IPTABLES : build NAT using IPTABLES

joseph · 04-23-2004, 05:05 AM

Dear All,

I have : 30 pcs Windoze (98,2k,xp)
1 pc Linux Redhat 7.1 ( ftp server) --> ext ip : 211.23.112.25
int ip : 192.168.103.1

Now i want to configure my ftp server as NAT for my Windoze client.
I have setup iptables like this :

#Flush Previous Chains
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD

#Default Policy is DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -p FORWARD FROP

iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -i eth0 -s 0/0 -d 211.23.112.25/32 --destination-port 21 -j ACCEPT

iptables -A INPUT -i eth0 -s 0/0 -d 211.23.112.25/32 --destination-port 20 -j ACCEPT

iptables -A INPUT -i eth0 -s 0/0 -d 211.23.112.25/32 -j DROP

Anybody can tell me how i should add other script to let my windoze client able to access outside ftp site (not ours ftp) through this iptables ?

Please Help Me

maxut · 04-23-2004, 05:18 AM

eth0 : internet interface

try the following:
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.103.0/24 -j SNAT --to 211.23.112.25

joseph · 04-23-2004, 05:25 AM

Quote:

Originally posted by maxut
eth0 : internet interface

try the following:
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.103.0/24 -j SNAT --to 211.23.112.25

What is the meaning of the script above ?

Is this script will allow my windoze user to connect to other ftp site (e.g. ftp.sourceforge.org) and do the transfering data ?

How about if i want a specific user connect to the ftp site, others cannot
e.g 192.168.103.45 able to connect to ftp site but not the http and the other user unable to connect to ftp ot http

Thanks in advance

maxut · 04-23-2004, 06:02 AM

its not a script, it s just a command.

it allows all internet connection for 192.168.103.0/24. all ports.

if u wanna specify some clients or port do like this:
iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 20:21 -s 192.168.103.45 -d ftp.souceforge.net -j SNAT -to 211.23.112.25

this will allow client 192.168.103.45 if it connects to ftp.sourceforge.net ftp service.

u better use squid. its cache proxy server. its easy to configure.

iptables web site : www.netfilter.org
squid web site : www.squid-cache.org

silver2003 · 04-23-2004, 06:08 AM

You don't have any rules in the OUTPUT chain. So yot windoze when is tring to connect to the ftp site is sending a packet to the server in the INPUT chain and the server sends a packet to the ftp server and the packet that the server is sending goes to the OUTPUT chain, and we need to write some rules in OUTPUT chain.

Try seting this rule for the begining:

iptables -A OUTPUT -j ACCEPT

AND see what happen if you can connect to your ftp sercer