LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Newbie (http://www.linuxquestions.org/questions/linux-newbie-8/)
-   -   FTP Server behind NAT (IPtables) List FTP directories Problem (http://www.linuxquestions.org/questions/linux-newbie-8/ftp-server-behind-nat-iptables-list-ftp-directories-problem-925254/)

turki_00 01-23-2012 09:42 AM

FTP Server behind NAT (IPtables) List FTP directories Problem
 
Hi,

The FTP server (10.205.13.97) is behind a firewall (NAT).

I can log in to the ftp server without any problems from a remote machine. However, I can't list directories (ls) from the remote machine. Even passive mode times out.

230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
500 Illegal PORT command
ftp: bind: Address already in use
ftp> passive
Passive mode on.
ftp> ls
227 Entering Passive Mode (50,17,79,90,251,162).
ftp: connect: Connection timed out
ftp>


I am using Proftpd as the FTP server (Ubuntu).

The iptables rules for the firewall box (Ubuntu) were defined as follows (ports 20 & 21 are forwarded):

>echo 1 > /proc/sys/net/ipv4/ip_forward
>iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:ftp to:10.205.13.97:21
DNAT tcp -- anywhere anywhere tcp dpt:ftp-data to:10.205.13.97:20

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere

angel115 01-23-2012 10:17 AM

What does your log say? (/var/log/syslog)

turki_00 01-23-2012 10:30 AM

angel115,

the log for which box?
the remote client that I am using the ftp commands with? or
the firewall box logs? or
the ftp box logs?

Well, I checked the syslog on all 3 machines and none of them report any issues with the ftp service (some entries about cron jobs).

turki_00 01-26-2012 09:24 AM

Guys, any help?

Cedrik 01-26-2012 10:17 AM

Did you set MasqueradeAddress and PassivePorts in proftpd.conf ?

See:
http://www.proftpd.org/docs/howto/NAT.html

turki_00 02-05-2012 09:44 AM

Found a solution:

modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward

Then, configure iptables:
iptables -A INPUT -p tcp --dport 1024:65535 -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp --dport 1024:65535 -j ACCEPT

iptables -t nat -A PREROUTING -i eth0 -p tcp -d NatPrivateIp --dport 1024:65535 -j DNAT --to-destination FtpPrivateIp:1024-65535
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 21 -j DNAT --to-destination FtpPrivateIp:21
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE [duplicate]

Thank you everyone,
Turki
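The two suggestions in this thread (Cedrik's MasqueradeAddress/PassivePorts hint and Turki's wide 1024:65535 DNAT) can be checked against the actual 227 reply quoted in the first post. The script below is an added example and is not code from any of the posters or from ProFTPD: it decodes a PASV reply into address and port, reports why the client's connect() would hang (the advertised port is not forwarded) or why active mode would be rejected (advertised address differs from the control-connection peer), and renders the narrow ruleset a NAT box should carry instead of forwarding every high port. Assumptions, not facts from the thread: 50.17.79.90 is the firewall's public side, eth0 is its public interface, the chosen PassivePorts range is 49152-49200, and the NAT box runs a kernel new enough (4.7 or later) to need an explicit CT helper rule.

```python
"""Diagnose an FTP passive-mode failure through a NAT box (added example).

Not code from the thread's posters or from ProFTPD.  Assumed values:
public side 50.17.79.90, public interface eth0, PassivePorts 49152-49200.
The first PASV reply below is the one quoted in the original post.
"""
import re

PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Decode a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply.

    Returns (ip, port); per RFC 959 the data port is p1*256 + p2.
    """
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("octet out of range in %r" % reply)
    h1, h2, h3, h4, p1, p2 = fields
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def diagnose(reply, control_peer, forwarded):
    """Check a PASV reply against what the NAT box actually forwards.

    control_peer: the address the client connected to on port 21.
    forwarded:    list of (lo, hi) TCP port ranges DNATed to the FTP host.
    Returns a list of problems; an empty list means 'ls' should succeed.
    """
    ip, port = parse_pasv(reply)
    problems = []
    if ip != control_peer:
        problems.append(
            "server advertised %s but the control connection is to %s: "
            "set 'MasqueradeAddress %s' in proftpd.conf (or load nf_nat_ftp "
            "on the NAT box so the 227 reply is rewritten)"
            % (ip, control_peer, control_peer))
    if not any(lo <= port <= hi for lo, hi in forwarded):
        problems.append(
            "data port %d is not DNATed to the FTP host, so the client's "
            "connect() times out" % port)
    return problems


def nat_rules(public_if, ftp_ip, passive_lo, passive_hi):
    """Render the narrow ruleset to use instead of forwarding 1024:65535.

    Only port 21 and the PassivePorts range are exposed; data connections
    are tied to their control connection by the ftp conntrack helper
    rather than by blanket-accepting every high port.  The raw-table CT
    rule is needed because kernels >= 4.7 no longer attach helpers
    automatically (assumption: the NAT box runs such a kernel).
    """
    rng = "%d:%d" % (passive_lo, passive_hi)
    return [
        "modprobe nf_conntrack_ftp nf_nat_ftp",
        "iptables -t raw -A PREROUTING -i %s -p tcp --dport 21 -j CT --helper ftp"
        % public_if,
        "iptables -t nat -A PREROUTING -i %s -p tcp --dport 21 "
        "-j DNAT --to-destination %s:21" % (public_if, ftp_ip),
        "iptables -t nat -A PREROUTING -i %s -p tcp --dport %s "
        "-j DNAT --to-destination %s" % (public_if, rng, ftp_ip),
        "iptables -A FORWARD -i %s -d %s -p tcp --dport 21 "
        "-m conntrack --ctstate NEW -j ACCEPT" % (public_if, ftp_ip),
        "iptables -A FORWARD -i %s -d %s -p tcp --dport %s "
        "-m conntrack --ctstate NEW -j ACCEPT" % (public_if, ftp_ip, rng),
        "iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
        "iptables -t nat -A POSTROUTING -o %s -j MASQUERADE" % public_if,
    ]


if __name__ == "__main__":
    # Constructed inputs: the thread's reply versus the firewall as first posted.
    thread_reply = "227 Entering Passive Mode (50,17,79,90,251,162)."
    for p in diagnose(thread_reply, "50.17.79.90", [(20, 20), (21, 21)]):
        print("PROBLEM:", p)
    # After setting PassivePorts 49152 49200 and forwarding that range only.
    fixed_reply = "227 Entering Passive Mode (50,17,79,90,192,8)."
    print("fixed:", diagnose(fixed_reply, "50.17.79.90", [(21, 21), (49152, 49200)]))
    print("\n".join(nat_rules("eth0", "10.205.13.97", 49152, 49200)))
```

Running it against the thread's reply reports that data port 64418 is not forwarded, which is exactly the "connect: Connection timed out" seen after `passive`. The rendered rules still need a restrictive FORWARD policy (or a trailing DROP) to be meaningful; with `iptables -P FORWARD ACCEPT`, as in the thread's first listing, the per-port ACCEPTs change nothing.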

