Deluxe
February 16, 2007, 12:07pm
1
This is my setup:
chain=dstnat dst-address=80.x.x.70 action=dst-nat to-addresses=192.168.0.10 to-ports=0-65535
chain=srcnat src-address=192.168.0.10 action=src-nat to-addresses=80.x.x.70 to-ports=0-65535
On 192.168.0.10 I built an Apache and FTP server (something like a web site).
From the outside world they can ping address 80.x.x.70 and they can access it via Explorer (port 80).
My problem is that they can't access it via FTP; we also tried telnet and SSH (from the outside world) and it's not working. Only from inside, I mean locally, everything works.
Is there some firewall rule that blocks telnet or FTP, or should I add some rule in Firewall->Filter? Please help.
Thx.
fatonk
February 16, 2007, 12:35pm
2
Hi
Check your firewall configuration. In the filter chain you can specify what to deny or allow. Post your firewall configuration here so we can find any possible misconfiguration.
Regards.
Faton
Deluxe
February 16, 2007, 12:56pm
3
Thx for the fast reply, this is my
Firewall->Filter
chain=forward protocol=tcp dst-port=135 action=drop
chain=input protocol=tcp dst-port=23 action=drop
;;; drop invalid connections
chain=forward protocol=tcp connection-state=invalid action=drop
;;; allow already established connections
chain=forward connection-state=established action=accept
;;; allow related connections
chain=forward connection-state=related action=accept
chain=forward src-address=0.0.0.0/8 action=drop
chain=forward dst-address=0.0.0.0/8 action=drop
chain=forward src-address=127.0.0.0/8 action=drop
chain=forward dst-address=127.0.0.0/8 action=drop
chain=forward src-address=224.0.0.0/3 action=drop
chain=forward protocol=udp action=jump jump-target=udp
chain=forward protocol=icmp action=jump jump-target=icmp
;;; deny TFTP
chain=tcp protocol=tcp dst-port=69 action=drop
;;; deny RPC portmapper
chain=tcp protocol=tcp dst-port=111 action=drop
;;; deny RPC portmapper
chain=tcp protocol=tcp dst-port=135 action=drop
;;; deny NBT
chain=tcp protocol=tcp dst-port=137-139 action=drop
;;; deny cifs
chain=tcp protocol=tcp dst-port=445 action=drop
;;; deny NFS
chain=tcp protocol=tcp dst-port=2049 action=drop
;;; deny NetBus
chain=tcp protocol=tcp dst-port=12345-12346 action=drop
;;; deny NetBus
chain=tcp protocol=tcp dst-port=20034 action=drop
;;; deny Back Orifice
chain=tcp protocol=tcp dst-port=3133 action=drop
;;; deny DHCP
chain=tcp protocol=tcp dst-port=67-68 action=drop
;;; deny TFTP
chain=udp protocol=udp dst-port=69 action=drop
;;; deny RPC portmapper
chain=udp protocol=udp dst-port=111 action=drop
;;; deny RPC portmapper
chain=udp protocol=udp dst-port=135 action=drop
;;; deny NBT
chain=udp protocol=udp dst-port=137-139 action=drop
;;; deny NFS
chain=udp protocol=udp dst-port=2049 action=drop
;;; deny Back Orifice
chain=udp protocol=udp dst-port=3133 action=drop
;;; allow echo reply
chain=icmp protocol=icmp icmp-options=0:0 action=accept
;;; allow net unreachable
chain=icmp protocol=icmp icmp-options=3:0 action=accept
;;; allow host unreachable
chain=icmp protocol=icmp icmp-options=3:1 action=accept
;;; allow source quench
chain=icmp protocol=icmp icmp-options=4:0 action=accept
;;; allow echo request
chain=icmp protocol=icmp icmp-options=8:0 action=accept
;;; allow time exceed
chain=icmp protocol=icmp icmp-options=11:0 action=accept
;;; allow parameter bad
chain=icmp protocol=icmp icmp-options=12:0 action=accept
;;; Drop Blaster Worm.
chain=forward protocol=udp dst-port=445 action=drop
;;; …
chain=forward protocol=tcp dst-port=593 action=drop
;;; …
chain=forward protocol=tcp dst-port=1024-1030 action=drop
;;; Drop MyDoom
chain=forward protocol=tcp dst-port=1080 action=drop
;;; …
chain=forward protocol=tcp dst-port=1214 action=drop
;;; ndm requester
chain=forward protocol=tcp dst-port=1363 action=drop
;;; ndm server
chain=forward protocol=tcp dst-port=1364 action=drop
;;; screen cast
chain=forward protocol=tcp dst-port=1368 action=drop
;;; hromgrafx
chain=forward protocol=tcp dst-port=1373 action=drop
;;; cichlid
chain=forward protocol=tcp dst-port=1377 action=drop
;;; Worm
chain=forward protocol=tcp dst-port=1433-1434 action=drop
;;; Bagle Virus
chain=forward protocol=tcp dst-port=2745 action=drop
;;; Drop Dumaru.Y
chain=forward protocol=tcp dst-port=2283 action=drop
;;; Drop Beagle
chain=forward protocol=tcp dst-port=2535 action=drop
;;; Drop MyDoom
chain=forward protocol=tcp dst-port=3127-3128 action=drop
;;; Drop Backdoor OptixPro
chain=forward protocol=tcp dst-port=3410 action=drop
;;; Worm
chain=forward protocol=tcp dst-port=4444 action=drop
;;; Worm
chain=forward protocol=udp dst-port=4444 action=drop
;;; Drop Sasser
chain=forward protocol=tcp dst-port=5554 action=drop
;;; Drop Beagle.B
chain=forward protocol=tcp dst-port=8866 action=drop
;;; Drop Dumaru.Y
chain=forward protocol=tcp dst-port=10000 action=drop
;;; Drop MyDoom.B
chain=forward protocol=tcp dst-port=10080 action=drop
;;; Drop NetBus
chain=forward protocol=tcp dst-port=12345 action=drop
;;; Drop Kuang2
chain=forward protocol=tcp dst-port=17300 action=drop
;;; Drop SubSeven
chain=forward protocol=tcp dst-port=27374 action=drop
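One way to check a rule list like the one above for a rule that would drop a given forwarded port, as an added example that is not part of the original posts: a small Python first-match evaluator run over a constructed excerpt of the posted rules. The function names are hypothetical, and it assumes only the protocol, dst-port and connection-state matchers matter and that a packet matching no rule in a built-in chain is accepted.

```python
# Constructed excerpt of the filter rules posted above, original order kept.
# Assumption: only protocol, dst-port and connection-state matchers are modelled.
RULES_TEXT = """\
chain=forward protocol=tcp dst-port=135 action=drop
chain=input protocol=tcp dst-port=23 action=drop
chain=forward protocol=tcp connection-state=invalid action=drop
chain=forward connection-state=established action=accept
chain=forward protocol=udp action=jump jump-target=udp
;;; deny TFTP
chain=udp protocol=udp dst-port=69 action=drop
chain=forward protocol=tcp dst-port=1024-1030 action=drop
chain=forward protocol=tcp dst-port=4444 action=drop
"""


def parse_rules(text):
    """Parse 'key=value ...' lines into dicts, skipping ';;;' comment lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(";;;"):
            rules.append(dict(item.split("=", 1) for item in line.split()))
    return rules


def port_in(spec, port):
    """True if port falls in a spec such as '445' or '137-139'."""
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def verdict(rules, chain, protocol, dst_port, state="new"):
    """First-match walk of a chain; returns (action, rule) or (None, None)."""
    for rule in rules:
        if rule["chain"] != chain:
            continue
        if rule.get("protocol", protocol) != protocol:
            continue
        if "dst-port" in rule and not port_in(rule["dst-port"], dst_port):
            continue
        if rule.get("connection-state", state) != state:
            continue
        if rule["action"] == "jump":
            action, hit = verdict(rules, rule["jump-target"], protocol, dst_port, state)
            if action is None:
                continue  # nothing matched in the custom chain: return to caller
            return action, hit
        return rule["action"], rule
    return None, None  # no rule matched; a built-in chain then accepts the packet


RULES = parse_rules(RULES_TEXT)
```

Connections that hit the dst-nat rule are evaluated in the forward chain, so `verdict(RULES, "forward", "tcp", 21)` is the relevant query; the input rule on port 23 only covers connections addressed to the router itself.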
Deluxe
February 16, 2007, 9:39pm
4
OK, I did it. The problem was that I had put in protection for the web proxy; I turned it off and it works. Thx anyway.