Re: Help! FTP DNAT from internet to intranet server not working

[matthew_buckland@xxxxxxxxxxxx]

The iptables stuff looks ok to me. Could it be something silly like 
having /etc/hosts.allow not allowing connections from external ip 
addresses on your ftp server?

Netfilter List wrote:
> hi,
>
> we got a strange problem while trying to access our internal ftp server
> from "outside" with iptables DNAT feature.
> it simply doesnt work.
>
> linux kernel is 2.4.29, iptables 1.3.1
>
> this is the COMPLETE firewall script.
> --------------------------------------
> #!/bin/sh
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> modprobe ip_conntrack_ftp
> modprobe ip_nat_ftp
>
> iptables -t nat -F
> iptables -P INPUT ACCEPT
> iptables -F INPUT
> iptables -P OUTPUT ACCEPT
> iptables -F OUTPUT
> iptables -P FORWARD ACCEPT
> iptables -F FORWARD
>
> iptables -t nat -A PREROUTING -p tcp --destination-port 20:21 -i eth1 -j 
> DNAT --to-destination 192.168.0.1
> --------------------------------------
>
> lsmod after loading firewall script:
> ------------------------------------
> Module                  Size  Used by    Not tainted
> ipt_MASQUERADE          1464   0  (autoclean)
> ipt_state                536   0  (autoclean)
> ip_nat_ftp              2736   0  (unused)
> iptable_nat            18488   2  [ipt_MASQUERADE ip_nat_ftp]
> ip_conntrack_ftp        3856   1
> ip_conntrack           20844   1  [ipt_MASQUERADE ipt_state ip_nat_ftp 
> iptable_nat ip_conntrack_ftp]
> ------------------------------------
>
> 192.168.0.1 is up and running (IIS 6.0), and ftp works without problems.
> eth1 is the external interface. we installed for test purposes proftpd 
> on an other machine
> (old redhat box with no firewall) -> same problem.
> so we think the ftp server cant be the point...
>
> when we try to acces the ftp server from outside, the ftp client gets a 
> timeout.
> there is no login, no error...nothing.
>
> tcpdump on eth1 (external if a.b.c.d) is:
> 16:17:55.897243 IP [ftp client ip].3962 > a.b.c.d.ftp: S 
> 4200552376:4200552376(0) win 64240 <mss 1460,nop,nop,sackOK>
> 16:17:58.815244 IP [ftp client ip].3962 > a.b.c.d.ftp: S 
> 4200552376:4200552376(0) win 64240 <mss 1460,nop,nop,sackOK>
> 16:18:04.820680 IP [ftp client ip].3962 > a.b.c.d.ftp: S 
> 4200552376:4200552376(0) win 64240 <mss 1460,nop,nop,sackOK>
> tcpdump on eth0 (internal if 192.168.0.100) is:
> 16:17:55.897280 IP [ftp client ip].3962 > localhost.ftp: S 
> 4200552376:4200552376(0) win 64240 <mss 1460,nop,nop,sackOK>
> 16:17:58.815258 IP [ftp client ip].3962 > localhost.ftp: S 
> 4200552376:4200552376(0) win 64240 <mss 1460,nop,nop,sackOK>
> 16:18:04.820694 IP [ftp client ip].3962 > localhost.ftp: S 
> 4200552376:4200552376(0) win 64240 <mss 1460,nop,nop,sackOK>
>
> when we insert the logging rule:
> iptables -t nat -A PREROUTING -p tcp --destination-port 20:21 -i eth1 -j 
> LOG --log-level 1 --log-prefix "DNAT FTP: "
> we get the following logfile entry:
> Mar 15 14:38:37 firewall kernel: DNAT FTP: IN=eth1 OUT= 
> MAC=00:04:75:cb:c4:a1:00:07:0e:88:af:20:08:00 SRC=[ftp client ip] 
> DST=a.b.c.d LEN=48  TOS=0x00 PREC=0x00 TTL=117 ID=17336 DF PROTO=TCP 
> SPT=2031 DPT=21 WINDOW=64240 RES=0x00 SYN URGP=0
>
> does anyone know, whats going on here?
> am i missing something?
>
> any help would be great....we ran out of ideas :(
>
> kind regards

--
Matthew Buckland, Network / Support Analyst
Wordbank Limited
33 Charlotte Street, London W1T 1RR
Direct line: +44 (0) 20 7903 8847
Fax: +44 (0) 20 7903 8888
<http://www.wordbank.com/>