Hi.
I have problems getting passive FTP working.
My setup is like this:
Internet --> Router(public IP) --> FTP-Server (192.168.177.22/32)
I have these rules set up in my firewall:
(ens3 is the interface facing the public internet,
br0 is the internal network interface)
*filter
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A forward-handling -m conntrack --ctstate NEW -i br0 -o ens3 -s 192.168.177.0/24 -j ACCEPT # Is there a RELATED missing?
-A forward-handling -m conntrack --ctstate NEW -i ens3 -o br0 -d 192.168.177.22/32 -p tcp -m multiport --dports 20,21 -j ACCEPT
*nat
-A PREROUTING -i ens3 -p tcp --dport 20 -j DNAT --to-destination 192.168.177.22:20
-A PREROUTING -i ens3 -p tcp --dport 21 -j DNAT --to-destination 192.168.177.22:21
Active FTP is working, as do all other services except passive FTP.
I am on Ubuntu 18.04 LTS and have loaded these modules, which are said to fix passive
FTP issues:
ip_conntrack_ftp
ip_nat_ftp
in /etc/modules
I am wondering why lsmod shows this output
(ip_*_ftp appears as nf_*_ftp):
root@fw:~# lsmod | grep ftp
nf_nat_ftp 16384 0
nf_nat 32768 3 nf_nat_ftp,nf_nat_ipv4,xt_nat
nf_conntrack_ftp 20480 1 nf_nat_ftp
nf_conntrack 131072 7 xt_conntrack,nf_conntrack_ipv4,nf_nat,nf_nat_ftp,nf_nat_ipv4,xt_nat,nf_conntrack_ftp
What am I doing wrong?
Thanks,
Stefanie