[SOLVED] Port forwarding problem

user100 · 09-28-2010, 10:24 PM

Hi,

I can't port forward to ftp behind my firewall, I tried several attempts but none worked.

Can anyone help me solve this?

Thanks.

evo2 · 09-28-2010, 10:35 PM

It's a bit hard to understand exactly what you are trying to do. Could you give some more details about your network setup, what you want to achieve and what methods you have tried already?

Evo2.

user100 · 09-28-2010, 11:31 PM

Yea sure.

Using a slackware 10.2 machine to basically share internet with a bit of a firewall on it.
Also slackware machines behind it, one win2k.

eth0 for internet and eth1 to forward it to my LAN. The port forwarding works, ssh and webserver. The only thing that doesn't work is port forwarding ftp.

I tried using mobprobe conntrack and mobprobe conntrack_ftp.

I used this for the other port forward which worked:

Code:

iptables -t nat -I PREROUTING -p tcp -i eth0 --dport 21 -j DNAT --to 192.168.x.xx:21

And a few different combinations and combinations I found on this forum, which I kinda lost track of but they didn't work.

evo2 · 09-29-2010, 01:02 AM

Hi,

So, for http you have a line exactly the same except you have "80" instead of "21". If that is the case I think the problem could be with your ftp server. Have you checked it's logs? Perhaps it only accepts connections from the localhost?

One other thing that might be worth checking: Does the following work (use append instead of insert)?

Code:

iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 21 -j DNAT --to 192.168.x.xx

Evo2.

user100 · 09-29-2010, 02:45 AM

No with -A it doesn't work at all.

Yea for 80 and others its the same except port 80 and 192.168.x.xx:80, with that at the end as well.

I read that it could be ftp's pasv problem which prevents it from port forwarding. The ftp server works fine though, I tried from inside my network logging in and that works. So it should from the outside as well.

A few times it would login from the outside but only half way. Like it would open the home directory in the left window but it will try to keep connecting and not finish or complete the login and timeout after some time. Its kinda weird.

prayag_pjs · 09-29-2010, 03:12 AM

Try this link

http://www.cyberciti.biz/faq/iptables-open-ftp-port-21/

user100 · 09-29-2010, 03:58 AM

Yes thats the link with modprobe conntrack that I tried and didn't work.

prayag_pjs · 09-29-2010, 04:07 AM

Can you put the your iptables rules here?
Also output of:

Quote:

iptalbes -L

user100 · 09-29-2010, 04:25 PM

Firewall rules are:

And iptables -L:

prayag_pjs · 09-29-2010, 11:17 PM

Hi try the script given below;it works for me ...You make the necessary changes as per your requirement!

Quote:

#!/bin/sh

/sbin/modprobe ip_conntrack_ftp

# Interface to Internet
EXTIF=ppp+

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

iptables -F FORWARD
iptables -F INPUT
iptables -F OUTPUT

#Allow internal lan ping reuest...
SERVER_IP="192.168.1.4"

iptables -A INPUT -p icmp --icmp-type 8 -s 192.168.1.0/24 -d $SERVER_IP -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 0 -s $SERVER_IP -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow SSH, FTP, and HTTP Connections
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
iptables -A INPUT -p udp --dport 3306 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
# iptables -A INPUT -p tcp --dport 60000:60100 -j ACCEPT
iptables -I INPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Deny TCP and UDP packets to privileged ports
iptables -A INPUT -p udp -i $EXTIF --dport 0:1023 -j LOG
iptables -A INPUT -p tcp -i $EXTIF --dport 0:1023 -j LOG
iptables -A INPUT -p udp -i $EXTIF --dport 0:1023 -j DROP
iptables -A INPUT -p tcp -i $EXTIF --dport 0:1023 -j DROP
# Deny TCP connection attempts
iptables -A INPUT -i $EXTIF -p tcp --syn -j LOG
iptables -A INPUT -i $EXTIF -p tcp --syn -j DROP

# Deny ICMP echo-requests
iptables -A INPUT -i $EXTIF -p icmp --icmp-type echo-request -j DROP

user100 · 09-29-2010, 11:31 PM

Thanks.

I solved it with:

Code:

modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
iptables -t nat -I PREROUTING -d internetIP -p tcp -m tcp --dport 1121 -j DNAT --to-destination LANIP:21