User:Karabatikos/Sandbox

A Linux PC with two network cards, FTP from one subnet to the other
I have the following setup:

    Desktop (Debian Squeeze)
    eth1 (fixed) 192.168.0.32 - router (192.168.0.3) - ISP
    eth0 (fixed) 172.17.2.1                   |
          |                                    |
          |                                    |
    Laptop1 (Ubuntu Maverick)              Laptop2 (Windows XP)
    eth0 (fixed ip) 172.17.2.100           dhcp (wireless card) 192.168.0.104

Desktop and Laptop1 have web servers running. Laptop2 has a FileZilla FTP server running. At this stage, Laptop1 can access the web server of Desktop, and Desktop can access the web server of Laptop1 (by IP address). Desktop can access the FTP server of Laptop2. There is no connectivity between the 192.168.0.* and the 172.17.2.* networks.

Based on this I did the following (on Desktop, as root):

    echo "1" > /proc/sys/net/ipv4/ip_forward

    /sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
    /sbin/iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    /sbin/iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

Desktop (/etc/network/interfaces):

    auto lo
    iface lo inet loopback

    auto eth1
    iface eth1 inet static
        address 192.168.0.32
        netmask 255.255.255.0
        gateway 192.168.0.3

    auto eth0
    iface eth0 inet static
        address 172.17.2.1
        netmask 255.255.255.0

Laptop1 (/etc/network/interfaces):

    auto lo
    iface lo inet loopback

    auto eth0
    iface eth0 inet static
        address 172.17.2.100
        netmask 255.255.255.0
        gateway 172.17.2.1

Now, Laptop1 can access the router (by IP) and the internet (by IP address only; I nslookup'ed some sites from Desktop and tested them on Laptop1). Getting DNS lookup to work on Laptop1 is not important now. However, FTP from Laptop1 to Laptop2 (using IP address 192.168.0.104) did not work correctly. I was allowed to log in, but when doing "ls" or "dir", I get the message

    150 Opening data channel for directory list.

and nothing more happens. It just hangs forever. I tried modifying the iptables rules to

    /sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
    /sbin/iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

but that made no difference. After some googling, I found out that using FTP passive mode would solve the problem, i.e.

    ftp -p 192.168.0.104

and FTP works.
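The hang described above, worked through as an added example (this is not code from the original post). In active mode the client sends `PORT h1,h2,h3,h4,p1,p2` naming its own address on the 172.17.2.0/24 side, and the server on 192.168.0.104 has to open the data connection towards that address; MASQUERADE rewrites the IP headers of forwarded packets, not the address carried inside the FTP command, and nothing on the 192.168.0.0/24 side has a route to 172.17.2.0/24, so the server's connection attempt goes nowhere and `LIST` waits forever. In passive mode the `227` reply carries the server's own address, so the client on Laptop1 opens the data connection, which is forwarded and masqueraded exactly like the control connection. The addresses are the ones from the post; the two control-channel transcripts are constructed for the example, and the routing model in `can_reach` is an assumption that matches the connectivity the post describes.

```python
"""Why active FTP hangs across the Desktop's NAT while passive FTP works.

Addresses are taken from the post; the transcripts below are constructed,
and can_reach() is a deliberately simple model of the post's topology.
"""
import ipaddress
import re

CLIENT_NET = ipaddress.ip_network("172.17.2.0/24")   # Laptop1's side, behind the Desktop
SERVER_NET = ipaddress.ip_network("192.168.0.0/24")  # Laptop2's side, served by the router
CLIENT_IP = ipaddress.ip_address("172.17.2.100")     # Laptop1
SERVER_IP = ipaddress.ip_address("192.168.0.104")    # Laptop2 (FileZilla)

_HOSTPORT = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def parse_hostport(text):
    """Decode the RFC 959 h1,h2,h3,h4,p1,p2 field used by PORT and 227 replies."""
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % text)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return ipaddress.ip_address(f"{h1}.{h2}.{h3}.{h4}"), p1 * 256 + p2


def data_channel(line):
    """Who dials whom for the data connection: (initiator, target_ip, target_port).

    PORT is sent by the client, so the server must connect back to the client.
    227 is sent by the server, so the client connects to the server.
    """
    if line.upper().startswith("PORT "):
        ip, port = parse_hostport(line)
        return "server", ip, port
    if line.startswith("227 "):
        ip, port = parse_hostport(line)
        return "client", ip, port
    raise ValueError("not a PORT command or a 227 reply: %r" % line)


def can_reach(src, dst):
    """Assumed reachability in the post's topology.

    Laptop1 has the Desktop as its gateway and is masqueraded, so it reaches its
    own subnet and everything beyond it.  Laptop2 only knows 192.168.0.0/24 and
    the router; nobody on that side routes 172.17.2.0/24 for it.
    """
    if src in CLIENT_NET:
        return True
    if src in SERVER_NET:
        return dst not in CLIENT_NET
    return False


def data_channel_possible(line):
    """True if the data connection negotiated by this PORT/227 line can be set up."""
    initiator, target_ip, _port = data_channel(line)
    src = SERVER_IP if initiator == "server" else CLIENT_IP
    return can_reach(src, target_ip)


def simulate(transcript):
    """Walk a control-channel transcript (list of (speaker, line)) and report
    whether the first negotiated data channel can complete; None if there is none."""
    for _speaker, line in transcript:
        if line.upper().startswith("PORT ") or line.startswith("227 "):
            return data_channel_possible(line)
    return None


# Constructed transcripts: port 195*256+80 = 50000 in both cases.
ACTIVE_LS = [
    ("client", "USER anonymous"),
    ("server", "331 Password required for anonymous"),
    ("client", "PASS guest"),
    ("server", "230 Logged on"),
    ("client", "PORT 172,17,2,100,195,80"),      # Laptop1 tells Laptop2 to dial 172.17.2.100:50000
    ("server", "200 Port command successful"),
    ("client", "LIST"),
    ("server", "150 Opening data channel for directory list."),  # ...and then nothing
]

PASSIVE_LS = [
    ("client", "USER anonymous"),
    ("server", "331 Password required for anonymous"),
    ("client", "PASS guest"),
    ("server", "230 Logged on"),
    ("client", "PASV"),
    ("server", "227 Entering Passive Mode (192,168,0,104,195,80)"),  # Laptop1 dials 192.168.0.104:50000
    ("client", "LIST"),
    ("server", "150 Opening data channel for directory list."),
]

if __name__ == "__main__":
    for name, transcript in (("active", ACTIVE_LS), ("passive", PASSIVE_LS)):
        print(f"{name:8s} LIST data channel possible: {simulate(transcript)}")
```

This also shows why relaxing the eth1→eth0 FORWARD rule to a plain ACCEPT made no difference: the packets the server would need to send never reach the Desktop at all, so there is nothing for that rule to accept. With the original `RELATED,ESTABLISHED` rule, the usual way to make active mode work through a Linux NAT box is the kernel's FTP connection-tracking helper (`nf_conntrack_ftp` together with `nf_nat_ftp`), which rewrites the address in the PORT command and marks the server's data connection as RELATED; without it, passive mode is the right answer, and it keeps the narrower forwarding rule in place.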


 * He he, one problem gets solved after another while preparing the question. Maybe everything will be solved before I ever get to posting this :-)


I have read this HOWTO about building a linux bridging firewall, but that is not the setup I'm trying to achieve.