linux routing: can't connect to windows ftp server

[miyas]

hi,
i have installed a linux proxy. My local network (made of w2000 machines) can access internet through it without any pb.
I have my ftp server on one of the windows 2000 pc and i can't access it (connecting from internet).
I'm using GFTP Server. When i try to connect the ftp server, i've got a log on G6 that says that the ip of the machine trying to connect is 0.0.0.0.
I think that the problem comes from my iptables configuration. I shall need to make some redirection from linux to my windows ftp server, but i don't see how...

thanks for your help
Maxime

 

[ifincham]

Hi,

The answer would be different depending on whether your w2k box had it's own public IP address or whether it just had an internal lan ip address and your only public address was the internet connex on the linux proxy/firewall. Presumably, its the latter.

I'm not absolutely sure on this and I've no way of testing but I think you would need to use DNAT as follows :

/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 21 -j DNAT --to 172.16.16.2

In the above example 'eth1' would be the internet interface and '172.16.16.16.2' would be the internal machine you want to forward packets to. The problem with ftp is that once the server accepts a connex it inititates a (second) outgoing session on port 20 to the client. You therefore need to allow that too. You would use something like :

/sbin/iptables -A FORWARD -m state --state ESTABLISHED, RELATED -j ACCEPT

Incidentally, there is apparently an exploit that can take advantage of this kind of rule so be careful.

You might like to look at

http://muse.linuxmafia.org/gshield.html

which is the home of Gshield, a reasonably sophisticated iptables firewall/script generator.

Regards..

 

[miyas]

thx for your help, ifincham, but it still doesn't work...
i also tried the webside you gave me and i'm working on it and it's gonna take some time

Maxime

PS: if someone has other ideas, i'm opened to any sugestions