* FTP behind NAT on a non-standard port
@ 2021-01-31 16:09 mikhalich123
From: mikhalich123 @ 2021-01-31 16:09 UTC (permalink / raw)
To: netfilter
Hello
Gateway running Debian 7.11 (3.2.0-4-686-pae), iptables v1.4.14.
external interface ip: 1.1.1.1
internal interface ip: 192.168.1.1
An FTP server runs inside the local network, and it needs to be made accessible from the outside.
IP of the FTP server on the internal network: 192.168.1.55
Port of the FTP server on the internal network: 51
Output of lsmod | grep ftp:
nf_nat_ftp 12 420 0
nf_conntrack_ftp 12533 2 nf_nat_ftp
nf_nat 17913 2 iptable_nat, nf_nat_ftp
nf_conntrack 43121 9 nf_conntrack_ipv4, nf_nat, iptable_nat, xt_conntrack, xt_state, nf_conntrack_ftp, nf_nat_ftp, xt_CT, nf_conntrack_netlink
It doesn't work like this:
iptables -t raw -A PREROUTING --dst 1.1.1.1 -p tcp --dport 55555 -j CT --helper ftp
iptables -t nat -A PREROUTING -i ext --dst 1.1.1.1 -p tcp --dport 55555 -j DNAT --to-destination 192.168.1.55:51
The control connection opens, but there is no data flow. conntrack -E expect shows nothing.
If we change the FTP server port to the standard one (in both the FTP server settings and the iptables settings), then everything works:
iptables -t nat -A PREROUTING -i ext --dst 1.1.1.1 -p tcp --dport 55555 -j DNAT --to-destination 192.168.1.55:21
Please tell me what settings are needed to make an FTP server running on a non-standard port accessible.
* Re: FTP behind NAT on a non-standard port
@ 2021-01-31 17:21 ` Frank Myhr
From: Frank Myhr @ 2021-01-31 17:21 UTC (permalink / raw)
To: mikhalich123, netfilter
On 2021/01/31 11:09, mikhalich123 wrote:
> Hello
>
> Gateway running Debian 7.11 (3.2.0-4-686-pae), iptables v1.4.14.
>
> external interface ip: 1.1.1.1
>
> internal interface ip: 192.168.1.1
>
> An FTP server runs inside the local network, and it needs to be made accessible from the outside.
>
> IP of the FTP server on the internal network: 192.168.1.55
>
> Port of the FTP server on the internal network: 51
>
> Output of lsmod | grep ftp:
>
> nf_nat_ftp 12 420 0
> nf_conntrack_ftp 12533 2 nf_nat_ftp
> nf_nat 17913 2 iptable_nat, nf_nat_ftp
> nf_conntrack 43121 9 nf_conntrack_ipv4, nf_nat, iptable_nat, xt_conntrack, xt_state, nf_conntrack_ftp, nf_nat_ftp, xt_CT, nf_conntrack_netlink
>
> It doesn't work like this:
>
> iptables -t raw -A PREROUTING --dst 1.1.1.1 -p tcp --dport 55555 -j CT --helper ftp
> iptables -t nat -A PREROUTING -i ext --dst 1.1.1.1 -p tcp --dport 55555 -j DNAT --to-destination 192.168.1.55:51
>
> The control connection opens, but there is no data flow. conntrack -E expect shows nothing.
>
> If we change the FTP server port to the standard one (in both the FTP server settings and the iptables settings), then everything works:
>
> iptables -t nat -A PREROUTING -i ext --dst 1.1.1.1 -p tcp --dport 55555 -j DNAT --to-destination 192.168.1.55:21
>
> Please tell me what settings are needed to make an FTP server running on a non-standard port accessible.
Hi,
It's been a while since I tried this, but I'll take a quick stab for what
it's worth:
I think the answer depends on whether you're running active or passive
mode FTP, as well as whether or not you're doing SNAT (or MASQUERADE)
between your networks.
The thread here may be of some help:
https://www.spinics.net/lists/netfilter/msg44797.html
In general it will probably be easier to get it to work if you can use
passive mode FTP.
Best wishes,
Frank
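The setup the original post asks about, written out as an added example (this is not code from the thread, from either poster, or from the netfilter project). Addresses, the interface name and the ports are the ones the post gives; the rule layout and the module parameter list are assumptions made for this example. The nf_conntrack_ftp module registers its helper for port 21 only by default (its ports= parameter); the working hypothesis here is that after the DNAT rewrites the destination to 192.168.1.55:51, the connection tracker looks for a helper matching the new port and finds none, so the example registers the helper for the internal port as well and keeps the explicit CT assignment narrowed to that one public flow. The FTP helper parses client-controlled text on the control channel, which is why the CT rule matches only the published address and port rather than all TCP traffic.

```shell
#!/bin/sh
# Added example, not from the thread: publish an internal FTP server that
# listens on a non-standard port through DNAT, with the conntrack FTP helper
# attached to exactly that flow. Interface, addresses and ports are the ones
# given in the thread; the rule layout and the ports= list are assumptions.

EXT_IF="${EXT_IF:-ext}"            # external interface (name from the thread)
EXT_IP="${EXT_IP:-1.1.1.1}"        # public address clients connect to
EXT_PORT="${EXT_PORT:-55555}"      # public control port
FTP_IP="${FTP_IP:-192.168.1.55}"   # internal FTP server
FTP_PORT="${FTP_PORT:-51}"         # its non-standard control port

# Emit the commands one per line instead of running them, so the set can be
# reviewed (and checked) before touching a live firewall.
# Note: modprobe only honours ports= on first load; if nf_conntrack_ftp is
# already loaded, put the option in /etc/modprobe.d and reload the module.
ftp_nat_rules() {
    cat <<EOF
modprobe nf_conntrack_ftp ports=21,${FTP_PORT}
modprobe nf_nat_ftp
iptables -t raw -A PREROUTING -i ${EXT_IF} -d ${EXT_IP} -p tcp --dport ${EXT_PORT} -j CT --helper ftp
iptables -t nat -A PREROUTING -i ${EXT_IF} -d ${EXT_IP} -p tcp --dport ${EXT_PORT} -j DNAT --to-destination ${FTP_IP}:${FTP_PORT}
iptables -A FORWARD -i ${EXT_IF} -d ${FTP_IP} -p tcp --dport ${FTP_PORT} -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -d ${FTP_IP} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s ${FTP_IP} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Commands to watch the helper at work: an expectation should appear when the
# client sends PORT (active) or the server answers PASV (passive) on the
# tracked control connection; the RELATED rules above admit the data flow
# in either direction.
ftp_nat_checks() {
    cat <<EOF
conntrack -L -p tcp --dport ${FTP_PORT}
conntrack -E expect
EOF
}

# Print the rule set by default; "apply" runs it (needs root on the gateway).
if [ "${1:-}" = "apply" ]; then
    ftp_nat_rules | sh -e
else
    ftp_nat_rules
fi
```

Run without arguments to print the rules and inspect them, with `apply` to load them, then use the two conntrack commands from `ftp_nat_checks` while a client logs in and lists a directory. The FORWARD chain here only admits the DNAT'd control connection as NEW; data connections get in solely as RELATED entries created by the helper, so nothing outside the tracked FTP session is opened.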