Forwarding FTP ports
Fri, 21 Dec 2001 14:31:57 -0500
This is the incoming part of what I had to do to get it and ftp daemon
working on the firewall:
# ACCEPT active FTP data connections
$INPUT -m state --state ESTABLISHED,RELATED -i $EXT_IFACE \
-p tcp -d $IP --dport ftp-data --sport 1024: -j ACCEPT
# ACCEPT passive FTP data connections
$INPUT -m state --state RELATED -i $EXT_IFACE \
-p tcp -d $IP --dport 1024: --sport 1024: -j ACCEPT
Note that passive FTP is to a high dport - so at the least I think you'll
have to forward those high ports to your internal server, which will be
easiest if it has a unique external IP. Not sure why active would be failing
for you though.
On Fri, Dec 21, 2001 at 10:54:43AM -0800, Roger Haskins wrote:
> Just when I think I've gotten port forwarding down then I run into a snag :)
> I'm trying to forward ftp to a machine behind the firewall.
> From the DMZ and LAN side the forwarding works perfectly but from the outside it doesn't.
> Here's what I have
> $IPT -t nat -A PREROUTING -p TCP -d $WANIP --dport 20 -j DNAT --to-destination $FTPIP:20
> $IPT -t nat -A PREROUTING -p TCP -d $WANIP --dport 21 -j DNAT --to-destination $FTPIP:21
> $IPT -A FORWARD -p TCP -d $FTPIP --dport 20 -j ACCEPT
> $IPT -A FORWARD -p TCP -s $WORLD --sport 20 -j ACCEPT
> $IPT -A FORWARD -p TCP -d $FTPIP --dport 21 -j ACCEPT
> $IPT -A FORWARD -p TCP -s $WORLD --sport 21 -j ACCEPT
> And I have all these same rules in place for UDP as well.
> When an FTP comes in from the outside, I can log in, but when I do an ls it
> goes into passive mode, which it doesn't on the DMZ/LAN side.
> What am I missing? I have similar rules for smtp and pop3 forwarding which work perfectly.
> BTW, once I get the rules working then I'll add checks for the state it is in.