-   Linux - Security (
-   -   iptables, NAT and FTP (

cestor 01-03-2002 07:10 PM

iptables, NAT and FTP
I am currently attempting and failing to get the following setup to work.

I have a client behind an iptables firewall which is also source and destination NATting the private address of the client to a real world address.

Providing the forwarding rule is in place, everything works fine -except ftp which establishes the command channel connection but can't do the data channel ( I have tried both PORT and PASV modes) . I ahve the following iptables rule which is meant to allow this but does not:
iptables -I FORWARD -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT

but I see the following being dropped ( is the client):

Jan 4 00:09:14 aaaa kernel: Dropping .. IN=eth1 OUT=eth0 SRC= DST= LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=48217 DF PROTO=TCP SPT=1886 DPT=1168 WINDOW=16384 RES=0x00 SYN URGP=0

Can anyone help?


Mik 01-04-2002 04:54 AM

The easiest it just to use the ip_masq_ftp module instead of trying to forward all the right ports.

Just run: /sbin/modprobe ip_masq_ftp

Most kernels that come with a standard distribution will have this module included.

cestor 01-04-2002 07:04 AM

I have
loaded surely they should do it? - I cannot see the module you mentioned- I am using RedHat 7.2


tvjames 01-04-2002 07:54 AM

so u have a box with net connection
and a box with a private IP running an ftp server?
and u external ftp connections to connect to the private box?

You will need the rule u orinally posted but change the port to the ftp data port ( 20 by defualt and remember to use tcp and udp)

also u will need some rules in your nat table something like

iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to-dest internal ip here

(one line) and need to add the rest for the related ports

tvjames 01-04-2002 07:55 AM

use the
and ip_nat_ftp

cestor 01-04-2002 08:08 AM


1. I am using the ip_conntrack_ftp and ip_nat_ftp as described previously

2. the Linux firewall faces the outside world and the client is on the private network trying to access a public FTP server on the Internet

3. As mentioned previously the nat rules work for all other services

4. With PASV mode FTP, port 20 is not used for data channel- that is only the source for PORT mode FTP

5. FTP data channel is tcp not udp.

Anyone else?

tvjames 01-04-2002 08:12 AM

oh ok sorry

umm then

recompile the kernel with the nat ftp in it (not as a module), all my netfilter stuff is in the kernal (not as module) and then

iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE

works for me and i have never had an ftp problem (PASV or not PASV)

cestor 01-04-2002 08:17 AM

I need to allow incoming connections as well so I am doing NAT as follows:

iptables -t nat -I PREROUTING -d x.x.x.220 -j DNAT --to
iptables -t nat -I POSTROUTING -s -j SNAT --to x.x.x.220

I don't think the problem is nat related but to do with the forwarding rules as all other natted services work.

Mik 01-04-2002 09:20 AM

The module I mentioned is used with ipchains. I suppose it's old and has been replaced by either one of the two you mentioned when using iptables.

I just looked it up and it says you have to load other modules before you load those two. You could get them all running with:

/sbin/insmod ip_conntrack
/sbin/insmod ip_conntrack_ftp

/sbin/insmod iptable_nat
/sbin/insmod ip_nat_ftp

But I assume redhat was already smart enough to do that for you.

The rule you stated in the first message doesn't help much because as far as my knowledge of iptables goes it looks like it's forwarding port 1024.
And if you look at the packet that is dropped it has source port 1886 and destination port 1168. That's the whole thing about ftp which makes it use different ports all the time which makes it hard to masquerade. Those modules are supposed to handle all that for you so you won't need any forwarding rules. All you have to do is make sure those modules work properly. But from the information I have now I can't really see if they are doing anything or not.

If you run lsmod do you actually see them running?

cestor 01-04-2002 10:38 AM

doh! that was it.... I am new to linux and I assumed that they were loaded when I saw the files under the modules directory

A lsmod showed that they were not and modprobe on them means they are now all running and FTP is working.

Thanks for your help.

PS: The iptables syntax means allow all ports above 1024

Mik 01-04-2002 10:57 AM

Oh yeah I guess I overlooked the : on the ports. They've got that in ipchains too so I should have known.
I guess I should start using iptables myself since the syntax is pretty similar and it offers a bunch of extra features. I guess I'll add it to my list of projects to complete on a rainy sunday.

All times are GMT -5. The time now is 11:48 AM.