Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I've been working on this for days, and it's driving me nuts. Router computer has EXTIF eth0 and INTIF eth1. eth1 is set to 192.168.0.1 and assigns an address 192.168.0.2 to a dedicated machine on the switch and 192.168.0.3-192.168.0.5 to any other computers that connect to the switch. Trying to allow ftp connections to the exteranl address to the internal computer at the fixed address. iptables are set something like this.
Code:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth0 -j DROP
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 20:21 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
I know I forgot something because there should be a destination 192.168.0.2 somewhere. I'm still looking this up, but any help you could give would be appreciated.
Do you have ip_conntrack_ftp and ip_nat_ftp kernel modules loaded? Also, what is the behavior when you attempt to connect? Timeout, connection refused, or connect and then error?
Correction, problem was in forward after mucking around. Original rules I listed plus the prerouting worked. Thanks, man. Have I told you how awesome you are lately?
I think the problem I was on the last time I talked to you was getting my domain name to work correctly. That seems to be working now. Since ftp now works past the gateway, other services shouldn't be a problem especially since I now have my own howto on this thread. I still haven't gotten a mail server up, but I did get qmail installed. The only problem I have left is here http://www.linuxquestions.org/questi...d.php?t=466488. It's confusing me to death especially since after trying to get this thing up all weekend, it randomly decided to work yesterday. I went ahead and bought another 400 GB drive on Saturday so I can get it back up next week, but I'm still going to format and then RMA the old drive. It's just giving me too many problems. I burned through about 40 dvds yesterday trying to finish up my backups now while it's working and still have a few to go. Unfortunately, I'm down to my last 10 dvds, so I've got to go pick up more. Once it's all said and done, I'll have 6 400 GB SATA drives running. I'm considering putting 3 in a RAID 5, but I haven't even touched on that idea yet. When prices go down (not any time soon), I want to pick up 2 750 GB drives, but that'll be a good, long while from now.
Last question on the subject, would it be considered bad form to put a script in rc.local to flush and reload the iptables rules on bootup rather than save and restore?
My port forwarding stopped working. I put all of the rules in a script.
Code:
#!/bin/sh
echo "1" > /proc/sys/net/ipv4/ip_forward
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
EXTIF="eth0"
INTIF="eth1"
iptables -P INPUT DROP
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -F -t nat
# Flush the user chain.. if it exists
if [ "`iptables -L | grep drop-and-log-it`" ]; then
iptables -F drop-and-log-it
fi
# Delete all User-specified chains
iptables -X
# Reset all IPTABLES counters
iptables -Z
# Creating a DROP chain
iptables -N drop-and-log-it
iptables -A drop-and-log-it -j LOG --log-level info
iptables -A drop-and-log-it -j REJECT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $INTIF -j ACCEPT
iptables -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $EXTIF -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i $EXTIF -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -i $EXTIF -o $EXTIF -j DROP
iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 20:21 -j ACCEPT
iptables -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 5901 -j ACCEPT
iptables -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 6881:6999 -j ACCEPT
#iptables -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 22 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 20:21 -j DNAT --to-destination 192.168.0.2
iptables -t nat -A PREROUTING -p tcp --dport 5900 -j DNAT --to-destination 192.168.0.2:5901
iptables -t nat -A PREROUTING -p tcp --dport 6881:6999 -j DNAT --to-destination 192.168.0.2
#iptables -t nat -A PREROUTING -p tcp --dport 22 -j DNAT --to-destination 192.168.0.2:22
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
Notice the comment on forwarding port 22 to the internal computer. If it is commented, I can ssh to the gateway machine. If the port is forwarded, it times out. What's missing?
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
