LinuxQuestions.org

Thread: FTP server (Windows) behind NAT (IPtables), Linux - Newbie forum (http://www.linuxquestions.org/questions/linux-newbie-8/ftp-server-windows-behind-nat-iptables-132104/)

SWAT 01-06-2004 02:03 PM

FTP server (Windows) behind NAT (IPtables)
 
I have a linux router (Debian 3.0) with IPtables. I've routed and masked my web traffic with the configuration beneath (with it I can also access remote FTPs). I have 2 network interfaces.
Code:

modprobe iptable_nat
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward


I set up my FTP-server on my Windows machine (behind the NAT; 192.168.1.2). I can't access my FTP from the internet or from the local LAN. Please help me solve this! I've read many things, but nothing seems to work.

IP-linux-router xx.xxx.xx.xxx
IP-FTP-server 192.168.1.2
Port 12345
Internet interface ppp0
Ethernet interface eth0

gundelgauk 01-06-2004 05:55 PM

If you cannot even connect to your FTP server from the local LAN (i.e. ftp 192.168.1.2) then something is wrong with the configuration of your server or your whole network configuration. Having NAT to the internet should have no influence on connections that stay inside your LAN.

For others to be able to connect to your ftp server from outside your LAN, you need to configure the router to forward incoming connections from the inet on ports 20 and 21 to your ftp server.

This could be done like the following:

First you need to accept incoming connections on these ports:
Code:

iptables -A INPUT -i ppp0 -p tcp --destination-port 20 -m state --state NEW -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --destination-port 21 -m state --state NEW -j ACCEPT

Then you need to translate the connections' destination addresses (from your router's ppp0 to your ftp server's eth0) and forward them to your ftp server:
Code:

iptables -t nat -A PREROUTING -i ppp0 -p tcp --destination-port 20 -j DNAT --to-destination 192.168.1.2
iptables -t nat -A PREROUTING -i ppp0 -p tcp --destination-port 21 -j DNAT --to-destination 192.168.1.2

I have not tested this but to my knowledge it should work. Anyone please feel free to correct or supplement me. If you do not understand what these iptables lines do then consult man iptables or any iptables/nat howto on the web.


Good luck!

SWAT 01-07-2004 07:07 AM

Well I tried it and it doesn't work. But I can access my FTP from my LAN, so my FTP-server works. Somehow the data isn't forwarded properly.
I even tried to change the ports 20 and 21 to 12345, but that wouldn't help either. I want to use the port 12345 for everyone to connect to my FTP.
HELP!!!!!

gundelgauk 01-07-2004 10:18 AM

There could be a number of reasons for this. For example the firewall on the ftp server (not the router) could drop incoming connections from outside the LAN. Or the ftp daemon itself denies them. Maybe the ftpd actually accepts the connections but they get blocked on the way out?

Try running tcpdump on the ftp server box and see if the connections from outside do actually reach the server. If not then the problem seems to (but doesn't have to) lie with the router. If they do reach the server machine but no connection is established, check your ftpd/firewall config. Also check /var/log/messages on both machines for any hints. We need to localize the problem before we can do anything about it.

Also try thinking of other ways of testing at which point exactly the connection attempts die.

Post any results here! ;)

kev82 01-07-2004 11:04 AM

If you want to use FTP (or IRC) through NAT then you need the modules ip_nat_{ftp|irc}, and similarly if you're using conntrack you need the modules ip_conntrack_{ftp|irc}. Make sure the appropriate modules are loaded.

SWAT 01-07-2004 02:28 PM

I can't do a tcpdump etc. because my FTP-server is on my WINDOWS box, behind my LINUX router. But my FTP-server doesn't give any errors when I try to connect (which still doesn't work).
Even with ip_nat_ftp and ip_conntrack_ftp loaded, it won't work. I think that the forwarding from my linux-box to my windows-box is somehow screwed, because the incoming connection on my linux box (incoming from ppp0, port 12345) needs to be forwarded to my windows box (outgoing to eth0, port 12345, IP 192.168.1.2).
Could it be that I need some syntax for IPtables like this? (doesn't work)
Code:

# Variables as used in this thread; $EXT_IP is the router's public address (not given in the thread)
EXT_IF=ppp0; INT_IF=eth0; INT_IP=192.168.1.2; EXT_IP=xx.xxx.xx.xxx
iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $INT_IP --dport 21 -j ACCEPT
iptables -A FORWARD -i $INT_IF -o $EXT_IF -p tcp -s $INT_IP --sport 21 -j ACCEPT
# DNAT must point at the FTP server ($INT_IP); the line as posted had --to 172.16.0.1, which is not this server
iptables -A PREROUTING -t nat -p tcp -d $EXT_IP -i $EXT_IF --dport 21 -j DNAT --to $INT_IP
iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $INT_IP --dport 1024:65535 --sport 1024:65535 -j ACCEPT
iptables -A FORWARD -o $EXT_IF -i $INT_IF -p tcp -s $INT_IP --dport 1024:65535 --sport 1024:65535 -j ACCEPT

clau_bolson 01-07-2004 02:34 PM

SWAT, are you trying to connect using active mode or passive mode?

SWAT 01-08-2004 06:02 AM

I'm trying to use both

clau_bolson 01-08-2004 07:33 AM

So, 192.168.2.1 is listening on port 12345?
Try this:

a. Make 192.168.2.1 listen on port 21 (default).
In fact there are two ports needed for FTP: 21 and 20.

b. Write your rules like this:
Code:

# Variables as used in this thread; $EXT_IP is the router's public address (not given in the thread)
EXT_IF=ppp0; INT_IF=eth0; INT_IP=192.168.1.2; EXT_IP=xx.xxx.xx.xxx
iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $INT_IP --dport 21 -j ACCEPT
iptables -A FORWARD -i $INT_IF -o $EXT_IF -p tcp -s $INT_IP --sport 21 -j ACCEPT
iptables -A PREROUTING -t nat -p tcp -d $EXT_IP -i $EXT_IF --dport 21 -j DNAT --to $INT_IP
iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $INT_IP --dport 20 -j ACCEPT
iptables -A FORWARD -i $INT_IF -o $EXT_IF -p tcp -s $INT_IP --sport 20 -j ACCEPT
iptables -A PREROUTING -t nat -p tcp -d $EXT_IP -i $EXT_IF --dport 20 -j DNAT --to $INT_IP
iptables -t nat -A POSTROUTING -s $INT_IP -j SNAT --to-source $EXT_IP

c. Also the Windows box must have the Linux box as gateway.

d. Try it on your $EXT_IP port 21 and only active mode.

If this works, then we can go on to enable port 12345.
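The rule set the three answers above converge on (gundelgauk's DNAT rules, kev82's helper modules, clau_bolson's FORWARD rules), as one added example; this is not code from any poster, and it uses the thread's interface name and server address only as defaults. Two points the thread does not spell out: a packet DNATed in PREROUTING to 192.168.1.2 is routed onward, so it traverses the router's FORWARD chain and never INPUT, which is why INPUT rules for the forwarded port do nothing; and the FTP conntrack helper only watches port 21 unless it is told which port carries the control channel (ports=12345), so a non-standard public port silently bypasses it. The passive port range is an assumption: the ftpd on the Windows box would have to be configured to use the same range. Commands are printed by default; as root, IPT=iptables MODPROBE=modprobe applies them.

```shell
#!/bin/sh
# Added example, not code from any poster in this thread. Defaults follow the
# thread: Internet interface ppp0, FTP server 192.168.1.2. Dry-run by default:
# the commands are printed; run as root with IPT=iptables MODPROBE=modprobe
# to apply them.
IPT="${IPT:-echo iptables}"
MODPROBE="${MODPROBE:-echo modprobe}"

# ftp_nat_rules EXT_IF INT_IP PUB_PORT SRV_PORT PASV_LO PASV_HI
#   EXT_IF    interface towards the Internet
#   INT_IP    the FTP server on the LAN
#   PUB_PORT  port Internet clients connect to (12345 in the thread)
#   SRV_PORT  port the ftpd actually listens on (21)
#   PASV_LO/HI passive data-port range; the ftpd must be configured to use
#             the same range (assumed, not given in the thread)
ftp_nat_rules() {
    ext_if=$1; int_ip=$2; pub_port=$3; srv_port=$4; pasv_lo=$5; pasv_hi=$6

    # Conntrack helper (2.4-era names as in kev82's post; nf_conntrack_ftp /
    # nf_nat_ftp on current kernels). It parses PORT/PASV on the control
    # channel and rewrites the private address inside them. It only watches
    # port 21 unless told otherwise, and only works on a plaintext control
    # channel (not FTPS).
    $MODPROBE ip_conntrack_ftp ports="$pub_port"
    $MODPROBE ip_nat_ftp

    # Control channel: DNAT in PREROUTING rewrites the destination before the
    # routing decision, so the packet is forwarded, not delivered locally.
    # The matching ACCEPT therefore belongs in FORWARD, not INPUT.
    $IPT -t nat -A PREROUTING -i "$ext_if" -p tcp --dport "$pub_port" \
         -j DNAT --to-destination "$int_ip:$srv_port"
    $IPT -A FORWARD -i "$ext_if" -p tcp -d "$int_ip" --dport "$srv_port" \
         -m state --state NEW -j ACCEPT

    # Passive mode: the server names a port in its 227 reply and the client
    # connects to it, so that range must reach the server as well. The helper
    # sets this up per session when it can read the control channel; the
    # explicit rules also cover sessions it cannot.
    $IPT -t nat -A PREROUTING -i "$ext_if" -p tcp --dport "$pasv_lo:$pasv_hi" \
         -j DNAT --to-destination "$int_ip"
    $IPT -A FORWARD -i "$ext_if" -p tcp -d "$int_ip" --dport "$pasv_lo:$pasv_hi" \
         -m state --state NEW -j ACCEPT

    # Active mode: the server opens the data connection itself, from port 20
    # outward, so it leaves through MASQUERADE like any other LAN host and
    # needs no port-20 DNAT rule. Replies and helper-tracked data connections
    # are ESTABLISHED/RELATED.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$ext_if" -j MASQUERADE

    # Forwarding itself, as in the original poster's configuration.
    if [ "$IPT" = iptables ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# Usage: sh ftp-nat.sh ppp0 192.168.1.2 12345 21 50000 50010
if [ $# -eq 6 ]; then
    ftp_nat_rules "$@"
fi
```

Note that the FORWARD rules only matter once the chain's policy is changed from ACCEPT to DROP; with the policy ACCEPT shown later in the thread, the PREROUTING DNAT line and the helper modules are the parts that do the work.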

SWAT 01-08-2004 01:40 PM

DAMMIT, it still doesn't work!!!!
This is what I get when I do 'iptables -L':
Code:

Chain INPUT (policy ACCEPT)
target     prot opt source        destination

Chain FORWARD (policy ACCEPT)
target     prot opt source        destination
ACCEPT     tcp  --  anywhere      192.168.1.2   tcp dpt:ftp
ACCEPT     tcp  --  192.168.1.2   anywhere      tcp spt:ftp
ACCEPT     tcp  --  anywhere      192.168.1.2   tcp dpt:ftp-data
ACCEPT     tcp  --  192.168.1.2   anywhere      tcp spt:ftp-data

Chain OUTPUT (policy ACCEPT)
target     prot opt source        destination

This is what I get from my FTP client:
Code:

Connecting to 80.100.68.159
Connected to 80.100.68.159 -> IP=80.100.68.159 PORT=21
Connection failed (Connection lost)

SWAT 01-08-2004 01:54 PM

Oh yeah, and with my standard configuration (for plain NAT):
Code:

modprobe iptable_nat
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

I can only access external FTPs (like Gentoo or Debian) ONLY in passive mode. When I use active mode I get errors like the two below:
Code:

500 Illegal PORT Command
500 Can't build data connection: no PORT specified
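Why plain MASQUERADE produces exactly these two errors, as an added example that is not part of the thread. In active mode the client sends PORT h1,h2,h3,h4,p1,p2, naming the address and port (p1*256+p2) it will listen on for the data connection. A client behind NAT puts its private LAN address in there; the remote server compares that address with the peer address of the control connection and, as its defence against the FTP bounce attack, refuses with 500 Illegal PORT Command. The following LIST or RETR then fails with "no PORT specified" because no data connection was ever agreed. The ip_nat_ftp helper cures this by rewriting the PORT argument to the router's public address on the way out. The functions below model the server-side check and the helper's rewrite; the public address 198.51.100.7 is a constructed placeholder, and the LAN address is the thread's 192.168.1.2.

```shell
#!/bin/sh
# Added example, not code from the thread: a model of the FTP PORT command,
# the check a server applies to it, and the rewrite the NAT helper performs.

# port_cmd_to_addr "PORT h1,h2,h3,h4,p1,p2"  ->  "h1.h2.h3.h4 port"
# The port is p1*256 + p2 (RFC 959). Returns 1 on anything malformed.
port_cmd_to_addr() {
    old_ifs=$IFS
    IFS=', '
    set -- $1
    IFS=$old_ifs
    [ $# -eq 7 ] && [ "$1" = PORT ] || return 1
    echo "$2.$3.$4.$5 $(( $6 * 256 + $7 ))"
}

# check_port_cmd PEER_IP "PORT ..."  ->  the reply a careful ftpd gives.
# The address in PORT must equal the address the control connection came
# from; anything else is either a NAT artefact or an attempted bounce through
# the server, and is refused. This is the check behind "500 Illegal PORT".
check_port_cmd() {
    peer=$1
    addr=$(port_cmd_to_addr "$2") || { echo "501 Syntax error in parameters"; return 1; }
    if [ "${addr% *}" != "$peer" ]; then
        echo "500 Illegal PORT Command"
        return 1
    fi
    echo "200 PORT command successful"
}

# rewrite_port_cmd "PORT ..." PUBLIC_IP  ->  "PORT a,b,c,d,p1,p2"
# What ip_nat_ftp does to the outgoing control stream: replace the private
# address with the router's public one and keep the port. (The real helper
# also patches TCP sequence numbers when the new text differs in length, and
# registers the expected inbound data connection so it is DNATed back.)
rewrite_port_cmd() {
    addr=$(port_cmd_to_addr "$1") || return 1
    port=${addr#* }
    echo "PORT $(printf '%s' "$2" | tr '.' ','),$(( port / 256 )),$(( port % 256 ))"
}

# Constructed walk-through: a LAN host (192.168.1.2) talking to a remote
# server through a router whose public address is the placeholder 198.51.100.7.
if [ $# -eq 0 ]; then
    cmd='PORT 192,168,1,2,4,1'
    echo "client sends:   $cmd"
    echo "server replies: $(check_port_cmd 198.51.100.7 "$cmd")"
    fixed=$(rewrite_port_cmd "$cmd" 198.51.100.7)
    echo "after helper:   $fixed"
    echo "server replies: $(check_port_cmd 198.51.100.7 "$fixed")"
fi
```

The same mismatch exists in the other direction for a server behind NAT: its 227 reply to PASV carries 192.168.1.2, which the Internet client cannot reach, and ip_nat_ftp rewrites that too. Either way the helper only helps when it can read the control channel, which is why the poster's report of loading it but seeing no change points at the control connection never being established at all.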

