iptables nat ftp

0

0
Есть сервер, 2 интерфейса один в инете другой в локальной сети Как настроить ftp доступ из локалки и чтобы он иог быть активным и пассивным вот мой iptables-save -с:
# Generated by iptables-save v1.2.7a on Mon Dec 12 14:38:35 2005
*mangle
:PREROUTING ACCEPT [4573646:1233798380]
:INPUT ACCEPT [4519762:1229909578]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5329462:2223246385]
:POSTROUTING ACCEPT [5331901:2223835243]
COMMIT
# Completed on Mon Dec 12 14:38:35 2005
# Generated by iptables-save v1.2.7a on Mon Dec 12 14:38:35 2005
*nat
:PREROUTING ACCEPT [102005:9592669]
:POSTROUTING ACCEPT [6336:618526]
:OUTPUT ACCEPT [124311:8518754]
[34754:1671884] -A PREROUTING -d ! 80.82.42.40/255.255.255.248 -i ppp+ -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
[118002:7901308] -A POSTROUTING -o eth0 -j SNAT --to-source 80.82.42.42
COMMIT
# Completed on Mon Dec 12 14:38:35 2005
# Generated by iptables-save v1.2.7a on Mon Dec 12 14:38:35 2005
*filter
:INPUT DROP [12887:1467120]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:allowed - [0:0]
:bad_tcp_packets - [0:0]
:icmp_packets - [0:0]
:tcp_packets - [0:0]
:udp_packets - [0:0]
[2838603:996179271] -A INPUT -p tcp -j bad_tcp_packets
[822527:91479334] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -s 127.0.0.0/255.0.0.0 -j DROP
[0:0] -A INPUT -d 127.0.0.0/255.0.0.0 -j DROP
[1626:392572] -A INPUT -s 80.82.42.42 -i eth0 -j DROP
[0:0] -A INPUT -s 80.82.32.48 -j ACCEPT
[1018021:130481125] -A INPUT -i ppp+ -j ACCEPT
[1195672:175234711] -A INPUT -d 192.168.1.1 -m state --state RELATED,ESTABLISHED -j ACCEPT
[1436:475350] -A INPUT -i eth1 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
[66:3168] -A INPUT -i eth1 -p tcp -m tcp --dport 137:139 -j ACCEPT
[51631:6290153] -A INPUT -i eth1 -p udp -m udp --dport 137:139 -j ACCEPT
[7573:360394] -A INPUT -s 192.168.1.0/255.255.255.0 -i eth1 -p tcp -j tcp_packets
[5268:433204] -A INPUT -s 192.168.1.0/255.255.255.0 -i eth1 -p udp -j udp_packets
[69:4150] -A INPUT -s 192.168.1.0/255.255.255.0 -i eth1 -p icmp -j icmp_packets
[1363501:819919942] -A INPUT -d 80.82.42.42 -m state --state RELATED,ESTABLISHED -j ACCEPT
[33035:3068166] -A INPUT -d 80.82.42.43 -m state --state RELATED,ESTABLISHED -j ACCEPT
[15242:827856] -A INPUT -i eth0 -p tcp -j tcp_packets
[2857:845668] -A INPUT -i eth0 -p udp -j udp_packets
[942:77004] -A INPUT -i eth0 -p icmp -j icmp_packets
[12886:1467080] -A INPUT -j LOG --log-prefix "Blocked in INPUT chain: " --log-level 6
[0:0] -A FORWARD -p tcp -j bad_tcp_packets
[0:0] -A FORWARD -i eth1 -j DROP
[0:0] -A FORWARD -i ppp+ -j ACCEPT
[0:0] -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -j LOG --log-prefix "Blocked in FORWARD chain: " --log-level 6
[807510:88472189] -A OUTPUT -s 127.0.0.1 -j ACCEPT
[1704570:1001725579] -A OUTPUT -s 192.168.1.1 -j ACCEPT
[1341839:230276547] -A OUTPUT -s 80.82.42.42 -j ACCEPT
[34866:15216549] -A OUTPUT -s 80.82.42.43 -j ACCEPT
[1440663:887550149] -A OUTPUT -s 192.168.25.1 -j ACCEPT
[0:0] -A OUTPUT -j LOG --log-prefix "Blocked in OUTPUT chain: " --log-level 6
[9256:493804] -A allowed -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
[4302:203314] -A allowed -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
[48:12910] -A allowed -p tcp -j LOG --log-prefix "Blocked in ALDW chain: " --log-level 6
[48:12910] -A allowed -p tcp -j DROP
[52:2360] -A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j LOG --log-prefix "Blocked in BTP chain: " --log-level 7
[52:2360] -A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
[1008:80930] -A icmp_packets -p icmp -m icmp --icmp-type 8 -j ACCEPT
[2:112] -A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
[1:112] -A icmp_packets -p icmp -j LOG --log-prefix "Blocked in ICP chain: " --log-level 6
[330:19608] -A tcp_packets -p tcp -m tcp --dport 21:22 -j allowed
[3139:210158] -A tcp_packets -p tcp -m tcp --dport 80 -j allowed
[186:8968] -A tcp_packets -p tcp -m tcp --dport 3128 -j allowed
[0:0] -A tcp_packets -s 192.168.25.0/255.255.255.0 -p tcp -m tcp --dport 110 -j allowed
[4226:176165] -A tcp_packets -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --dport 110 -j allowed
[1:48] -A tcp_packets -s 80.82.0.0/255.255.0.0 -p tcp -m tcp --dport 110 -j allowed
[8:384] -A tcp_packets -p tcp -m tcp --dport 143 -j allowed
[5484:283561] -A tcp_packets -p tcp -m tcp --dport 25 -j allowed
[7:336] -A tcp_packets -p tcp -m tcp --dport 53 -j allowed
[0:0] -A tcp_packets -p tcp -m tcp --sport 53 --dport 1024:65535 -j allowed
[0:0] -A tcp_packets -p tcp -m tcp --sport 21 -j allowed
[225:10800] -A tcp_packets -p tcp -m tcp --dport 1723 -j allowed
[9209:478222] -A tcp_packets -p tcp -j LOG --log-prefix "Blocked in TP chain: " --log-level 6
[4578:296608] -A udp_packets -p udp -m udp --dport 53 -j ACCEPT
[103:7362] -A udp_packets -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
[3444:974902] -A udp_packets -p udp -j LOG --log-prefix "Blocked in UP chain: " --log-level 6
COMMIT
# Completed on Mon Dec 12 14:38:35 2005
может тут что подправить?
Ссылка
Для начала
# modprobe ip_conntrack_ftp
Потом
#iptables -t filter -A FORWARD -p tcp --dport 21 -m state --state NEW -j ACCEPT
Добавь куда-нибудь, чтобы эти строчки при старте выполнялась. И все.
А вообще помогает: http://gazette.linux.ru.net/rus/articles/index-iptables-tutorial.html
marten ★
(12.12.05 18:30:11 MSK)
Вдогонку: надо также # modprobe ip_nat_ftp
marten ★
(12.12.05 18:46:38 MSK)
Похожие темы
