
NAT and FTP 1


Deepgloat

Programmer
Aug 27, 2003
7
US
I am running vsftpd on my Red Hat Linux 7.3 server and I believe I'm running into a problem with the NAT gateway/firewall that sits between my server and the Internet.

I am pretty sure I am not having a setup issue with vsftpd; I can connect *locally* (i.e., inside the firewall FTP-ing to localhost), but no joy from the Internet: passive mode times out and PORT commands wind up with a "425-Failed to establish connection" error.

From what I've gleaned searching through the manuals, since the gateway uses NAT, I believe that I need to enable IP forwarding on the Red Hat server, but I'm really getting stuck on how to accomplish this. The online manuals and the book I'm reading (Kabir's Red Hat Linux 7 Server) are either incomprehensible or don't go far enough in explaining the nuances of IP forwarding with NAT.

Help?!
 
You need to enable port forwarding on the NAT gateway/firewall - whatever that is. What you're reading about in the RH manual is if you're using RH as your firewall/gateway - is that the case?
 
It took me a while to figure out iptables. I am guessing you have a public IP address you will use that will forward to a private IP address inside your firewall. These three lines should work. eth0 is the external interface. Replace 37.135.42.8 with your public FTP IP address, and replace 10.0.0.5 with your internal FTP IP address:

iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A PREROUTING -t nat -p tcp -d 37.135.42.8 --dport 21 -j DNAT --to 10.0.0.5:21

iptables -A FORWARD -p tcp -d 10.0.0.5 --dport 21 -j ACCEPT

For some reason it took about an hour for the forwarding to start working. I don't know why. You can try this, wait a while, and see if it starts working.
 
What is your firewall? Proprietary? Linux?
Most iptables-based firewalls require that you also 'insmod' the ipt_conntrack and ipt_ftp modules to support the flaky nature of FTP.
 
No, I am not running RH 7.3 as a gateway/firewall. I have a hardware gateway/router that also has a built-in firewall, and the gateway is configured to forward incoming traffic on ports 20, 21 and 65100-65500 to the SOHO server (which is on my local network at 192.168.0.4). Incoming isn't the problem--I can establish a connection from the outside; it's when vsftpd tries to open a passive or active data connection that packets seem to be going splat against the inside of the firewall.
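As an added diagnostic example (not code from any of the posts; it assumes a gateway forwarding ports 20, 21 and 65100-65500 to 192.168.0.4 as described above, and uses 203.0.113.10 as a constructed public address), this Python script checks what an FTP server advertises in its passive-mode reply, and what a client asks for in a PORT command, against that NAT set-up. It covers both symptoms from the first post: passive time-outs (the server advertising its LAN address or a port outside the forwarded range) and the 425 error in active mode (the server being unable to connect out).

```python
import ipaddress
import re

# Constructed to mirror this thread's set-up: the gateway forwards ports 20, 21
# and 65100-65500 to the internal server at 192.168.0.4 (values from the posts).
FORWARDED_PORTS = {20, 21} | set(range(65100, 65501))
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HOSTPORT = r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)"
PASV_RE = re.compile(r"^227 .*\(" + HOSTPORT + r"\)")
PORT_RE = re.compile(r"^PORT " + HOSTPORT + r"\s*$")

def parse_hostport(groups):
    """FTP spells an endpoint as h1,h2,h3,h4,p1,p2: IPv4 octets, then port = p1*256 + p2."""
    addr = ipaddress.ip_address(".".join(groups[:4]))
    return addr, int(groups[4]) * 256 + int(groups[5])

def check_pasv_reply(reply, public_ip):
    """Diagnose a vsftpd '227' reply as an Internet client sees it; returns a list
    of problems (empty: the passive data connection can reach the server)."""
    m = PASV_RE.match(reply)
    if not m:
        return ["not a well-formed '227 Entering Passive Mode' reply"]
    addr, port = parse_hostport(m.groups())
    problems = []
    if any(addr in net for net in RFC1918):
        # Server advertised its LAN address; the Internet client then connects to
        # 192.168.x.x and times out: vsftpd's pasv_address must give the public IP.
        problems.append(f"advertised private address {addr}")
    elif str(addr) != public_ip:
        problems.append(f"advertised {addr}, but the public address is {public_ip}")
    if port not in FORWARDED_PORTS:
        # Keep vsftpd's pasv_min_port/pasv_max_port inside the forwarded range.
        problems.append(f"data port {port} is not forwarded to the server")
    return problems

def check_port_command(cmd, client_ip, server_may_connect_out):
    """Active mode: after PORT the *server* opens the data connection out to the
    client; a gateway blocking outbound to arbitrary high ports yields the
    '425 Failed to establish connection' error described in the first post."""
    m = PORT_RE.match(cmd)
    if not m:
        return ["not a well-formed PORT command"]
    addr, port = parse_hostport(m.groups())
    problems = []
    if str(addr) != client_ip:
        problems.append(f"PORT names {addr} but the control connection is from {client_ip}")
    if not server_may_connect_out:
        problems.append(f"server cannot open an outbound connection to {addr}:{port}")
    return problems
```

Feed it the 227 line your client actually receives from the Internet side; the first problem it reports is usually the one to fix in vsftpd.conf or on the gateway.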
 
bump

By the way, I tried to put the SOHO server in the gateway's DMZ. Didn't work.

I'm beginning to clue in that you get what you pay for, and it's time to either pony up the $$$ for Red Hat support or abandon Linux altogether for a friendlier server O/S like Mac OS X.
 
Pollux0, I have the same scenario: Internet --> Linux NAT --> local ftp w2k server.

I recently tried to configure FTP but failed. Now I'm trying your commands, FTPing from a Windows PC on the Internet, but it fails with the error: "ftp: connect: unknown error number".

I managed to ftp from Linux to w2k. But it failed when I ftp from outside Linux (even between the Internet and Linux). Am I missing something? Do I really need ip_conntrack_ftp in order to make ftp work? Or is it just a monitoring tool?

If you need to know more infrastructure of my network, please let me know.
 
I am having a problem too reaching my FTP/Linux Red Hat server through the Internet. I am able to go direct.

I tried the above solution and this is the error I am getting now:

Windows cannot access this folder. make sure you typed the file name correctly and that you have permission to access this folder

Details.
the operation timed out.

Any solutions?

I am going from Windows XP to Linux Red Hat 9.0.

david
 
I've got a RH8 Firewall/Router locked down to only allow traffic from ports 21, 25, 53, 80 & 443 to pass it. I faced the same problem you guys are facing. When I ftp in via the internet, the connection is established via port 21, but the internal ftp server cannot connect back to me because it tries to use ports like 1645, 1856, 32479 etc. that are not allowed through. In the end, I had to allow my ftp server full access outwards (not inwards) to the internet on all ports.
 
What do I have to do to allow my ftp server full access outwards to the internet on all ports?

david
 
Can't recall the actual setting as I myself am quite new to IPTABLES but I think it goes something like this:

iptables -A FORWARD -i eth0 -p tcp -s [w.x.y.z] -o eth1 -j ACCEPT

means: forward any tcp/ip traffic from server [w.x.y.z] from internal (eth0) to external (eth1) on all ports.

Will let you know the exact command when I get back to the office on Monday if this is not right.
 
I was having the same problem of being able to connect locally to my FTP server, but not through the internet. I finally tracked the problem down to my D-Link router. It turns out that it only accepts passive FTP connections (as do most, I'm told). I did a little poking around at Microsoft's and D-Link's sites and verified this. Microsoft has a very good Knowledge Base article along with a solution. Here's the link:


Basically all it involves is:

1. Start Internet Explorer.
2. On the Tools menu, click Internet Options.
3. Click the Advanced tab.
4. Under Browsing, click to clear the Enable folder view for FTP sites check box.
5. Click to select the Use Passive FTP (for firewall and DSL modem compatibility) check box.
6. Click OK.

I skipped step 4, since I like the folder view. It still works fine with it checked...

Hope this helps.

Larry
 