Bonjour,
Malgrès mes différentes recherches sur la toile, je n'arrive pas à configurer mon script Netfilter afin qu'il laisse passer les utilisateurs (du lan vert) qui souhaitent accèder à un serveur ftp (que je n'administre pas) qui est configuré pour se connecter en mode ftp passif.
voici mon une partie script ainsi qu'un état des modules lancés
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
red=eth2
green=eth0
blue=eth1
#Protocoles
http=80,81,8080
https=443
ftp=20,21
ftps=989
pop=110
imap=143,220
imaps=993
smtp=25,2525
time=123,37,119
pxe=67
snmp=161
epmap=135
isakmp=500
ldap=389,636,3268,3269
dns=53
cifs=445,901
kerberos=88
wins=1512,42
# GREEN -> RED
iptables -A CUSTOMFORWARD -i $green -o $red -j DROP
iptables -I CUSTOMFORWARD -i $green -o $red -p tcp -m multiport --dports $http,$https -j ACCEPT
iptables -I CUSTOMFORWARD -i $green -o $red -p tcp -m multiport --dports $ftp,$ftps -j ACCEPT
iptables -I CUSTOMFORWARD -i $green -o $red -p udp -m multiport --dports $ftp,$ftps -j ACCEPT
iptables -I CUSTOMFORWARD -i $green -o $red -p tcp -m multiport --dports $pop,$imap,$imaps,$smtp -j ACCEPT
iptables -I CUSTOMFORWARD -i $green -o $red -p tcp -m multiport --dports $time -j ACCEPT
iptables -I CUSTOMFORWARD --protocol tcp --destination-port $ftp -j ACCEPT
iptables -I CUSTOMFORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I CUSTOMFORWARD -i $green -o $red -p icmp -j ACCEPT
......
Liste des modules lancés
Module Size Used by Not tainted
ipt_REDIRECT 696 1 (autoclean)
ipsec_twofish 35332 0 (unused)
ipsec_sha2 7800 0 (unused)
ipsec_sha1 18488 2
ipsec_serpent 11076 0 (unused)
ipsec_md5 4440 0 (unused)
ipsec_cast 15748 0 (unused)
ipsec_blowfish 8420 0 (unused)
ipsec_aes 31624 2
ipsec_3des 17052 0 (unused)
ipsec 255300 2 [ipsec_twofish ipsec_sha2 ipsec_sha1 ipsec_serpent ipsec_md5 ipsec_cast ipsec_blowfish ipsec_aes ipsec_3des]
ipt_MASQUERADE 1272 1 (autoclean)
ipt_multiport 600 12 (autoclean)
ip_nat_ftp 2448 0 (unused)
ip_conntrack_ftp 3568 1
ipt_mark 440 2 (autoclean)
ipt_TCPMSS 2168 1 (autoclean)
ipt_state 504 16 (autoclean)
ipt_REJECT 2968 1 (autoclean)
ipt_LOG 3616 9 (autoclean)
ipt_limit 792 9 (autoclean)
iptable_mangle 2008 1 (autoclean)
iptable_filter 1612 1 (autoclean)
8139too 13128 3
mii 2112 0 [8139too]
crc32 2880 0 [8139too]
ip_nat_quake3 1800 0 (unused)
ip_conntrack_quake3 1896 1
ip_nat_proto_gre 1092 0 (unused)
ip_nat_pptp 2148 0 (unused)
ip_conntrack_pptp 2601 1
ip_conntrack_proto_gre 1973 0 [ip_nat_pptp ip_conntrack_pptp]
ip_nat_mms 2672 0 (unused)
ip_conntrack_mms 2832 1
ip_nat_irc 1968 0 (unused)
ip_conntrack_irc 2768 1
ip_nat_h323 2372 0 (unused)
ip_conntrack_h323 2153 1
iptable_nat 15878 8 [ipt_REDIRECT ipt_MASQUERADE ip_nat_ftp ip_nat_quake3 ip_nat_proto_gre ip_nat_pptp ip_nat_mms ip_nat_irc ip_nat_h323]
ip_conntrack 18928 7 [ipt_REDIRECT ipt_MASQUERADE ip_nat_ftp ip_conntrack_ftp ipt_state ip_nat_quake3 ip_conntrack_quake3 ip_nat_pptp ip_conntrack_pptp ip_conntrack_proto_gre ip_nat_mms ip_conntrack_mms ip_nat_irc ip_conntrack_irc ip_nat_h323 ip_conntrack_h323 iptable_nat]
ip_tables 10976 14 [ipt_REDIRECT ipt_MASQUERADE ipt_multiport ipt_mark ipt_TCPMSS ipt_state ipt_REJECT ipt_LOG ipt_limit iptable_mangle iptable_filter iptable_nat]
acm 5120 0 (unused)
keybdev 1764 0 (unused)
hid 19908 0 (unused)
input 3104 0 [keybdev hid]
sd_mod 10284 0 (unused)
usb-storage 24624 0 (unused)
scsi_mod 52920 1 [sd_mod usb-storage]
usb-uhci 20528 0 (unused)
usbcore 56236 1 [acm hid usb-storage usb-uhci]
apm 8644 0
Configuration: Windows Vista
Internet Explorer 7.0
Clé adsl configuration client ftp
