From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Scott Taylor"
Subject: Re: Running an ftp Server Behind a Router/Firewall
Date: Sun, 23 Mar 2003 08:09:57 -0800 (PST)
Sender: linux-admin-owner@vger.kernel.org
Message-ID: <1663.66.183.200.54.1048435797.squirrel@dctchambers.com>
References: <3872.192.168.0.3.1048322013.squirrel@www.goldenrain.net> <2239.192.168.0.3.1048351958.squirrel@www.goldenrain.net>
Mime-Version: 1.0
Return-path:
In-Reply-To: <2239.192.168.0.3.1048351958.squirrel@www.goldenrain.net>
List-Id:
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: linux-admin@vger.kernel.org

Artem Daniliants said:
> Hi. Let me explain a bit more =)

I take it this doesn't work?

> On router I am using masquerade script which forwards 21 port connections
> to LAN computer with IP 192.168.0.3
>
> Here's how it's done using iptables on the router:
>
> PORTFWIP="192.168.0.3"
>
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p udp --dport 21 -m state
> --state NEW,ESTABLISHED,RELATED -j ACCEPT

Shouldn't this be "-p tcp"?

> $IPTABLES -A PREROUTING -t nat -p udp -d $EXTIP --dport 21 -j DNAT --to
> $PORTFWIP:21

Again... tcp not udp.

How about the reverse? ftp needs to know where to go and how to get there:

$IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --dport 21 \
    -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to 192.168.0.3

Make sure you have default route on 192.168 machine set to your
gateway/firewall and it should just work. You can ping the outside world
from your ftp server, right?

--
Scott
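The protocol mismatch discussed in this message can be caught mechanically before a firewall script is loaded. The following is an added example, not part of the original message: the function names `check_ftp_rules` and `sample_rules` are hypothetical, and the sample input is the three rules from the thread with each command on one logical line.

```shell
#!/bin/sh
# Added example (not from the original message): lint firewall-script lines for
# rules that match the FTP control port (21) with a protocol other than tcp.

# check_ftp_rules: reads rule lines on stdin, prints one finding per bad rule,
# returns 1 if anything was flagged. Only a literal "--dport 21" is examined.
check_ftp_rules() {
    awk '
    {
        if (pending == "") start = NR          # first physical line of the rule
        line = pending $0
        if (line ~ /\\$/) {                    # join backslash continuations
            sub(/\\$/, " ", line); pending = line; next
        }
        pending = ""
        proto = "unset"; dport = ""
        n = split(line, f, /[ \t]+/)
        for (i = 1; i < n; i++) {
            if (f[i] == "-p" || f[i] == "--protocol") proto = tolower(f[i + 1])
            if (f[i] == "--dport" || f[i] == "--destination-port") dport = f[i + 1]
        }
        if (dport == "21" && proto != "tcp") {
            printf "line %d: proto=%s, expected tcp: %s\n", start, proto, line
            bad = 1
        }
    }
    END { exit bad + 0 }
    '
}

# sample_rules: the rules quoted in the thread (variables left unexpanded).
sample_rules() {
    cat <<'EOF'
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p udp --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A PREROUTING -t nat -p udp -d $EXTIP --dport 21 -j DNAT --to $PORTFWIP:21
$IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --dport 21 \
    -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to 192.168.0.3
EOF
}

# Flags the two udp rules; the tcp DNAT rule (lines 3-4) passes.
sample_rules | check_ftp_rules || true
```

A rule with `--dport 21` and no `-p` at all is reported as `proto=unset`, since iptables requires a protocol match before `--dport`.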