LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 01-15-2013, 04:51 PM   #1
Crinisulla
LQ Newbie
 
Registered: Aug 2009
Distribution: Ubuntu, CentOS
Posts: 4

Rep: Reputation: 0
Proxy FTP behind linux firewall using iptables


I may just be Googling this wrong, but here goes: I have an ProFTPd server on a private network. I want to proxy it behind a linux firewall server that's connected to the Internet using iptables.

Firewall (CentOS 6.3)
bond0: 10.0.0.1/24 (Private-facing if)
bond1: 2.2.2.2/24 (Public-facing if)

FTP Server (CentOS 5.4)
eth0: 10.0.0.10/24 (Private-facing if)

/etc/proftpd.conf
...
Port 21
PassivePorts 60000 65535
MasqueradeAddress 2.2.2.2
...

I can get Active FTP working using HAProxy, but Passive FTP is a no go. Here's what I've tried so far on the firewall server:
iptables -t nat -A POSTROUTING -s 10.0.0.10/32 -o bond1 -j SNAT --to-source 2.2.2.2
iptables -t nat -A PREROUTING -d 2.2.2.2/32 -i bond1 -p tcp -m tcp --dport 60000:65535 -j DNAT --to-destination 10.0.0.10

When I connect to 2.2.2.2 with ftp, I can log in, but I can't get data to transfer. Example output:
220 FTP Server ready.
331 Password required for crinis
Password:
230 User crinis logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||63627|)
ftp: Can't connect to `2.2.2.2': Connection refused
500 Illegal PORT command
421 Service not available, remote server has closed connection.
ftp>

I have seen some discussion on loading ip_nat_ftp and ip_conntrack_ip, but enabling those on either or both hosts has no effect.

If it's relevant, the following iptable rules are already in place for HAProxy
iptables -A FORWARD -i bond0 -j ACCEPT
iptables -A FORWARD -o bond0 -j ACCEPT
iptables -t nat -A POSTROUTING -o bond1 -j MASQUERADE

Also, Active FTP with iptables instead of HAProxy would be a plus. Thanks!
 
Old 01-15-2013, 05:00 PM   #2
Kustom42
Senior Member
 
Registered: Mar 2012
Distribution: Red Hat
Posts: 1,604

Rep: Reputation: 413Reputation: 413Reputation: 413Reputation: 413Reputation: 413
Well I have never attempted but I think your problem here is the way a passive data connection is established with passive ftp.

When working at a Web Hosting company we ran into a similar issue with a new network config and implemented the ip_conntrack and ip_conntrack_ftp modules. A nifty little article was written up about it here:

http://www.cyberciti.biz/faq/iptable...s-not-working/

On a side note, we would quite commonly lose connections and would have to modprobe the ip_conntrack_ftp module from time to time and reload it. Not sure why but it would happen.
 
1 members found this post helpful.
Old 01-15-2013, 11:16 PM   #3
Crinisulla
LQ Newbie
 
Registered: Aug 2009
Distribution: Ubuntu, CentOS
Posts: 4

Original Poster
Rep: Reputation: 0
Ha ha! I solved it. I was googling the wrong problem. "FTP NAT IPTABLES" were the criteria I should have been using. For further information, here's the solution, all executed on the firewwall side. This solution also eliminates the need to use HAProxy for FTP Active.

ipt=/sbin/iptables
fwextip=2.2.2.2
ftpprivip=10.0.0.10
fwextif=bond1
fwintif=bond0
$ipt -t nat -A PREROUTING -i $fwextif -p tcp -d $fwextip --dport 60000:65535 -j DNAT --to-destination $ftpprivip:60000-65535
$ipt -t nat -A PREROUTING -i $fwextif -p tcp --dport 21 -j DNAT --to-destination $ftpprivip:21
$ipt -t nat -A POSTROUTING -o $fwintif -j MASQUERADE

I am very happy. Thanks Kustom42!
 
Old 05-21-2013, 04:21 PM   #4
Crinisulla
LQ Newbie
 
Registered: Aug 2009
Distribution: Ubuntu, CentOS
Posts: 4

Original Poster
Rep: Reputation: 0
I need to amend this solution to include two import things.
1) Don't forget to do this on the firewall (put it in /etc/rc.local so it's automatic)
modprobe ip_nat_ftp

2) save your iptables config
service iptables save
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
FTP Access Through IPTABLES Firewall SlowCoder Linux - Security 1 04-12-2007 03:32 PM
how to make iptables firewall ruls for squide proxy AZIMBD03 Linux - Security 1 03-22-2004 11:12 AM
Firewall - iptables - ftp connections cubee Linux - Security 22 01-29-2004 10:12 AM
Iptables Firewall & Proxy Server chrisfirestar Linux - Security 22 12-22-2003 09:30 AM


All times are GMT -5. The time now is 10:52 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration