| 1 |
On Sun, 19 Apr 2009 14:02:38 -0400 |
| 2 |
"D.H." <derrickdb1@×××××××.net> wrote: |
| 3 |
|
| 4 |
> I'd like to set up an ftp proxy on my home firewall so I can scan for |
| 5 |
> viruses using clamd. I found frox. Which looks like it will do what |
| 6 |
> I want. I've pretty much used the default install which makes frox |
| 7 |
> listen on 127.0.0.1:2121. But, I'm not sure the firewall rules are |
| 8 |
> working right. |
| 9 |
> |
| 10 |
> eth1 is the internal interface |
| 11 |
> |
| 12 |
> iptables -A FORWARD -p tcp -i eth1 --destination-port 2121 \ |
| 13 |
> --destination 127.0.0.1 -j ACCEPT |
| 14 |
> |
| 15 |
> iptables -t nat -A PREROUTING -p tcp -i eth1 --destination-port 21 \ |
| 16 |
> -j DNAT --to-destination 127.0.0.1:2121 |
| 17 |
> |
| 18 |
> Either that, or frox itself is having issues. Any ideas? While I'm |
| 19 |
> at it, is there an alternative to frox? |
| 20 |
> |
| 21 |
> |
| 22 |
> |
| 23 |
|
| 24 |
Hi, |
| 25 |
|
| 26 |
I believe this schema won't work because "DNAT" target rewrites the |
| 27 |
destination address in the IP packet headers. Therefore what frox |
| 28 |
receives is a sequence of packets with destination set to its own |
| 29 |
address. Try using the "REDIRECT" target which is supposed to rewrite |
| 30 |
the port fields only. |
| 31 |
|
| 32 |
|
| 33 |
-- |
| 34 |
Best regards, |
| 35 |
Daniel |
Archives