Old 10-15-2004, 02:37 AM   #1
LQ Newbie
Registered: Jun 2004
Posts: 6

FTP port forwarding


I have a Slack 9.1 webserver sitting behind a Slack 9.1 firewall. The firewall is running iptables with a pretty sophisticated set of chains (I didn't design them). I recently modified the firewall rules to forward all port 80 traffic from the outside through the firewall and to the router. It works great.

Now, I would like to do the same thing with FTP, but it is not working. Below are my iptables rules. Is it possible to forward both port 21 and 22, or could it work in passive mode? Any help is appreciated.


# Generated by iptables-save v1.2.8 on Tue Sep 21 05:32:59 2004
-A PREROUTING -d -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination
# Completed on Tue Sep 21 05:32:59 2004
# Generated by iptables-save v1.2.8 on Tue Sep 21 05:32:59 2004
:INPUT DROP [22:1584]
:allowed - [0:0]
:bad_tcp_packets - [0:0]
:icmp_packets - [0:0]
:tcp_packets - [0:0]
:udp_packets - [0:0]
-A INPUT -p tcp -j bad_tcp_packets
-A INPUT -s -i eth1 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -j tcp_packets
-A INPUT -i eth0 -p udp -j udp_packets
-A INPUT -i eth0 -p icmp -j icmp_packets
-A INPUT -i eth1 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A FORWARD -p tcp -j bad_tcp_packets
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -d -i eth0 -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -j bad_tcp_packets
-A OUTPUT -o eth0 -j ACCEPT
-A allowed -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A allowed -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A allowed -p tcp -j DROP
-A bad_tcp_packets -p tcp -m state --state NEW -m tcp --tcp-flags SYN,ACK SYN,ACK -j REJECT --reject-with tcp-reset
-A bad_tcp_packets -p tcp -m state --state NEW -m tcp ! --tcp-flags SYN,RST,ACK SYN -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A tcp_packets -p tcp -m tcp --dport 22 -j allowed
-A tcp_packets -p tcp -m tcp --dport 80 -j allowed
-A tcp_packets -p tcp -m tcp --dport 20:21 -j allowed
-A udp_packets -s -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A udp_packets -i eth0 -p udp -m udp --dport 135:139 -j DROP
-A udp_packets -d -i eth0 -p udp -m udp --dport 67:68 -j DROP
# Completed on Tue Sep 21 05:32:59 2004


Old 10-15-2004, 06:49 AM   #2
LQ Guru
Registered: Aug 2003
Location: Sydney, Australia
Distribution: Gentoo
Posts: 1,796

In most cases you want the clients to use Passive mode, because you have no control over the client's firewall, which may or may not properly allow Active mode.
In order for Passive mode to work, you need to map port 21 as well as the passive ports you specify in your FTP daemon, which by default uses random >1024 ports.

In Proftpd you can use for example:
PassivePorts 40000 40100

The equivalent in vsftpd:

Then you map port 21 as well as ports 40000-40100, assuming is the ftp server:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 40000:40100 -j DNAT --to-destination

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 21 -j DNAT --to-destination

As for active mode you only need to load the "ip_nat_ftp" module and allow outgoing traffic from your port 20, but as mentioned previously it may or may not work (should work in most cases though) depending on the client firewall.

Last edited by Demonbane; 10-15-2004 at 06:52 AM.
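A check I would run on a rule set like the one in the question, added here as an example (not code from the thread): a DNAT in the nat table only rewrites the destination, so each forwarded port also needs an ACCEPT in the filter FORWARD chain, and FTP data connections additionally need a RELATED,ESTABLISHED rule there alongside the ip_conntrack_ftp/ip_nat_ftp helpers. The addresses are constructed placeholders for the ones the forum stripped; the rule lines are otherwise modelled on the question and the answer above, and the parsing only handles this rule style.

```python
import re

# Constructed sample modelled on the thread's rules; 192.0.2.10 and 198.51.100.1 are
# documentation placeholders standing in for the addresses the forum stripped.
SERVER = "192.0.2.10"
RULES = f"""*nat
-A PREROUTING -d 198.51.100.1 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination {SERVER}
-A PREROUTING -i eth0 -p tcp --dport 21 -j DNAT --to-destination {SERVER}
-A PREROUTING -i eth0 -p tcp --dport 40000:40100 -j DNAT --to-destination {SERVER}
COMMIT
*filter
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -d {SERVER} -i eth0 -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""

def parse_ports(spec):
    """'21' -> (21, 21); '40000:40100' -> (40000, 40100)."""
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)

def dnat_targets(rules):
    """(lo, hi, server) for every tcp DNAT in nat PREROUTING."""
    pat = r"^-A PREROUTING .*-p tcp .*--dport (\S+) .*-j DNAT --to-destination (\S+)"
    return [(*parse_ports(m[1]), m[2].split(":")[0])
            for m in (re.search(pat, l) for l in rules.splitlines()) if m]

def forward_accepts(rules):
    """(lo, hi, server) for every tcp FORWARD ACCEPT arriving on eth0."""
    pat = r"^-A FORWARD -d (\S+) -i eth0 .*-p tcp .*--dport (\S+) -j ACCEPT"
    return [(*parse_ports(m[2]), m[1])
            for m in (re.search(pat, l) for l in rules.splitlines()) if m]

def unforwarded(rules):
    """DNAT entries no FORWARD ACCEPT covers: with a DROP policy on FORWARD the
    rewritten packets are silently discarded, which looks like 'FTP just does not work'."""
    accepts = forward_accepts(rules)
    return [(lo, hi, dst) for lo, hi, dst in dnat_targets(rules)
            if not any(alo <= lo and hi <= ahi and adst == dst for alo, ahi, adst in accepts)]

def has_forward_state_rule(rules):
    """True if FORWARD accepts RELATED,ESTABLISHED; without it the data connections
    the ip_conntrack_ftp helper marks RELATED (active mode) are still dropped."""
    return any(re.search(r"^-A FORWARD .*--state \S*ESTABLISHED\S* -j ACCEPT", l)
               for l in rules.splitlines())

if __name__ == "__main__":
    print(unforwarded(RULES), has_forward_state_rule(RULES))
```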

