Proxy FTP behind linux firewall using iptables
I may just be Googling this wrong, but here goes: I have a ProFTPd server on a private network. I want to proxy it behind a Linux firewall server that's connected to the Internet using iptables.
Firewall (CentOS 6.3)
bond0: 10.0.0.1/24 (Private-facing if)
bond1: 18.104.22.168/24 (Public-facing if)
FTP Server (CentOS 5.4)
eth0: 10.0.0.10/24 (Private-facing if)
PassivePorts 60000 65535
I can get Active FTP working using HAProxy, but Passive FTP is a no go. Here's what I've tried so far on the firewall server:
iptables -t nat -A POSTROUTING -s 10.0.0.10/32 -o bond1 -j SNAT --to-source 22.214.171.124
iptables -t nat -A PREROUTING -d 126.96.36.199/32 -i bond1 -p tcp -m tcp --dport 60000:65535 -j DNAT --to-destination 10.0.0.10
When I connect to 188.8.131.52 with ftp, I can log in, but I can't get data to transfer. Example output:
220 FTP Server ready.
331 Password required for crinis
230 User crinis logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
229 Entering Extended Passive Mode (|||63627|)
ftp: Can't connect to `184.108.40.206': Connection refused
500 Illegal PORT command
421 Service not available, remote server has closed connection.
I have seen some discussion on loading ip_nat_ftp and ip_conntrack_ip, but enabling those on either or both hosts has no effect.
If it's relevant, the following iptables rules are already in place for HAProxy:
iptables -A FORWARD -i bond0 -j ACCEPT
iptables -A FORWARD -o bond0 -j ACCEPT
iptables -t nat -A POSTROUTING -o bond1 -j MASQUERADE
Also, Active FTP with iptables instead of HAProxy would be a plus. Thanks!
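As an added diagnostic example (not part of the question above), the following Python parses the two passive-mode replies a client can receive (227 PASV and 229 EPSV) and checks whether the data endpoint the server advertised is one the firewall's DNAT rule would actually forward. It assumes the public address the client connected to (184.108.40.206) and the PassivePorts range (60000-65535) from the question; the 227 sample line is constructed.

```python
import ipaddress
import re

# Values taken from the question: the address the client dials, and the
# PassivePorts range that the firewall's DNAT rule forwards to the FTP server.
PUBLIC_ADDR = "184.108.40.206"
PASSIVE_RANGE = (60000, 65535)

# RFC 959 PASV reply: 227 ... (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# RFC 2428 EPSV reply: 229 ... (|||port|)
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


def parse_passive_reply(line, control_addr):
    """Return (host, port) the client will dial for the data channel.

    EPSV (229) carries only a port: the client reuses the address of the
    control connection.  PASV (227) carries the address the server believes
    it has, which behind NAT is the private one unless something rewrites it.
    """
    m = EPSV_RE.match(line)
    if m:
        return control_addr, int(m.group(1))
    m = PASV_RE.match(line)
    if m:
        host = ".".join(m.group(i) for i in range(1, 5))
        port = int(m.group(5)) * 256 + int(m.group(6))
        return host, port
    raise ValueError("not a passive-mode reply: %r" % line)


def check_data_endpoint(host, port):
    """List reasons the firewall's DNAT rule would not catch this data connection."""
    problems = []
    if ipaddress.ip_address(host).is_private:
        problems.append("server advertised private address %s" % host)
    elif host != PUBLIC_ADDR:
        problems.append("server advertised %s, not the public address" % host)
    lo, hi = PASSIVE_RANGE
    if not lo <= port <= hi:
        problems.append("port %d is outside the DNAT range %d:%d" % (port, lo, hi))
    return problems


if __name__ == "__main__":
    # Reply quoted in the question: port is in range, so DNAT is not the issue here.
    ep = parse_passive_reply("229 Entering Extended Passive Mode (|||63627|)", PUBLIC_ADDR)
    print(ep, check_data_endpoint(*ep) or "endpoint looks forwardable")
```

Running the check against a PASV reply shows the other classic failure, a private address leaking into the reply, which an EPSV reply cannot exhibit because it carries no address.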