[Firehol-support] FTP NAT ?

Whit Blauvelt whit at transpect.com
Mon Jun 26 21:43:08 BST 2017


Hi,

FTP always uses two ports. If you look it up you'll find plenty of
discussion. It's either ports 21 and 20, or 21 and an arbitrary high port,
depending on the passive or active mode. 

Here are instructions for doing it entirely in iptables:
http://www.devops-blog.net/iptables/iptables-rules-for-nat-with-ftp-active-passive

Those are opening more high ports than you need. Rules can be tighter than
that. And you might want another firewall on the FTP server itself to make
sure that traffic other than on port 21 is RELATED.

I'm sure there's a simpler FireHOL way to handle this, but my habit is to
keep FTP servers directly on public IPs rather than DNAT to them, partly
because of these complications.

Whit

On Mon, Jun 26, 2017 at 10:24:06PM +0200, Nicolas Repentin wrote:
> Hi all,
> 
> I'm trying to create a simple NAT rule for FTP. I don't understand why,
> but when I use ftp port, it doesn't work:
> 
> my firehol server is 10.9.1.1. My ftp is 192.168.1.200 (reachable from
> firehol server). My client is 10.9.1.14.
> 
> If I do this:
> 
> dnat4 192.168.1.200:21 proto tcp dport 21 inface vpnhome src 10.9.1.14
> 
> router4 vpnhome2lan inface vpnhome outface eth0
>     route "ftp" accept src 10.9.1.14
> 
> 
> It doesn't work.
> 
> If I replace 21 or ftp by 2121, and change the FTP server port to 2121
> it works.
> 
> I don't have firewall on FTP server, and the 21 port is not used on
> firehol server.
> 
> Any idea?
> 
> Second problem, when using 2121, I can connect ftp server. But, fail
> when trying to list folders. I got an error because 192.168.1.200 is not
> reachable... Any idea?
> 
> Is it a "best way" to create dnat for ftp?
> 
> 
> Thanks
> 
> _______________________________________________
> Firehol-support mailing list
> Firehol-support at lists.firehol.org
> http://lists.firehol.org/mailman/listinfo/firehol-support