Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1323
  • Last Modified:

iptables ftpd

pc1 has internet connection + lan, no ftpd
pc2 has lan, running vsftpd

how should i set iptables on pc1 to give internet users access to ftpd on pc2 ?

pc1: /sbin/iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to
pc3, via internet:
230 Login successful.
ftp> ls
227 Entering Passive Mode (192,168,0,15,174,58)
ftp: connect: No route to host
  • 2
2 Solutions
Duncan RoeSoftware DeveloperCommented:
All you need do is route incoming calls on the ftp port to your server. That allows clients to use passive ftp, which is as much as many public ftp sites offer nowadays
Oh I see, you already tried to do that.
On that line you missed the input source. Assuming pc1 has the public internet on eth1, you should do

pc1: /sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 21 -j DNAT --to

for eth1, substitute eth0 if that has the external connection, ppp0 if you use dialup, etc
Duncan RoeSoftware DeveloperCommented:
Just noticed - you don't need and probably don't want :21 on the end of that line:

pc1: /sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 21 -j DNAT --to

This works for me (in a loop)

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport $i -j DNAT --to $downloader

i is the loop variable; downloader is set early on depending on its (dynamic) address
FTP is a pain in the ass protocol to configure. It has two modes of operation active mode and passive mode.

In your case active mode would be more simple to implement (actually it probably should work already) but it might not work on the client side.

Configuring passive mode is more chalenging because you must configure NAT for passive mode connections:

1. configure vsftpd to use limited range of ports. In vsftpd.conf put lines:

2. configure firewall to allow connections to this ports:
  iptables -I FORWARD -i <internet_interface> -p tcp -d --dport 45000:45500 -j ACCEPT

3. configure firewall to DNAT the appropriate ports to your ftp server:
  iptables -t nat -A PREROUTING -p tcp --dport 45000:45500 -j DNAT --to
Gabriel OrozcoSolution ArchitectCommented:
I would do this instead:

modprobe ip_nat_ftp
modprobe ip_conntrack_ftp
iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to
iptables -A FORWARD -p tcp --dport 21 -d -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

and that's it. you should be able to communicate from outside to your internal ftp server.

Featured Post

[Webinar On Demand] Database Backup and Recovery

Does your company store data on premises, off site, in the cloud, or a combination of these? If you answered “yes”, you need a data backup recovery plan that fits each and every platform. Watch now as as Percona teaches us how to build agile data backup recovery plan.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now