RE: cant get ftp forwarding working


 




> -----Original Message-----
> From: Pablo Neira Ayuso [mailto:pablo@xxxxxxxxxxxxx]
> Sent: donderdag 16 augustus 2018 10:44
> To: Vink, Ronald
> Cc: Daniel; netfilter@xxxxxxxxxxxxxxx
> Subject: Re: cant get ftp forwarding working
> 
> On Wed, Aug 15, 2018 at 08:16:29AM +0000, Vink, Ronald wrote:
> > I did not change any proftpd settings, they are the default installation. I have to use active connection
> > The suggested line " iptables -t nat -A PREROUTING -p tcp --dport 20:21 -j DNAT --to-destination 10.10.203.10" made no difference.
> > I started the proftpd in the foreground with debug output, but there is no output when I try to connect via 4.9.59 system, the client just times-out.
> > With the 3.5.4 system I can see the connection coming in and responses to "ls" command in my ftp client.
> >
> > Does it have something to do with conntrack ?
> 
> Did you add the rule to enable the FTP conntrack helper?
> 
> https://home.regit.org/netfilter-en/secure-use-of-helpers/
> 
> Otherwise, there's a fallback to reenable the unsecure behaviour:
> 
> echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper
> 
> but that may go away at some point.

Setting /proc/sys/net/netfilter/nf_conntrack_helper to 1 does not help.

From the website I added the line
	iptables -A PREROUTING -t raw -p tcp --dport 21 -d 10.10.203.10 -j CT  --helper ftp
but no result, tried with nf_conntrack_helper 0 and 1, with a reboot in between to be sure. Nothing.
Can you give me a minimal set of rules to make it work?
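
An added example, not part of the original messages or of anyone's reply in this thread: a shell function that prints, without applying, a small rule set for DNAT-forwarding FTP with the helper assigned through the CT target described in the linked article. The interface name `eth0` and the public address `192.0.2.1` are constructed placeholders; because raw PREROUTING is traversed before nat PREROUTING, the CT rule here matches the address clients connect to, not the post-DNAT server address.

```shell
#!/bin/sh
# Added example: prints rules for review; it never calls iptables itself.
# eth0 and 192.0.2.1 are constructed; 10.10.203.10 is the server in the thread.

is_ipv4() {
    # Dotted quad, every octet numeric and <= 255.
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

ftp_forward_rules() {
    wan_if=$1 public_ip=$2 server_ip=$3
    # Reject anything that could smuggle shell syntax into the printed script.
    case $wan_if in
        ''|*[!A-Za-z0-9._-]*) echo "bad interface name" >&2; return 2 ;;
    esac
    is_ipv4 "$public_ip" && is_ipv4 "$server_ip" || {
        echo "usage: ftp_forward_rules WAN_IF PUBLIC_IP SERVER_IP" >&2
        return 2
    }
    cat <<EOF
modprobe nf_conntrack_ftp
modprobe nf_nat_ftp
# raw PREROUTING sees the packet before DNAT: match the pre-DNAT destination
iptables -t raw -A PREROUTING -i $wan_if -p tcp -d $public_ip --dport 21 -j CT --helper ftp
iptables -t nat -A PREROUTING -i $wan_if -p tcp -d $public_ip --dport 21 -j DNAT --to-destination $server_ip
# control connection: new sessions to the server, then established traffic
iptables -A FORWARD -i $wan_if -p tcp -d $server_ip --dport 21 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
# data connections: only those the ftp helper created an expectation for
iptables -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT
EOF
}

# Sample run with the constructed values; review the output before using it.
ftp_forward_rules eth0 192.0.2.1 10.10.203.10
```

The helper is attached per rule, so this does not depend on `nf_conntrack_helper` being set to 1.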





