Re: how do i forward ftp from my firewall to an internal server?

Thanks for your reply Mark.
I should have explained better. I know that ftp uses two ports with a different setup for active and passive mode. That is not the problem. Right now I am only DNATing the control port and my INPUT,OUTPUT and FORWARD chains have a default policy of ACCEPT. The rules I posted are the _only_ rules I have for my firewall. The problem is that when I telnet to my $EXTIP port 21 I should get a welcome message and be able to send some commands but from logging all traffic to and from my internal ftp server I can see the following traffic:
Client->FTP: SYN
FTP->Client: SYN ACK
Client->FTP: ACK
FTP->Client: ACK PSH
FTP->Client: ACK PSH
FTP->Client: ACK PSH
FTP->Client: ACK PSH
Client->FTP: RST


after this short exchange the connection is terminated. If I telnet to $EXTIP port 80 and do a 'GET /' everything works fine. I have tried proftpd, in.ftpd, wu-ftpd and they all give the same result so it's not a problem with the ftp server software.

Gustav Petersson

Mark E. Donaldson wrote:

The FTP protocol works completely differently than http, particularly in the
way connections are negotiated and accepted.  You must also account for both
active and passive modes. I'm assuming the rules you have here are for new
connections to your FTP server?  What are your FTP rules for the FORWARD
chain?

-----Original Message-----
From: netfilter-admin@xxxxxxxxxxxxxxxxxxx
[mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Gustav Petersson
Sent: Saturday, February 28, 2004 12:28 AM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: how do i forward ftp from my firewall to an internal server?

Like the subject line says.. how do I do it?

I have http traffic forwarded to the same server but when I use the
same rule with only the port(s) changed for ftp traffic my ftp server opens
the connection but immediately closes it again. I have tried running both
the standard in.ftpd and proftpd. Any help would be greatly appreciated.

Gustav Petersson

I am running debian 3.0 with kernel 2.4.24 and I have the following modules
loaded:

ipt_LOG
ipt_state
iptable_filter
ip_nat_ftp
ip_conntrack_ftp
iptable_nat
ip_conntrack
ip_tables

Here is my firewall config:
#!/bin/sh

EXT_IP=1.2.3.4
INT_IP=192.168.x.x

modprobe iptable_nat
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

echo "1" > /proc/sys/net/ipv4/ip_forward

iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -P FORWARD ACCEPT
iptables -F FORWARD
iptables -t nat -F

# NAT
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 213.88.181.68

# Forward port 80 to internal server
iptables -A PREROUTING -t nat -p tcp -d $EXT_IP --dport 80 \
       -j DNAT --to $INT_IP:80

# Forward ports 20 and 21 to internal server
iptables -A PREROUTING -t nat -p tcp -d $EXT_IP --dport 20 \
       -j DNAT --to $INT_IP:20

iptables -A PREROUTING -t nat -p tcp -d $EXT_IP --dport 21 \
       -j DNAT --to $INT_IP:21
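The point Mark raises (active and passive mode both have to be accounted for, and the FORWARD chain matters once it is not wide open) is easiest to see in a complete rule set. The script below is an added example written for this thread, not Gustav's script and not anything from the netfilter project. It assumes an external interface eth0, a public address EXT_IP and an internal server INT_IP (all placeholders); by default it only prints the commands it would run, and applying them requires root and DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not the original poster's script: forward FTP through a
# netfilter/iptables firewall to an internal server, covering both active
# and passive mode. Assumptions (not from the thread): external interface
# eth0, public address EXT_IP, internal server INT_IP. DRY_RUN=1 (the
# default here) prints the commands instead of running them; run as root
# with DRY_RUN=0 to apply them.

EXT_IF="${EXT_IF:-eth0}"
EXT_IP="${EXT_IP:-1.2.3.4}"
INT_IP="${INT_IP:-192.168.1.10}"
DRY_RUN="${DRY_RUN:-1}"

# run CMD...: print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$@"
    else
        "$@"
    fi
}

# The FTP helper is what makes a plain DNAT of port 21 sufficient:
# ip_conntrack_ftp reads the PORT/PASV exchange on the control channel and
# marks the resulting data connection RELATED; ip_nat_ftp rewrites the
# address the server announces in its PASV reply from INT_IP to EXT_IP.
# Without it, a passive-mode client is told to connect to an unroutable
# private address (module names as on the poster's 2.4 kernel).
load_ftp_helpers() {
    run modprobe ip_conntrack_ftp
    run modprobe ip_nat_ftp
    run sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
}

# Deny-by-default FORWARD chain, so a missing or unloaded helper shows up
# as a blocked data connection instead of being masked by ACCEPT policies.
reset_chains() {
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    run iptables -t nat -F
}

ftp_forward_rules() {
    # Only inbound control connections need a DNAT. In active mode the
    # server opens the data connection itself (from port 20); in passive
    # mode the client connects to a port the server announces, and the
    # helper sets up the NAT expectation for it, so port 20 gets no rule.
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$EXT_IP" --dport 21 \
        -j DNAT --to-destination "$INT_IP:21"

    # Source NAT for traffic the internal server originates (this is the
    # path an active-mode data connection to the client takes).
    run iptables -t nat -A POSTROUTING -o "$EXT_IF" -s "$INT_IP" \
        -j SNAT --to-source "$EXT_IP"

    # New control-channel connections; the destination has already been
    # rewritten to INT_IP by the time the packet reaches FORWARD.
    run iptables -A FORWARD -i "$EXT_IF" -p tcp -d "$INT_IP" --dport 21 \
        -m state --state NEW -j ACCEPT

    # Everything the helper tagged RELATED (passive data connection from the
    # client, active data connection from the server) plus replies on
    # connections already established, in either direction.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

apply_firewall() {
    load_ftp_helpers
    reset_chains
    ftp_forward_rules
}

apply_firewall
```

Two checks worth doing after applying this: confirm with lsmod that both ip_conntrack_ftp and ip_nat_ftp are loaded (a DNAT of port 21 alone will get a banner and then fail on the first directory listing), and watch /proc/net/ip_conntrack while a client runs LIST to see the data connection appear as a RELATED entry. On kernels from 4.7 onward the modules are named nf_conntrack_ftp and nf_nat_ftp and are no longer attached to port 21 automatically; they have to be assigned explicitly, for example with a rule in the raw table such as iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp.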
