FTP server (Windows) behind NAT (IPtables)
I have a Linux router (Debian 3.0) with iptables. I've routed and masked my web traffic with the configuration beneath (with it I can also access remote FTPs). I have 2 network interfaces.
Code:
modprobe iptable_nat
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

I set up my FTP server on my Windows machine (behind the NAT; 192.168.1.2). I can't access my FTP from the internet or from the local LAN. Please help me solve this! I've read many things, but nothing seems to work.

IP Linux router: xx.xxx.xx.xxx
IP FTP server: 192.168.1.2
Port: 12345
Internet interface: ppp0
Ethernet interface: eth0 |
If you cannot even connect to your FTP server from the local LAN (i.e. ftp 192.168.1.2) then something is wrong with the configuration of your server or your whole network configuration. Having NAT to the internet should have no influence on connections that stay inside your LAN.
For others to be able to connect to your FTP server from outside your LAN, you need to configure the router to forward incoming connections from the internet on ports 20 and 21 to your FTP server. This could be done like the following. First you need to accept incoming connections on these ports:
Code:
iptables -A INPUT -i ppp0 -p tcp --destination-port 20 -m state --state NEW -j ACCEPT

Code:
iptables -t nat -A PREROUTING -i ppp0 -p tcp --destination-port 20 -j DNAT --to-destination 192.168.1.2

Good luck! |
Well, I tried it and it doesn't work. But I can access my FTP from my LAN, so my FTP server works. Somehow the data isn't forwarded properly.
I even tried to change the ports 20 and 21 to 12345, but that wouldn't help either. I want to use port 12345 for everyone to connect to my FTP. HELP!!!!! |
There could be a number of reasons for this. For example the firewall on the FTP server (not the router) could drop incoming connections from outside the LAN. Or the FTP daemon itself denies them. Maybe the ftpd actually accepts the connections but they get blocked on the way out?
Try running tcpdump on the FTP server box and see if the connections from outside do actually reach the server. If not, then the problem seems to (but doesn't have to) lie with the router. If they do reach the server machine but no connection is established, check your ftpd/firewall config. Also check /var/log/messages on both machines for any hints. We need to localize the problem before we can do anything about it. Also try thinking of other ways of testing at which point exactly the connection attempts die. Post any results here! ;) |
If you want to use FTP (or IRC) through NAT then you need the modules ip_nat_{ftp|irc}, and similarly if you're using conntrack you need the modules ip_conntrack_{ftp|irc}. Make sure the appropriate modules are loaded.
|
I can't do a tcpdump etc. because my FTP server is on my WINDOWS box, behind my LINUX router. But my FTP server doesn't give any errors when I try to connect (which still doesn't work).
Even with ip_nat_ftp and ip_conntrack_ftp loaded, it won't work. I think that the forwarding from my Linux box to my Windows box is somehow screwed, because the incoming connection on my Linux box (incoming from ppp0, port 12345) needs to be forwarded to my Windows box (outgoing to eth0, port 12345, IP 192.168.1.2). Could it be that I need some syntax for iptables like this? (doesn't work)
Code:
iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $INT_IP --dport 21 -j ACCEPT
iptables -A FORWARD -i $INT_IF -o $EXT_IF -p tcp -s $INT_IP --sport 21 -j ACCEPT
iptables -A PREROUTING -t nat -p tcp -d $EXT_IP -i $EXT_IF --dport 21 -j DNAT --to 172.16.0.1
iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $INT_IP --dport 1024:65535 --sport 1024:65535 -j ACCEPT
iptables -A FORWARD -o $EXT_IF -i $INT_IF -p tcp -s $INT_IP --dport 1024:65535 --sport 1024:65535 -j ACCEPT |
SWAT, are you trying to connect using active mode or passive mode?
|
I'm trying to use both
|
So, 192.168.2.1 is listening on port 12345?
Try this:
a. Make 192.168.2.1 listen on port 21 (default). In fact there are two ports needed for FTP: 21 and 20.
b. Write your rules like this:
Code:
iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $INT_IP --dport 21 -j ACCEPT
iptables -A FORWARD -i $INT_IF -o $EXT_IF -p tcp -s $INT_IP --sport 21 -j ACCEPT
iptables -A PREROUTING -t nat -p tcp -d $EXT_IP -i $EXT_IF --dport 21 -j DNAT --to $INT_IP
iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $INT_IP --dport 20 -j ACCEPT
iptables -A FORWARD -i $INT_IF -o $EXT_IF -p tcp -s $INT_IP --sport 20 -j ACCEPT
iptables -A PREROUTING -t nat -p tcp -d $EXT_IP -i $EXT_IF --dport 20 -j DNAT --to $INT_IP
iptables -t nat -A POSTROUTING -s $INT_IP -j SNAT --to-source $EXT_IP

c. Also the Windows box must have the Linux box as gateway.
d. Try it on your $EXT_IP port 21 and only active mode. If this works, then we can go on to enabling port 12345. |
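The rule set above, written out as one script with the variables filled in and with the pieces the thread mentions separately (the ip_conntrack_ftp/ip_nat_ftp helper modules, ip_forward, and FORWARD rather than INPUT rules for DNATed traffic) put together. This is an added example by the editor, not code posted in the thread. It assumes the interfaces and server address from the first post (ppp0, eth0, 192.168.1.2), defaults FTP_PORT to 21 as the reply suggests, and uses a hypothetical passive-mode port range (50000:50100) that the FTP daemon itself must be configured to use. With DRY_RUN=1 (the default) it only prints the commands; set DRY_RUN=0 to apply them.

```shell
#!/bin/sh
# Added example: forward an FTP server behind an iptables NAT router.
# Interfaces and server address are the thread's; the passive range is an
# assumed value that must match the FTP daemon's configuration.
EXT_IF=${EXT_IF:-ppp0}
INT_IF=${INT_IF:-eth0}
INT_IP=${INT_IP:-192.168.1.2}
FTP_PORT=${FTP_PORT:-21}
PASV_RANGE=${PASV_RANGE:-50000:50100}
DRY_RUN=${DRY_RUN:-1}

# Print each command (DRY_RUN=1) or execute it (DRY_RUN=0).
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

ftp_nat_rules() {
    # FTP helper modules: rewrite PORT/PASV addresses inside the control
    # channel and track the data connection as RELATED.  These are the
    # 2.4-era names used in the thread; on 2.6+ kernels they are
    # nf_conntrack_ftp and nf_nat_ftp.
    run modprobe ip_conntrack_ftp
    run modprobe ip_nat_ftp
    # Routing between the two interfaces (same as echo 1 > /proc/sys/...).
    run sysctl -w net.ipv4.ip_forward=1
    # The poster's existing masquerade rule for outbound LAN traffic.
    run iptables -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
    # Inbound control connections go to the FTP server.
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport "$FTP_PORT" \
        -j DNAT --to-destination "$INT_IP:$FTP_PORT"
    # Passive-mode data connections arrive on the configured range.
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport "$PASV_RANGE" \
        -j DNAT --to-destination "$INT_IP"
    # DNATed packets traverse FORWARD, not INPUT.  Allow only new control and
    # passive-data connections to the server, everything conntrack already
    # knows (ESTABLISHED/RELATED, which covers active-mode data from port 20),
    # and drop any other new inbound traffic so the DNATs are the only entry.
    run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$INT_IP" \
        --dport "$FTP_PORT" -m state --state NEW -j ACCEPT
    run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$INT_IP" \
        --dport "$PASV_RANGE" -m state --state NEW -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -m state --state NEW -j DROP
}

ftp_nat_rules
```

Two caveats a practitioner will hit. The passive range must be set in the FTP daemon (and, because the server is behind NAT, the daemon must advertise the router's public address in its 227 reply, or ip_nat_ftp must rewrite it). And on kernels from 4.7 onward the conntrack helper is no longer attached automatically: an explicit `iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp` rule is required, otherwise only the control connection works.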
DAMMIT, it still doesn't work!!!!
This is what I get when I do 'iptables -L':
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             192.168.1.2         tcp dpt:ftp
ACCEPT     tcp  --  192.168.1.2          anywhere            tcp spt:ftp
ACCEPT     tcp  --  anywhere             192.168.1.2         tcp dpt:ftp-data
ACCEPT     tcp  --  192.168.1.2          anywhere            tcp spt:ftp-data

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

This is what I get from my FTP client:
Code:
Connecting to 80.100.68.159
Connected to 80.100.68.159 -> IP=80.100.68.159 PORT=21
Connection failed (Connection lost) |
Oh yeah, and with my standard configuration (for plain NAT):
Code:
modprobe iptable_nat
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

I can only access external FTPs (like Gentoo or Debian) in passive mode. When I use active mode I get errors like the two below:
Code:
500 Illegal PORT Command
500 Can't build data connection: no PORT specified |
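The two errors above are what a plain MASQUERADE without the ip_nat_ftp helper produces in active mode: the client puts its private LAN address into the PORT command, the remote server compares that address with the source of the control connection, rejects the mismatch with "500 Illegal PORT Command", and then has no data address to use for the transfer. The script below, an added example by the editor and not code from the thread, decodes and re-encodes PORT arguments, applies the check many FTP servers make on them, and shows the rewrite the NAT helper performs. The addresses are constructed: the client is the thread's 192.168.1.2, and 203.0.113.5 stands in for the router's public address.

```shell
#!/bin/sh
# Added example: why active-mode FTP fails through NAT without the helper.
# 203.0.113.5 is a constructed public address (documentation range).

# "h1,h2,h3,h4,p1,p2"  ->  "h1.h2.h3.h4 port"
port_arg_decode() {
    oldifs=$IFS
    IFS=,
    set -- $1
    IFS=$oldifs
    [ $# -eq 6 ] || return 1
    echo "$1.$2.$3.$4 $(( $5 * 256 + $6 ))"
}

# "ip port"  ->  "h1,h2,h3,h4,p1,p2"
port_arg_encode() {
    ip=$1
    port=$2
    oldifs=$IFS
    IFS=.
    set -- $ip
    IFS=$oldifs
    echo "$1,$2,$3,$4,$(( port / 256 )),$(( port % 256 ))"
}

# The check a server applies to PORT: the advertised address must be the
# peer address of the control connection and the port must be unprivileged.
# A mismatch is answered with the thread's "500 Illegal PORT Command".
server_check_port() {
    peer=$1
    arg=$2
    decoded=$(port_arg_decode "$arg") || { echo "501 Syntax error in parameters"; return 1; }
    ip=${decoded% *}
    port=${decoded#* }
    if [ "$ip" != "$peer" ] || [ "$port" -lt 1024 ]; then
        echo "500 Illegal PORT Command"
        return 1
    fi
    echo "200 PORT command successful"
}

# What ip_nat_ftp does on the outbound control channel: replace the private
# address in PORT with the router's public address (and expect the server's
# data connection to that address:port as RELATED, so it is NATed back).
nat_rewrite_port() {
    public_ip=$1
    arg=$2
    decoded=$(port_arg_decode "$arg") || return 1
    port=${decoded#* }
    port_arg_encode "$public_ip" "$port"
}

# Walk through the failing and the helped exchange with constructed values.
demo() {
    arg=$(port_arg_encode 192.168.1.2 12345)
    echo "client sends:        PORT $arg"
    echo "server, no helper:   $(server_check_port 203.0.113.5 "$arg")"
    fixed=$(nat_rewrite_port 203.0.113.5 "$arg")
    echo "after ip_nat_ftp:    PORT $fixed"
    echo "server, with helper: $(server_check_port 203.0.113.5 "$fixed")"
}

demo
```

Passive mode works through plain MASQUERADE because the client opens the data connection itself, so nothing in the control channel has to be rewritten; that is exactly the asymmetry the poster sees. With the helper loaded (ip_nat_ftp on the router in this thread, nf_nat_ftp on newer kernels, together with the raw-table CT helper rule on kernels from 4.7) active mode from the LAN works as well.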