• Status: Solved

Port Forwarding

I've been researching over the net on how to do this with no results. Every time I thought I'd figured it out, it didn't work. So now I've come to my last straw of asking my question here.

I'm currently running a Linux RH6.1 Kernel 2.2.12. I can ping my internal eth1 of and I can ping my external eth0 of w.x.y.z. I can also ping my FTP server of My problem is I need to keep the FTP server on the internal side of the firewall, and I'm unable to access the FTP server via port 21. I am aware that the FTP server also has port 20, so just in case I made that routable too. I even relaxed my firewall rules just to make sure, and lowered it all to just the basic IP Masq'ing.

Is there anyone out there who can point me to a how-to, or something else that might work? I've tried the IP-CHAINS and IP-MASQ HOW-TOs with no luck. I've only noted that for a 2.0 Kernel I need a patch, which the Howto mentions, on an FTP server for Fred Viles, but it never mentions where the FTP server is, and that's only for a 2.0 Kernel.

Someone please help me in this bind. I greatly appreciate all help. Thank you.
1 Solution
When you say you are unable to access the FTP server, I assume that means you are unable to access it from the RH6 box, not the Internet in general.

Please post the output of the ifconfig and route -n commands.  

Assuming we don't have a routing problem (your ping experience tends to confirm routing as OK), I would make sure you are loading the ftp IP masquerade module.  Try adding this line to your /etc/rc.local file:

/usr/bin/find /lib/modules/*/ipv4/*masq* -exec /sbin/insmod \{} \;  

This attacks the problem of masquerade modules via the shotgun method; it just loads 'em all. It might help to confirm that you have ip_masq_ftp.o in the ./ipv4 directory where your modules are located.
necrodancer (Author) commented:
Actually I can ftp internally, but I cannot ftp externally. To explain the situation better: I want people to ftp to address w.x.y.z port 21 (which is my firewall) and be automagically forwarded to a machine on my internal network which is actually hosting the FTP server at ip port 21. I hope this explains better. Though if you need to reach me further I would appreciate it if you contact me via email at neo.phyte@home.com. Thank you in advance.
I can't think of any good ways to make this work with ipchains.  For a moment, I thought you could set up a "reverse-masquerade" situation, but it's the ftp login that takes place on 20/21, the actual transfer is on a randomly-allocated port.  

From a security point of view, I'm not all that thrilled with the concept of masquerading an arbitrary IP address on an internal network; it sounds like trouble.

How about setting up the ftp server on the Linux box, and using Samba to mount the directories that your internal ftp server is trying to make available?  

If you don't have it, get the package ipmasqadm and install it, then type this line. It will need to be executed each time the PC reboots, so you can put it in your rc.local file.

/usr/sbin/ipmasqadm autofw -A -r tcp 20 21 -h
You may need to recompile your kernel. The man page for ipmasqadm indicates you need the following modules compiled in:


I still say it's easier to just have the Linux box act as an FTP server of the same files, but the ipmasqadm concept is worth a try.
If you want to forward to an internal ftp server don't forget to load the ip_masq_ftp.o module after your ipmasqadm forward statement by adding the line: modprobe ip_masq_ftp.o

It is not necessary to forward port 20 also, just 21, with the module loaded. It will then forward IP traffic to your internal subnet behind the firewall.

Here is the ipmasqadm statement I use:
ipmasqadm portfw -a -P tcp -L $ETH0IP 21 -R 21

$ETH0IP is the external IP of my firewall. is the address of my internal FTP server.  After this statement is where you want to add the: modprobe ip_masq_ftp.o

Hope this helps.
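
Why forwarding port 21 alone does not carry the data connection: in passive mode the server advertises its own address and a dynamically chosen port inside the control channel, so an FTP NAT helper has to rewrite that payload and remember the port. The sketch below is an added example (not code from this thread or from the ip_masq_ftp module) of that rewrite for the RFC 959 `h1,h2,h3,h4,p1,p2` tuple; the addresses and function names are assumptions made up for illustration.

```python
import re

# RFC 959 endpoint tuple used by "227 Entering Passive Mode" and "PORT":
# four address bytes followed by the port as high byte, low byte.
TUPLE_RE = re.compile(r"\b(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\b")

# Constructed sample addresses (assumptions, not values from the thread).
INTERNAL_FTP = "192.168.1.10"
FIREWALL_EXT = "203.0.113.5"

def parse_endpoint(line):
    """Return (ip, port) advertised in a control-channel line, or None."""
    m = TUPLE_RE.search(line)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None  # not a valid byte tuple
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def rewrite_endpoint(line, internal_ip, external_ip, port_map):
    """Replace an advertised internal endpoint with the firewall's address.

    port_map records external_port -> (internal_ip, internal_port) so the
    data connection that follows can be forwarded to the real server.
    Lines that do not advertise internal_ip are returned unchanged.
    """
    ep = parse_endpoint(line)
    if ep is None or ep[0] != internal_ip:
        return line
    ip, port = ep
    ext_port = port  # assumption: the same port number is used externally
    port_map[ext_port] = (ip, port)
    new_tuple = "%s,%d,%d" % (external_ip.replace(".", ","),
                              ext_port >> 8, ext_port & 0xFF)
    return TUPLE_RE.sub(new_tuple, line, count=1)

def demo():
    """Run the rewrite over one constructed passive-mode reply."""
    port_map = {}
    reply = "227 Entering Passive Mode (192,168,1,10,195,80)"  # constructed
    return rewrite_endpoint(reply, INTERNAL_FTP, FIREWALL_EXT, port_map), port_map

if __name__ == "__main__":
    print(demo())
```

Without this rewrite the external client is told to connect to the private address, which it cannot reach, even though the login on port 21 succeeded.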

