Download your favorite Linux distribution at LQ ISO.
Go Back > Forums > Linux Forums > Linux - Networking
User Name
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.


  Search this Thread
Old 01-15-2013, 04:51 PM   #1
LQ Newbie
Registered: Aug 2009
Distribution: Ubuntu, CentOS
Posts: 4

Rep: Reputation: 0
Proxy FTP behind linux firewall using iptables

I may just be Googling this wrong, but here goes: I have an ProFTPd server on a private network. I want to proxy it behind a linux firewall server that's connected to the Internet using iptables.

Firewall (CentOS 6.3)
bond0: (Private-facing if)
bond1: (Public-facing if)

FTP Server (CentOS 5.4)
eth0: (Private-facing if)

Port 21
PassivePorts 60000 65535

I can get Active FTP working using HAProxy, but Passive FTP is a no go. Here's what I've tried so far on the firewall server:
iptables -t nat -A POSTROUTING -s -o bond1 -j SNAT --to-source
iptables -t nat -A PREROUTING -d -i bond1 -p tcp -m tcp --dport 60000:65535 -j DNAT --to-destination

When I connect to with ftp, I can log in, but I can't get data to transfer. Example output:
220 FTP Server ready.
331 Password required for crinis
230 User crinis logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||63627|)
ftp: Can't connect to `': Connection refused
500 Illegal PORT command
421 Service not available, remote server has closed connection.

I have seen some discussion on loading ip_nat_ftp and ip_conntrack_ip, but enabling those on either or both hosts has no effect.

If it's relevant, the following iptable rules are already in place for HAProxy
iptables -A FORWARD -i bond0 -j ACCEPT
iptables -A FORWARD -o bond0 -j ACCEPT
iptables -t nat -A POSTROUTING -o bond1 -j MASQUERADE

Also, Active FTP with iptables instead of HAProxy would be a plus. Thanks!
Old 01-15-2013, 05:00 PM   #2
Senior Member
Registered: Mar 2012
Distribution: Red Hat
Posts: 1,604

Rep: Reputation: 415Reputation: 415Reputation: 415Reputation: 415Reputation: 415
Well I have never attempted but I think your problem here is the way a passive data connection is established with passive ftp.

When working at a Web Hosting company we ran into a similar issue with a new network config and implemented the ip_conntrack and ip_conntrack_ftp modules. A nifty little article was written up about it here:

On a side note, we would quite commonly lose connections and would have to modprobe the ip_conntrack_ftp module from time to time and reload it. Not sure why but it would happen.
1 members found this post helpful.
Old 01-15-2013, 11:16 PM   #3
LQ Newbie
Registered: Aug 2009
Distribution: Ubuntu, CentOS
Posts: 4

Original Poster
Rep: Reputation: 0
Ha ha! I solved it. I was googling the wrong problem. "FTP NAT IPTABLES" were the criteria I should have been using. For further information, here's the solution, all executed on the firewwall side. This solution also eliminates the need to use HAProxy for FTP Active.

$ipt -t nat -A PREROUTING -i $fwextif -p tcp -d $fwextip --dport 60000:65535 -j DNAT --to-destination $ftpprivip:60000-65535
$ipt -t nat -A PREROUTING -i $fwextif -p tcp --dport 21 -j DNAT --to-destination $ftpprivip:21
$ipt -t nat -A POSTROUTING -o $fwintif -j MASQUERADE

I am very happy. Thanks Kustom42!
Old 05-21-2013, 04:21 PM   #4
LQ Newbie
Registered: Aug 2009
Distribution: Ubuntu, CentOS
Posts: 4

Original Poster
Rep: Reputation: 0
I need to amend this solution to include two import things.
1) Don't forget to do this on the firewall (put it in /etc/rc.local so it's automatic)
modprobe ip_nat_ftp

2) save your iptables config
service iptables save


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
FTP Access Through IPTABLES Firewall SlowCoder Linux - Security 1 04-12-2007 03:32 PM
how to make iptables firewall ruls for squide proxy AZIMBD03 Linux - Security 1 03-22-2004 11:12 AM
Firewall - iptables - ftp connections cubee Linux - Security 22 01-29-2004 10:12 AM
Iptables Firewall & Proxy Server chrisfirestar Linux - Security 22 12-22-2003 09:30 AM > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 01:04 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration