[Cialug] ftp nat iptables

Zachary Kotlarek zach at kotlarek.com
Fri Jul 24 14:52:55 CDT 2009


On Jul 24, 2009, at 2:36 PM, Matthew Nuzum wrote:

> I mess w/ this at most once per year. Long enough to forget  
> everything.
>
> I have a machine w/ one internet interface and one private network  
> interface. There are three IPs on the internet interface. I have a  
> virtual machine on the private interface w/ IP 192.168.99.100. I  
> want to be able to FTP to the internet interface at 69.60.125.100  
> and connect to the ftp server running on the VM.
>
> I had this working before but that server died. The rule that I used  
> (modified for the correct IPs) is below, but it's not working. Can  
> anyone give a hand?
>
> iptables -t nat -A PREROUTING -p tcp -i eth0 -d 69.60.125.100 --dport 21 --sport 1024:65535 -j DNAT --to 192.168.99.100:21
>
> I'm using similar rules for http, smtp and pop3 and they work fine.  
> I suspect there is something I forgot to make note of.
>
> When I try to login via FTP I can connect but I can't list any  
> files. It sits and does nothing for a long time using command line  
> ftp client, using filezilla (which tries passive mode) it says:


You need two things:

1. A rule to allow related traffic:
	iptables --append $CHN --match state --state ESTABLISHED,RELATED --jump ACCEPT

Since FTP opens a second connection -- to some port other than 21 --  
to actually transfer data the firewall needs to know to allow that  
connection, which can only reasonably be accomplished with the RELATED  
state match.

2. To load these two kernel modules:
	nf_conntrack_ftp
	nf_nat_ftp
The first one provides generic FTP connection tracking, so that the  
RELATED state will match FTP data connections. The second allows the  
connection tracking to work even across NAT, which will fix the  
"unroutable address" warning you see in the client (as well as allow  
less-smart clients to connect in passive mode).

	Zach
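The two steps above (the DNAT rule plus a RELATED/ESTABLISHED accept, and the two conntrack helper modules) pulled together into one script. This is an added example, not code from the thread: the interface name eth0 and the FORWARD accept for new connections to port 21 are assumptions, the addresses are the ones quoted in the question, and the raw-table CT rule is an addition for newer kernels (4.7 and later), where helper modules are no longer attached to connections automatically. Without `--apply` it only prints the commands; `ftp_helpers_loaded` checks a /proc/modules-style file so the module state can be verified before blaming the rules.

```shell
#!/bin/sh
# Added example (not from the original thread): generate and optionally apply
# the rules needed to DNAT FTP from a public address to an FTP server on a VM.
# Assumed: internet-facing interface eth0; addresses are those from the thread.

PUB_IF="${PUB_IF:-eth0}"           # internet-facing interface (assumption)
PUB_IP="${PUB_IP:-69.60.125.100}"  # public address from the thread
VM_IP="${VM_IP:-192.168.99.100}"   # FTP server on the private side, from the thread

# Modules the reply names: the first tracks FTP control sessions so the data
# connection matches RELATED; the second rewrites the address embedded in
# PORT/PASV so passive mode survives NAT.
FTP_MODULES="nf_conntrack_ftp nf_nat_ftp"

# ftp_helpers_loaded MODULES_FILE
# Returns 0 if every helper module appears in a /proc/modules-style file
# (module name is the first column), 1 otherwise. Taking the path as a
# parameter lets the check run against a saved copy as well as the live file.
ftp_helpers_loaded() {
    modfile="$1"
    for m in $FTP_MODULES; do
        grep -qE "^$m( |$)" "$modfile" || return 1
    done
    return 0
}

# ftp_nat_rules
# Prints the commands, one per line, without running anything.
ftp_nat_rules() {
    cat <<EOF
modprobe nf_conntrack_ftp
modprobe nf_nat_ftp
iptables -t raw -A PREROUTING -p tcp -d $PUB_IP --dport 21 -j CT --helper ftp
iptables -t nat -A PREROUTING -p tcp -i $PUB_IF -d $PUB_IP --dport 21 -j DNAT --to-destination $VM_IP:21
iptables -A FORWARD -p tcp -d $VM_IP --dport 21 -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}
# Notes on the lines above:
#  - the raw-table CT rule is an addition for kernels 4.7+, where automatic
#    helper assignment is off by default; on older kernels it is harmless
#  - the FORWARD rule for NEW connections to port 21 is an assumption about
#    the firewall's default policy (needed if FORWARD defaults to DROP)
#  - the final rule is the RELATED/ESTABLISHED accept from the reply; the
#    data connection is only matched because nf_conntrack_ftp is loaded

# apply_ftp_nat_rules
# Executes each generated command in order (requires root), echoing it first.
apply_ftp_nat_rules() {
    ftp_nat_rules | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd
    done
}

if [ "${1:-}" = "--apply" ]; then
    apply_ftp_nat_rules
    if ftp_helpers_loaded /proc/modules; then
        echo "FTP conntrack helpers loaded"
    else
        echo "WARNING: helper modules missing; data connections will not match RELATED" >&2
    fi
else
    ftp_nat_rules
fi
```

Run it with no arguments to review the rule set, then `sh ftp-nat.sh --apply` as root. If listing still hangs after applying, the helper check is the first thing to look at: with `nf_conntrack_ftp` absent the control connection works but the data connection never becomes RELATED, which is exactly the symptom described in the question.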
