Port Forwarding

I've been researching over the net on how to do this with no results. Every time I thought I'd figured it out, it didn't work. So now I've come to my last straw of asking my question here.

I'm currently running a Linux RH6.1 Kernel 2.2.12. I can ping my internal eth1 of and I can ping my external eth0 of w.x.y.z. I can also ping my FTP server of My Problem is I need to keep the FTP server on the internal side of the firewall, and I'm unable to access the FTP Server via port 21. I am aware that the FTP server also has port 20 so just in case I made that routable too. I even relaxed my Firewall rules just to make sure, and lowered it all to just the basic IP Masq'ing.

Is there anyone out there who can point me to a how-to, or something else that might work? I've tried the IP-CHAINS and IP-MASQ HOW-TOs with no luck. I've only noted that for a 2.0 kernel I need a patch, which the HOWTO mentions, on an FTP server for Fred Viles, but it never mentions where the FTP server is, and that's only for a 2.0 kernel.

Someone please help me in this bind. I greatly appreciate all help. Thank you.

When you say you are unable to access the FTP server, I assume that means you are unable to access it from the RH6 box, not the Internet in general.

Please post the output of the ifconfig and route -n commands.  

Assuming we don't have a routing problem (your ping experience tends to confirm routing as OK), I would make sure you are loading the ftp IP masquerade module.  Try adding this line to your /etc/rc.local file:

/usr/bin/find /lib/modules/*/ipv4/*masq* -exec /sbin/insmod \{} \;  

This attacks the problem of masquerade modules via the shotgun method; it just loads 'em all. It might help to confirm that you have ip_masq_ftp.o in the ./ipv4 directory where your modules are located.

necrodancer (Author) commented:
Actually I can ftp internally, but I cannot ftp externally. To explain the situation better: I want people to ftp to address w.x.y.z port 21 (which is my firewall) and be automagically forwarded to a machine on my internal network which is actually hosting the FTP server at ip port 21. I hope this explains better. Though if you need to reach me further I would appreciate it if you contact me via email at neo.phyte@home.com. Thank you in advance.

I can't think of any good ways to make this work with ipchains.  For a moment, I thought you could set up a "reverse-masquerade" situation, but it's the ftp login that takes place on 20/21, the actual transfer is on a randomly-allocated port.  

From a security point of view, I'm not all that thrilled with the concept of masquerading an arbitrary IP address on an internal network; it sounds like trouble.

How about setting up the ftp server on the Linux box, and using Samba to mount the directories that your internal ftp server is trying to make available?  

If you don't have it, get the package ipmasqadm and install it, then type this line. It will need to be executed each time the PC reboots, so you can put it in your rc.local file.

/usr/sbin/ipmasqadm autofw -A -r tcp 20 21 -h
You may need to recompile your kernel.  The man page for ipmasqadm indicates you need the following modules compiled in:


I still say it's easier to just have the Linux box act as an FTP server of the same files, but the ipmasqadm concept is worth a try.
If you want to forward to an internal ftp server don't forget to load the ip_masq_ftp.o module after your ipmasqadm forward statement by adding the line: modprobe ip_masq_ftp.o

It is not necessary to forward port 20 also, just 21, with the module loaded.  It will then forward IP traffic to your internal subnet behind the firewall.

Here is the ipmasqadm statement I use:
ipmasqadm portfw -a -P tcp -L $ETH0IP 21 -R 21

$ETH0IP is the external IP of my firewall. is the address of my internal FTP server.  After this statement is where you want to add the: modprobe ip_masq_ftp.o

Hope this helps.
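
Added example (not part of the original thread, and not the ip_masq_ftp module's code): a sketch of why forwarding port 21 alone is not enough and an FTP-aware helper is needed. The FTP control channel carries the data-connection address inside the protocol text, so the internal server's 227 reply has to be rewritten to the firewall's external address and the data port forwarded. The addresses, names and sample lines are constructed for illustration.

```python
import re

# Constructed addresses (assumptions, not taken from the thread).
EXTERNAL_IP = "192.0.2.10"   # firewall's outside address
INTERNAL_IP = "10.0.0.5"     # FTP server behind the firewall

# h1,h2,h3,h4,p1,p2 as used by PORT commands and 227 replies.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(line):
    """Return (ip, port) from a PORT command or 227 reply, or None."""
    m = _HOSTPORT.search(line)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None  # not a valid octet sequence
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def encode_hostport(ip, port):
    """Encode ip/port back into the h1,h2,h3,h4,p1,p2 form."""
    return ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])


def rewrite_pasv_reply(line, internal_ip, external_ip, forwards):
    """Rewrite a server's 227 reply so an outside client can connect.

    `forwards` records external_port -> (internal_ip, internal_port): the
    temporary data-port forward the firewall needs for this transfer.
    """
    if not line.startswith("227"):
        return line  # only passive-mode replies carry the server's address
    parsed = parse_hostport(line)
    if parsed is None or parsed[0] != internal_ip:
        return line  # malformed, or not advertising the internal address
    _, port = parsed
    forwards[port] = (internal_ip, port)
    return _HOSTPORT.sub(encode_hostport(external_ip, port), line, count=1)


if __name__ == "__main__":
    table = {}
    reply = "227 Entering Passive Mode (10,0,0,5,195,80)"  # constructed sample
    print(rewrite_pasv_reply(reply, INTERNAL_IP, EXTERNAL_IP, table))
    print(table)
```

Without the rewrite, an outside client would try to open its data connection to the internal address, which is not routable from the Internet; the login on port 21 succeeds and the first directory listing or transfer hangs.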

