-- snip --
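# some definitions
# NOTE: shell assignments take no whitespace around "=" -- the original
# "VAR = value" spelling runs VAR as a command, leaves every variable empty
# and every iptables rule below then matches on empty arguments.
GW_EXT_IFACE="eth0"         # gateway external i-face
GW_INT_IFACE="eth1"         # gateway internal i-face
GW_EXT_IP="212.234.12.56"   # gateway external IP
GW_INT_IP="10.12.12.1"      # gateway internal IP (unused by the rules below)
FTP_IP="10.12.12.57"        # ftp host IP
FTP_PORT="21"               # ftp control port

# begin
# The gateway has to route between its two interfaces, otherwise no packet
# ever reaches the FORWARD chain.
sysctl -w net.ipv4.ip_forward=1

# FTP negotiates a second (data) connection inside the control channel.
# conntrack can only classify that connection as RELATED -- and NAT can only
# rewrite the addresses carried in PORT/PASV -- when the ftp helpers are
# loaded. (2.4 / early 2.6 kernels call them ip_conntrack_ftp / ip_nat_ftp.)
# The helper opens pinholes based on addresses the client sends; keep its
# "loose" module parameter at the default (off) so only the peer of the
# control connection can request them.
modprobe nf_conntrack_ftp
modprobe nf_nat_ftp
# Since kernel 4.7 helpers are no longer attached to connections
# automatically (net.netfilter.nf_conntrack_helper defaults to 0, and the
# knob was dropped entirely later), so bind the ftp helper to the control
# port explicitly. Kernels that still auto-assign can live without this.
iptables -t raw -A PREROUTING -i "$GW_EXT_IFACE" -p tcp --dport "$FTP_PORT" \
  -j CT --helper ftp

# nat table, PREROUTING chain, that's the place we do destination NAT.
# Match only traffic addressed to our own external IP: without -d, any
# port-21 packet merely routed through this box would be redirected too.
iptables -t nat -A PREROUTING -i "$GW_EXT_IFACE" -d "$GW_EXT_IP" -p tcp \
  --dport "$FTP_PORT" -j DNAT --to-destination "$FTP_IP"

# FORWARD chain (INPUT is skipped because we don't need it in this example)
iptables -P FORWARD DROP   # default policy: whatever is not accepted below is dropped

# get advantage of the iptables connection tracking module:
# all ESTABLISHED or RELATED connections coming from the internet are
# accepted. RELATED is what lets the passive-mode ftp-data connection
# (client -> server data port) through; it only works together with the
# helper loaded above, which also DNATs that expected data connection.
iptables -A FORWARD -i "$GW_EXT_IFACE" -o "$GW_INT_IFACE" -p tcp \
  -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# allow NEW connections from the internet to the ftp internal host only.
# -d is evaluated after DNAT, so the internal address is the right one here;
# restricting to NEW keeps INVALID packets from slipping in on this rule.
iptables -A FORWARD -i "$GW_EXT_IFACE" -o "$GW_INT_IFACE" -p tcp \
  -d "$FTP_IP" --dport "$FTP_PORT" -m conntrack --ctstate NEW -j ACCEPT

# all remaining RELATED (like active-mode ftp-data, server port 20 -> client)
# and already ESTABLISHED connections from the ftp internal host to the
# internet are accepted. Nothing else from the LAN is forwarded out.
# Remember that FTP itself is cleartext: credentials cross the internet
# unprotected regardless of how tight this ruleset is.
iptables -A FORWARD -i "$GW_INT_IFACE" -o "$GW_EXT_IFACE" -p tcp \
  -s "$FTP_IP" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT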
-- snip --
P.S. There's no need to "mersi predwaritelno" (Bulgarian, roughly "thanks in advance"), my friend ;-)
Cheerz.