Forwarding FTP ports
Roger Haskins
rhaskins@merlinsoftech.com
Fri, 21 Dec 2001 11:38:23 -0800
But isn't the INPUT chain only for services running on the firewall?
That's what was explained to me last week with another issue. To me, your rules look like the ftp is on the firewall and not on a machine behind it.
After seeing your post earlier, I thought about forwarding the high ports but won't that open extra holes?
On Fri, 21 Dec 2001 14:31:57 -0500
Whit Blauvelt <whit@transpect.com> wrote:
> This is the incoming part of what I had to do to get it and ftp daemon
> working on the firewall:
>
> # ACCEPT active FTP data connections
> $INPUT -m state --state ESTABLISHED,RELATED -i $EXT_IFACE \
> -p tcp -d $IP --dport ftp-data --sport 1024: \
> -j ACCEPT
>
> # ACCEPT passive FTP data connections
> $INPUT -m state --state RELATED -i $EXT_IFACE \
> -p tcp -d $IP --dport 1024: --sport 1024: \
> -j ACCEPT
>
> Note that passive FTP is to a high dport - so at the least I think you'll
> have to forward those high ports to your internal server, which will be
> easiest if it has a unique external IP. Not sure why active would be
> failing for you though
>
> On Fri, Dec 21, 2001 at 10:54:43AM -0800, Roger Haskins wrote:
> >
> > Just when I think I've gotten port forwarding down then I run into a
> > snag :)
> >
> > I'm trying to forward ftp to a machine behind the firewall.
> >
> > From the DMZ and LAN side the forwarding works perfectly but from the
> > outside it doesn't.
> >
> > Here's what I have
> >
> > $IPT -t nat -A PREROUTING -p TCP -d $WANIP --dport 20 -j DNAT --to-destination $FTPIP:20
> > $IPT -t nat -A PREROUTING -p TCP -d $WANIP --dport 21 -j DNAT --to-destination $FTPIP:21
> > $IPT -A FORWARD -p TCP -d $FTPIP --dport 20 -j ACCEPT
> > $IPT -A FORWARD -p TCP -s $WORLD --sport 20 -j ACCEPT
> > $IPT -A FORWARD -p TCP -d $FTPIP --dport 21 -j ACCEPT
> > $IPT -A FORWARD -p TCP -s $WORLD --sport 21 -j ACCEPT
> >
> > And I have all these same rules in place for UDP as well.
> >
> > When an FTP comes in from the outside, I can log in but when I do an ls it
> > goes into passive mode, which on the DMZ/LAN side it doesn't.
> >
> > What am I missing? I have similar rules for smtp and pop3 forwarding
> > which work perfectly.
> >
> > BTW, once I get the rules working then I'll add checks for the state
> > it is in.
> >
> > TIA
>
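Editor's note with an added example (this is not code from either post in the thread). The quoted rules forward ports 20 and 21 and accept anything whose source port is 20 or 21, but passive FTP opens a fresh connection from the client to a high port the server picks, and the server's 227 PASV reply carries the server's own (internal) address, which is why the transfer works from the DMZ/LAN and fails from outside. The usual fix on a Linux firewall is not to forward the 1024: range but to let the FTP connection-tracking helper (ip_conntrack_ftp / ip_nat_ftp in the 2.4 era, nf_conntrack_ftp / nf_nat_ftp today) follow the control session: it marks the data connections RELATED and the NAT half rewrites the address in the PASV reply to the firewall's public address. DNATed traffic is then accepted in FORWARD; INPUT only ever sees packets addressed to the firewall's own sockets, so the `$INPUT` rules above only apply when the daemon runs on the firewall. The script below assumes placeholder values for WANIP, FTPIP and EXT_IFACE and uses the modern `-m conntrack --ctstate` syntax (equivalent to the thread's `-m state --state`); set `IPT=echo` to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example (editor's, not code from the thread): DNAT FTP from the
# firewall's public address to an internal server and let the kernel's FTP
# conntrack/NAT helper handle the data connections, instead of forwarding
# the whole 1024: range. WANIP, FTPIP and EXT_IFACE are placeholders, not
# values taken from the posts. IPT=echo dry-runs the rules.

IPT="${IPT:-iptables}"
WANIP="${WANIP:-203.0.113.10}"     # firewall's external address (placeholder)
FTPIP="${FTPIP:-192.168.1.20}"     # internal FTP server (placeholder)
EXT_IFACE="${EXT_IFACE:-eth0}"     # external interface (placeholder)

# The helper parses PORT/PASV on the port-21 control session and marks the
# resulting data connections RELATED; the NAT half also rewrites the internal
# address in the server's 227 PASV reply to $WANIP, which an outside client
# needs and a DMZ/LAN client does not. Module names are the modern nf_* ones;
# 2.4-era kernels call them ip_conntrack_ftp / ip_nat_ftp.
load_ftp_helper() {
    for m in nf_conntrack_ftp nf_nat_ftp; do
        modprobe "$m" 2>/dev/null || echo "warning: could not load $m" >&2
    done
}

ftp_forward_rules() {
    # Explicitly attach the ftp helper to inbound control connections. Since
    # Linux 4.7 helpers are no longer auto-assigned by port, so this raw-table
    # rule is required; raw PREROUTING runs before nat, hence match on $WANIP.
    $IPT -t raw -A PREROUTING -i "$EXT_IFACE" -p tcp -d "$WANIP" --dport 21 \
        -j CT --helper ftp

    # Only the control port needs DNAT. Port 20 is the server's *source* port
    # for active-mode data; nobody connects inbound to it.
    $IPT -t nat -A PREROUTING -i "$EXT_IFACE" -p tcp -d "$WANIP" --dport 21 \
        -j DNAT --to-destination "$FTPIP:21"

    # DNATed packets traverse FORWARD, not INPUT (INPUT only sees traffic for
    # the firewall's own sockets). Accept new control sessions to the server...
    $IPT -A FORWARD -i "$EXT_IFACE" -p tcp -d "$FTPIP" --dport 21 \
        -m conntrack --ctstate NEW -j ACCEPT

    # ...and everything conntrack ties to an existing session: replies, plus
    # the active (server:20 -> client) and passive (client -> server:high)
    # data connections the helper tagged RELATED. No blanket "--sport 20" or
    # "--dport 1024:" rule is needed.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Apply only when asked, e.g. `sh ftp-forward.sh apply`; assumes the FORWARD
# chain's policy is DROP elsewhere in the ruleset.
case "${1:-}" in
    apply) load_ftp_helper; ftp_forward_rules ;;
esac
```

Compared with the quoted ruleset, note what disappears: the `-s $WORLD --sport 20 -j ACCEPT` lines, which let any outside host reach any forwarded address simply by choosing source port 20, and the UDP copies, which FTP never uses. The RELATED state carries exactly the data connections the helper saw negotiated on the control channel and nothing else.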