iptables - Forward All FTP to Other Server
Hello. So here is my issue in a nutshell. I need to take FTP requests that hit Server_A and forward them to Server_B. Server_B is not natted...Server_B is another public server in a completely different location in the world. One thing to note is that I only have one NIC hence why you will see both in and out being eth0. This is what I have in my iptables on SERVER_A:
iptables -A FORWARD -p tcp -i eth0 --sport 21 -o eth0 -d SERVER_B --dport 21 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 --sport 20 -o eth0 -d SERVER_B --dport 20 -m state --state NEW -j ACCEPT
I've also tried both of the above without the --sport option. When I FTP to SERVER_A (where the above iptables rule are) it connects to SERVER_A instead of forwarding them to SERVER_B. Any help would be greatly appreciated. Thanks in advance! :)
iptables -t nat -A PREROUTING -p tcp --dport 20 -j DNAT --to ip.server.b.xx
iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to ip.server.b.xx
this will change the packets destination ( dst ) to go too server.b
replace ip.server.b.xx with the ip of server b
remember this will use your bandwidth for all transfers
because all data will pas thru you :)
oh and for the connections to come back i think you`l have to do a snat also :|
iptables -t nat -A POSTROUTING -m state --state ESTABLISHED,RELATED -p tcp --sport 20 -j SNAT --to ip.server.a.xx
i used state to make sure other packets can`d be snated except for established and related connections with sourceport 20
note that YOU SHOULD also put the ip.server.b.xx address in the above ... just to be sure :)
Passive FTP does not work
It is exactly what I want to do but it does not work for passive FTP.
As you know, passive FTP uses two ports, 21 that gives the commands and any port from about 30000 to 65000 to transfer the data.
When the client reaches the final FTP server (B server) it has the IP of the A server (as the client IP was Nated), the B server answers with the port number to use for data transfer, this answer goes through A server then to the client.
At this moment the client knows what port to use for data transfer and try to connect to this port.
The problem is that the client instead of connecting to the A server that forward to the B server, it goes directly into the B server which do not know what it wants as the IP is, of course, different from the A server (that Nated the client IP) to which it answered earlier.
How is it possible to have the client connect to the data port through the same path (Client ==>Server ==>A ==> Server B) ?
Does anybody as a solution for that problem?
Thank you in advance
You may need a SNAT rule if the route from server B doesn't go via server A.
Thank you Timothy for your time.
My problem is not on port 21 it on the port used to transfer data (port 30000 to 65000), they are opened after port 21 on a second connexion. It is this second connection that is posing problems.:confused:
That's why I suggested loading nf_nat_ftp. It should dynamically forward ports and rewrite the addresses in FTP control traffic, unless the data connection using IPv6.
Is the data connection using IPv6?
What version if Linux?
It is not using IPv6.
I'm using a Debian and I guess the nf_nat_ftp is loaded by default
Timothy thank you as you put the finger on what was my problem.
I had to activate ip_conntrack_ftp
For those who need to know with this command:
and now it works perfectly :)
I did it on my test machine, I will now put it into "production" and will let everybody know the procedure with IP tables rules.
Well it worked perfectly on two different test machine but not on the one that I want to...can you believe it ?
I have done the same setup but I cannot get the data port to work all the time!
On the same PC if I connect to the FTP server with Firefox it works well all the time, if I try with FileZilla it does not work, I cannot list file and folder.
If I try from my iPhone using my home Wifi it works all the time, if I try using the same iPhone using the G3 connexion it does not work. If I try with the same iPhone from another Wifi spot, it does not work.
So, sometime it works, sometime it does not work, of course I cannot say "it is OK" I have to find why...
The only difference on the 3 servers, is that the one that does not work is not connected to a router, it is connect "directly" on Internet through the data center equipment (their equipment is supposed to be transparent).
I'm stuck, any idea ?
I'm still stuck, nobody has an idea?
|All times are GMT -5. The time now is 07:57 PM.|