FTP-Proxy



Newbie2001
10.04.02, 18:48
Hello!
I'm currently using Squid as a transparent HTTP proxy, but now I'd also like to set up an FTP proxy. Are there any options for that, and if so, which?

geronet
10.04.02, 18:51
Squid is an FTP proxy too, but only if you configure it as the FTP proxy in the browser. If you need a real one, have a look at freshmeat.net

Regards, Stefan

Newbie2001
10.04.02, 19:15
Thanks for the quick reply, but how do I enable the FTP proxy function???

geronet
10.04.02, 19:32
It should already be enabled.. Just set the machine as FTP proxy in the browser and open the firewall..

Regards, Stefan

Newbie2001
10.04.02, 19:36
So far I've had the whole thing running as a transparent proxy; what does that look like for FTP? Do I just have to forward port 21 on the gateway to port 3128 (proxy) on the proxy server? Or does Squid accept FTP requests on a different port?

geronet
10.04.02, 20:42
Hmm, normally the browser "knows" that it's talking to a proxy, so it sends the FTP data via the HTTP protocol to the normal proxy port. I can't believe it works with redirected ports, but you can try it (it's extremely unlikely to work, though).
For a transparent FTP proxy you really need a real FTP proxy, but why a proxy at all? Just load the ip-masq-ftp module and it works.

Regards, Stefan

Newbie2001
11.04.02, 15:00
Is it enough if I just do modprobe_ip-masq-ftp, or do I need another command to load it properly?

geronet
11.04.02, 18:22
Hmm, no idea how it is with the 2.4 kernel, but with 2.2.18 there's the module "ip_masq_ftp", which you can load with

modprobe ip_masq_ftp

if it was shipped with the kernel.

Regards, Stefan

Newbie2001
11.04.02, 18:32
How can I find out whether the module is included? I've now installed and configured the SuSE Proxy Suite; strangely, the redirection of port 21 doesn't work. The redirection from port 80 to 3128 (Squid) works fine. Is an FTP site perhaps requested through a different port at the gateway?
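The question of how to tell whether the FTP helper module is shipped and loaded is not answered in the thread. As an added example (not from the thread or any of the projects mentioned), the script below checks both: whether a module file exists in the running kernel's module tree, and whether the module is listed in /proc/modules. ip_masq_ftp is the 2.2 module named above; ip_conntrack_ftp and ip_nat_ftp are the 2.4 netfilter modules that take over its role. The directory and file names are the standard ones; the `modules_root` and `proc_modules` parameters only exist so the check can be pointed at another tree.

```python
import platform
from pathlib import Path

# ip_masq_ftp: 2.2 masquerading helper from the thread.
# ip_conntrack_ftp / ip_nat_ftp: the 2.4 netfilter modules with the same job.
FTP_HELPERS = ("ip_masq_ftp", "ip_conntrack_ftp", "ip_nat_ftp")


def module_loaded(name, proc_modules="/proc/modules"):
    """True if the module is listed in the running kernel's module table."""
    try:
        with open(proc_modules) as fh:
            return any(line.split()[0] == name for line in fh if line.strip())
    except OSError:  # no /proc/modules (non-Linux, restricted container, ...)
        return False


def module_file(name, modules_root=None):
    """Path of the module file shipped for the running kernel, or None.

    modules_root defaults to /lib/modules/<kernel release>; pass another
    directory to inspect a different kernel's module tree.
    """
    root = Path(modules_root) if modules_root else Path("/lib/modules") / platform.release()
    if not root.is_dir():
        return None
    # name.o on 2.2/2.4 kernels, name.ko or name.ko.xz on later ones
    return next(root.rglob(f"{name}.*"), None)


def ftp_helper_status():
    """Map each helper name to whether it is shipped and whether it is loaded."""
    return {n: {"file": module_file(n), "loaded": module_loaded(n)} for n in FTP_HELPERS}


if __name__ == "__main__":
    for name, st in ftp_helper_status().items():
        shipped = "yes" if st["file"] else "no"
        loaded = "yes" if st["loaded"] else "no"
        print(f"{name:18} shipped={shipped:3} loaded={loaded}")
```

If a helper is shipped but not loaded, `modprobe <name>` loads it; if it is not shipped at all, the kernel was built without it.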

geronet
11.04.02, 18:52
Yep, with active FTP port 20 is also used as the data port.

Regards, Stefan

Newbie2001
11.04.02, 19:26
OK, I've forwarded ports 20 and 21 of the gateway machine to the port the FTP proxy is running on (3111). Seems to work, since FTP access works. How can I see whether it's really intervening now, or whether the redirection perhaps still isn't working properly and FTP access is still being forwarded directly without the proxy in between?

geronet
11.04.02, 20:02
- If you run
iptables -vL
and look at the packet counter of the REDIRECT rule while making a few accesses

- if the accesses show up in Squid's access.log.

Regards, Stefan

Newbie2001
11.04.02, 20:08
Hm, unfortunately I found another syntax error in the redirect rule and have fixed it now, but the FTP proxy (SuSE Proxy Suite) still doesn't seem to work, as I now have no FTP access from the clients at all. Can the Squid FTP proxy also be used transparently? You said earlier that wouldn't work. Hm, it seems to be due to my /etc/proxy-suite/ftp-proxy.conf file. But I can't find any error.

geronet
11.04.02, 20:14
>Can the Squid FTP proxy also be used transparently?
No, I don't think so, since there's a big difference between a browser knowing that it's talking to a proxy or not. With a transparent proxy you rewrite the headers of the requests ("httpd_accel_host" and "httpd_accel_uses_host_header on" in squid.conf etc..). I haven't found any such rules for FTP. Besides, an FTP client asks via FTP, a browser via Squid with HTTP.

Regards, Stefan

Newbie2001
11.04.02, 20:25
Aha, and now? How do I get an FTP proxy running at all? Can you make anything of this conf file? If not, no big deal.


#####################################################################
#
# $Id: ftp-proxy.conf.sample,v 1.3 1999/09/24 06:39:43 wiegand Exp $
#
# Sample FTP Proxy Configuration File
#
# For more information, see ftp-proxy.conf(5) manual page.
#
# The general format is "Keyword Value".
#
# Any white space at the beginning or end of a line and after
# the Keyword is ignored. Lines can be continued with '\'.
# Case is *NOT* sensitive, so "user" is "User" is "USER".
#
# Several variables can also be assigned to a client's user name.
# User specific sections are introduced by a '[username]' line.
# The variables are: TimeOut, ValidCommands, SameAddress,
# ActiveMinDataPort, ActiveMaxDataPort,
# PassiveMinDataPort, PassiveMaxDataPort,
# DestinationAddress, DestinationPort,
# DestinationMinPort, DestinationMaxPort,
# DestinationTransferMode
# These variables can also be obtained from an LDAP server, in
# which case the values from this file are not evaluated any
# more.
#
#####################################################################
#
# The start of the file is implicitly the [-Global-] section.
#

[-Global-]

# Enable this flag if you want to use a random port in
# the specified range with PassiveMinDataPort/MaxDataPort,
# DestinationMinPort/MaxPort, ActiveMinPort/MaxDataPort
# instead of incrementing the port number.
#
SockBindRand yes

# The following entries select a port range for client DTP
# ports in active mode, i.e. when the client sends a PORT
# command. The default is port 20 as per RFC 959, if the
# proxy is running as root (user ID 0) or a random port.
#
#ActiveMinDataPort 40000
#ActiveMaxDataPort 40999

# Defines the character to use as separator between user
# and host[:port] in the target setting of AllowMagicUser
# Default is the '@' character. This allows you to use
# E-Mail addresses as usernames for login to the ftp server
# (i.e. me@mydomain%ftp.server:21 if you set it to %).
#
UseMagicChar @

# The following flag is especially useful for outbound FTP
# traffic. It allows to put some "magic" in the USER name.
# If set, it enables the USER name to contain the target
# server in the form "user[@host[:port]]" and overrides
# the DestinationAddress (and DestinationPort) below.
#
AllowMagicUser yes

# The following setting allows you to configure a so called
# transparent proxy for outgoing ftp. To get it working you
# also have to redirect client requests on a gateway or
# firewall host (i.e. via ipchains) to the ftp-proxy.
# You can combine this with the AllowMagicUser flag.
#
AllowTransProxy yes

# This message prevents any login if a file with the given
# name exists. Instead the contents of the file will be sent
# to the client and the connection closed. Lines are prefixed
# with "421-". If no such file exists, the mechanism is not
# triggered and DenyString (s.b.) is ignored altogether.
#
#DenyMessage /etc/proxy-suite/ftp-deny.txt

# If a DenyMessage file exists, the deny mechanism will be
# activated in any case. If a DenyString exists, it will be
# sent (with escape sequences) as the last line (with a 421
# reply code), else the standard message
# "Service not available" will be displayed.
#
DenyString Service out of order

# Where to redirect incoming FTP traffic. This destination
# will be used if a client has not set its own target.
# WARNING: ftp-proxy will refuse to run if this directive
# is not set.
#
DestinationAddress server.spiegelhome.tld

# (Local) port range for all connections to the server. The
# default is to let the proxy select any ephemeral port.
#
DestinationMinPort 42900
DestinationMaxPort 42999

# This is the port corresponding to DestinationAddress. It
# defaults to 21, the standard FTP port.
#
DestinationPort 21

# Specify the FTP transfer mode to be used from the proxy to
# the server. TransferMode can be active, passive, or client.
# The default is "client" which means to use the same as the
# client.
#
DestinationTransferMode client
# DestinationTransferMode passive
# DestinationTransferMode active

# If given, change GID to give up root privileges. In POSIX
# environments this changes all group ID's.
#
#Group nogroup
# Group nobody

# Access information based upon users can also be obtained
# dynamically from an LDAP directory. This works only if the
# program was compiled with LDAP support. Both the University
# of Michigan and the Netscape LDAP API are supported.
#
# LDAPServer ldap.domain.tld[:port]

# When accessing the LDAP directory, a search base can be
# handed to the search functions. We strongly recommend to
# do so. This is the "root" of the relevant search tree.
#
# LDAPBaseDN dc=domain,dc=tld

#
# Use distinguished name to (simple) bind to the directory
# service. If not set, an anonymous bind is used.
#
# LDAPBindDN uid=ftp-proxy,dc=domain,dc=tld

#
# Use credential (password) to bind to the directory service
# using distinguished name given with LDAPBindDN. If not set,
# an anonymous bind is used.
#
# LDAPBindPW aPassword

# The next thing to decide when using LDAP is the attribute
# used as the main identifier. Some administrators will
# use the CN (Common Name) attribute, and this is also the
# default, but it can be any legal identifier.
#
# LDAPIdentifier LoginName

# Additionally, an LDAP ObjectClass should be defined for
# the FTP User(s). This will be especially useful if the
# user entries are located inside a mixed LDAP hierarchy.
# If an ObjectClass is given, the search is executed as:
# "(&(ObjectClass=<class>)(CN=<username>))", else it will
# just be based upon CN (the Common Name) or whatever has
# been assigned to LDAPIdentifier above.
#
# LDAPObjectClass FTPProxyUser

# Set to listen on a specific interface (0.0.0.0 means all
# and is also the default). Address can be given as dotted
# decimal IP address or DNS host name.
#
Listen 192.168.1.1

# Determine where to send logging information. If the value
# starts with a '/' it is assumed to be a file. If it starts
# with a '|' it is assumed to be a program which will be
# popen()-ed. Anything else is assumed to be a facility for
# syslog(). See ftp-proxy.conf(5) and the "SYSLOG" file for
# severity handling.
#
# LogDestination daemon
LogDestination /var/log/ftp-proxy.log
# LogDestination |/usr/bin/rotatelogs /var/log/ftp-proxy.log

# Maximum number of concurrent clients if running as daemon.
MaxClients 30

# This message (or rather the contents of a file with this
# name) will be issued when MaxClients is exceeded, each
# line prefixed with "421-". If no such file exists, only
# the MaxClientsString below will be displayed.
#
# MaxClientsMessage /etc/proxy-suite/ftp-maxclients.txt

# This string (with a default of "Service not available") will
# be displayed, if the configured maximum number of concurrent
# clients has been reached. It is prefixed with '421 '.
MaxClientsString The server is full

# The following entries select a port range for client DTP
# ports in passive mode, i.e. when the client sends a PASV.
# If no port range is given, no bind is performed, in which
# case the proxy lets the machine select an ephemeral port.
#
# PassiveMinDataPort 41000
# PassiveMaxDataPort 41999

# Write an ASCII file with the Program ID if given. Only valid
# if running as daemon, in which case the daemon itself uses it.
#
PidFile /var/run/ftp-proxy.pid

# Port to listen on (for the SERVER-PI). Default is "ftp".
# Can be given as TCP service name or as a plain number.
#
Port 3111

# The following flag specifies the action when a PORT command
# is received while a PASV listening socket is outstanding.
# The RFC is not really clear about the "correct" behaviour,
# but since most existing implementations seem to reset the
# listener, we do the same by default. Nevertheless they all
# may be ... inaccurate.
#
# PortResetsPasv yes

# Shall we allow data connections only from the same host where
# the control connection originated from? Default is yes. If
# you say no here, the proxy is able to take part in so called
# third party server to server transfers.
#
SameAddress yes

# If given, chroot() to this directory after initializing. Only
# valid for inetd mode or forked clients. The daemon will stay.
#
# ServerRoot /var/ftp-proxy/rundir

# Determine whether to run as daemon or in inetd mode. This can
# be overridden by -d/-i command line switch. Default is inetd.
#
# ServerType inetd
ServerType standalone

# Shall we use the TCP Wrapper Library when running as daemon?
# "on", "yes", "true" or a non-zero number means yes, anything
# else no. Default no. Only applicable when running as daemon.
# Note that TCP Wrapper support must be compiled in for this to
# work.
#
TCPWrapper yes

# If a client has no activity for this many seconds, it is
# regarded to be dead and the connection will be terminated.
# Default is 900 seconds, i.e. 15 minutes.
#
# TimeOut 900

# If the proxy server needs to advertise itself (in outgoing
# responses like answers to PASV commands) with a different
# address than it actually has, the following option can be
# used. Relevant e.g. when using a NAT device in the path.
#
TranslatedAddress 0.0.0.0

# If given, change UID to give up root privileges. In POSIX
# environments this changes all user ID's.
#
# User nobody
#User ftpproxy

# List of FTP commands that will be allowed from a client.
# All commands not on this list will be rejected. If no list
# exists, then all commands will be allowed.
# Each command can be followed by an optional equals sign
# and regular expression (POSIX 1003.2) to restrict legal
# argument(s) syntax. In order to avoid confusing the
# configuration reading functions, the expression is "pre-
# processed." This means that a sequence like "%20" will be
# replaced by a space and "%5c" or "%5C" by a backslash
# before being compiled. In fact, this looks a bit like the
# HTML way of doing things. The percent sign itself is
# represented by "%25" of course. The pattern is interpreted
# as a POSIX 1003.2 RE (with REG_NEWLINE flag set), and is
# case sensitive. In any case, this works only if compiled
# with regular expression support compiled into the program.
#
# ValidCommands ABOR, PASS, PASV, STOR, USER, \
#               MODE, QUIT, SYST

# This file will be presented to all clients immediately after
# the connection has been established. Each line is prefixed
# with "220-". The whole message is followed by a standard
# "220 <host> FTP server (<version>) ready" or whatever has
# been substituted with WelcomeString below. Escape sequences
# (like %h for hostname; see ftp-proxy.conf(5)) are active.
#
# WelcomeMessage /etc/proxy-suite/ftp-welcome.txt

# If we wanted to disguise as some known other FTP server we
# could use the following option. It replaces the standard
# "<host> FTP server (<version>) ready" in the initial 220
# message. As with all Messages and Strings, various escape
# sequences are available.
#
# WelcomeString Welcome to %h


############################################################
# $Log: ftp-proxy.conf.sample,v $
# Revision 1.3 1999/09/24 06:39:43 wiegand
# added regular expressions for all commands
# removed character map and length of paths
# added flag to reset PASV on every PORT
# added "magic" user with built-in destination
# added some argument pointer fortification
#
# Revision 1.2 1999/09/17 11:04:02 wiegand
# added path name restriction options
#
# Revision 1.1 1999/09/16 07:53:54 wiegand
# initial checkin
#
############################################################

geronet
11.04.02, 20:41
That's cool, though..

# The following setting allows you to configure a so called
# transparent proxy for outgoing ftp. To get it working you
# also have to redirect client requests on a gateway or
# firewall host (i.e. via ipchains) to the ftp-proxy.
# You can combine this with the AllowMagicUser flag.
#
AllowTransProxy yes

It has to work if you redirect ports 20 and 21 to the local ports 20 and 21 in the PREROUTING table...

Regards, Stefan

Newbie2001
11.04.02, 20:53
Hm, I thought so too, but it doesn't work. I've set the redirection rule (iptables -L shows it to me, too) and I haven't changed the ftp-proxy configuration. So I don't understand why it doesn't work.

Newbie2001
11.04.02, 20:56
Here's iptables -L:
Chain PREROUTING (policy ACCEPT 1005 packets, 70415 bytes)
pkts bytes target prot opt in out source destination
5 240 REDIRECT tcp -- * * 192.168.0.0/16 0.0.0.0/0 tcp dpt:80 redir ports 3128
0 0 REDIRECT udp -- * * 192.168.0.0/16 0.0.0.0/0 udp dpt:80 redir ports 3128
3 144 REDIRECT tcp -- * * 192.168.0.0/16 0.0.0.0/0 tcp dpt:21 redir ports 21
0 0 REDIRECT udp -- * * 192.168.0.0/16 0.0.0.0/0 udp dpt:20 redir ports 20
0 0 REDIRECT udp -- * * 192.168.0.0/16 0.0.0.0/0 udp dpt:21 redir ports 21
0 0 REDIRECT tcp -- * * 192.168.0.0/16 0.0.0.0/0 tcp dpt:20 redir ports 20
0 0 DNAT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4000 to:192.168.1.4:4000
0 0 DNAT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:4000 to:192.168.1.4:4000
0 0 DNAT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpts:6112:6119 to:192.168.1.4:6112-6119
0 0 DNAT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpts:6112:6119 to:192.168.1.4:6112-6119
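The counter check suggested a few posts up (watch the REDIRECT rules' packet counters in `iptables -vL` while making a few accesses) is easy to get wrong by eye when the chain is long. As an added example (not from the thread or any project mentioned in it), the Python script below parses `iptables -vL` output like the chain above and reports which REDIRECT rules gained packets between two snapshots. The first snapshot is the chain as posted (first seven rules); the second is constructed, with the tcp dpt:21 rule hit four more times. It also handles the abbreviated counters (157K, 12M) that `-v` prints for busy rules.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Snapshot 1: the nat PREROUTING chain as posted above (first seven rules).
SNAPSHOT_BEFORE = """\
Chain PREROUTING (policy ACCEPT 1005 packets, 70415 bytes)
 pkts bytes target     prot opt in     out     source               destination
    5   240 REDIRECT   tcp  --  *      *       192.168.0.0/16       0.0.0.0/0            tcp dpt:80 redir ports 3128
    0     0 REDIRECT   udp  --  *      *       192.168.0.0/16       0.0.0.0/0            udp dpt:80 redir ports 3128
    3   144 REDIRECT   tcp  --  *      *       192.168.0.0/16       0.0.0.0/0            tcp dpt:21 redir ports 21
    0     0 REDIRECT   udp  --  *      *       192.168.0.0/16       0.0.0.0/0            udp dpt:20 redir ports 20
    0     0 REDIRECT   udp  --  *      *       192.168.0.0/16       0.0.0.0/0            udp dpt:21 redir ports 21
    0     0 REDIRECT   tcp  --  *      *       192.168.0.0/16       0.0.0.0/0            tcp dpt:20 redir ports 20
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4000 to:192.168.1.4:4000
"""

# Snapshot 2 (constructed): the same chain after four more FTP control
# connections have hit the tcp dpt:21 rule.
SNAPSHOT_AFTER = SNAPSHOT_BEFORE.replace(
    "    3   144 REDIRECT   tcp", "    7   336 REDIRECT   tcp")

SUFFIXES = {"K": 10**3, "M": 10**6, "G": 10**9}


def parse_count(tok):
    """iptables -vL abbreviates large counters (157K, 12M, ...)."""
    if tok[-1] in SUFFIXES:
        return int(float(tok[:-1]) * SUFFIXES[tok[-1]])
    return int(tok)


@dataclass
class Rule:
    chain: str
    target: str
    proto: str
    source: str
    destination: str
    dport: Optional[str]       # "80", "21" or a range such as "6112:6119"
    redir_port: Optional[str]  # REDIRECT target port, None for other targets
    pkts: int
    nbytes: int

    def key(self):
        """Identity of the rule without its counters."""
        return (self.chain, self.target, self.proto, self.source,
                self.destination, self.dport, self.redir_port)


def parse_iptables_v(text):
    """Parse `iptables -vL` (or `iptables -t nat -vL`) output into Rule objects."""
    rules, chain = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        if line.startswith("pkts "):
            continue  # column header
        tok = line.split()
        if chain is None or len(tok) < 9:
            raise ValueError(f"unexpected line: {raw!r}")
        # fixed columns: pkts bytes target prot opt in out source destination
        extra = " ".join(tok[9:])
        dport = re.search(r"\bdpts?:(\S+)", extra)
        redir = re.search(r"\bredir ports (\d+)", extra)
        rules.append(Rule(chain, tok[2], tok[3], tok[7], tok[8],
                          dport.group(1) if dport else None,
                          redir.group(1) if redir else None,
                          parse_count(tok[0]), parse_count(tok[1])))
    return rules


def fired_redirects(before_text, after_text):
    """REDIRECT rules whose packet counter grew, as (proto, dport, redir_port, delta)."""
    before = parse_iptables_v(before_text)
    after = parse_iptables_v(after_text)
    if [r.key() for r in before] != [r.key() for r in after]:
        raise ValueError("rule set changed between snapshots; counters are not comparable")
    return [(b.proto, b.dport, b.redir_port, a.pkts - b.pkts)
            for b, a in zip(before, after)
            if b.target == "REDIRECT" and a.pkts > b.pkts]


if __name__ == "__main__":
    for hit in fired_redirects(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        print("REDIRECT %s dport %s -> local port %s: +%d packets" % hit)
```

In practice you would capture `iptables -t nat -vL PREROUTING` before and after a test transfer and feed both captures to `fired_redirects`; a rule whose counter does not move while the FTP session works means the traffic is bypassing the proxy.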

Newbie2001
11.04.02, 21:19
I've just found the following entries in the log files:
ftp-child [10498] <04/11-19:13:34> USER-INF connect from 192.168.1.2
ftp-child [10498] <04/11-19:13:34> USER-WRN requested transparent proxy dest 192.168.1.1 is local
ftp-child [10498] <04/11-19:13:34> USER-INF 'USER anonymous' from 192.168.1.2
ftp-child [10498] <04/11-19:13:34> USER-INF reading data for 'anonymous' from cfg-file
ftp-child [10498] <04/11-19:13:34> TECH-ERR Srv-Ctrl: can't connect 192.168.1.1:21 for 192.168.1.2
ftp-child [10499] <04/11-19:13:36> USER-INF connect from 192.168.1.2
ftp-child [10499] <04/11-19:13:36> USER-WRN requested transparent proxy dest 192.168.1.1 is local
ftp-child [10499] <04/11-19:13:36> USER-INF 'USER anonymous' from 192.168.1.2
ftp-child [10499] <04/11-19:13:36> USER-INF reading data for 'anonymous' from cfg-file
ftp-child [10499] <04/11-19:13:36> TECH-ERR Srv-Ctrl: can't connect 192.168.1.1:21 for 192.168.1.2
ftp-child [11259] <04/11-19:14:22> USER-INF connect from 192.168.1.2
ftp-child [11259] <04/11-19:14:22> USER-WRN requested transparent proxy dest 192.168.1.1 is local
ftp-child [11259] <04/11-19:14:22> USER-INF 'USER anonymous' from 192.168.1.2
ftp-child [11259] <04/11-19:14:22> USER-INF reading data for 'anonymous' from cfg-file
ftp-child [11259] <04/11-19:14:22> TECH-ERR Srv-Ctrl: can't connect 192.168.1.1:21 for 192.168.1.2
ftp-child [11260] <04/11-19:14:25> USER-INF connect from 192.168.1.2
ftp-child [11260] <04/11-19:14:25> USER-WRN requested transparent proxy dest 192.168.1.1 is local
ftp-child [11260] <04/11-19:14:25> USER-INF 'USER anonymous' from 192.168.1.2
ftp-child [11260] <04/11-19:14:25> USER-INF reading data for 'anonymous' from cfg-file
ftp-child [11260] <04/11-19:14:25> TECH-ERR Srv-Ctrl: can't connect 192.168.1.1:21 for 192.168.1.2
ftp-child [11261] <04/11-19:14:25> USER-INF connect from 192.168.1.2
ftp-child [11261] <04/11-19:14:25> USER-WRN requested transparent proxy dest 192.168.1.1 is local
ftp-child [11261] <04/11-19:14:25> USER-INF 'USER anonymous' from 192.168.1.2
ftp-child [11261] <04/11-19:14:25> USER-INF reading data for 'anonymous' from cfg-file
ftp-child [11261] <04/11-19:14:25> TECH-ERR Srv-Ctrl: can't connect 192.168.1.1:21 for 192.168.1.2
ftp-child [11262] <04/11-19:14:26> USER-INF connect from 192.168.1.2
ftp-child [11262] <04/11-19:14:26> USER-WRN requested transparent proxy dest 192.168.1.1 is local
ftp-child [11262] <04/11-19:14:26> USER-INF 'USER anonymous' from 192.168.1.2
ftp-child [11262] <04/11-19:14:26> USER-INF reading data for 'anonymous' from cfg-file
ftp-child [11262] <04/11-19:14:26> TECH-ERR Srv-Ctrl: can't connect 192.168.1.1:21 for 192.168.1.2
ftp-child [11263] <04/11-19:14:26> USER-INF connect from 192.168.1.2
ftp-child [11263] <04/11-19:14:26> USER-WRN requested transparent proxy dest 192.168.1.1 is local
ftp-child [11263] <04/11-19:14:26> USER-INF 'USER anonymous' from 192.168.1.2
ftp-child [11263] <04/11-19:14:26> USER-INF reading data for 'anonymous' from cfg-file
ftp-child [11263] <04/11-19:14:26> TECH-ERR Srv-Ctrl: can't connect 192.168.1.1:21 for 192.168.1.2
ftp-child [11264] <04/11-19:14:26> USER-INF connect from 192.168.1.2
ftp-child [11264] <04/11-19:14:26> USER-WRN requested transparent proxy dest 192.168.1.1 is local
ftp-child [11264] <04/11-19:14:26> USER-INF 'USER anonymous' from 192.168.1.2
ftp-child [11264] <04/11-19:14:26> USER-INF reading data for 'anonymous' from cfg-file
ftp-child [11264] <04/11-19:14:26> TECH-ERR Srv-Ctrl: can't connect 192.168.1.1:21 for 192.168.1.2
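The log above has a clear signature: every child warns "requested transparent proxy dest ... is local" and then fails with "Srv-Ctrl: can't connect". As an added example (not from the thread or from proxy-suite), the Python script below parses ftp-proxy log lines in this format, groups them per child process, and flags sessions that show this pattern. The sample log embeds the first two sessions as posted plus a third, constructed, healthy session; the verdict strings are my own wording.

```python
import re
from collections import OrderedDict

# One line: process [pid] <timestamp> CATEGORY-SEVERITY message
LOG_RE = re.compile(
    r"^(?P<proc>\S+) \[(?P<pid>\d+)\] <(?P<ts>[^>]+)> "
    r"(?P<cat>[A-Z]+)-(?P<sev>[A-Z]+) (?P<msg>.*)$")

# Message patterns worth extracting, applied to the message part of each line.
FIELD_PATTERNS = [
    ("client", re.compile(r"^connect from (\S+)")),
    ("user", re.compile(r"^'USER ([^']+)'")),
    ("local_dest", re.compile(r"^requested transparent proxy dest (\S+) is local")),
    ("connect_failed", re.compile(r"^Srv-Ctrl: can't connect (\S+) for")),
]

# Two sessions as posted above; the third (pid 12000) is constructed as a
# session that reached the 'reading data' step without any error.
SAMPLE_LOG = """\
ftp-child [10498] <04/11-19:13:34> USER-INF connect from 192.168.1.2
ftp-child [10498] <04/11-19:13:34> USER-WRN requested transparent proxy dest 192.168.1.1 is local
ftp-child [10498] <04/11-19:13:34> USER-INF 'USER anonymous' from 192.168.1.2
ftp-child [10498] <04/11-19:13:34> USER-INF reading data for 'anonymous' from cfg-file
ftp-child [10498] <04/11-19:13:34> TECH-ERR Srv-Ctrl: can't connect 192.168.1.1:21 for 192.168.1.2
ftp-child [10499] <04/11-19:13:36> USER-INF connect from 192.168.1.2
ftp-child [10499] <04/11-19:13:36> USER-WRN requested transparent proxy dest 192.168.1.1 is local
ftp-child [10499] <04/11-19:13:36> USER-INF 'USER anonymous' from 192.168.1.2
ftp-child [10499] <04/11-19:13:36> USER-INF reading data for 'anonymous' from cfg-file
ftp-child [10499] <04/11-19:13:36> TECH-ERR Srv-Ctrl: can't connect 192.168.1.1:21 for 192.168.1.2
ftp-child [12000] <04/11-19:20:01> USER-INF connect from 192.168.1.3
ftp-child [12000] <04/11-19:20:01> USER-INF 'USER anonymous' from 192.168.1.3
ftp-child [12000] <04/11-19:20:02> USER-INF reading data for 'anonymous' from cfg-file
"""


def parse_line(line):
    """Return the line's fields as a dict, or None if it is not an ftp-proxy line."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def sessions(text):
    """Group records by child pid, preserving first-seen order."""
    by_pid = OrderedDict()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            by_pid.setdefault(rec["pid"], []).append(rec)
    return by_pid


def diagnose(text):
    """Per session: who connected, where it wanted to go, and why it failed."""
    findings = OrderedDict()
    for pid, recs in sessions(text).items():
        info = {"client": None, "user": None, "local_dest": None,
                "connect_failed": None, "errors": 0, "verdict": "ok"}
        for rec in recs:
            if rec["sev"] == "ERR":
                info["errors"] += 1
            for field, pat in FIELD_PATTERNS:
                m = pat.match(rec["msg"])
                if m:
                    info[field] = m.group(1)
        if info["local_dest"] and info["connect_failed"]:
            info["verdict"] = ("redirect loop: transparent destination %s is local to the "
                               "proxy host and the server-side connect to %s failed"
                               % (info["local_dest"], info["connect_failed"]))
        elif info["connect_failed"]:
            info["verdict"] = "upstream %s unreachable" % info["connect_failed"]
        findings[pid] = info
    return findings


if __name__ == "__main__":
    for pid, info in diagnose(SAMPLE_LOG).items():
        print(f"[{pid}] {info['client']} -> {info['verdict']}")
```

The WRN line is the useful one for the defender: the proxy itself is telling you that the destination the client was redirected with is the proxy host's own address, so the redirect is feeding the proxy back to itself rather than to an upstream server.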

geronet
11.04.02, 22:21
Hmm, I think this FTP proxy doesn't like it when you redirect the FTP packets to it locally..

Regards, Stefan

Newbie2001
12.04.02, 11:33
Hm, OK, at the moment it looks like this. My clients hang off 192.168.1.0/24 (proxy server = 192.168.1.1). The machine with the proxy server has two network cards (192.168.1.1 and 192.168.100.2). The proxy listens on 192.168.1.1. I've now configured it to forward all requests to my second network interface (192.168.100.2). That one is connected to another router and ultimately to the Internet. However, the ftp-proxy always forwards its requests to port 21 as well (no, what a coincidence), and so the forwarding to 192.168.100.2:21 is picked up again by the firewall and redirected to the proxy, since I had configured that all requests from the 192.168.1.0/24 network are to be forwarded to proxy port 3111. So it's an endless loop. How can I tell the firewall to forward all requests arriving at my machine on port 21 to local port 21, except those directed at 192.168.100.2? I hope you understand what I mean, even if it's expressed a bit clumsily, and can help me.

geronet
12.04.02, 17:35
You do have iptables, right?
With it you can also change the rules so that it doesn't send the FTP packets from the proxy server back again. Best show me the REDIRECT rule from the firewall; you may only need to insert a

! --source 192.168.100.2

Regards, Stefan
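Why the loop happens, and what the suggested `! --source 192.168.100.2` does, can be worked through without touching a live firewall. As an added example (not from the thread or from SuSEFirewall2), the Python script below is a small first-match evaluator for nat REDIRECT rules. It reproduces the FTP rules of the PREROUTING chain posted above and evaluates three constructed packets against them: a client behind the proxy, the proxy's own connection to an upstream server, and an outside host. The point it makes is that the `192.168.0.0/16` source match also covers the proxy's second interface `192.168.100.2`, so the proxy's own outbound port-21 connection matches the REDIRECT rule. Since one iptables rule cannot carry two `--source` matches, the exclusion is modelled as an ACCEPT rule placed before the REDIRECT (nat ACCEPT means "no NAT, stop traversing"); the literal `! --source` form is shown too. One caveat a practitioner should keep in mind: in Netfilter, packets the proxy generates itself pass through the nat OUTPUT chain, not PREROUTING, so the exclusion belongs in whichever chain the firewall script actually redirects from. The upstream and outsider addresses (198.51.100.7, 203.0.113.9) are documentation addresses, not hosts from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class NatRule:
    proto: str
    source: str                    # CIDR; "0.0.0.0/0" matches any source
    dport: int
    target: str                    # "REDIRECT" or "ACCEPT"
    to_port: Optional[int] = None  # REDIRECT --to-ports
    source_negated: bool = False   # models "! --source <addr>"

    def matches(self, pkt):
        src_hit = ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.source, strict=False)
        if self.source_negated:
            src_hit = not src_hit
        return src_hit and pkt["proto"] == self.proto and pkt["dport"] == self.dport


def evaluate(chain, pkt, policy="ACCEPT"):
    """First matching rule wins; returns (target, port the connection ends up on)."""
    for rule in chain:
        if rule.matches(pkt):
            return (rule.target, rule.to_port if rule.target == "REDIRECT" else pkt["dport"])
    return (policy, pkt["dport"])


# The HTTP and FTP REDIRECT rules of the PREROUTING chain as posted above.
CHAIN_AS_POSTED = [
    NatRule("tcp", "192.168.0.0/16", 80, "REDIRECT", 3128),
    NatRule("tcp", "192.168.0.0/16", 21, "REDIRECT", 3111),
    NatRule("tcp", "192.168.0.0/16", 20, "REDIRECT", 3111),
]

# Exclusion for the proxy's outbound address, placed *before* the REDIRECT.
CHAIN_WITH_EXCLUSION = [NatRule("tcp", "192.168.100.2/32", 21, "ACCEPT")] + CHAIN_AS_POSTED

# The literal "! --source 192.168.100.2" form: everyone except the proxy is
# redirected, but the rule is no longer limited to 192.168.0.0/16.
CHAIN_LITERAL_NEGATION = [
    NatRule("tcp", "192.168.100.2/32", 21, "REDIRECT", 3111, source_negated=True),
]

# Constructed packets (dst addresses are documentation ranges, not real hosts).
CLIENT_TO_UPSTREAM = {"src": "192.168.1.2", "dst": "198.51.100.7", "proto": "tcp", "dport": 21}
PROXY_TO_UPSTREAM = {"src": "192.168.100.2", "dst": "198.51.100.7", "proto": "tcp", "dport": 21}
OUTSIDER_TO_UPSTREAM = {"src": "203.0.113.9", "dst": "198.51.100.7", "proto": "tcp", "dport": 21}


if __name__ == "__main__":
    for label, chain in (("as posted", CHAIN_AS_POSTED),
                         ("with exclusion", CHAIN_WITH_EXCLUSION),
                         ("literal negation", CHAIN_LITERAL_NEGATION)):
        for name, pkt in (("client", CLIENT_TO_UPSTREAM),
                          ("proxy", PROXY_TO_UPSTREAM),
                          ("outsider", OUTSIDER_TO_UPSTREAM)):
            print(f"{label:17} {name:9} {pkt['src']:15} -> {evaluate(chain, pkt)}")
```

Running it shows the proxy's own packet landing on port 3111 again under the posted rules (the loop), and on port 21 unchanged once the exclusion precedes the REDIRECT.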

Newbie2001
12.04.02, 18:37
Here's my PREROUTING chain again:
Chain PREROUTING (policy ACCEPT 2454 packets, 157K bytes)
pkts bytes target prot opt in out source destination
3 144 REDIRECT tcp -- * * 192.168.0.0/16 0.0.0.0/0 tcp dpt:80 redir ports 3128
0 0 REDIRECT udp -- * * 192.168.0.0/16 0.0.0.0/0 udp dpt:80 redir ports 3128
0 0 REDIRECT tcp -- * * 192.168.0.0/16 0.0.0.0/0 tcp dpt:21 redir ports 3111
0 0 REDIRECT tcp -- * * 192.168.0.0/16 0.0.0.0/0 tcp dpt:20 redir ports 3111
0 0 REDIRECT udp -- * * 192.168.0.0/16 0.0.0.0/0 udp dpt:21 redir ports 3111
0 0 REDIRECT udp -- * * 192.168.0.0/16 0.0.0.0/0 udp dpt:20 redir ports 3111
0 0 DNAT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4000 to:192.168.1.4:4000
0 0 DNAT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:4000 to:192.168.1.4:4000
0 0 DNAT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpts:6112:6119 to:192.168.1.4:6112-6119
0 0 DNAT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpts:6112:6119 to:192.168.1.4:6112-6119


Sorry, that was the wrong table; this is the right one.

geronet
12.04.02, 19:26
No, I don't need the table but the script that contains the iptables calls.

Regards, Stefan

Newbie2001
12.04.02, 19:32
Ah, I see. The whole thing is generated by SuSEFirewall2. So I don't have my own iptables script yet, but I could extend the firewall script with the new redirect commands.