LinuxQuestions.org
Old 04-23-2004, 04:05 AM   #1
joseph
IPTABLES : build NAT using IPTABLES


Dear All,

I have: 30 Windoze PCs (98, 2k, XP)
1 Linux Red Hat 7.1 PC (ftp server) --> ext ip: 211.23.112.25
int ip: 192.168.103.1


Now I want to configure my ftp server as NAT for my Windoze clients.
I have set up iptables like this:

#Flush Previous Chains
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD

#Default Policy is DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# --destination-port is a TCP match option: -p tcp must come before it or iptables rejects the rule
iptables -A INPUT -i eth0 -p tcp -s 0/0 -d 211.23.112.25/32 --destination-port 21 -j ACCEPT

iptables -A INPUT -i eth0 -p tcp -s 0/0 -d 211.23.112.25/32 --destination-port 20 -j ACCEPT

iptables -A INPUT -i eth0 -s 0/0 -d 211.23.112.25/32 -j DROP



Can anybody tell me what other script I should add to let my Windoze clients access outside ftp sites (not our ftp) through this iptables?

Please Help Me
 
Old 04-23-2004, 04:18 AM   #2
maxut
eth0 : internet interface

try the following:
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.103.0/24 -j SNAT --to 211.23.112.25
 
Old 04-23-2004, 04:25 AM   #3
joseph
Quote:
Originally posted by maxut
eth0 : internet interface

try the following:
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.103.0/24 -j SNAT --to 211.23.112.25
What is the meaning of the script above?

Will this script allow my Windoze users to connect to other ftp sites (e.g. ftp.sourceforge.org) and transfer data?

What if I want a specific user to be able to connect to the ftp site and the others not?
e.g. 192.168.103.45 is able to connect to the ftp site but not to http, and the other users are unable to connect to ftp or http.


Thanks in advance
 
Old 04-23-2004, 05:02 AM   #4
maxut
It's not a script, it's just a command.

It allows all internet connections for 192.168.103.0/24, all ports.

If you want to specify some clients or ports, do it like this:
# iptables resolves a hostname once, when the rule is added (one rule per address returned),
# and never re-resolves it, so the rule goes stale if the site's address changes
iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 20:21 -s 192.168.103.45 -d ftp.sourceforge.net -j SNAT --to-source 211.23.112.25

This will allow client 192.168.103.45 if it connects to the ftp service of ftp.sourceforge.net.

You'd better use squid. It's a caching proxy server. It's easy to configure.

iptables web site : www.netfilter.org
squid web site : www.squid-cache.org
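Putting the two replies together, here is an added example that is not code from the thread: a complete rule set for the poster's layout (eth0 = 211.23.112.25 on the Internet side, eth1 = 192.168.103.1 on the LAN side, FTP server on the gateway itself) that turns on forwarding, loads the FTP connection tracking helper, applies the SNAT rule from the first reply, and does the per-client restriction asked about in the third post in the FORWARD chain instead of in the nat table. Assumed, and not stated anywhere in the thread: 192.168.103.45 is the single client allowed to FTP out, LAN clients resolve names through an outside DNS server, and the helper modules carry their usual names (ip_conntrack_ftp/ip_nat_ftp on the 2.4 kernel of Red Hat 7.1, nf_conntrack_ftp/nf_nat_ftp on later kernels). Running it with `show` (or with IPT=echo) prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not code from the thread.  NAT gateway rule set for:
#   eth0 = 211.23.112.25 (Internet), eth1 = 192.168.103.1 (LAN 192.168.103.0/24)
# Assumptions not stated in the thread: 192.168.103.45 is the one client
# allowed to reach external FTP sites, the LAN uses an outside DNS server, and
# the FTP helper modules are named ip_conntrack_ftp/ip_nat_ftp (2.4 kernels)
# or nf_conntrack_ftp/nf_nat_ftp (2.6 and later).
#
#   sh nat-gw.sh show    print the iptables commands without applying them
#   sh nat-gw.sh apply   apply them (run as root)

IPT="${IPT:-iptables}"
EXT_IF=eth0
EXT_IP=211.23.112.25
INT_IF=eth1
LAN=192.168.103.0/24
FTP_CLIENT=192.168.103.45   # assumption: the single client allowed to FTP out

build_rules() {
    # Flush the nat table as well; the poster's script only flushed filter, so
    # stale POSTROUTING rules would survive a re-run.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT   # the gateway's own traffic; tighten if it must not originate connections

    # Traffic to the gateway itself.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    # The LAN may reach the gateway (its FTP server, SSH, ...).
    $IPT -A INPUT -i $INT_IF -s $LAN -j ACCEPT
    # Public FTP service: only the control port needs a NEW rule.  Passive-mode
    # data connections are matched as RELATED once the FTP helper is loaded, and
    # nothing ever connects *to* port 20 (active mode connects *from* it), so a
    # port-20 INPUT rule is not needed.  -p tcp is mandatory before --dport.
    $IPT -A INPUT -i $EXT_IF -p tcp -d $EXT_IP --dport 21 -m state --state NEW -j ACCEPT

    # Forwarded traffic.  Filtering belongs here, not in the nat table: the nat
    # table only sees the first packet of a connection, and a packet that
    # matches no SNAT rule is still forwarded, just with its private source.
    $IPT -A FORWARD -m state --state INVALID -j DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Everyone on the LAN may resolve names (assumption: external DNS server).
    $IPT -A FORWARD -i $INT_IF -o $EXT_IF -s $LAN -p udp --dport 53 -m state --state NEW -j ACCEPT
    # Only the designated client may open FTP control connections outward; the
    # data connections it triggers (PORT or PASV) come back as RELATED.
    $IPT -A FORWARD -i $INT_IF -o $EXT_IF -s $FTP_CLIENT -p tcp --dport 21 -m state --state NEW -j ACCEPT
    # Nothing else from the LAN is forwarded: no HTTP, no FTP for other hosts.

    # Source NAT for whatever FORWARD let through (the rule from the first
    # reply).  Use -j MASQUERADE instead if the external address is dynamic.
    $IPT -t nat -A POSTROUTING -o $EXT_IF -s $LAN -j SNAT --to-source $EXT_IP
}

apply_rules() {
    # FTP through NAT needs the helper: without it the kernel cannot relate the
    # data connection to the control connection or rewrite the private address
    # inside the PORT command, so active-mode transfers stall after login.
    modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
    modprobe nf_nat_ftp 2>/dev/null || modprobe ip_nat_ftp
    # Without this the FORWARD chain never sees a packet.
    echo 1 > /proc/sys/net/ipv4/ip_forward
    build_rules
}

case "${1:-}" in
    apply) apply_rules ;;
    show)  IPT=echo; build_rules ;;
esac
```

The split between the two tables is the point of the example: whether a client may talk to a site is decided in filter/FORWARD, and the SNAT rule in nat/POSTROUTING only rewrites the source address of what FORWARD already accepted. A client that is not allowed is dropped in FORWARD; if the restriction were done only by leaving it out of the SNAT rule, its packets would leave eth0 with a 192.168.103.x source and simply never get a reply, which is not the same as being blocked. The FTP data connections only show up as RELATED when the helper module is loaded, which is the usual reason "FTP works for the server but not for the clients behind it".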
 
Old 04-23-2004, 05:08 AM   #5
silver2003
You don't have any rules in the OUTPUT chain. So when your windoze is trying to connect to the ftp site, it is sending a packet to the server in the INPUT chain, and the server sends a packet to the ftp server; the packet that the server is sending goes to the OUTPUT chain, and we need to write some rules in the OUTPUT chain.

Try setting this rule for the beginning:

iptables -A OUTPUT -j ACCEPT

and see what happens, if you can connect to your ftp server.
 
  

