Problem setting up ftp server inside lan (iptables)

Discussion in 'Linux Networking' started by Sam, Aug 16, 2004.

  1. Sam

    Sam Guest

    Hi,

    I am trying to set up my ftp server located inside my lan. I thought
    everything has been done, but when I try to access the ftp server from
    the outside, it fails.

    There's got to be something I'm missing here. Any help would be very
    appreciated.

    Thanks,

    Sam



    Here are the rules in iptables:

    *********

    WAN=$(nvram_get wan_ifname)

    IPT=/usr/sbin/iptables

    for T in filter nat mangle ; do
    $IPT -t $T -F
    $IPT -t $T -X
    done

    $IPT -t filter -A INPUT -m state --state INVALID -j DROP
    $IPT -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -t filter -A INPUT -p icmp -j ACCEPT
    $IPT -t filter -A INPUT -i $WAN -p tcp -j REJECT --reject-with tcp-reset
    $IPT -t filter -A INPUT -i $WAN -j REJECT --reject-with icmp-port-unreachable
    $IPT -t filter -A FORWARD -m state --state INVALID -j DROP
    $IPT -t filter -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -t filter -A FORWARD -i $WAN -m state --state NEW,INVALID -j DROP

    $IPT -t nat -A POSTROUTING -o $WAN -j MASQUERADE

    ****

    I added the following to redirect port 20 and 21, and 10000-12000
    (passive port range)

    iptables -t nat -A PREROUTING -p tcp --dport 20 -j DNAT --to-destination 192.168.1.20:20

    iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to-destination 192.168.1.20:21

    iptables -t nat -A PREROUTING -p tcp --dport 10000:12000 -j DNAT --to-destination 192.168.1.20
     
    Sam, Aug 16, 2004
    #1

  2. Sam

    vhu Guest

    Sam wrote:
    ( .. snip .. )
    Add these lines here:

    $IPT -t filter -A FORWARD -i $WAN -d 192.168.1.20 -p tcp --dport 21 -j ACCEPT

    Line above is needed as the next rule drops all new connections from WAN
    to LAN.
     
    vhu, Aug 16, 2004
    #2
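Putting Sam's DNAT rules and vhu's FORWARD accept together in the order the chains need, as an added example that is not part of the thread. It assumes a WAN interface name of eth0 and the server address and passive range from the first post; the ipt wrapper only prints the rules unless DRY_RUN=0 is set, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the thread): NAT + filter rules for an FTP server
# at 192.168.1.20 behind the router. Assumptions: WAN=eth0, passive range
# 10000:12000 configured on the server. DRY_RUN=1 (default) prints rules.
FTP_HOST=192.168.1.20
PASV_RANGE=10000:12000
WAN=${WAN:-eth0}                 # assumption: WAN interface name
IPT=${IPT:-/usr/sbin/iptables}
DRY_RUN=${DRY_RUN:-1}

ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else "$IPT" "$@"; fi
}

load_ftp_helper() {
    # The FTP conntrack helper marks data connections as RELATED and fixes
    # up the addresses inside PORT/PASV replies that NAT rewrites.
    # Older 2.4 kernels use ip_conntrack_ftp / ip_nat_ftp instead.
    if [ "$DRY_RUN" = 1 ]; then echo "modprobe nf_conntrack_ftp nf_nat_ftp"
    else modprobe nf_conntrack_ftp nf_nat_ftp; fi
}

ftp_rules() {
    # Only rewrite traffic arriving on the WAN side; LAN clients talk to the
    # server directly. Active-mode data connections originate from the
    # server (source port 20) and leave via MASQUERADE, so no inbound DNAT
    # for port 20 is needed.
    ipt -t nat -A PREROUTING -i "$WAN" -p tcp --dport 21 \
        -j DNAT --to-destination "$FTP_HOST:21"
    ipt -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$PASV_RANGE" \
        -j DNAT --to-destination "$FTP_HOST"
    ipt -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE

    ipt -t filter -A FORWARD -m state --state INVALID -j DROP
    ipt -t filter -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    # DNATed packets still traverse FORWARD; these accepts must precede the
    # catch-all DROP for new WAN connections, which is what the original
    # script was missing.
    ipt -t filter -A FORWARD -i "$WAN" -d "$FTP_HOST" -p tcp --dport 21 \
        -m state --state NEW -j ACCEPT
    ipt -t filter -A FORWARD -i "$WAN" -d "$FTP_HOST" -p tcp \
        --dport "$PASV_RANGE" -m state --state NEW -j ACCEPT
    ipt -t filter -A FORWARD -i "$WAN" -m state --state NEW,INVALID -j DROP
}

load_ftp_helper
ftp_rules
```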
