iptables ftpd

Posted on 2007-10-10
Last Modified: 2013-12-16
pc1 has internet connection + lan, no ftpd
pc2 has lan, running vsftpd

how should i set iptables on pc1 to give internet users access to ftpd on pc2 ?

pc1: /sbin/iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to
pc3, via internet:
230 Login successful.
ftp> ls
227 Entering Passive Mode (192,168,0,15,174,58)
ftp: connect: No route to host
Question by:ed987
    Expert Comment by: Duncan Roe (LVL 34)
    All you need do is route incoming calls on the ftp port to your server. That allows clients to use passive ftp, which is as much as many public ftp sites offer nowadays.
    Oh I see, you already tried to do that.
    On that line you missed the input source. Assuming pc1 has the public internet on eth1, you should do

    pc1: /sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 21 -j DNAT --to

    for eth1, substitute eth0 if that has the external connection, ppp0 if you use dialup, etc.

    Expert Comment by: Duncan Roe (LVL 34)
    Just noticed - you don't need and probably don't want :21 on the end of that line:

    pc1: /sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 21 -j DNAT --to

    This works for me (in a loop):

    iptables -t nat -A PREROUTING -i eth1 -p tcp --dport $i -j DNAT --to $downloader

    i is the loop variable; downloader is set early on depending on its (dynamic) address.

    Assisted Solution (LVL 16)

    FTP is a pain in the ass protocol to configure. It has two modes of operation, active mode and passive mode.

    In your case active mode would be more simple to implement (actually it probably should work already) but it might not work on the client side.

    Configuring passive mode is more challenging because you must configure NAT for passive mode connections:

    1. configure vsftpd to use limited range of ports. In vsftpd.conf put lines:

    2. configure firewall to allow connections to these ports:
      iptables -I FORWARD -i <internet_interface> -p tcp -d --dport 45000:45500 -j ACCEPT

    3. configure firewall to DNAT the appropriate ports to your ftp server:
      iptables -t nat -A PREROUTING -p tcp --dport 45000:45500 -j DNAT --to
    Accepted Solution (LVL 19)

    I would do this instead:

    modprobe ip_nat_ftp
    modprobe ip_conntrack_ftp
    iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to
    iptables -A FORWARD -p tcp --dport 21 -d -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    and that's it. you should be able to communicate from outside to your internal ftp server.
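    The session quoted in the question fails because the 227 reply advertises the server's LAN address (192.168.0.15) and a data port the firewall does not forward; the ip_nat_ftp helper in the accepted solution exists precisely to rewrite that reply. The following is an added example, not code from this thread: it decodes a PASV reply and reports the two conditions that would break an internet client behind a DNAT, given the 45000:45500 range from the assisted solution. The sample reply is constructed from the question; the pasv_range parameter and the RFC 1918 check are assumptions of this example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: the 227 reply quoted in the question's ftp session.
PASV_REPLY = "227 Entering Passive Mode (192,168,0,15,174,58)"

# h1,h2,h3,h4,p1,p2 tuple per RFC 959; port = p1*256 + p2
_PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

# RFC 1918 ranges: an address here is unroutable from the public internet.
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class PasvTarget:
    host: str
    port: int


def parse_pasv(reply: str) -> PasvTarget:
    """Decode the address and data port a server advertises in a 227 reply."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 (Entering Passive Mode) reply")
    m = _PASV_RE.search(reply)
    if m is None:
        raise ValueError("no (h1,h2,h3,h4,p1,p2) tuple in reply")
    fields = [int(f) for f in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("tuple field exceeds 255")
    return PasvTarget(".".join(map(str, fields[:4])), fields[4] * 256 + fields[5])


def diagnose(reply: str, pasv_range: tuple[int, int]) -> list[str]:
    """List why an internet client behind a DNAT could not open this data connection."""
    target = parse_pasv(reply)
    addr = ipaddress.ip_address(target.host)
    problems = []
    if any(addr in net for net in _RFC1918):
        problems.append(f"advertised address {target.host} is private: client has no route to it")
    lo, hi = pasv_range
    if not lo <= target.port <= hi:
        problems.append(f"data port {target.port} is outside the forwarded range {lo}-{hi}")
    return problems


if __name__ == "__main__":
    for line in diagnose(PASV_REPLY, (45000, 45500)):
        print(line)
```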
