Hi Friends,
I have a Debian system with 2 NICs, one with a public IP and another with a private IP; also I have a domain which is pointed to the public IP address of this Debian system.
What would happen is anyone on the net would FTP to the domain and reach this public IP.
Now what I want is to divert all FTP traffic coming to this public IP to another machine with a private IP address.
Someone told me that it is possible through iptables, but I don't know how to do it. I tried a lot but was not successful. Please, if anyone is aware of this stuff, let me know.
Regards,
Rajendra Rait.
On 1/23/06, Rajendra Rait rajendra.rait@gmail.com wrote:
iptables -t nat -A PREROUTING -p tcp -d <external ip> --dport 63123 -j DNAT --to <internal-ip>:80
This command redirects an HTTP port. To understand it, see man iptables.
You can create your own for FTP ports 20 and 21.
Maybe you need to connect to your forwarded FTP with a passive connection.
-- ------------------------------------------------------------------------------- AbhiSawa
iptables -t nat -A PREROUTING -p tcp -d <external ip> --dport 63123 -j DNAT --to <internal-ip>:80
Hi,
I tried this command; it didn't work:
iptables -t nat -A PREROUTING -p tcp -d <external ip> --dport 21 -j DNAT --to <internal-ip>:21
iptables -t nat -A PREROUTING -p tcp -d <external ip> --dport 20 -j DNAT --to <internal-ip>:20
Do I need to add any other lines to the script?
Regards,
Rajendra Rait, 91-9819330803
On 1/24/06, Rajendra Rait rajendra.rait@gmail.com wrote:
-- http://mm.ilug-bom.org.in/mailman/listinfo/linuxers
What do you mean that it didn't work? What did you try? What error did you get? What did you do to check if it's working or not?
Have you referred to the man page of iptables?
Tell us something.
-- ------------------------------------------------------------------------------- AbhiSawa
On Wed, Jan 25, 2006 at 09:17:18AM +0530, Abhishek Sawant wrote:
On 1/24/06, Rajendra Rait rajendra.rait@gmail.com wrote:
I tried this command; it didn't work:
iptables -t nat -A PREROUTING -p tcp -d <external ip> --dport 21 -j DNAT --to <internal-ip>:21
iptables -t nat -A PREROUTING -p tcp -d <external ip> --dport 20 -j DNAT --to <internal-ip>:20
What do you mean that it didn't work? What did you try? What error did you get? What did you do to check if it's working or not?
Easy boy, he is trying.
Have you referred to the man page of iptables?
I'm sure he has. What you both don't seem to understand is the FTP protocol. It's not a simple protocol like HTTP or SMTP which you can easily redirect and get away with. Even if one uses passive mode FTP, the data connection port is decided by the FTP server. I don't know if "ip_nat_ftp" and "ip_conntrack_ftp" will work. I have only tried it for making FTP clients operate without barfing behind a NAT router. I'm sure it can be done the other way round as well, I guess. What I definitely have tried is `jftpgw' and it worked like a charm, allowing FTP forwarding in both directions, i.e., LAN->NAT->Internet as well as LAN<-NAT<-Internet.
Nosferatu!!!
On 1/25/06, Nosferatu!!! radid@myrealbox.com wrote:
You raised a valid point about the "ip_nat_ftp" and "ip_conntrack_ftp" kernel modules.
With these two, even behind a NATed firewall, passive FTP works fine.
But at least someone must get logged in without those modules and then cry about "connect: Connection refused".
-- ------------------------------------------------------------------------------- AbhiSawa
Nosferatu!!! wrote:
In addition to the rules given above, you also have to make your firewall stateful to allow related and established connections. Make keep-state rules for the filter and the nat table as well.
-- Manish
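Putting the thread's pieces together, here is an added example (not code from any of the posters) of the complete rule set the question calls for: the DNAT on the control port, the FTP conntrack/NAT helper that Nosferatu mentions, and the stateful FORWARD rules Manish asks for. The addresses, interface name and module names are assumptions: 203.0.113.10 stands for the public IP, 192.168.1.20 for the FTP server's private IP, eth0 for the public-side NIC, and the modules carry their post-2.6.20 names nf_conntrack_ftp / nf_nat_ftp (the thread's ip_conntrack_ftp / ip_nat_ftp on 2.4 and early 2.6 kernels). Two things the thread never spells out: the --dport 20 rule Rajendra tried is a no-op, because nothing ever connects to port 20 itself (in active mode the server opens the data connection outward from port 20; in passive mode the client connects to a high port the server chooses), so only the helper can make the data channel work; and from Linux 4.7 onward the helper is no longer attached to connections automatically, so it has to be bound to the control connection with an explicit CT rule. The script prints the commands unless its first argument is apply, so the rules can be reviewed before anything touches the firewall.

```shell
#!/bin/sh
# Added example, not from the thread: generate (and optionally apply) the
# iptables rules that forward inbound FTP from a public address to an FTP
# server on a private address, with the FTP conntrack helper handling the
# data channel.  All addresses and the interface name are assumptions.

EXT_IP="${EXT_IP:-203.0.113.10}"   # assumed public address on the Debian box
INT_IP="${INT_IP:-192.168.1.20}"   # assumed private address of the FTP server
EXT_IF="${EXT_IF:-eth0}"           # assumed public-side interface

# is_ipv4 ADDR: succeed only for four dotted-decimal octets in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*) return 1 ;;      # anything but digits and dots
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1                          # split on dots; no glob chars possible
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] || return 1    # empty field: "1..2.3" or ".1.2.3"
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# ftp_forward_rules EXT_IP INT_IP EXT_IF: print the rule set, one command per
# line, in the order it must be applied.  Prints nothing and fails if either
# address is malformed.
ftp_forward_rules() {
    ext="$1"; int="$2"; ifc="$3"
    is_ipv4 "$ext" && is_ipv4 "$int" || return 1
    cat <<EOF
# 1. Route between the two NICs.
sysctl -w net.ipv4.ip_forward=1
# 2. FTP helper: follow PORT/PASV in the control channel and rewrite the
#    addresses in it (on 2.4/early 2.6 kernels: ip_conntrack_ftp, ip_nat_ftp).
modprobe nf_conntrack_ftp
modprobe nf_nat_ftp
# 3. Bind the helper to the control connection explicitly, scoped to port 21
#    on the public NIC; since Linux 4.7 helpers are not assigned automatically.
iptables -t raw -A PREROUTING -i $ifc -p tcp --dport 21 -j CT --helper ftp
# 4. The DNAT from the thread, on port 21 only.  No rule for port 20: nothing
#    ever connects to it; data channels are tracked through the helper.
iptables -t nat -A PREROUTING -i $ifc -p tcp -d $ext --dport 21 -j DNAT --to-destination $int:21
# 5. Stateful filter rules: admit the new control connection, then everything
#    conntrack marks ESTABLISHED or RELATED (which covers the data channels).
iptables -A FORWARD -i $ifc -p tcp -d $int --dport 21 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 6. Whatever the FTP host sends out through the public NIC (active-mode data
#    connections included) leaves from the public address.
iptables -t nat -A POSTROUTING -s $int -o $ifc -j SNAT --to-source $ext
EOF
}

# Print by default; apply only when explicitly asked, so the output can be
# reviewed first:  sh ftpfwd.sh apply
case "${1:-}" in
    apply) ftp_forward_rules "$EXT_IP" "$INT_IP" "$EXT_IF" | sh -e ;;
    *)     ftp_forward_rules "$EXT_IP" "$INT_IP" "$EXT_IF" ;;
esac
```

To check that it works, which is what AbhiSawa was asking for: watch the packet counters with `iptables -t nat -L PREROUTING -v -n` while a client outside connects, and look for the helper on the control connection and the RELATED data connections with `conntrack -L | grep -i ftp`; then test a directory listing from outside in both passive and active mode, since the two fail in different places. Keep the helper scoped to port 21 as above rather than switching automatic helper assignment back on globally (the nf_conntrack_helper sysctl); helpers applied to arbitrary ports are what NAT slipstreaming attacks abuse. If you would rather not run a helper at all, the alternative is to have the server advertise the public address and a fixed passive port range (vsftpd's pasv_address, pasv_min_port and pasv_max_port) and DNAT that range alongside port 21; active mode then depends on the client being reachable.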