LinuxQuestions.org
Old 01-06-2004, 01:03 PM   #1
SWAT
FTP server (Windows) behind NAT (IPtables)


I have a Linux router (Debian 3.0) with IPtables. I've routed and masked my web traffic with the configuration beneath (with it I can also access remote FTPs). I have 2 network interfaces.
Code:
modprobe iptable_nat
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward


I set up my FTP server on my Windows machine (behind the NAT; 192.168.1.2). I can't access my FTP from the internet or from the local LAN. Please help me solve this! I've read many things, but nothing seems to work.

IP-linux-router xx.xxx.xx.xxx
IP-FTP-server 192.168.1.2
Port 12345
Internet interface ppp0
Ethernet interface eth0
 
Old 01-06-2004, 04:55 PM   #2
gundelgauk
If you cannot even connect to your FTP server from the local LAN (i.e. ftp 192.168.1.2) then something is wrong with the configuration of your server or your whole network configuration. Having NAT to the internet should have no influence on connections that stay inside your LAN.

For others to be able to connect to your ftp server from outside your LAN, you need to configure the router to forward incoming connections from the inet on ports 20 and 21 to your ftp server.

This could be done like the following:

First you need to accept incoming connections on these ports:
Code:
iptables -A INPUT -i ppp0 -p tcp --destination-port 20 -m state --state NEW -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --destination-port 21 -m state --state NEW -j ACCEPT
Then you need to translate the connections' destination addresses (from your router's ppp0 to your ftp server's eth0) and forward them to your ftp server:
Code:
iptables -t nat -A PREROUTING -i ppp0 -p tcp --destination-port 20 -j DNAT --to-destination 192.168.1.2
iptables -t nat -A PREROUTING -i ppp0 -p tcp --destination-port 21 -j DNAT --to-destination 192.168.1.2
I have not tested this but to my knowledge it should work. Anyone please feel free to correct or supplement me. If you do not understand what these iptables lines do then consult man iptables or any iptables/nat howto on the web.


Good luck!
 
Old 01-07-2004, 06:07 AM   #3
SWAT
Well I tried it and it doesn't work. But I can access my FTP from my LAN, so my FTP-server works. Somehow the data isn't forwarded properly.
I even tried to change the ports 20 and 21 to 12345, but that wouldn't help either. I want to use the port 12345 for everyone to connect to my FTP.
HELP!!!!!
 
Old 01-07-2004, 09:18 AM   #4
gundelgauk
There could be a number of reasons for this. For example the firewall on the ftp server (not the router) could drop incoming connections from outside the LAN. Or the ftp daemon itself denies them. Maybe the ftpd actually accepts the connections but they get blocked on the way out?

Try running tcpdump on the ftp server box and see if the connections from outside do actually reach the server. If not then the problem seems to (but doesn't have to) lie with the router. If they do reach the server machine but no connection is established, check your ftpd/firewall config. Also check /var/log/messages on both machines for any hints. We need to localize the problem before we can do anything about it.

Also try thinking of other ways of testing at which point exactly the connection attempts die.

Post any results here!
 
Old 01-07-2004, 10:04 AM   #5
kev82
If you want to use FTP (or IRC) through NAT then you need the modules ip_nat_{ftp|irc}, and similarly if you're using conntrack you need the modules ip_conntrack_{ftp|irc}. Make sure the appropriate modules are loaded.
 
Old 01-07-2004, 01:28 PM   #6
SWAT
I can't do a tcpdump etc. because my FTP server is on my WINDOWS box, behind my LINUX router. But my FTP server doesn't give any errors when I try to connect (which still doesn't work).
Even with ip_nat_ftp and ip_conntrack_ftp loaded, it won't work. I think that the forwarding from my Linux box to my Windows box is somehow screwed, because the incoming connection on my Linux box (incoming from ppp0, port 12345) needs to be forwarded to my Windows box (outgoing to eth0, port 12345, IP 192.168.1.2).
Could it be that I need some syntax for IPtables like this? (doesn't work)
Code:
iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $INT_IP --dport 21 -j ACCEPT
iptables -A FORWARD -i $INT_IF -o $EXT_IF -p tcp -s $INT_IP --sport 21 -j ACCEPT
iptables -A PREROUTING -t nat -p tcp -d $EXT_IP -i $EXT_IF --dport 21 -j DNAT --to 172.16.0.1
iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $INT_IP --dport 1024:65535 --sport 1024:65535 -j ACCEPT
iptables -A FORWARD -o $EXT_IF -i $INT_IF -p tcp -s $INT_IP --dport 1024:65535 --sport 1024:65535 -j ACCEPT
 
Old 01-07-2004, 01:34 PM   #7
clau_bolson
SWAT, are you trying to connect using active mode or passive mode?
 
Old 01-08-2004, 05:02 AM   #8
SWAT
I'm trying to use both
 
Old 01-08-2004, 06:33 AM   #9
clau_bolson
So, 192.168.2.1 is listening on port 12345?
Try this:

a. Make 192.168.2.1 listen on port 21 (default).
In fact there are two ports needed for FTP: 21 and 20.

b. Write your rules like this:
Code:
iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $INT_IP --dport 21 -j ACCEPT
iptables -A FORWARD -i $INT_IF -o $EXT_IF -p tcp -s $INT_IP --sport 21 -j ACCEPT
iptables -A PREROUTING -t nat -p tcp -d $EXT_IP -i $EXT_IF --dport 21 -j DNAT --to $INT_IP
iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $INT_IP --dport 20 -j ACCEPT
iptables -A FORWARD -i $INT_IF -o $EXT_IF -p tcp -s $INT_IP --sport 20 -j ACCEPT
iptables -A PREROUTING -t nat -p tcp -d $EXT_IP -i $EXT_IF --dport 20 -j DNAT --to $INT_IP
iptables -t nat -A POSTROUTING -s $INT_IP -j SNAT --to-source $EXT_IP

c. Also the Windows box must have the Linux box as gateway.

d. Try it on your $EXT_IP port 21 and only active mode.

If this works, then we can go on enabling port 12345.
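Pulling together the advice of posts #2, #5 and #9 (forward only the control port, load the FTP helpers so the data connections are tracked as RELATED, and do not rely on an ACCEPT-everything FORWARD chain), here is an added example rule generator that is not from any poster in this thread. It assumes the thread's values (ppp0, eth0, 192.168.1.2, port 12345) as defaults; the `emit`, `ftp_nat_rules` and `count_rules` functions and the `IPT_APPLY` switch are names I chose, while `ports=` is the real module parameter of ip_conntrack_ftp. Without IPT_APPLY=1 it only prints the commands, so they can be reviewed before touching a live router.

```shell
#!/bin/sh
# Publish an FTP server behind a Linux NAT router. Defaults follow the thread
# (ppp0 outside, eth0 inside, server 192.168.1.2, control port 12345); all are
# overridable via the environment. Added example, not a poster's code.
EXT_IF="${EXT_IF:-ppp0}"
INT_IF="${INT_IF:-eth0}"
INT_IP="${INT_IP:-192.168.1.2}"
FTP_PORT="${FTP_PORT:-12345}"

# Print one command (dry run), or execute it when IPT_APPLY=1 is set.
emit() {
    if [ "${IPT_APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

ftp_nat_rules() {
    # The FTP helpers watch the PORT/PASV exchange on the control connection and
    # rewrite the addresses in it; a non-standard control port must be listed,
    # otherwise the helper never sees the session and data connections fail.
    emit modprobe ip_conntrack_ftp ports=21,"$FTP_PORT"
    emit modprobe ip_nat_ftp
    emit sysctl -w net.ipv4.ip_forward=1   # same as echo 1 > /proc/sys/net/ipv4/ip_forward
    # Rewrite the destination of inbound control connections to the server.
    # DNAT'd packets then traverse FORWARD, not INPUT, so INPUT rules do not help.
    emit iptables -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport "$FTP_PORT" \
        -j DNAT --to-destination "$INT_IP:$FTP_PORT"
    # Only the control port is opened explicitly; active and passive data
    # connections are RELATED to it via the helper, so no 1024:65535 hole is needed.
    emit iptables -P FORWARD DROP
    emit iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$INT_IP" \
        --dport "$FTP_PORT" -m state --state NEW -j ACCEPT
    emit iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    emit iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -m state --state NEW -j ACCEPT
    # Masquerade LAN traffic leaving via the dial-up interface (the original rule).
    emit iptables -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
}

# Count generated command lines containing a given string (self-check helper).
count_rules() { ftp_nat_rules | grep -c -- "$1"; }

ftp_nat_rules
```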
 
Old 01-08-2004, 12:40 PM   #10
SWAT
DAMMIT, it still doesn't work!!!!
This is what I get when I do 'iptables -L':
Code:
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere 192.168.1.2 tcp dpt:ftp
ACCEPT tcp -- 192.168.1.2 anywhere tcp spt:ftp
ACCEPT tcp -- anywhere 192.168.1.2 tcp dpt:ftp-data
ACCEPT tcp -- 192.168.1.2 anywhere tcp spt:ftp-data

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

This is what I get from my FTP client:
Code:
Connecting to 80.100.68.159
Connected to 80.100.68.159 -> IP=80.100.68.159 PORT=21
Connection failed (Connection lost)
 
Old 01-08-2004, 12:54 PM   #11
SWAT
Oh yeah, and with my standard configuration (for plain NAT):
Code:
modprobe iptable_nat
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

I can access external FTPs (like Gentoo or Debian) ONLY in passive mode. When I use active mode I get errors like the two below:
Code:
500 Illegal PORT Command
500 Can't build data connection: no PORT specified
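To show why those two 500 errors appear in active mode from behind a plain MASQUERADE, here is an added example (not from the thread) that decodes a PORT command the way the remote server does: the client announces its own address, and a private 192.168.x.x address is useless to a server on the internet unless ip_nat_ftp has rewritten it to the router's public one. The PORT lines are constructed, and `decode_port_arg`, `is_private_ip` and `classify_port_cmd` are names I chose.

```shell
#!/bin/sh
# Decode an FTP PORT argument (h1,h2,h3,h4,p1,p2) and report whether the address
# a client announced is RFC 1918 private. Added example; sample lines constructed.

# Print "host:port" for a PORT argument, e.g. 192,168,1,2,4,1 -> 192.168.1.2:1025
decode_port_arg() {
    IFS=, read -r h1 h2 h3 h4 p1 p2 <<EOF
$1
EOF
    [ -n "$p2" ] || return 1          # fewer than six fields: malformed
    echo "$h1.$h2.$h3.$h4:$((p1 * 256 + p2))"
}

# Return 0 if the IPv4 address is in 10/8, 172.16/12 or 192.168/16.
is_private_ip() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify a full "PORT ..." line as the remote server sees it after NAT.
classify_port_cmd() {
    hp=$(decode_port_arg "${1#PORT }") || { echo "malformed"; return 1; }
    if is_private_ip "${hp%:*}"; then
        echo "private $hp (server answers 500 Illegal PORT Command; helper did not rewrite it)"
    else
        echo "public $hp (rewritten by ip_nat_ftp, or client not behind NAT)"
    fi
}

classify_port_cmd "PORT 192,168,1,2,4,1"        # constructed: what leaves the LAN client
classify_port_cmd "PORT 80,100,68,159,200,33"   # constructed: what the helper should send
```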
 