I did not change any proftpd settings, they are the default installation.
I have to use active connection.
The suggested line "iptables -t nat -A PREROUTING -p tcp --dport 20:21 -j DNAT --to-destination 10.10.203.10" made no difference.

I started the proftpd in the foreground with debug output, but there is no output when I try to connect via the 4.9.59 system, the client just times out.
With the 3.5.4 system I can see the connection coming in and responses to the "ls" command in my ftp client.

Does it have something to do with conntrack?

> -----Original Message-----
> From: Daniel [mailto:5960761@xxxxxxxxx]
> Sent: Tuesday 14 August 2018 16:55
> To: Vink, Ronald
> Subject: Re: cant get ftp forwarding working
>
> I just checked my ftp server, which is pure-ftp; if the connection is
> active, redirecting port 21 should be enough. For passive connections I
> have redirection on ports 31500-31600, but this should be explicitly
> mentioned in the ftp configuration. So please check your server
> configuration, as the iptables rules look OK to me.
>
> On 14.08.2018 16:41, Vink, Ronald wrote:
> > Daniel
> > The requested outputs for both systems
> > ===============================
> > uname -a
> > Linux minos2.vla.boka 3.5.4-vessel #2 SMP Thu Apr 10 09:13:39 CEST 2014 i686 i686 i386 GNU/Linux
> >
> > iptables -L
> > Chain INPUT (policy ACCEPT)
> > target     prot opt source               destination
> >
> > Chain FORWARD (policy ACCEPT)
> > target     prot opt source               destination
> >
> > Chain OUTPUT (policy ACCEPT)
> > target     prot opt source               destination
> >
> > iptables -t nat -L
> > Chain PREROUTING (policy ACCEPT)
> > target     prot opt source               destination
> > DNAT       tcp  --  anywhere             anywhere             tcp dpt:ftp to:10.10.203.10:21
> >
> > Chain INPUT (policy ACCEPT)
> > target     prot opt source               destination
> >
> > Chain OUTPUT (policy ACCEPT)
> > target     prot opt source               destination
> >
> > Chain POSTROUTING (policy ACCEPT)
> > target     prot opt source               destination
> > MASQUERADE  all  --  anywhere             anywhere
> >
> > net.ipv4.ip_forward = 1
> > =========================================
> > uname -a
> > Linux minos1.vla.boka 4.9.59-vessel #2 SMP Tue Jul 17 08:27:20 CEST 2018 i686 i686 i686 GNU/Linux
> >
> > iptables -L
> > Chain INPUT (policy ACCEPT)
> > target     prot opt source               destination
> >
> > Chain FORWARD (policy ACCEPT)
> > target     prot opt source               destination
> >
> > Chain OUTPUT (policy ACCEPT)
> > target     prot opt source               destination
> >
> > iptables -t nat -L
> > Chain PREROUTING (policy ACCEPT)
> > target     prot opt source               destination
> > DNAT       tcp  --  anywhere             anywhere             tcp dpt:ftp to:10.10.203.10:21
> >
> > Chain INPUT (policy ACCEPT)
> > target     prot opt source               destination
> >
> > Chain OUTPUT (policy ACCEPT)
> > target     prot opt source               destination
> >
> > Chain POSTROUTING (policy ACCEPT)
> > target     prot opt source               destination
> > MASQUERADE  all  --  anywhere             anywhere
> >
> > net.ipv4.ip_forward = 1
> > ==================================
> >
> > Thanks,
> > Ronald
> >
> >> Hello
> >> Please provide the output of:
> >> "iptables -L" and "iptables -t nat -L", also "sysctl net.ipv4.ip_forward"
> >>
> >> On 14.08.2018 15:37, Vink, Ronald wrote:
> >>> I want to forward ftp traffic from outside to a server in a local network.
> >>> I am using active ftp connection.
> >>> It is working with a 3.5.4 kernel system, but not on a newer 4.9.59
> >>>
> >>>                                    eth0                     eth1
> >>> |----------------------|  local  |------------------------------------| company |-------------------------|
> >>> | proftpd 10.10.203.10 |---------| 10.10.203.150 Gateway 10.141.12.21 |---VPN---| 10.101.34.25 ftp client |
> >>> |----------------------| network |------------------------------------|         |-------------------------|
> >>>
> >>> Working rules in 3.5.4 kernel system:
> >>> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> >>> iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 21 -j DNAT --to-destination 10.10.203.10:21
> >>>
> >>> I have tried with all sorts of different rules, but have not been able to make it work.
> >>> Tried to google it, but found no working example.
> >>> Any hints?
> >>>
> >>> Ronald
> >>>
> >>
> >> --
> >> Best regards,
> >> Daniel
> >
>
> --
> Best regards,
> Daniel