Forwarding FTP ports
Whit Blauvelt
whit@transpect.com
Fri, 21 Dec 2001 14:31:57 -0500
This is the incoming part of what I had to do to get an ftp daemon
working on the firewall:
# ACCEPT active FTP data connections
$INPUT -m state --state ESTABLISHED,RELATED -i $EXT_IFACE \
-p tcp -d $IP --dport ftp-data --sport 1024: \
-j ACCEPT
# ACCEPT passive FTP data connections
$INPUT -m state --state RELATED -i $EXT_IFACE \
-p tcp -d $IP --dport 1024: --sport 1024: \
-j ACCEPT
Note that passive FTP is to a high dport - so at the least I think you'll
have to forward those high ports to your internal server, which will be
easiest if it has a unique external IP. Not sure why active would be failing
for you though.
On Fri, Dec 21, 2001 at 10:54:43AM -0800, Roger Haskins wrote:
>
> Just when I think I've gotten port forwarding down then I run into a snag :)
>
> I'm trying to forward ftp to a machine behind the firewall.
>
> From the DMZ and LAN side the forwarding works perfectly but from the outside it doesn't.
>
> Here's what I have
>
> $IPT -t nat -A PREROUTING -p TCP -d $WANIP --dport 20 -j DNAT --to-destination $FTPIP:20
> $IPT -t nat -A PREROUTING -p TCP -d $WANIP --dport 21 -j DNAT --to-destination $FTPIP:21
> $IPT -A FORWARD -p TCP -d $FTPIP --dport 20 -j ACCEPT
> $IPT -A FORWARD -p TCP -s $WORLD --sport 20 -j ACCEPT
> $IPT -A FORWARD -p TCP -d $FTPIP --dport 21 -j ACCEPT
> $IPT -A FORWARD -p TCP -s $WORLD --sport 21 -j ACCEPT
>
> And I have all these same rules in place for UDP as well.
>
> When an FTP comes in from the outside, I can log in, but when I do an ls it
> goes into passive mode, which it doesn't on the DMZ/LAN side.
>
> What am I missing? I have similar rules for smtp and pop3 forwarding which work perfectly.
>
> BTW, once I get the rules working then I'll add checks for the state it is in.
>
> TIA
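The point Whit makes, that passive FTP lands on a high port the DNAT rules never forward, is usually solved by letting the connection-tracking FTP helper follow the control channel and mark the data connection RELATED, rather than forwarding the whole 1024: range. The script below is an added example, not code from either poster; it reuses Roger's $IPT/$WANIP/$FTPIP names, uses placeholder addresses, and assumes a current kernel (nf_conntrack_ftp, nf_nat_ftp and the CT target, which replace the ip_conntrack_ftp/ip_nat_ftp modules of the 2.4 era). It prints the rules unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the original thread): publish an internal FTP
# server through an iptables NAT box and let the conntrack FTP helper
# track the data connections (passive or active) as RELATED, so only the
# control port is exposed. Variable names mirror Roger's; the addresses
# are constructed placeholders (RFC 5737 / RFC 1918).
IPT=${IPT:-iptables}
WANIP=${WANIP:-203.0.113.10}    # placeholder public address
FTPIP=${FTPIP:-192.168.1.20}    # placeholder internal FTP server
EXT_IFACE=${EXT_IFACE:-eth0}

# Dry-run by default (echo the commands); APPLY=1 executes them.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$@"; fi
}

ftp_forward_rules() {
    # The helper reads PORT/PASV on the control channel, rewrites the
    # address in the PASV reply to the NAT box, and creates a RELATED
    # expectation for the data connection, which then inherits the DNAT.
    run modprobe nf_conntrack_ftp
    run modprobe nf_nat_ftp
    # Since kernel 4.7 helpers are not assigned automatically: bind the
    # ftp helper to inbound control connections explicitly.
    run $IPT -t raw -A PREROUTING -i "$EXT_IFACE" -p tcp -d "$WANIP" \
        --dport 21 -j CT --helper ftp
    # Only the control port is DNATed; no rules for port 20 or 1024:.
    run $IPT -t nat -A PREROUTING -i "$EXT_IFACE" -p tcp -d "$WANIP" \
        --dport 21 -j DNAT --to-destination "$FTPIP":21
    # Allow new control sessions to the server, then whatever conntrack
    # has already tied to an existing session (the data channels).
    run $IPT -A FORWARD -i "$EXT_IFACE" -p tcp -d "$FTPIP" --dport 21 \
        -m conntrack --ctstate NEW -j ACCEPT
    run $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

ftp_forward_rules
```

Run it once without APPLY to review the generated rule set, then with APPLY=1 as root; the data connections in either mode should then show up as RELATED in conntrack without any high-port DNAT.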