Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I am currently attempting and failing to get the following setup to work.
I have a client behind an iptables firewall which is also source and destination NATting the private address of the client to a real world address.
Providing the forwarding rule is in place, everything works fine, except ftp, which establishes the command channel connection but can't do the data channel (I have tried both PORT and PASV modes). I have the following iptables rule which is meant to allow this but does not:
iptables -I FORWARD -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
but I see the following being dropped (192.168.0.5 is the client):
loaded, surely they should do it? I cannot see the module you mentioned. I am using RedHat 7.2.
But I assume redhat was already smart enough to do that for you.
The rule you stated in the first message doesn't help much because, as far as my knowledge of iptables goes, it looks like it's forwarding port 1024.
And if you look at the packet that is dropped, it has source port 1886 and destination port 1168. That's the whole thing about ftp: it uses different ports all the time, which makes it hard to masquerade. Those modules are supposed to handle all that for you, so you won't need any forwarding rules. All you have to do is make sure those modules work properly. But from the information I have now I can't really see if they are doing anything or not.
If you run lsmod do you actually see them running?
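The following script is an added example and not something posted in the thread. It ties together the rule from the first post and the lsmod check asked for above: a data connection such as the dropped 1886 -> 1168 packet is only classified RELATED if the ftp connection-tracking helper has read the PORT/PASV exchange on the control channel, and, because the client is behind NAT, the address inside that PORT/PASV command must also be rewritten by the ftp NAT helper. Without both modules the first packet of the data connection is NEW, so a `--state ESTABLISHED,RELATED` rule never matches it, whatever port range is given. Assumptions not stated on the page: the private client is 192.168.0.5, the script runs as root on the firewall, a 2.4 kernel (RedHat 7.2) uses the `ip_conntrack_ftp`/`ip_nat_ftp` names while later kernels use `nf_conntrack_ftp`/`nf_nat_ftp`, and the lsmod text embedded below is constructed for the check, not captured from a real host.

```shell
#!/bin/sh
# Added example, not the thread's own commands: load the FTP connection-tracking
# helpers, verify they appear in lsmod, and add the FORWARD rule that lets the
# dynamically chosen data connection through as RELATED.
# Assumptions (not on the page): client 192.168.0.5, run as root, 2.4 kernels
# use the ip_* module names and later kernels the nf_* names.

# Print the helper module pair for a kernel version string ($1).
# Early 2.6 kernels still shipped the ip_* names; if modprobe fails, check
# modinfo for the other pair.
helper_modules_for_kernel() {
    case "$1" in
        2.4.*) echo "ip_conntrack_ftp ip_nat_ftp" ;;   # 2.4-era, as on RedHat 7.2
        *)     echo "nf_conntrack_ftp nf_nat_ftp" ;;   # 2.6.2x and later
    esac
}

# Exit 0 if lsmod-style text ($1) has a line whose first field is module $2.
has_module() {
    printf '%s\n' "$1" | awk -v m="$2" '$1 == m { found = 1 } END { exit !found }'
}

# Print "ip", "nf" or "none" depending on which helper pair the lsmod text ($1) shows.
ftp_helper_family() {
    if has_module "$1" ip_conntrack_ftp && has_module "$1" ip_nat_ftp; then
        echo ip
    elif has_module "$1" nf_conntrack_ftp && has_module "$1" nf_nat_ftp; then
        echo nf
    else
        echo none
    fi
}

# Load the helpers and install the rules (needs root; runs the real iptables).
setup_ftp_forwarding() {
    for mod in $(helper_modules_for_kernel "$(uname -r)"); do
        modprobe "$mod" || return 1
    done
    # Kernels 4.7 and later no longer attach helpers automatically; the CT
    # target binds the ftp helper to the control connection. Skipped on 2.x
    # kernels, where the CT target does not exist.
    case "$(uname -r)" in
        2.*) ;;
        *) iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp ;;
    esac
    # Control channel in to the DNATed client.
    iptables -A FORWARD -p tcp -d 192.168.0.5 --dport 21 -m state --state NEW -j ACCEPT
    # Data channel: once the helper has parsed PORT/PASV the data connection
    # (e.g. 1886 -> 1168 in the dropped packet) is RELATED, so no port range
    # is needed; without the helper it is NEW and this rule never matches.
    iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The check asked for in the thread: are both helpers really loaded?
    [ "$(ftp_helper_family "$(lsmod)")" != none ]
}

# Constructed lsmod output (not captured from a real host) for exercising the check.
SAMPLE_LSMOD_24='Module                  Size  Used by
ip_nat_ftp              3936   0 (unused)
ip_conntrack_ftp        4272   1
iptable_nat            20720   1 [ip_nat_ftp]
ip_conntrack           21960   1 [ip_nat_ftp ip_conntrack_ftp iptable_nat]'

SAMPLE_LSMOD_NOHELPER='Module                  Size  Used by
iptable_nat            20720   1
ip_conntrack           21960   1 [iptable_nat]'
```

Source the file and call `setup_ftp_forwarding` as root on the firewall; the other functions are pure and can be run against saved lsmod output, e.g. `ftp_helper_family "$(lsmod)"`, to see whether a host looks like the first sample (helpers present) or the second (NAT loaded but no ftp helper, which is the situation in which only the control channel works).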
Oh yeah, I guess I overlooked the ':' on the ports. They've got that in ipchains too, so I should have known.
I guess I should start using iptables myself, since the syntax is pretty similar and it offers a bunch of extra features. I guess I'll add it to my list of projects to complete on a rainy Sunday.