[Firehol-support] FTP NAT ?

Whit Blauvelt whit at transpect.com
Mon Jun 26 21:43:08 BST 2017


FTP always uses two ports. If you look it up you'll find plenty of
discussion. It's either ports 21 and 20, or 21 and an arbitrary high port,
depending on the passive or active mode. 

Here are instructions for entirely iptables code:

Those are opening more high ports than you need. Rules can be tighter than
that. And you might want another firewall on the FTP server itself to make
sure that traffic other than on port 21 is RELATED.

I'm sure there's a simpler FireHOL way to handle this, but my habit is to
keep FTP servers directly on public IPs rather than DNAT to them, partly
because of these complications.


On Mon, Jun 26, 2017 at 10:24:06PM +0200, Nicolas Repentin wrote:
> Hi all,
> I'm trying to create a simple NAT rule for FTP. I don't understand why,
> but when I use ftp port, it doesn't work :
> my firehol server is My ftp is (reachable from
> firehol server). My client is
> If I do this :
> dnat4 proto tcp dport 21 inface vpnhome src
> router4 vpnhome2lan inface vpnhome outface eth0
>     route "ftp" accept src
> It doesn't work.
> If I replace 21 or ftp by 2121, and change the FTP server port to 2121
> it works.
> I don't have firewall on FTP server, and the 21 port is not used on
> firehol server.
> Any idea?
> Second problem, when using 2121, I can connect ftp server. But, fail
> when trying to list folders. I got an error because is not
> reachable... Any idea?
> Is it a "best way" to create dnat for ftp?
> Thanks
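The two-port behaviour described in the reply is what makes the "can log in but cannot list" symptom appear once the server sits behind DNAT: the data connection is negotiated inside the control channel (the client's PORT command or the server's 227 PASV reply), so a plain port-21 DNAT rule never sees it, and the address the server advertises in its PASV reply is its own private address. The following Python is an added illustration, not code from the list, from FireHOL or from the kernel's nf_conntrack_ftp/nf_nat_ftp helpers; it shows the decoding those helpers perform, the data-connection "expectation" that lets the second connection be matched as RELATED, and the address rewrite a NAT helper has to apply. All addresses and protocol lines in it are constructed sample values.

```python
"""Decode the FTP PORT/PASV address exchange and show what a NAT helper rewrites.

Constructed example: addresses and protocol lines are sample values only.
"""
import re
from dataclasses import dataclass

# Server reply in passive mode: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# Client command in active mode: "PORT h1,h2,h3,h4,p1,p2"
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


@dataclass(frozen=True)
class DataChannel:
    mode: str   # "passive" (client connects to server) or "active" (server connects to client)
    host: str   # address the connecting side must reach
    port: int   # TCP port on that address


def _decode(groups) -> tuple[str, int]:
    """Turn the six comma-separated decimal fields into (host, port)."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError(f"field out of range in {groups}")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def _encode(host: str, port: int) -> str:
    """Inverse of _decode: produce the h1,h2,h3,h4,p1,p2 form."""
    octets = host.split(".")
    if len(octets) != 4 or not 0 < port < 65536:
        raise ValueError(f"bad host/port {host}:{port}")
    return ",".join(octets + [str(port // 256), str(port % 256)])


def parse_pasv_reply(line: str) -> DataChannel:
    m = PASV_RE.search(line)
    if not m:
        raise ValueError(f"not a 227 PASV reply: {line!r}")
    host, port = _decode(m.groups())
    return DataChannel("passive", host, port)


def parse_port_command(line: str) -> DataChannel:
    m = PORT_RE.match(line)
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    host, port = _decode(m.groups())
    return DataChannel("active", host, port)


def expected_data_flow(ch: DataChannel, client_ip: str, server_ip: str):
    """(src, sport, dst, dport) of the data connection the control channel announced.

    This is the expectation a conntrack FTP helper registers so that the matching
    SYN is classified RELATED rather than NEW; None means any source port.
    Active mode conventionally originates from the server's port 20.
    """
    if ch.mode == "passive":
        return (client_ip, None, ch.host, ch.port)
    return (server_ip, 20, ch.host, ch.port)


def rewrite_pasv_reply(line: str, internal_ip: str, public_ip: str) -> str:
    """What a NAT helper must do for a DNATed server: if the 227 reply advertises
    the server's private address, substitute the public address the client can reach.
    The port is left alone, so the firewall still needs to DNAT that port as well."""
    m = PASV_RE.search(line)
    if not m:
        return line
    host, port = _decode(m.groups())
    if host != internal_ip:
        return line
    return line[:m.start(1)] + _encode(public_ip, port) + line[m.end(6):]


if __name__ == "__main__":
    # Constructed sample exchange: private FTP server 10.0.0.5 behind public 203.0.113.10,
    # client 192.168.1.20 on the other side of the firewall.
    pasv = "227 Entering Passive Mode (10,0,0,5,195,80)."
    ch = parse_pasv_reply(pasv)
    print("server advertised", ch.host, ch.port)                       # 10.0.0.5 50000
    print("client will open", expected_data_flow(ch, "192.168.1.20", "10.0.0.5"))
    print("after NAT helper:", rewrite_pasv_reply(pasv, "10.0.0.5", "203.0.113.10"))
    act = parse_port_command("PORT 192,168,1,20,4,1")
    print("server will open", expected_data_flow(act, "192.168.1.20", "10.0.0.5"))
```

Running the script shows the failure mode from the quoted question directly: without the rewrite the client is told to connect to 10.0.0.5:50000, an address it cannot reach, and without the registered expectation the firewall would see that connection as NEW rather than RELATED. It also shows why a rule set on the FTP host can be kept tight, as the reply suggests: only port 21 needs to accept NEW connections; everything else should match RELATED or ESTABLISHED.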
