Hi, I have an FTP server behind a firewall and have problems with the DNAT configuration; the internal server has IP 192.168.4.110:

```
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 20 -j DNAT --to-destination 192.168.4.110:20
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 21 -j DNAT --to-destination 192.168.4.110:21
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 1024:1048 -j DNAT --to-destination 192.168.4.110:1024-1048
```

And I have the nf_nat_ftp and nf_conntrack_ftp modules loaded, but it does not work; from the FTP client I get a timeout.

hellb0y77
  • Typically there should be a firewall rule accepting `related` packets in a stateful firewall, i.e. `-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT` – HBruijn Jan 15 '15 at 10:12

1 Answer

You quote the port range "1024-1048" in your existing config. Are you implying that you've restricted your FTP server to only use these ports for data connections? If so, what you've done should work.

Check your machine is set to route packets by doing:

```
cat /proc/sys/net/ipv4/ip_forward
```

You should get a "1" back if forwarding is enabled, which will be required for what you're trying to achieve.

danw
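An added example, not part of either post: a shell function that checks an `iptables-save` dump, the `ip_forward` value and an `lsmod` listing for the points raised in this thread (forwarding enabled, DNAT for tcp/21, a RELATED,ESTABLISHED accept rule in FORWARD, both FTP helper modules). The sample ruleset, the `ip_forward` value of 0 and the module listing are constructed; `audit_ftp_dnat`, `sample_rules`, `sample_lsmod` and `AUDIT_FAILS` are names made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Live use on the NAT box (as root):
#   audit_ftp_dnat "$(iptables-save)" "$(cat /proc/sys/net/ipv4/ip_forward)" "$(lsmod)"
audit_ftp_dnat() {
    rules=$1; fwd=$2; mods=$3; n=0
    # Answer: the kernel must be routing packets (ip_forward = 1).
    if [ "$fwd" != "1" ]; then
        echo "FAIL ip_forward is '$fwd', expected 1"; n=$((n + 1))
    fi
    # Question: the FTP control channel (tcp/21) must be DNATed in PREROUTING.
    if ! printf '%s\n' "$rules" | grep -Eq '^-A PREROUTING .*--dport 21 .*-j DNAT'; then
        echo "FAIL no PREROUTING DNAT rule for tcp/21"; n=$((n + 1))
    fi
    # Comment: FORWARD should accept RELATED,ESTABLISHED (state or conntrack match).
    if ! printf '%s\n' "$rules" | grep -E '^-A FORWARD ' \
        | grep -E -e '--(ct)?state [A-Z,]*RELATED' | grep -q -e '-j ACCEPT'; then
        echo "FAIL no RELATED,ESTABLISHED ACCEPT rule in FORWARD"; n=$((n + 1))
    fi
    # Question: both FTP helper modules must appear in the lsmod listing.
    for m in nf_conntrack_ftp nf_nat_ftp; do
        if ! printf '%s\n' "$mods" | grep -q "^$m "; then
            echo "FAIL module $m not loaded"; n=$((n + 1))
        fi
    done
    echo "findings: $n"
    AUDIT_FAILS=$n   # result for callers; the function itself always returns 0
}

# Constructed sample: the question's rules as iptables-save would print them.
sample_rules() {
cat <<'EOF'
*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 20 -j DNAT --to-destination 192.168.4.110:20
-A PREROUTING -i eth0 -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.4.110:21
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1024:1048 -j DNAT --to-destination 192.168.4.110:1024-1048
COMMIT
*filter
:FORWARD ACCEPT [0:0]
COMMIT
EOF
}

# Constructed lsmod excerpt with both helpers loaded.
sample_lsmod() {
    printf '%s\n' 'nf_nat_ftp 16384 0' 'nf_conntrack_ftp 20480 1 nf_nat_ftp'
}

audit_ftp_dnat "$(sample_rules)" 0 "$(sample_lsmod)"   # ip_forward=0 is constructed
```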