Proxy FTP behind Linux firewall using iptables
I may just be Googling this wrong, but here goes: I have a ProFTPd server on a private network. I want to proxy it behind a Linux firewall server that's connected to the Internet using iptables.
Firewall (CentOS 6.3)
bond0: 10.0.0.1/24 (Private-facing if)
bond1: 2.2.2.2/24 (Public-facing if)
FTP Server (CentOS 5.4)
eth0: 10.0.0.10/24 (Private-facing if)
/etc/proftpd.conf
...
Port 21
PassivePorts 60000 65535
MasqueradeAddress 2.2.2.2
...
I can get Active FTP working using HAProxy, but Passive FTP is a no go. Here's what I've tried so far on the firewall server:
iptables -t nat -A POSTROUTING -s 10.0.0.10/32 -o bond1 -j SNAT --to-source 2.2.2.2
iptables -t nat -A PREROUTING -d 2.2.2.2/32 -i bond1 -p tcp -m tcp --dport 60000:65535 -j DNAT --to-destination 10.0.0.10
When I connect to 2.2.2.2 with ftp, I can log in, but I can't get data to transfer. Example output:
220 FTP Server ready.
331 Password required for crinis
Password:
230 User crinis logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||63627|)
ftp: Can't connect to `2.2.2.2': Connection refused
500 Illegal PORT command
421 Service not available, remote server has closed connection.
ftp>
I have seen some discussion on loading ip_nat_ftp and ip_conntrack_ip, but enabling those on either or both hosts has no effect.
If it's relevant, the following iptables rules are already in place for HAProxy:
iptables -A FORWARD -i bond0 -j ACCEPT
iptables -A FORWARD -o bond0 -j ACCEPT
iptables -t nat -A POSTROUTING -o bond1 -j MASQUERADE
Also, Active FTP with iptables instead of HAProxy would be a plus. Thanks!
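The two pieces a reader of this question usually wants to check are whether the firewall forwards the control port as well as the passive range (so the kernel FTP helper sees the control channel instead of a userspace proxy terminating it), and whether the port the server announces in its passive reply actually falls inside the range the DNAT rule covers. The script below is an added example, not code from the question or from ProFTPd/HAProxy: it prints a complete iptables rule set for a pure-iptables forward (the addresses, interfaces and 60000-65535 range are the ones from the question and are assumptions for any other host), and it parses both the classic 227 and the extended 229 passive replies so the announced port can be compared against that range. The module names nf_conntrack_ftp and nf_nat_ftp are the ones used by the CentOS 6 kernel.

```shell
#!/bin/sh
# Added example (not part of the original post). Values below are taken from
# the question and are assumptions for any other deployment.
PUBLIC_IP=2.2.2.2
PRIVATE_IP=10.0.0.10
PUBLIC_IF=bond1
PRIVATE_IF=bond0
PASV_LOW=60000
PASV_HIGH=65535

# Print (do not apply) the rules for forwarding FTP purely with iptables:
# control port and passive range DNATed to the server, server replies SNATed
# to the public address, forwarding allowed for those ports only plus
# established/related traffic. Pipe the output into sh to apply it.
ftp_nat_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
modprobe nf_conntrack_ftp
modprobe nf_nat_ftp
iptables -t nat -A PREROUTING -i $PUBLIC_IF -d $PUBLIC_IP -p tcp --dport 21 -j DNAT --to-destination $PRIVATE_IP
iptables -t nat -A PREROUTING -i $PUBLIC_IF -d $PUBLIC_IP -p tcp --dport $PASV_LOW:$PASV_HIGH -j DNAT --to-destination $PRIVATE_IP
iptables -t nat -A POSTROUTING -o $PUBLIC_IF -s $PRIVATE_IP -j SNAT --to-source $PUBLIC_IP
iptables -A FORWARD -i $PUBLIC_IF -o $PRIVATE_IF -d $PRIVATE_IP -p tcp --dport 21 -j ACCEPT
iptables -A FORWARD -i $PUBLIC_IF -o $PRIVATE_IF -d $PRIVATE_IP -p tcp --dport $PASV_LOW:$PASV_HIGH -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Extract the data port from a passive-mode reply. Handles the classic
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" form, where the port is
# p1*256+p2, and the extended "229 Entering Extended Passive Mode (|||port|)"
# form shown in the question. Prints nothing and returns 1 if unrecognised.
pasv_port_from_reply() {
    reply=$1
    port=
    case $reply in
        229*)
            port=$(printf '%s\n' "$reply" | sed -n 's/.*(|||\([0-9][0-9]*\)|).*/\1/p')
            ;;
        227*)
            pat='.*(\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\)).*'
            p1=$(printf '%s\n' "$reply" | sed -n "s/$pat/\\5/p")
            p2=$(printf '%s\n' "$reply" | sed -n "s/$pat/\\6/p")
            [ -n "$p1" ] && [ -n "$p2" ] && port=$((p1 * 256 + p2))
            ;;
    esac
    [ -n "$port" ] || return 1
    printf '%s\n' "$port"
}

# Return 0 when the announced port lies inside the DNATed passive range, 1
# otherwise. A port outside the range is never forwarded, whatever the
# server's own PassivePorts directive says.
pasv_port_forwarded() {
    [ "$1" -ge "$PASV_LOW" ] && [ "$1" -le "$PASV_HIGH" ]
}

# Constructed sample: the reply quoted in the question.
SAMPLE_REPLY='229 Entering Extended Passive Mode (|||63627|)'
if port=$(pasv_port_from_reply "$SAMPLE_REPLY"); then
    if pasv_port_forwarded "$port"; then
        echo "data port $port is inside the forwarded range $PASV_LOW-$PASV_HIGH"
    else
        echo "data port $port is outside the forwarded range; the DNAT rule will not cover it"
    fi
fi
```

Running the script prints the rule set via `ftp_nat_rules` only when you call it, so it can be reviewed first and applied with `ftp_nat_rules | sh` on the firewall; the FORWARD rules are deliberately limited to port 21 and the passive range rather than the blanket `-i bond0`/`-o bond0` accepts from the question, so only FTP reaches the private server from the public side.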