a script, it's just a command.

It allows all internet connections for 192.168.103.0/24, all ports.

If you want to specify some clients or ports, do it like this:
iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 20:21 -s 192.168.103.45 -d ftp.sourceforge.net -j SNAT --to 211.23.112.25

This will allow client 192.168.103.45 if it connects to the ftp.sourceforge.net FTP service.

You'd better use squid. It's a cache proxy server. It's easy to configure.

iptables web site: www.netfilter.org
squid web site: www.squid-cache.org
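
Putting maxut's two replies together as one dry-run script. This is an added example, not code posted in the thread: it contains the POSTROUTING SNAT rule from the first reply and then does the per-client restriction from the second reply in the FORWARD chain rather than in the nat table, because FORWARD is where a packet is accepted or dropped, while the nat table only decides how an already permitted packet is rewritten. It also covers the two things a NAT gateway needs that neither reply mentions: IP forwarding has to be switched on, and the FTP conntrack helper has to be loaded so the separate FTP data connection shows up as RELATED and passes the state rules. Interface names, addresses and the LAN range are taken from the thread; the allow-list host 192.168.103.50 and its ports are constructed. By default (RUN=echo) the script only prints the commands; run it as root with RUN= to apply them.

```shell
#!/bin/sh
# Added example (not from the thread): dry-run generator for the gateway rules.
# Default RUN=echo prints the commands; run as root with RUN= to apply them.
RUN=${RUN-echo}

EXT_IF=eth0                 # internet interface (from the thread)
INT_IF=eth1                 # LAN interface
EXT_IP=211.23.112.25        # public address of the Red Hat box
LAN=192.168.103.0/24

# Constructed allow-list, one "client tcp-ports" entry per line:
# 192.168.103.45 may reach FTP only, 192.168.103.50 (made-up host) may reach
# HTTP/HTTPS only; every other LAN host hits the FORWARD DROP policy.
ALLOWED_CLIENTS="192.168.103.45 21
192.168.103.50 80,443"

prepare_kernel() {
    # Routing between the two interfaces is off by default.
    $RUN sysctl -w net.ipv4.ip_forward=1
    # FTP opens a second (data) connection; the helper marks it RELATED so the
    # state rules below let it through. The modules are ip_conntrack_ftp and
    # ip_nat_ftp on the 2.4 kernels of Red Hat 7.1 (nf_conntrack_ftp and
    # nf_nat_ftp on current kernels).
    $RUN modprobe ip_conntrack_ftp
    $RUN modprobe ip_nat_ftp
}

nat_rules() {
    # maxut's rule: rewrite the source of LAN packets leaving eth0 to the public
    # IP. Replies are un-translated by conntrack, so nothing is needed in
    # PREROUTING. With a dynamic public address, -j MASQUERADE (no --to-source)
    # does the same job.
    $RUN iptables -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN" -j SNAT --to-source "$EXT_IP"
}

forward_rules() {
    # Who may go out is decided here, not in the nat table: a packet the nat
    # table does not translate is still forwarded if FORWARD accepts it.
    $RUN iptables -P FORWARD DROP
    # Return traffic and the helper-flagged FTP data connections.
    $RUN iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # One ACCEPT per allowed client and port set.
    printf '%s\n' "$ALLOWED_CLIENTS" | while read -r client ports; do
        [ -n "$client" ] || continue
        $RUN iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$client" \
            -p tcp -m multiport --dports "$ports" -m state --state NEW,ESTABLISHED -j ACCEPT
    done
}

build_gateway() {
    prepare_kernel
    nat_rules
    forward_rules
}

build_gateway
```

Adding or removing a client is a one-line change to ALLOWED_CLIENTS; nothing in the nat table has to change, since SNAT applies to the whole LAN range and the FORWARD DROP policy catches hosts that are not listed.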

silver2003 04-23-2004 05:08 AM

You don't have any rules in the OUTPUT chain. So when your windoze is trying to connect to the FTP site, it is sending a packet to the server in the INPUT chain, and the server sends a packet to the FTP server; the packet that the server is sending goes to the OUTPUT chain, and we need to write some rules in the OUTPUT chain.

Try setting this rule for the beginning:

iptables -A OUTPUT -j ACCEPT

and see what happens, whether you can connect to your FTP server.

