
ftp server + masquerading


miyas (Technical User), Mar 1, 2001:
Hi,
I have a winbox with an FTP server behind a Linux firewall (made with iptables) and I can't connect to my FTP server from the Internet.
I can connect from Linux using the internal IP, so the problem doesn't come from the server.

I would appreciate any help or advice.
Thanks

Maxime
 
Hi,

This is tricky because of the two sessions involved, i.e. client to server port 21 and server port 20 back to the client. I think you do something like this:

# Only the first packet of a connection traverses the nat table, so a DROP policy here does not filter later packets
/sbin/iptables -t nat -P PREROUTING DROP
# --dport needs a protocol match (-p tcp); redirect inbound control connections to the FTP box
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 21 -j DNAT --to 172.16.16.2
# Let reply and helper-tracked (RELATED) packets flow from the LAN back out
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i eth0 -o eth1 -j ACCEPT

(Where eth0 is LAN, eth1 is Internet, 172.16.16.2 is the FTP box.) You would also need to have loaded the 'ip_nat_ftp' and 'ip_conntrack_ftp' modules first, i.e. via modprobe or insmod.

If the FTP server has a real public IP address and packets arrive at the firewall with that same address, then you would not use the nat command above. Rather you would just have a forward command like:

# --dport needs a protocol match (-p tcp)
/sbin/iptables -A FORWARD -i eth1 -p tcp --dport 21 -j ACCEPT

You would then just use routing commands if the FTP box address was not already in the routing table.

Hope this is of some help....
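For reference, here is a complete rule set that puts the pieces of the reply above together: the conntrack/NAT FTP helpers (so the port-20 active data connection and passive-mode data connections are tracked as RELATED and have their embedded addresses rewritten), the DNAT of port 21, the FORWARD rules for both the new control connection and the tracked data connections, and outbound masquerading. This is an added example, not code from the thread; it assumes a current kernel (helper modules are named nf_conntrack_ftp/nf_nat_ftp and the helper has to be attached explicitly with the CT target on kernels 4.7 and later), eth1 = Internet, eth0 = LAN, FTP box 172.16.16.2. It prints the commands by default (DRY_RUN=1); run it with DRY_RUN=0 as root to apply them.

```shell
#!/bin/sh
# Added example: FTP behind a Linux NAT firewall with iptables.
# Assumed interfaces/addresses: eth1 = Internet, eth0 = LAN, server 172.16.16.2.
DRY_RUN="${DRY_RUN:-1}"

# run CMD...: print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ftp_dnat_rules WAN_IF LAN_IF SERVER_IP
# Emits (or applies) the full rule set for forwarding FTP to SERVER_IP.
ftp_dnat_rules() {
    wan="$1"; lan="$2"; server="$3"
    [ -n "$wan" ] && [ -n "$lan" ] || { echo "usage: ftp_dnat_rules WAN_IF LAN_IF SERVER_IP" >&2; return 1; }
    # Reject anything that is not a dotted-decimal IPv4 address.
    case "$server" in
        ""|*[!0-9.]*|.*|*.|*..*) echo "bad server address: '$server'" >&2; return 1 ;;
    esac

    # 1. Helpers: the conntrack helper reads PORT/PASV on the port-21 control
    #    channel and marks the resulting data connection RELATED; the NAT helper
    #    rewrites the private address the server embeds in its PASV reply.
    #    (2.4-era names were ip_conntrack_ftp / ip_nat_ftp.)
    run modprobe nf_conntrack_ftp
    run modprobe nf_nat_ftp
    run sysctl -w net.ipv4.ip_forward=1

    # 2. Attach the ftp helper to inbound control connections (needed on
    #    kernels >= 4.7, where automatic helper assignment is disabled).
    run iptables -t raw -A PREROUTING -i "$wan" -p tcp --dport 21 -j CT --helper ftp

    # 3. Redirect inbound control connections to the FTP box.
    run iptables -t nat -A PREROUTING -i "$wan" -p tcp --dport 21 \
        -j DNAT --to-destination "$server"

    # 4. Filtering belongs in the filter table, not in nat: default-deny
    #    forwarding, then allow exactly what FTP needs.
    run iptables -P FORWARD DROP
    #    New control connection from the Internet to the (already DNATed) server.
    run iptables -A FORWARD -i "$wan" -o "$lan" -p tcp -d "$server" --dport 21 \
        -m conntrack --ctstate NEW -j ACCEPT
    #    Replies plus helper-tracked data connections in both directions:
    #    active mode (server port 20 -> client) and passive mode (client -> server).
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    #    Let LAN hosts initiate outbound connections.
    run iptables -A FORWARD -i "$lan" -o "$wan" -m conntrack --ctstate NEW -j ACCEPT

    # 5. Masquerade LAN traffic leaving on the Internet interface.
    run iptables -t nat -A POSTROUTING -o "$wan" -j MASQUERADE
}

# Usage (dry run prints the commands; DRY_RUN=0 applies them as root):
ftp_dnat_rules eth1 eth0 172.16.16.2
```

The order matters: without step 2 on a current kernel the helper never sees the control channel, port 21 works but every directory listing or transfer hangs, which is the classic symptom of "I can connect but nothing else works". Step 4's RELATED rule is what lets the port-20 data connection out without opening port 20 to the world.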

 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top