iptables ftpd

pc1 has internet connection + lan, no ftpd
pc2 has lan, running vsftpd

How should I set iptables on pc1 to give internet users access to ftpd on pc2?

pc1: /sbin/iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to
pc3, via internet:
230 Login successful.
ftp> ls
227 Entering Passive Mode (192,168,0,15,174,58)
ftp: connect: No route to host
Gabriel Orozco, Solution Architect, commented:
I would do this instead:

modprobe ip_nat_ftp
modprobe ip_conntrack_ftp
iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to
iptables -A FORWARD -p tcp --dport 21 -d -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

And that's it. You should be able to communicate from outside to your internal ftp server.
Duncan Roe, Software Developer, commented:
All you need do is route incoming calls on the ftp port to your server. That allows clients to use passive ftp, which is as much as many public ftp sites offer nowadays.
Oh I see, you already tried to do that.
On that line you missed the input source. Assuming pc1 has the public internet on eth1, you should do

pc1: /sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 21 -j DNAT --to

For eth1, substitute eth0 if that has the external connection, ppp0 if you use dialup, etc.
Duncan Roe, Software Developer, commented:
Just noticed - you don't need and probably don't want :21 on the end of that line:

pc1: /sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 21 -j DNAT --to

This works for me (in a loop)

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport $i -j DNAT --to $downloader

i is the loop variable; downloader is set early on depending on its (dynamic) address
FTP is a pain in the ass protocol to configure. It has two modes of operation: active mode and passive mode.

In your case active mode would be simpler to implement (actually it probably should work already) but it might not work on the client side.

Configuring passive mode is more challenging because you must configure NAT for passive mode connections:

1. Configure vsftpd to use a limited range of ports. In vsftpd.conf put lines:

2. Configure the firewall to allow connections to these ports:
  iptables -I FORWARD -i <internet_interface> -p tcp -d --dport 45000:45500 -j ACCEPT

3. Configure the firewall to DNAT the appropriate ports to your ftp server:
  iptables -t nat -A PREROUTING -p tcp --dport 45000:45500 -j DNAT --to
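Added example, not part of any reply above: a small shell check that decodes a 227 reply like the one in the question and reports whether the advertised data endpoint is a LAN-only address or falls outside the forwarded port range. The function names and the 203.0.113.10 sample reply are constructed for illustration; the 45000:45500 range is the one used in the steps above.

```shell
#!/bin/sh
# Decode an FTP 227 (passive mode) reply and say whether a client on the
# internet side of the NAT box could open the data connection it advertises.

# pasv_endpoint REPLY -> prints "ip port"; returns 1 if REPLY is not a valid 227.
pasv_endpoint() {
    fields=$(printf '%s\n' "$1" |
        sed -n 's/^227 .*(\([0-9]\{1,3\}\(,[0-9]\{1,3\}\)\{5\}\)).*$/\1/p')
    [ -n "$fields" ] || return 1
    old_ifs=$IFS; IFS=,
    set -- $fields                           # h1 h2 h3 h4 p1 p2
    IFS=$old_ifs
    for n in "$@"; do
        case $n in 0?*) return 1 ;; esac     # reject leading zeros (octal trap)
        [ "$n" -le 255 ] || return 1
    done
    echo "$1.$2.$3.$4 $(( $5 * 256 + $6 ))"  # data port = p1*256 + p2
}

# is_rfc1918 IP -> succeeds if IP is in 10/8, 172.16/12 or 192.168/16.
is_rfc1918() {
    case $1 in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# diagnose_pasv REPLY MIN MAX -> one-line verdict; MIN..MAX is the forwarded range.
diagnose_pasv() {
    ep=$(pasv_endpoint "$1") || { echo "unparseable"; return 0; }
    ip=${ep% *}; port=${ep#* }
    if is_rfc1918 "$ip"; then
        # The client was handed the server's LAN address: unreachable from outside.
        echo "private-address $ip:$port"
    elif [ "$port" -lt "$2" ] || [ "$port" -gt "$3" ]; then
        echo "port-outside-range $ip:$port"
    else
        echo "ok $ip:$port"
    fi
}

# First reply is the one quoted in the question; the second is a constructed
# sample using the documentation address 203.0.113.10.
diagnose_pasv "227 Entering Passive Mode (192,168,0,15,174,58)" 45000 45500
diagnose_pasv "227 Entering Passive Mode (203,0,113,10,175,210)" 45000 45500
```

The first verdict matches the "No route to host" failure in the question: the client was told to connect to 192.168.0.15, an address that exists only on the LAN behind pc1.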
