iptables and forwarding for ftp - how?

Discussion in 'Server Operation' started by tom, May 11, 2006.

  1. tom

    tom Member

    I need to forward the ftp trafic.

    Whith my ftp client I can log in but I don't see anything - no file, no directory.
    This are my rules:
    Code:
        iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 21 -j DNAT --to-destination 10.0.1.1
    
        iptables -A FORWARD -i eth0 -m state --state NEW -p tcp -d 10.0.1.1 --dport 21 -j ACCEPT
    
        iptables -t nat -A POSTROUTING -o vif1.0 -p tcp --dport 21 -j SNAT --to-source 10.0.1.1 
    That's the log from me ftpclient filezilla:
    Code:
    Befehl:	USER web4_abc
    Antwort:	331 Password required for web4_abc.
    Befehl:	PASS *****
    Antwort:	230 User web4_abc logged in.
    Befehl:	FEAT
    Antwort:	211-Features:
    Antwort:	211-MDTM
    Antwort:	211-REST STREAM
    Antwort:	211-SIZE
    Antwort:	211 End
    Befehl:	SYST
    Antwort:	215 UNIX Type: L8
    Status:	Verbindung hergestellt
    Status:	Verzeichnisinhalt wird abgeholt...
    Befehl:	PWD
    Antwort:	257 "/" is current directory.
    [COLOR="Red"]Befehl:	PORT 192,168,1,4,14,24[/COLOR]
    This last red line I don't understand
     
    Last edited: May 11, 2006
  2. gabriele

    gabriele New Member

    Would be better to know what linux you have and what ftpd you use , anyway these are my iptables :
    # FTP
    /sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d $GATEWAY --dport 21 -j DNAT --to $FTP:21
    /sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d $GATEWAY --dport 20 -j DNAT --to $FTP:20

    If you have a default DROP also:
    /sbin/iptables -A FORWARD -i eth0 -p tcp -d $FTP -m multiport --dports 20,21 -j ACCEPT

    ... and if you use passive ftp and ... if ... you have proftpd go to proftpd.conf and assigne passive ftp ports : PassivePorts(i say best)60000:65535 and in iptables .
    ciao !
     
  3. tom

    tom Member

    I'm using debian3.1 and proftp
    Why do you use multiport?
     
  4. gabriele

    gabriele New Member

    It's an iptables function you can target as many ports as you need.FTPD in particular needs an extra tcp port for data-transfer (20) + ,as i sayd above, if you do passive ftp, it can use any port from 30000 to 65535(if i'm not wrong) so becomes a bit difficult to configure in the firewall unless you don't declare it it the configuration as i sayd !
     

Share This Page