I'm trying to create a NAT function in order to achieve two tasks at the same time:
- Users from the public network are able to access the FTP server
- Users in the LAN are able to use the same WAN address 203.X.X.X to access the FTP server
Network topology:

    [wireless router]    WAN: 203.x.x.x
                         LAN gateway: 10.0.0.138
        |
        |-- Win10 PC     10.0.0.4
        |
        `-- laptop       Linux FTP server (iptables NAT running here)
                         wlan0: 10.0.0.113
                         ports: 20, 21
                         passive: 6000:7000
Now the FTP server is only accessible through the LAN (ftp://10.0.0.113). I want to forward a port to the local FTP server so that any user would be able to use the WAN address 203.x.x.x to log in to the FTP server. I use a Windows 10 machine, which is in the same LAN, to do the test.
*nat
:PREROUTING ACCEPT [280:86644]
:INPUT ACCEPT [79:4030]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -j LOG
-A PREROUTING -d 203.213.238.12/32 -p tcp -m tcp --dport 21 -j DNAT --to-destination 10.0.0.113:21
-A PREROUTING -d 203.213.238.12/32 -p tcp -m tcp --dport 20 -j DNAT --to-destination 10.0.0.113
-A PREROUTING -d 203.213.238.12/32 -p tcp -m tcp --dport 6000:7000 -j DNAT --to-destination 10.0.0.113
-A OUTPUT -j LOG
-A OUTPUT -d 203.213.238.12/32 -p tcp -m tcp --dport 21 -j DNAT --to-destination 10.0.0.113:21
-A OUTPUT -d 203.213.238.12/32 -p tcp -m tcp --dport 20 -j DNAT --to-destination 10.0.0.113
-A OUTPUT -d 203.213.238.12/32 -p tcp -m tcp --dport 6000:7000 -j DNAT --to-destination 10.0.0.113
-A POSTROUTING -j LOG
-A POSTROUTING -d 10.0.0.113/32 -o wlan0 -p tcp -m tcp --dport 21 -j SNAT --to-source 10.0.0.138:21
-A POSTROUTING -d 10.0.0.113/32 -o wlan0 -p tcp -m tcp --dport 20 -j SNAT --to-source 10.0.0.138
-A POSTROUTING -d 10.0.0.113/32 -o wlan0 -p tcp -m tcp --dport 6000:7000 -j SNAT --to-source 10.0.0.138
COMMIT
# Completed on Thu Mar 2 19:40:51 2017
# Generated by iptables-save v1.4.21 on Thu Mar 2 19:40:51 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [412:52590]
-A INPUT -i wlan0 -j ACCEPT
-A FORWARD -o wlan0 -j ACCEPT
-A FORWARD -i wlan0 -j ACCEPT
COMMIT
I'm not sure what I missed or whether there are some logical mistakes in the configuration. Any help would be appreciated.
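As an added example (not part of the question above, and not the poster's configuration), here is a hairpin NAT, also called NAT loopback, rule set for an FTP server behind a Linux router, written as a script that prints the iptables commands so they can be reviewed before being applied. It assumes the NAT is done on the default gateway itself, i.e. the device that actually receives packets addressed to the WAN IP: a LAN host that connects to 203.x.x.x hands the packet to its gateway, so PREROUTING on the FTP server never sees it, and an OUTPUT-chain DNAT only affects connections the server itself originates. The interface names eth0 and br0, the documentation address 203.0.113.12 standing in for the real 203.x.x.x, the LAN 10.0.0.0/24, the server 10.0.0.113 and the passive range 6000:7000 are all assumed values. The two pieces a plain port forward lacks are the second DNAT for packets arriving on the LAN interface and the MASQUERADE that makes the server's replies return through the router; the FTP conntrack helper is attached explicitly because kernels since 4.7 no longer do so automatically.

```shell
#!/bin/sh
# Hairpin NAT (NAT loopback) port forward for an FTP server behind a Linux router.
# Added example, not the configuration from the question. Run this ON THE ROUTER,
# not on the FTP server: LAN hosts send packets for the WAN IP to their gateway.
#
# Assumed values for illustration only: interface names, the documentation address
# 203.0.113.12 in place of the real 203.x.x.x, the LAN range and the server address.
set -eu

WAN_IF=${WAN_IF:-eth0}            # assumed: interface holding the public address
LAN_IF=${LAN_IF:-br0}             # assumed: LAN / wireless bridge interface
WAN_IP=${WAN_IP:-203.0.113.12}    # assumed placeholder for the real WAN address
LAN_NET=${LAN_NET:-10.0.0.0/24}
FTP_SERVER=${FTP_SERVER:-10.0.0.113}
PASV_RANGE=${PASV_RANGE:-6000:7000}

# Print the iptables commands for one TCP destination port or port range.
# Printing instead of executing lets the rule set be reviewed (or diffed) first.
forward_tcp() {
    port=$1
    # Internet clients: the packet enters on the WAN interface.
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp -d $WAN_IP --dport $port -j DNAT --to-destination $FTP_SERVER"
    # LAN clients using the public address: the packet enters on the LAN interface,
    # so the rule above does not match it. This second DNAT is the hairpin.
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp -d $WAN_IP --dport $port -j DNAT --to-destination $FTP_SERVER"
    # Without source NAT the server would answer the LAN client directly from
    # 10.0.0.113, an address the client never connected to, and the handshake dies.
    echo "iptables -t nat -A POSTROUTING -o $LAN_IF -s $LAN_NET -d $FTP_SERVER -p tcp --dport $port -j MASQUERADE"
    # Let the forwarded connection through the filter table.
    echo "iptables -A FORWARD -p tcp -d $FTP_SERVER --dport $port -m conntrack --ctstate NEW -j ACCEPT"
}

# Full rule set: routing, FTP helper, established/related traffic, control port,
# passive range. Port 20 is not forwarded: in active mode the server opens that
# connection outbound and the FTP helper relates it to the control connection.
ftp_nat_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "modprobe nf_conntrack_ftp"
    echo "modprobe nf_nat_ftp"
    # Kernels >= 4.7 no longer attach conntrack helpers automatically.
    echo "iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    forward_tcp 21
    forward_tcp "$PASV_RANGE"
}

case "${1:-print}" in
    print) ftp_nat_rules ;;
    apply) ftp_nat_rules | sh -e ;;   # needs root on the router
    *) echo "usage: $0 [print|apply]" >&2; exit 2 ;;
esac
```

Run it as `sh ftp-hairpin.sh print` to inspect the generated rules and `sh ftp-hairpin.sh apply` as root to install them; override any of the variables in the environment (for example `WAN_IF=ppp0 LAN_IF=wlan0`) to match the real router. MASQUERADE is used for the hairpin flow so the source becomes whatever address the LAN interface carries; `-j SNAT --to-source 10.0.0.138` would be equivalent on the topology in the question.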