Re: cant get ftp forwarding working

Le 14/08/2018 à 14:37, Vink, Ronald a écrit :
> I want to forward ftp traffic from outside to a server in a local network.
> I am using active ftp connection.
> It is working with a 3.5.4 kernel system, but not on a newer 4.9.59
> 
>                                  eth0                            eth1
> |----------------------|  local  |----------------------------------|  company  |------------------------|
> |proftpd  10.10.203.10 |---------|10.10.203.150 Gateway 10.141.12.21|----VPN----|10.101.34.25 ftp client |
> |----------------------| network |----------------------------------|           |------------------------|
> 
> Working rules in 3.5.4 kernel system :
>   iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>   iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 21 -j DNAT --to-destination 10.10.203.10:21
> 
> I have tried with all sorts of different rules, but have not been able to make it work.
> Tried to google it, but found no working example.
> Any hints?
> 
> Ronald
> 
> 

There was a change in kernel 4.7 (which was warned about several kernels before,
maybe not 3.5). Default port handling of helper modules was turned off and
should be explicitly stated in iptables' raw table with the CT target.

https://www.spinics.net/lists/netfilter/msg56874.html

A good pointer about what change should be done, if you don't just
turn back on the automatic feature:

https://home.regit.org/netfilter-en/secure-use-of-helpers/

regards,
Adel Belhouane.
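
The explicit helper assignment described in the reply above, as an added example that is not part of the original message or of the linked pages. The function name `ftp_helper_rules` is hypothetical, the interface and address come from the diagram in the question, and the FORWARD rule assumes a FORWARD chain that filters traffic.

```shell
#!/bin/sh
# Prints (does not run) the commands that attach the FTP conntrack helper
# on kernels >= 4.7. Review the output, then pipe it to sh as root.
#   $1 = interface the FTP client arrives on (eth1 in the question)
#   $2 = gateway address on that interface (10.141.12.21 in the question)
#   $3 = "explicit" (default, CT target) or "legacy" (automatic assignment)
ftp_helper_rules() {
    in_if=$1
    gw_addr=$2
    mode=${3:-explicit}

    # Validate before printing anything, so a bad call emits no commands.
    [ -n "$in_if" ] && [ -n "$gw_addr" ] || {
        echo "usage: ftp_helper_rules IFACE GATEWAY_ADDR [explicit|legacy]" >&2
        return 1
    }
    case $mode in
        explicit|legacy) ;;
        *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac

    # Connection tracking helper plus the NAT part that rewrites PORT/PASV.
    echo "modprobe nf_conntrack_ftp"
    echo "modprobe nf_nat_ftp"

    if [ "$mode" = explicit ]; then
        # raw/PREROUTING runs before DNAT, so match the gateway's own address
        # and port 21, and only on the client-facing interface.
        echo "iptables -t raw -A PREROUTING -i $in_if -p tcp -d $gw_addr --dport 21 -j CT --helper ftp"
        # Assumption: FORWARD filters. Accept only data connections that the
        # ftp helper expected, not every RELATED packet.
        echo "iptables -A FORWARD -p tcp -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT"
    else
        # Pre-4.7 behaviour: the helper is attached to any flow on its port.
        echo "sysctl -w net.netfilter.nf_conntrack_helper=1"
    fi
}

# Usage with the values from the question (as root):
#   ftp_helper_rules eth1 10.141.12.21 | sh
```

The NAT rules from the question stay as they are; these commands only restore the helper assignment that the older kernel performed automatically.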



