[Cialug] ftp nat iptables

Matthew Nuzum newz at bearfruit.org
Fri Jul 24 15:56:08 CDT 2009


Thanks. For the archives, $CHN is PREROUTING -t nat and the modules are
ip_nat_ftp and ip_conntrack_ftp

On Fri, Jul 24, 2009 at 2:52 PM, Zachary Kotlarek <zach at kotlarek.com> wrote:

>
> On Jul 24, 2009, at 2:36 PM, Matthew Nuzum wrote:
>
>> I mess w/ this at most once per year. Long enough to forget everything.
>>
>> I have a machine w/ one internet interface and one private network
>> interface. There are three IPs on the internet interface. I have a virtual
>> machine on the private interface w/ IP 192.168.99.100. I want to be able to
>> FTP to the internet interface at 69.60.125.100 and connect to the ftp server
>> running on the VM.
>>
>> I had this working before but that server died. The rule that I used
>> (modified for the correct IPs) is below, but it's not working. Can anyone
>> give a hand?
>>
>> iptables -t nat -A PREROUTING -p tcp -i eth0 -d 69.60.125.100 --dport 21
>> --sport 1024:65535 -j DNAT --to 192.168.99.100:21
>>
>> I'm using similar rules for http, smtp and pop3 and they work fine. I
>> suspect there is something I forgot to make note of.
>>
>> When I try to login via FTP I can connect but I can't list any files. It
>> sits and does nothing for a long time using command line ftp client, using
>> filezilla (which tries passive mode) it says:
>>
>
>
> You need two things:
>
> 1. A rule to allow related traffic:
>        iptables --append $CHN --match state --state ESTABLISHED,RELATED
> --jump ACCEPT
>
> Since FTP opens a second connection -- to some port other than 21 -- to
> actually transfer data the firewall needs to know to allow that connection,
> which can only reasonably be accomplished with the RELATED state match.
>
> 2. To load these two kernel modules:
>        nf_conntrack_ftp
>        nf_nat_ftp
> The first one provides generic FTP connection tracking, so that the RELATED
> state will match FTP data connections. The second allows the connection
> tracking to work even across NAT, which will fix the "unroutable address"
> warning you see in the client (as well as allow less-smart clients to connect
> in passive mode).
>
>        Zach
>
>


-- 
Matthew Nuzum
newz2000 on freenode, skype, linkedin, identi.ca and twitter
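The complete rule set the thread arrives at, written out as an added example (not code posted by either participant): the DNAT rule from the original question, the two conntrack helper modules Zach names, and the ESTABLISHED,RELATED match. The addresses and eth0 are the ones quoted above; the placement of the state rule in the filter table's FORWARD chain (the chain that sees traffic forwarded to the VM), the RUN variable, the ip_forward sysctl and the private-network details are assumptions of this example. On pre-2.6.20 kernels the modules are called ip_conntrack_ftp and ip_nat_ftp instead, as Matthew notes.

```shell
#!/bin/sh
# Added example, not from the thread. Prints (or, with RUN= set empty, applies)
# the iptables setup for reaching an FTP server on a NATed VM.
PUB_IP=69.60.125.100      # public address on the internet interface (from the thread)
VM_IP=192.168.99.100      # FTP server on the private network (from the thread)
WAN_IF=eth0               # internet-facing interface (from the thread)
RUN=${RUN-echo}           # default: only print commands; run with RUN= to apply

ftp_nat_rules() {
    # Forwarding must be on for DNAT'ed packets to reach the VM at all (assumption:
    # not mentioned in the thread, but a common reason a fresh box silently drops them).
    $RUN sysctl -w net.ipv4.ip_forward=1

    # Conntrack helper: parses PORT/PASV on the port-21 control channel so the
    # data connection gets the RELATED state.  NAT helper: rewrites the address
    # inside the PASV reply, so the client is never handed 192.168.99.100.
    $RUN modprobe nf_conntrack_ftp
    $RUN modprobe nf_nat_ftp

    # Control channel: the DNAT rule from the original post.
    $RUN iptables -t nat -A PREROUTING -p tcp -i "$WAN_IF" -d "$PUB_IP" --dport 21 \
        -j DNAT --to-destination "$VM_IP:21"

    # Filter table, FORWARD chain: admit the new control connection to the VM ...
    $RUN iptables -A FORWARD -p tcp -i "$WAN_IF" -d "$VM_IP" --dport 21 \
        -m state --state NEW -j ACCEPT
    # ... and any flow conntrack ties to it, i.e. the data channel in either mode.
    $RUN iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

ftp_nat_rules
```

After applying, `iptables -t nat -L PREROUTING -n -v` should show the DNAT counter climbing on a login attempt, and `cat /proc/net/nf_conntrack | grep -i helper=ftp` (or `conntrack -L` where available) should list the control flow with the ftp helper attached; if it is missing, the helper module did not load and a directory listing will hang exactly as described above.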