[Cialug] ftp nat iptables

Matthew Nuzum newz at bearfruit.org
Fri Jul 24 14:36:53 CDT 2009


I mess w/ this at most once per year. Long enough to forget everything.

I have a machine w/ one internet interface and one private network
interface. There are three IPs on the internet interface. I have a virtual
machine on the private interface w/ IP 192.168.99.100. I want to be able to
FTP to the internet interface at 69.60.125.100 and connect to the ftp server
running on the VM.

I had this working before but that server died. The rule that I used
(modified for the correct IPs) is below, but it's not working. Can anyone
give a hand?

iptables -t nat -A PREROUTING -p tcp -i eth0 -d 69.60.125.100 --dport 21 --sport 1024:65535 -j DNAT --to 192.168.99.100:21

I'm using similar rules for http, smtp and pop3 and they work fine. I
suspect there is something I forgot to make note of.

When I try to login via FTP I can connect but I can't list any files. It
sits and does nothing for a long time with the command line ftp client; using
FileZilla (which tries passive mode) it says:

Server sent passive reply with unroutable address. Using server address
instead.
Command: LIST
Error: Connection timed out
Error: failed to retrieve directory listing

Here are the other rules I have at the top of my iptables script:

# enable nat/forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE

# is this necessary?
iptables --append FORWARD --in-interface eth1 -j ACCEPT


-- 
Matthew Nuzum
newz2000 on freenode, skype, linkedin, identi.ca and twitter
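The passive-mode failure described above is what happens when the PASV reply carries the VM's private address and nothing on the NAT box rewrites it; the kernel's FTP connection-tracking helper (nf_conntrack_ftp plus nf_nat_ftp) does that rewrite and NATs the data connection. The script below is an added example, not the poster's script or a reply from the list; it uses the addresses and interfaces from the post, and the `CT --helper` rule is an assumption about newer kernels (4.7 and later) that no longer assign helpers automatically.

```shell
#!/bin/sh
# Added example (not from the original post): DNAT for FTP on a Linux NAT
# box, plus the conntrack FTP helper that fixes passive-mode listings.
# Addresses and interface names are the ones from the post.
set -eu

WAN_IF=eth0
LAN_IF=eth1
PUBLIC_IP=69.60.125.100
FTP_VM=192.168.99.100
DRY_RUN=${DRY_RUN:-1}   # 1 = print the commands only; 0 = apply them (needs root)

# run: execute a command, or print it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

ftp_nat_rules() {
    # The FTP helper follows the control channel, rewrites the private
    # address inside PASV replies, and marks the data connection RELATED.
    run modprobe nf_conntrack_ftp
    run modprobe nf_nat_ftp
    # Assumption: on kernels >= 4.7 helpers are not auto-assigned, so bind
    # the ftp helper to the control channel explicitly in the raw table.
    run iptables -t raw -A PREROUTING -p tcp -i "$WAN_IF" -d "$PUBLIC_IP" --dport 21 -j CT --helper ftp
    # Control channel: port 21 on the public IP goes to the VM.
    run iptables -t nat -A PREROUTING -p tcp -i "$WAN_IF" -d "$PUBLIC_IP" --dport 21 -j DNAT --to-destination "$FTP_VM:21"
    # Forward only new control connections to the VM and whatever conntrack
    # already knows about (including helper-marked passive data connections),
    # instead of a blanket ACCEPT for everything arriving on eth1.
    run iptables -A FORWARD -p tcp -i "$WAN_IF" -o "$LAN_IF" -d "$FTP_VM" --dport 21 -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # Outbound traffic from the private network still gets masqueraded.
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# count_dnat_rules: sanity check on the generated rule set (always dry-run)
count_dnat_rules() {
    ( DRY_RUN=1; ftp_nat_rules ) | grep -c -- '-j DNAT'
}
```

Run it as-is to review the generated commands, then with `DRY_RUN=0` as root to apply them.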