<br><br><div><span class="gmail_quote">On 10/5/07, <b class="gmail_sendername">John R Pierce</b> <<a href="mailto:pierce@hogranch.com">pierce@hogranch.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Indunil Jayasooriya wrote:<br>><br>> Hi all,<br>><br>> I want to run vsftp behind a firewall.(i.e DMZ zone) . It is runnig as<br>> passive ftp.<br>><br>> the theroy behind passive ftp is ,<br>><br>
<br>except, passive vs active is the choice the CLIENT not the server. the<br>only way to properly handle both modes is to parse the FTP commands on<br>the control port (21) and setup/teardown port forwards on dynamic ports
<br>as needed.<br><br>if you use the ip_nat_ftp module, this is all taken care of<br>automatically and both transfer modes should work, you'll simply need to<br>forward the control port.</blockquote><div><br>Thanks, That means below 2 rules will be enough.
<br><br><span class="q">ptables -t nat -A PREROUTING -p tcp -i eth0 -d <a href="http://1.2.3.4/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
1.2.3.4</a> --dport 21 -j DNAT --to-destination <a href="http://192.168.100.3:21/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">192.168.100.3:21
</a><br><br></span><span class="q">iptables -A FORWARD -p tcp -d <a href="http://192.168.100.3/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">192.168.100.3</a> --dport 21 -m state --state NEW -j ACCEPT
<br>
</span><br></div>Am I right? <br><br><br><div><br><br> </div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">_______________________________________________
<br>CentOS mailing list<br><a href="mailto:CentOS@centos.org">CentOS@centos.org</a><br><a href="http://lists.centos.org/mailman/listinfo/centos">http://lists.centos.org/mailman/listinfo/centos</a><br></blockquote></div><br>
<br clear="all"><br>-- <br>Thank you<br>Indunil Jayasooriya<br>