Hi ,

Iam relatively new to Linux . Iam trying to do a Natting for the following scenario .

My SETUP has a client ( A ) which is a Linux machine, an Intermediate gateway (B ) which is also supposed to be a Linux box and an FTP server (C) .
I have a firewall in place in my FTP server i.e C which says it could receive
FTP Connection only from B (The intermediate Gateway) . So Inorder to make my client A to do a FTP to Server C , I wrote a set of NAT rules on all the three machines .

Pls Note : My setup is such that all the FTP traffic that Client A generates will be forwarded to only B .

FTP Request from A to C :

eth0A eth0B eth1B eth0C
A ----------------------> B ------------------------> C

eth0A --- 10.0.0.2
eth0B --- 10.0.0.1
eth1B --- 20.0.0.1
eth0C --- 20.0.0.2


MY NAT RULES on A :

iptables -t nat -A POSTROUTING -p tcp -s 10.0.0.2 --dport 21 -o eth0 -j SNAT --to 10.0.0.2:8075

NAT RULE on B :

iptables -t nat -A POSTROUTING -p tcp -s 10.0.0.2 --sport 8075 -o eth1 -j SNAT --to 10.0.0.1:32000

iptables -t nat -A POSTROUTING -p tcp -s 10.0.0.2 --sport 8076 -o eth1 -j SNAT --to 10.0.0.1:33000

iptables -t nat -A OUTPUT -p tcp -d 10.0.0.1 --dport 32000 -o eth0 -j DNAT --to 10.0.0.2:8075
iptables -t nat -A OUTPUT -p tcp -d 10.0.0.1 --dport 33000 -o eth0 -j DNAT --to 10.0.0.2:8076


So After writing this rules I could initiate FTP connection to C from Both A and B . But unfortunately here is the problem I face . I couldn't establish
FTP data Connection (neither Active nor passive ) from A to C thought from B to C its possible .

Its says FTP Error: 500 Illegal PORT Command . So I couldn't do any data transfer from my FTP server C to client A . I hope all the Nat rules I have written were correct .

BTW if my understanding is right ,if it's an active FTP data server initiates the Data connection channel . So the ultimate stand off is by the time the packet reaches B , we couldn't find for which client ( A or B ) , the traffic is destined to . So Iam clearly confused how to make my FTP from A to C work.

I desperately need help in this regard .
Thanks in Advance .

Regards ,
Rajasekaran .

I'm really not sure why you are trying to do it that way, in fact I'm not quite sure what you were trying to do at all. There shouldn't be any need to have such a complex NATing scheme. To start, do A and C have general connectivity (can A ping C)? Are you doing any other kind of NATing like SNAT/masquerading ?

Hi Buddy ,

Sorry if Iam not clear . A & C are connected via B thru crossover cable , so eventually A could ping C and vice-versa .

Let me put this way .Iam trying to establish a FTP session from A to C and C has some sort of rule saying that I'll get FTP traffic only from B .

So any connection ( which includes FTP ) with A as source and C as destination should go only thru B right ??

So as u rightly pointed out I shud make some sort of masquerading on FTP packets that originates from A , which makes C beleive that all the FTP transaction it receives only originates from B and not A , but still i shud able to establish an FTP session from A --> C . Hope Iam clear by atleast now .

So ultimately Iam trying to sneak in the firewall of C to establish a illegitimate connection to A .

Is tht possible using NAT ?? IF yes then how or if no is there anyother way around ??

Regards
Raj