
How would I combine Related connections and MASQ/NAT? (linux 2.4/iptables)

Buddha Bart

I've found howtos and articles on either topic independently, but not combined. Essentially I want to be able to use active-mode ftp from behind my gateway.

Here's my current "firewall" script if it helps.

### Begin ###
/sbin/modprobe iptable_nat
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
### End ###

(route verification and ipforwarding are turned on elsewhere)

bart

 
Yeah, I read that one, but I don't understand enough to combine it with NAT.

That one is based on a default-deny firewall, and designed to allow related connections through the deny rules.

I need something that can listen for the PORT command in an FTP session, and forward that port to the NAT'd client.

bart
 
For ipchains there's a kernel module that does the watching/modifying of FTP commands separate from ipchains, maybe iptables has one too?
 
Originally posted by: Nothinman
For ipchains there's a kernel module that does the watching/modifying of FTP commands separate from ipchains, maybe iptables has one too?

That's exactly what I was thinking, but I haven't been able to find anything. The closest was this http://www.netfilter.org/documentation/HOWTO//netfilter-extensions-HOWTO-5.html#ss5.2
but it's very short, talks mostly of fxp, and is in a section on "new" connection tracking things. Where are the old ones!?!

bart
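
What a helper that watches and modifies FTP commands has to do with an active-mode PORT line, sketched as an added example (not part of any post in this thread and not netfilter's code; on 2.4 kernels the modules that do this are ip_conntrack_ftp and ip_nat_ftp). The addresses, function names and the expectation table are constructed for illustration.

```python
import re

# Constructed sample values (not from the thread).
CLIENT_IP = "192.168.1.10"   # NAT'd client behind the gateway
PUBLIC_IP = "203.0.113.5"    # gateway's external (eth0) address

PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


def parse_port(line):
    """Return (ip, port) from 'PORT h1,h2,h3,h4,p1,p2', or None if malformed."""
    m = PORT_RE.match(line)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def rewrite_port(line, client_ip, public_ip, expectations):
    """Handle one control-channel line sent by the client.

    For a valid PORT command, record which inbound port on the gateway
    belongs to which internal (ip, port), and return the line rewritten
    to advertise the gateway's address. Everything else passes unchanged.
    """
    parsed = parse_port(line)
    if parsed is None:
        return line
    ip, port = parsed
    # Only honour a PORT that names the sender itself; otherwise the
    # gateway would open a forward to a host the client does not own.
    if ip != client_ip:
        return line
    public_port = port
    while public_port in expectations:      # port already promised: take the next
        public_port += 1
    expectations[public_port] = (client_ip, port)
    octets = public_ip.replace(".", ",")
    return f"PORT {octets},{public_port >> 8},{public_port & 0xFF}\r\n".encode()


if __name__ == "__main__":
    table = {}
    print(rewrite_port(b"PORT 192,168,1,10,4,1\r\n", CLIENT_IP, PUBLIC_IP, table))
    print(table)
```

The expectation table is the part that ties this to RELATED: the server's incoming data connection matches a recorded entry, so it can be accepted as related to the control session and forwarded to the internal client.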
 