Old 09-11-2007, 10:53 PM   #1
boToo
DNATing ftp server with iptables


Hi all,
My apologies if this has been answered. It has taken more than half a day of trying to get my FTP server working, but no luck yet. Here is what my setup is:

internet--->linux router--->ftpserver(FileZilla on Windows XP) and some other PCs.

If you ask why I don't run the FTP server on Linux: I have ISPConfig with HTTP, email and other services running on the Linux box. The FTP server on Windows is just for general purposes, not a critical one.
The command below was used for the FTP DNAT, with no luck.
$IPT -t nat -A PREROUTING -i $INET_IFACE -p tcp --dport 20:21 -j DNAT --to 192.168.1.3
I can access the FTP server on XP in the LAN, but not from the outside world. Below is my iptables script.
########################iptables config########################
#!/bin/bash

IPT="/sbin/iptables"
LOADMOD="/sbin/modprobe"
###########################################################################
#
# Internet Configuration.
#
INET_IFACE="ppp0"
INET_IP="X.X.X.X"
NAMESERVER_1="203.X.X.X"
NAMESERVER_2="203.X.X.1"

###########################################################################
#
# Local Area Network configuration.
#
LAN_IFACE="eth0"
LAN_IP="192.168.1.1"
LAN_BCAST_ADD="192.168.1.255"
LAN_IPRANGE="192.168.1.0/24"

###########################################################################
#
# Localhost Configuration.
#
LO_IFACE="lo"
LO_IP="127.0.0.1"

############ Begin the NAT table operations #####################

#Flush all rules in the NAT table
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
$IPT -X #deletes every non-builtin chain in the table

#load modules for ftp
$LOADMOD ip_nat_ftp

#enable ip_forward
echo 1 >> /proc/sys/net/ipv4/ip_forward
#echo 1 >> /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#echo 1 >> /proc/sys/net/ipv4/icmp_echo_ignore_all

###########################################################################
#
# 4. IPTables rules set up.
#
# Set default policies for the INPUT, FORWARD and OUTPUT chains.
#
$IPT -P INPUT ACCEPT #DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT

#
# Do some checks for obviously spoofed IP's
#
$IPT -A INPUT -i $INET_IFACE -s 192.168.0.0/16 -j DROP
$IPT -A INPUT -i $INET_IFACE -s 10.0.0.0/8 -j DROP
$IPT -A INPUT -i $INET_IFACE -s 172.16.0.0/12 -j DROP

#blocking Yan Naung computer mac address
#iptables -A FORWARD -i eth0 -m mac --mac-source 00:16:e6:d7:04:92 -j LOG --log-prefix xxxxx
#iptables -A FORWARD -i eth0 -m mac --mac-source 00:16:e6:d7:04:92 -j DROP

##############################################################################
#
#ALLOWING PARTS
#

#
# Rules for special networks not part of the Internet
#
$IPT -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADD -j ACCEPT
$IPT -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPT -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPT -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
$IPT -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IPRANGE -j ACCEPT

#allow DNS request
$IPT -t nat -A POSTROUTING -o $INET_IFACE -d $NAMESERVER_1 -p UDP --dport 53 -j SNAT --to X.X.X.X
$IPT -t nat -A POSTROUTING -o $INET_IFACE -d $NAMESERVER_2 -p UDP --dport 53 -j SNAT --to X.X.X.X

#allow ping
$IPT -A INPUT -p ICMP -j ACCEPT

#allow SSH
$IPT -A INPUT -p tcp --dport 22 -j ACCEPT

#allow WEB server, Email server, ISPCONFIG
#iptables -t nat -A PREROUTING -i $IFACE -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1
$IPT -A INPUT -p tcp --dport 80:81 -j ACCEPT
$IPT -A INPUT -p tcp --dport 110 -j ACCEPT
$IPT -A INPUT -p tcp --dport 25 -j ACCEPT
$IPT -A INPUT -p tcp --dport 443 -j ACCEPT

#allow ASTERISK VOIP Server
$IPT -A INPUT -p tcp --dport 5060:5061 -j ACCEPT
$IPT -A INPUT -p udp --dport 5060:5061 -j ACCEPT
$IPT -A INPUT -p udp --dport 10000:20000 -j ACCEPT
$IPT -A FORWARD -o $INET_IFACE -p udp --dport 5060:5061 -j ACCEPT
$IPT -A FORWARD -o $INET_IFACE -p tcp --dport 5060:5061 -j ACCEPT
$IPT -A FORWARD -o $INET_IFACE -p udp --dport 10000:20000 -j ACCEPT

#allow ftp server at 192.168.1.3**************************************
$IPT -t nat -A PREROUTING -i $INET_IFACE -p tcp --dport 20:21 -j DNAT --to 192.168.1.3

#allow already established connections
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#allow forward any related/established packets from $INET_IFACE to LAN
$IPT -A FORWARD -i $INET_IFACE -o $LAN_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

#allow any outputs from LAN
$IPT -A INPUT -m state --state NEW -i ! $INET_IFACE -j ACCEPT
#allow forward anything from LAN to INTERNET
$IPT -A FORWARD -i $LAN_IFACE -o $INET_IFACE -j ACCEPT

#################avoid looping############################
$IPT -A FORWARD -i $INET_IFACE -o $INET_IFACE -j REJECT

#SNAT/MASQUERADE to INTERNET
$IPT -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to X.X.X.X
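The script above runs with a FORWARD policy of ACCEPT, so every forwarded flow is allowed whether or not a rule matches it. As an added example that is not the poster's script or any reply in this thread, the following shows what an FTP DNAT needs when the FORWARD policy is DROP and each forwarded flow has to be allowed explicitly. Commands are emitted through $IPT and $MODPROBE, which default to "echo ..." so running it prints a dry run; the module names nf_conntrack_ftp/nf_nat_ftp are the current ones and are an assumption (the script above uses the older ip_nat_ftp), and ppp0, eth0 and 192.168.1.3 are taken from the post.

```shell
#!/bin/sh
# Added example (not the poster's script): rules an FTP DNAT needs when the
# FORWARD policy is DROP. Commands go through $IPT / $MODPROBE, which default
# to "echo ..." so running this prints the rules instead of applying them;
# set IPT=/sbin/iptables MODPROBE=/sbin/modprobe to apply them for real.

ftp_dnat_rules() {
    inet_iface=$1    # internet-facing interface, e.g. ppp0
    lan_iface=$2     # LAN interface, e.g. eth0
    server_ip=$3     # internal FTP server, e.g. 192.168.1.3
    ipt=${IPT:-"echo iptables"}
    modprobe=${MODPROBE:-"echo modprobe"}

    # The conntrack helper parses PORT/PASV on the control channel and marks the
    # resulting data connection RELATED; the NAT helper rewrites the addresses
    # inside those commands. Older kernels call these ip_conntrack_ftp /
    # ip_nat_ftp (as in the script above); the names below are the current
    # ones and are assumed here.
    $modprobe nf_conntrack_ftp
    $modprobe nf_nat_ftp

    # Forward only the control port. Data connections do not use a fixed port
    # (passive mode picks one per transfer), so forwarding port 20 adds nothing.
    $ipt -t nat -A PREROUTING -i "$inet_iface" -p tcp --dport 21 \
        -j DNAT --to-destination "$server_ip"

    # After DNAT the packet still traverses FORWARD; with a DROP policy it must
    # be allowed explicitly, and only towards this one host and port.
    $ipt -A FORWARD -i "$inet_iface" -o "$lan_iface" -d "$server_ip" \
        -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT

    # Replies, plus the helper-expected (RELATED) data connections, in either
    # direction. This is what lets passive and active data transfers through.
    $ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Dry run with the interfaces and server address from the post.
ftp_dnat_rules ppp0 eth0 192.168.1.3
```

A real ruleset with FORWARD DROP also needs the usual LAN-to-internet rule and the POSTROUTING SNAT from the script above; they are left out here because they are unchanged by the FTP forwarding. The value of the DROP policy is that a DNAT rule alone cannot expose an internal host: the FORWARD rule names the host and port, so a typo in the DNAT target is caught rather than silently forwarded.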
 
Old 09-11-2007, 11:36 PM   #2
soroccoheaven
Disable/flush your firewall and see the status of port 21. You can use nmap from the Linux box, and try again...
 
Old 09-12-2007, 12:10 AM   #3
boToo
Original Poster
Hmmm,
Strange, when I nmap I don't even see port 21 there. That's what I got when nmapped; the nmap is done from another computer. Any ideas??

PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
81/tcp open hosts2-ns
110/tcp open pop3
111/tcp open rpcbind
139/tcp open netbios-ssn
143/tcp open imap
443/tcp open https
445/tcp open microsoft-ds
833/tcp open unknown
901/tcp open samba-swat
993/tcp open imaps
995/tcp open pop3s
2000/tcp open callbook
3306/tcp open mysql
 
Old 09-12-2007, 11:13 PM   #4
soroccoheaven
Is your FTP running? Check/recheck and restart it, and see /var/log/messages after restarting it.
 
Old 09-13-2007, 01:23 AM   #5
chlee97
You'd better try to nmap your Windows-based server first, to know that the FTP service is available on that server.


$IPT -t nat -A PREROUTING -i $INET_IFACE -p tcp --dport 20:21 -j DNAT --to 192.168.1.3

Normally I only allow port 21 to be forwarded to the internal server and it works for my network; try removing port 20.


Then try the commands below at your firewall...

modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
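Why forwarding only port 21 can work and why those modules matter, as an added example that is not part of this thread: the FTP control channel is plaintext, so ip_conntrack_ftp can read the endpoint tuple in the client's PORT command or the server's "227 Entering Passive Mode" reply and expect the matching data connection (that is what makes it RELATED to the forwarded control connection), and ip_nat_ftp rewrites the private address a DNATed server puts into its 227 reply. The functions below reproduce that parsing and rewrite in shell; the sample lines, the server 192.168.1.3 and the public address 203.0.113.5 are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: the parsing that ip_conntrack_ftp does on
# the plaintext FTP control channel, and the payload rewrite ip_nat_ftp does
# for a DNATed server. Sample lines and addresses below are constructed.

# Decode the (h1,h2,h3,h4,p1,p2) tuple in a "227 Entering Passive Mode" reply
# into "ip port". The helper uses this to expect a client->server data
# connection on that port and flag it RELATED. Non-227 lines yield nothing.
pasv_endpoint() {
    printf '%s\n' "$1" | awk -F'[(),]' \
        '/^227 / { printf "%s.%s.%s.%s %d\n", $2, $3, $4, $5, $6 * 256 + $7 }'
}

# Same tuple in the client's active-mode "PORT h1,h2,h3,h4,p1,p2" command;
# here the expected data connection runs server->client, from port 20.
port_endpoint() {
    printf '%s\n' "$1" | awk -F'[ ,]' \
        '/^PORT / { printf "%s.%s.%s.%s %d\n", $2, $3, $4, $5, $6 * 256 + $7 }'
}

# A DNATed server answers PASV with its private address. Without the NAT
# helper a remote client would try to connect to 192.168.1.x and fail; the
# helper rewrites the address (port unchanged) to the router's public one.
# $1 = 227 reply line, $2 = private server IP, $3 = public IP
nat_pasv_reply() {
    priv=$(printf '%s' "$2" | tr . ,)
    pub=$(printf '%s' "$3" | tr . ,)
    printf '%s\n' "$1" | sed "s/($priv,/($pub,/"
}

# Constructed exchange: server 192.168.1.3 behind a router whose public
# address is 203.0.113.5; the client is 198.51.100.7.
reply='227 Entering Passive Mode (192,168,1,3,195,149).'
echo "server offers data endpoint:  $(pasv_endpoint "$reply")"
echo "client sees after NAT helper: $(nat_pasv_reply "$reply" 192.168.1.3 203.0.113.5)"
echo "active-mode client endpoint:  $(port_endpoint 'PORT 198,51,100,7,4,1')"
```

Two practical consequences follow from this mechanism. First, the helper needs to see the control channel in the clear: with FTP over TLS it cannot read the 227 reply, and the usual answer is to configure a fixed passive port range on the server and forward that range explicitly. Second, because a helper opens holes based on packet payload, current kernels no longer attach it automatically to port 21 traffic; it has to be assigned explicitly in the raw table with the CT target (iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp), which keeps the helper from acting on any other port.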
 
Old 09-13-2007, 06:42 AM   #6
boToo
Original Poster
Hi
Thanks for the replies. The FTP server can be connected to inside the LAN; it just seems iptables is not DNATing it. I need to fiddle around a bit more, I guess.
 
  

