LinuxQuestions.org
Linux - Networking
Old 12-24-2008, 05:48 AM   #1
dumbsheep
iptables - Forward All FTP to Other Server


All,

Hello. So here is my issue in a nutshell. I need to take FTP requests that hit Server_A and forward them to Server_B. Server_B is not NATed... Server_B is another public server in a completely different location in the world. One thing to note is that I only have one NIC, which is why you will see both in and out being eth0. This is what I have in my iptables on SERVER_A:

iptables -A FORWARD -p tcp -i eth0 --sport 21 -o eth0 -d SERVER_B --dport 21 -m state --state NEW -j ACCEPT

iptables -A FORWARD -p tcp -i eth0 --sport 20 -o eth0 -d SERVER_B --dport 20 -m state --state NEW -j ACCEPT

I've also tried both of the above without the --sport option. When I FTP to SERVER_A (where the above iptables rules are) it connects to SERVER_A instead of forwarding them to SERVER_B. Any help would be greatly appreciated. Thanks in advance!

/dumbsheep
 
Old 12-25-2008, 06:03 PM   #2
naghi32
Code:
iptables -t nat -A PREROUTING -p tcp --dport 20 -j DNAT --to ip.server.b.xx
iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to ip.server.b.xx

This will change the packets' destination (dst) to go to server.b.
Replace ip.server.b.xx with the IP of server b.
Remember this will use your bandwidth for all transfers,
because all data will pass through you.
Oh, and for the connections to come back I think you'll have to do a SNAT also :|

Code:
iptables -t nat -A POSTROUTING -m state --state ESTABLISHED,RELATED -p tcp --sport 20 -j SNAT --to ip.server.a.xx

I used state to make sure other packets can't be SNATed except for established and related connections with source port 20.
Note that YOU SHOULD also put the ip.server.b.xx address in the above ... just to be sure.
 
Old 11-25-2011, 11:41 AM   #3
PatriceJ
Passive FTP does not work

It is exactly what I want to do, but it does not work for passive FTP.

As you know, passive FTP uses two ports: 21, which carries the commands, and any port from about 30000 to 65000 to transfer the data.

When the client reaches the final FTP server (the B server) it has the IP of the A server (as the client IP was NATed); the B server answers with the port number to use for data transfer, and this answer goes through the A server and then to the client.

At this moment the client knows what port to use for data transfer and tries to connect to this port.

The problem is that the client, instead of connecting to the A server that forwards to the B server, goes directly to the B server, which does not know what it wants, as the IP is, of course, different from the A server (that NATed the client IP) to which it answered earlier.

How is it possible to have the client connect to the data port through the same path (Client ==> Server A ==> Server B)?

Does anybody have a solution for that problem?

Thank you in advance
 
Old 11-25-2011, 07:01 PM   #4
TimothyEBaldwin
Code:
modprobe nf_nat_ftp
iptables -t nat -A PREROUTING -p tcp -d serverA --dport 21 -j DNAT --to-destination serverB
This won't work if server B and the client decide to use IPv6.

You may need a SNAT rule if the route from server B doesn't go via server A.
Code:
# SNAT is only valid in the POSTROUTING chain of the nat table
iptables -t nat -A POSTROUTING -p tcp -d serverB --dport 21 -j SNAT --to-source serverA

Last edited by TimothyEBaldwin; 11-25-2011 at 07:09 PM.
 
Old 11-26-2011, 08:38 AM   #5
PatriceJ
Thank you Timothy for your time.

My problem is not on port 21, it is on the port used to transfer data (port 30000 to 65000); they are opened after port 21 on a second connection. It is this second connection that is posing problems.
 
Old 11-27-2011, 04:18 PM   #6
TimothyEBaldwin
That's why I suggested loading nf_nat_ftp. It should dynamically forward ports and rewrite the addresses in FTP control traffic, unless the data connection is using IPv6.

Is the data connection using IPv6?

What version of Linux?
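To make concrete what the helper has to rewrite, here is an added example (not code from the thread or from any of its posters): a small shell script that parses a passive-mode reply the way the FTP NAT helper must, computes the announced data port, and rewrites the announced address from server B's to server A's. The addresses are constructed placeholders from the RFC 5737 documentation ranges. The point it shows is the one described in post #3: as long as the reply still names B's address, the client's data connection goes straight to B and never passes through A; once the address is rewritten, the data connection targets A, where conntrack can forward it as a RELATED connection. Note that the helper can only do this on a cleartext control channel; if the control channel is wrapped in TLS (FTPS), nothing in the middle can see or rewrite the reply.

```sh
#!/bin/sh
# Added example, not from the thread: what the FTP NAT helper must do to the
# control channel for passive mode to survive forwarding through server A.
# Constructed placeholder addresses (RFC 5737 ranges), not real hosts.
B_IP="198.51.100.20"   # the real FTP server (the DNAT target)
A_IP="203.0.113.10"    # the forwarder whose address the client must see

# Dotted address -> comma form used inside FTP replies: 198.51.100.20 -> 198,51,100,20
to_ftp_form() { printf '%s' "$1" | tr '.' ','; }

# Port announced by "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)": p1*256 + p2.
# Returns 1 if the reply does not carry exactly six comma-separated fields.
pasv_port() {
    set -- $(printf '%s' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p' | tr ',' ' ')
    [ $# -eq 6 ] || return 1
    echo $(( $5 * 256 + $6 ))
}

# Dotted host address announced by the same reply.
pasv_host() {
    printf '%s' "$1" | sed -n 's/.*(\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\),[0-9]*,[0-9]*).*/\1.\2.\3.\4/p'
}

# The rewrite itself: replace B's address with A's and leave the port alone.
# Replies announcing any other address pass through untouched.
rewrite_pasv() {
    printf '%s\n' "$1" | sed "s/($(to_ftp_form "$B_IP"),/($(to_ftp_form "$A_IP"),/"
}

# Where the client will open its data connection after reading this reply.
data_target() {
    host=$(pasv_host "$1")
    [ -n "$host" ] || return 1
    port=$(pasv_port "$1") || return 1
    printf '%s:%s\n' "$host" "$port"
}

# Walk through one constructed reply when run directly.
case "${1:-}" in
    demo)
        reply='227 Entering Passive Mode (198,51,100,20,195,80).'
        echo "from B, unrewritten : client would connect to $(data_target "$reply")"
        echo "after helper rewrite: client would connect to $(data_target "$(rewrite_pasv "$reply")")"
        ;;
esac
```

Run it as `sh pasv-rewrite.sh demo` to see the before/after target. The same logic, in the other direction, is what the helper applies to the client's PORT command in active mode, which is why post #4's SNAT rule matters: B must see A as the peer on the control channel for the rewritten PORT address to be reachable.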
 
Old 11-28-2011, 02:08 AM   #7
PatriceJ
It is not using IPv6.
I'm using Debian and I guess nf_nat_ftp is loaded by default.
 
Old 12-05-2011, 06:48 AM   #8
PatriceJ
Timothy, thank you, as you put your finger on what my problem was.

I had to activate ip_conntrack_ftp. For those who need to know, with this command:

modprobe ip_conntrack_ftp

and now it works perfectly.

I did it on my test machine; I will now put it into "production" and will let everybody know the procedure with iptables rules.
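The thread never gets the promised complete rule set, so here is one as an added example; it is not from the thread or any poster, and it assumes placeholder addresses from the RFC 5737 documentation ranges and a single interface eth0 as in post #1. It combines the pieces that came up: the conntrack FTP helper (nf_conntrack_ftp/nf_nat_ftp on current kernels, ip_conntrack_ftp/ip_nat_ftp on the 2.6-era kernels of the thread), DNAT of the control connection, SNAT towards server B because B's replies would otherwise not route back through A (post #4), and FORWARD rules that accept only the control connection and the RELATED data connections the helper expects. Two caveats a practitioner should know: since Linux 4.7 helpers are no longer attached automatically (nf_conntrack_helper defaults to 0), so the raw-table CT rule below is required on current kernels (it needs xt_CT, Linux 3.x or later, and can be dropped on the old kernels where the helper attaches by itself); and because everything is SNATed, server B will log every client as server A, so per-client bans or rate limits on B will hit all clients at once.

```sh
#!/bin/sh
# Added example (not from the thread): a complete rule set for forwarding FTP
# that arrives at server A on to server B, covering the control connection,
# active and passive data connections, and the return path.
# Assumed/placeholder values (RFC 5737 documentation ranges), override via env:
A_IP="${A_IP:-203.0.113.10}"     # public address of server A (the forwarder)
B_IP="${B_IP:-198.51.100.20}"    # public address of server B (the real FTP server)
WAN_IF="${WAN_IF:-eth0}"         # the single NIC on server A

# Emit the rule set in iptables-restore(8) format. Keeping it in a function lets
# you inspect it (render) before loading it (apply); '#' lines are ignored by
# iptables-restore.
render_rules() {
    cat <<EOF
*raw
# Attach the FTP helper only to control connections that are really addressed
# to A's FTP port. Since Linux 4.7 helpers are not auto-assigned
# (nf_conntrack_helper=0), so this CT rule is what enables PASV/PORT rewriting.
-A PREROUTING -i $WAN_IF -p tcp -d $A_IP --dport 21 -j CT --helper ftp
COMMIT
*nat
# DNAT: redirect the control connection to B. Data connections are handled by
# the helper's expectations, so no rules for ports 20 or the passive range.
-A PREROUTING -i $WAN_IF -p tcp -d $A_IP --dport 21 -j DNAT --to-destination $B_IP
# SNAT: B is on another network, so its replies would bypass A unless A
# rewrites the source to itself. Consequence: B sees every client as A.
-A POSTROUTING -o $WAN_IF -p tcp -d $B_IP -j SNAT --to-source $A_IP
COMMIT
*filter
# Assumption: this box forwards nothing else, so default-deny is safe here.
:FORWARD DROP [0:0]
# Control connection to B, plus the helper-expected data connections (RELATED)
# and their return traffic (ESTABLISHED); nothing else is forwarded.
-A FORWARD -i $WAN_IF -o $WAN_IF -p tcp -d $B_IP --dport 21 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Load the helper modules, enable forwarding and install the rules (root only).
# --noflush keeps any unrelated rules already present on the box.
apply_rules() {
    modprobe nf_conntrack_ftp || return 1   # ip_conntrack_ftp on 2.6-era kernels
    modprobe nf_nat_ftp || return 1         # ip_nat_ftp on 2.6-era kernels
    sysctl -w net.ipv4.ip_forward=1 >/dev/null || return 1
    render_rules | iptables-restore --noflush || return 1
}

case "${1:-}" in
    render) render_rules ;;
    apply)  apply_rules ;;
esac
```

Use `sh ftp-forward.sh render` to review the rules and `sh ftp-forward.sh apply` (as root) to load them. Both DNAT and the helper rule are pinned to `-d $A_IP --dport 21` on purpose: an unqualified `--dport 21` DNAT (as in post #2) would also redirect FTP traffic that merely transits A, and an unqualified helper assignment would parse every port-21 stream the box sees.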




 
Old 12-11-2011, 11:34 AM   #9
PatriceJ
Well, it worked perfectly on two different test machines but not on the one that I want to... can you believe it?
I have done the same setup but I cannot get the data port to work all the time!

On the same PC, if I connect to the FTP server with Firefox it works well all the time; if I try with FileZilla it does not work, I cannot list files and folders.
If I try from my iPhone using my home Wifi it works all the time; if I try using the same iPhone on the 3G connection it does not work. If I try with the same iPhone from another Wifi spot, it does not work.

So, sometimes it works, sometimes it does not; of course I cannot say "it is OK", I have to find out why...

The only difference on the 3 servers is that the one that does not work is not connected to a router; it is connected "directly" to the Internet through the data center equipment (their equipment is supposed to be transparent).

I'm stuck, any idea?
 
Old 12-22-2011, 04:51 PM   #10
PatriceJ
I'm still stuck, nobody has an idea?
 
  


Tags: firewall, forwarding, ftp, iptables

