How to SNAT FTP

Jason Opperisano opie at 817west.com
Tue Apr 12 01:10:09 CEST 2005


On Mon, Apr 11, 2005 at 08:26:39AM +0200, Daniel Fourie (DJN) wrote:
<--snip impressive ascii art-->
> I have got the following nat rules in my iptables firewall
> 
> $IPTABLES -t nat -A POSTROUTING -s $NET_DMZ -o eth0 \
>     -j SNAT --to-source 192.168.1.1
> 
> Everything seems to work fine, but ftp on the other hand is not
> working in active mode. The ftp helper is loaded (ip_conntrack_ftp,
> ip_nat_ftp).
> 
> If I do a network scan I can see the connection coming to my machine,
> but the data connection which is negotiated in the payload is not
> natted to the correct ip (192.168.1.1). This is suggesting to me that
> the ftp helper is not working. I am running an updated version of
> RedHat 9; current kernel is kernel-2.4.20-31.9.
> 
> It will be appreciated if someone can help.

(1) are you running the FTP server on port 21 (the conntrack and nat
    helpers only track port 21 by default)

(2) do your firewall rules allow "--state RELATED" packets back through
    the FORWARD chain (from server -> client)?

(3) oh yeah--are you running an SSL-encrypted FTP server?

-j

--
"Protesters: Free Tibet! Free Tibet!
 Peter: I'll take it!
 Peter: Hello, China? I have something you may want. But it's gonna cost
 ya. That's right. All the tea."
        --Family Guy
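
The three checks in the reply, turned into a single rule script (an added example, not code from the thread or from netfilter). It keeps the quoted SNAT rule as-is, loads the FTP helpers with an explicit port list for check (1), and adds the FORWARD rules that check (2) asks about. NET_DMZ, the interface names and the DMZ range are constructed values; the helper module parameter `ports=` is the 2.4 interface for tracking ports other than 21. DRY_RUN defaults to 1 so the script prints the commands instead of running them, which lets it run without root or a netfilter kernel.

```shell
#!/bin/sh
# Added example: SNAT for a DMZ FTP client plus the helper and FORWARD
# settings the reply lists. Values below are constructed assumptions.

IPTABLES=${IPTABLES:-iptables}
NET_DMZ=${NET_DMZ:-10.0.0.0/24}   # constructed DMZ range
WAN_IF=${WAN_IF:-eth0}            # from the quoted rule
DMZ_IF=${DMZ_IF:-eth1}            # assumed DMZ-side interface
SNAT_IP=${SNAT_IP:-192.168.1.1}   # from the quoted rule
FTP_PORTS=${FTP_PORTS:-21}        # "21,2121" if the server is on another port
DRY_RUN=${DRY_RUN:-1}             # 1 = print commands, 0 = execute them

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Check (1): the conntrack and nat helpers only follow port 21 unless
# told otherwise, so pass the port list explicitly.
load_ftp_helpers() {
    run modprobe ip_conntrack_ftp ports="$FTP_PORTS"
    run modprobe ip_nat_ftp ports="$FTP_PORTS"
}

# The SNAT rule from the question, unchanged.
snat_rules() {
    run "$IPTABLES" -t nat -A POSTROUTING -s "$NET_DMZ" -o "$WAN_IF" \
        -j SNAT --to-source "$SNAT_IP"
}

# Check (2): the server's active-mode data connection (server port 20 ->
# client) arrives as a RELATED packet. Without this rule the helper
# rewrites the PORT command but FORWARD still drops the data connection.
forward_rules() {
    run "$IPTABLES" -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -s "$NET_DMZ" \
        -p tcp -m multiport --dports "$FTP_PORTS" -j ACCEPT
    run "$IPTABLES" -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

all_rules() {
    load_ftp_helpers
    snat_rules
    forward_rules
}

# Check (3) has no rule: if the control channel is TLS-encrypted the helper
# cannot read the PORT command, and no amount of firewall configuration
# makes the data connection match.

all_rules
```

Run with `DRY_RUN=0` as root to apply the rules; with the default it prints them for review. Once a control connection is tracked it should show up in `/proc/net/ip_conntrack`, which is a quick way to confirm the helper saw the session before looking for the RELATED data connection.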



More information about the netfilter mailing list