From: ago at hollo.idg.hu <ago at hollo.idg.hu>
To: ilug at linux.ie <ilug at linux.ie>
Date: 05 June 2000 20:50
Subject: [ILUG] port forwarding
>>Is there a step-by-step guide to the $SUBJECT ?
IPchains HOWTO at www.linuxdoc.org
>When a user starts an ftp connection it sends
>packets to the port 21. But in some cases the files (packets) arrive at
>some other unusual ports (eg. 5000 and so on). And if I deny the uses of
>other ports than 20,21,25,110,443,80,22 they will never arrive.
If you start an ftp session, it goes out through one of your "unpriviledged"
ports (ie those >1024) eg. port 5000 to port 21 of the target machine. The
responses come back to your port 5000. Any attempt to connect to *your* ftp
server will be coming *in* to port 21 from some high numbered port. What
you need is a pair of rules that
1. allow connections from your high ports to a remote port 21
This will allow you to make FTP connections
2. deny connections from any port to your port 21
This will prevent any remote machine from making FTP connections to your
The same principle applies to other services that use the ports you list.
Your outgoing connections are from *your* high ports to these ports on the
remote machine. Any connections coming *in* to your listed ports are
attempts to connect to *your* services. Unless you want to run a web server
(which you do), an FTP server (which you probably don't), a telnet service
(again you probably don't), you should deny access from outside to these
have a look at www.linux-firewall-tools.org for more info
General Forecast Division
ph +353 1 8064255
fax +353 1 8064275
conor.daly at met.ie
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!