Old 12-27-2017, 03:31 PM   #1
Question FTP Active mode and NAT with private addressing (AWS)


I have an FTP client trying to connect in ftp active mode to some ftp servers located on the Internet.
The FTP client has private address, and is behind a NAT server.

This NAT server has private address too, and is itself behind a "global" NAT/routing service.

FTP client ( --> 1st NAT server ( --> Global NAT (Public IP) --> Internet --> Firewall/NAT --> FTP Server(s)

I can control the 1st NAT server and currently it's a Linux server with masquerading.
I have no access to the "global" NAT/routing service.
I do know the public static IP that is eventually assigned to my first NAT server.

With Active-FTP (port mode), this is not working.
I already activated CT FTP helper (nf_nat_ftp) with its enabling iptables rule:
iptables -A PREROUTING -t raw -p tcp --sport 1024: --dport 21 -j CT --helper ftp
and I can see that the "PORT" command is being correctly translated from the private IP address of FTP client to the private IP Address of the 1st NAT server.

Unfortunately, of course, this cannot work end to end, because the FTP Server receives the PORT command still with a private address
and it's not smart enough to recognize this and connect back to the public IP of the FTP control flow (like filezilla server instead does, for example).
So the ftp data connection, initiated from the ftp server, of course never reaches my public ip (let alone the ftp client).

Now to the question.
Is there any way to let the NF_NAT_FTP module translate the PORT command with the PUBLIC IP, instead of the private one?
Maybe assigning a "fake" interface with the public IP and forcing the route back to private and toggling the module on/off in between?
Or maybe there's some option of the kernel module I'm not aware of? (I know only the "ports" option.)

BTW: I am on Amazon AWS:
- the ftp client is a windows server
- the 1st nat server is an Amazon Linux NAT instance (kernel 4.9.x)
- the "global" nat/router is the VPC Internet GW

Before you suggest it: no, unfortunately I cannot change the FTP client, it's a custom application I cannot change.

Thank you.
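A model of the exchange the post describes, added here as an example (it is neither the poster's code nor the kernel helper's): it decodes the PORT command, applies the rewrite the conntrack helper performs on the first NAT box, and checks whether what leaves still names an RFC 1918 address, which is the failure the post reports. The addresses, ports and control-channel lines are constructed.

```python
import ipaddress
import re

# Constructed sample control-channel lines: a hypothetical FTP client at
# 10.0.1.25 (RFC 1918) opening a data listener on port 1025 in active mode.
SAMPLE_CLIENT_LINES = ["USER demo\r\n", "PORT 10,0,1,25,4,1\r\n", "LIST\r\n"]

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_port(line):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, port); None if not a valid PORT line."""
    m = PORT_RE.match(line)
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def build_port(ip, port):
    """Encode an address and port back into the PORT wire format."""
    return "PORT " + ",".join(ip.split(".") + [str(port // 256), str(port % 256)]) + "\r\n"

def helper_rewrite(line, nat_ip, nat_port):
    """Model of the conntrack FTP helper's outbound rewrite: the client's address
    is replaced by the NAT box's own interface address. The helper has no
    knowledge of an address mapped one hop further out (the AWS Internet GW)."""
    if parse_port(line) is None:
        return line
    return build_port(nat_ip, nat_port)

def is_reachable_from_internet(line):
    """The thread's failure mode: a PORT command still carrying an RFC 1918
    address can never be connected back to by a server on the Internet."""
    parsed = parse_port(line)
    if parsed is None:
        return False
    ip = ipaddress.ip_address(parsed[0])
    return not any(ip in net for net in RFC1918)

def audit_stream(lines, nat_ip, nat_port):
    """Run the helper's rewrite over a control stream and return the PORT lines
    that would leave the NAT box still naming a private address."""
    rewritten = [helper_rewrite(line, nat_ip, nat_port) for line in lines]
    return [l for l in rewritten if parse_port(l) and not is_reachable_from_internet(l)]
```

Running `audit_stream` on the constructed lines with the NAT box's private address reproduces the post's observation: the PORT command is rewritten, but to an address the server cannot reach.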

Old 12-29-2017, 09:01 AM   #2
I found a partially working solution, and posted it here: