03-08-2010 #1 - Just Joined! - Join Date: Nov 2009 - Posts: 9
Problem with Iptables
Hi everybody
I am building a system that includes a firewall server using iptables, a web server and an FTP server.
On the FTP server (IP: 192.168.1.2, GW: 192.168.1.1) I installed ProFTPD successfully. In the LAN I can do everything successfully.
On the firewall server: <IP PUBLIC> on eth0 and LAN IP 192.168.1.1 on eth1.
Iptables rules:
From the FTP server I can access the internet fine.
Code:
# Generated by iptables-save v1.3.5 on Sun Mar 7 21:01:16 2010
*nat
:PREROUTING ACCEPT [950:126970]
:POSTROUTING ACCEPT [89:5880]
:OUTPUT ACCEPT [19:1342]
-A PREROUTING -d <IP PUBLIC> -i eth0 -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.1.2:21
-A POSTROUTING -s 192.168.1.2 -o eth0 -j SNAT --to-source <IP PUBLIC>
COMMIT
# Completed on Sun Mar 7 21:01:16 2010
# Generated by iptables-save v1.3.5 on Sun Mar 7 21:01:16 2010
*filter
:INPUT DROP [1599:157409]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [232:34452]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A FORWARD -i eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
COMMIT
# Completed on Sun Mar 7 21:01:16 2010
I checked port 21 on <IP PUBLIC>; it returns Open.
But when I use the ftp command it shows:
Code:
Connected to <IP PUBLIC>.
220 ProFTPD 1.3.3 Server (FTP Server) [192.168.1.2]
User (<IP PUBLIC>:(none)): longvnit
331 Password required for longvnit
Password:
230 User longvnit logged in
ftp> dir
200 PORT command successful
Aborting any active data connections...
ftp> bye

C:\Documents and Settings\LONGVNIT>ftp <IP PUBLIC>
Connected to <IP PUBLIC>.
220 ProFTPD 1.3.3 Server (FTP Server) [192.168.1.2]
User (<IP PUBLIC>:(none)): longvnit
331 Password required for longvnit
Password:
230 User longvnit logged in
ftp> dir
200 PORT command successful
425 Unable to build data connection: Connection timed out
ftp> dir
200 PORT command successful
425 Unable to build data connection: Connection timed out
ftp>
Please help me. Thanks!
03-08-2010 #2 - Linux Guru - Join Date: Nov 2007 - Posts: 1,695
Google: proftpd behind nat firewall
Read the part about configuring ProFTPD and passive ports.
03-08-2010 #3 - Just Joined! - Join Date: Nov 2009 - Posts: 9
Thanks to HROAdmin26.
I tried it and it shows 127.0.0.1:21 masquerading as <IP PUBLIC>, but it doesn't solve the problem. I think I have problems with the iptables rules, because when I install a VPN server on Windows Server 2003 and NAT port 1723 to the VPN server, a client connecting to the server gets Error: 721.
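Posts #2 and #3 turn on what the FTP peer advertises for the data connection and whether the firewall lets that connection through. The helper below is an added example, not code from the thread: it decodes the h1,h2,h3,h4,p1,p2 form of a client PORT command or a server "227 Entering Passive Mode" reply into host:port and reports the two conditions behind a 425 "Unable to build data connection" like the one in post #1: a private LAN address advertised to a peer that cannot reach it (for a server behind NAT this is what ProFTPD's MasqueradeAddress corrects) or a passive port outside the range the firewall forwards (PassivePorts). The control-channel lines and the 49152 to 49200 range are constructed for the demo.

```shell
#!/bin/sh
# Decode the data-connection endpoint an FTP peer advertises on the control
# channel. Added example, not code from the thread. Input is a client
# "PORT h1,h2,h3,h4,p1,p2" command or a server
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply.

# ftp_data_endpoint LINE -> prints "a.b.c.d:port"; returns 1 if LINE carries no
# "PORT " or "(" prefixed h1,h2,h3,h4,p1,p2 group. The data port is p1*256+p2.
ftp_data_endpoint() {
    nums=$(printf '%s\n' "$1" \
        | sed -n 's/.*[(: ]\([0-9]\{1,3\}\(,[0-9]\{1,3\}\)\{5\}\).*/\1/p')
    [ -n "$nums" ] || return 1
    old_ifs=$IFS
    IFS=,
    set -- $nums          # $1..$6 are now h1 h2 h3 h4 p1 p2
    IFS=$old_ifs
    [ $# -eq 6 ] || return 1
    printf '%s.%s.%s.%s:%d\n' "$1" "$2" "$3" "$4" "$(( $5 * 256 + $6 ))"
}

# is_private_ipv4 ADDR -> true for RFC 1918 and loopback addresses, which a
# peer on the far side of a NAT cannot connect to directly
is_private_ipv4() {
    case "$1" in
        10.*|192.168.*|127.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_endpoint LINE LOW HIGH -> prints one verdict word:
#   unparsable        no h1,...,p2 group in LINE
#   private-address   a LAN address was advertised (MasqueradeAddress missing
#                     on a server, or a client behind its own NAT in active mode)
#   port-out-of-range port outside LOW..HIGH, the PassivePorts range the
#                     firewall forwards (pass 1 65535 for PORT lines)
#   ok                the peer should be able to reach the endpoint
check_endpoint() {
    ep=$(ftp_data_endpoint "$1") || { echo unparsable; return 0; }
    host=${ep%:*}
    port=${ep##*:}
    if is_private_ipv4 "$host"; then
        echo private-address
    elif [ "$port" -lt "$2" ] || [ "$port" -gt "$3" ]; then
        echo port-out-of-range
    else
        echo ok
    fi
}

# Constructed control-channel lines for the demo (not from the thread's transcript).
# A server at 192.168.1.2 without MasqueradeAddress leaks its LAN address:
check_endpoint "227 Entering Passive Mode (192,168,1,2,195,80)" 49152 49200
# The same server with MasqueradeAddress set and a port inside PassivePorts:
check_endpoint "227 Entering Passive Mode (203,0,113,10,192,10)" 49152 49200
# An active-mode client behind its own NAT advertises a private address too:
check_endpoint "PORT 10,0,0,5,4,1" 1 65535
```

Run it against the 227 lines a client actually receives (a verbose client prints them) to see whether the server is advertising its public address and a port the firewall forwards before touching the iptables rules.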
03-08-2010 #4 - Just Joined! - Join Date: Aug 2009 - Location: Evil Empire - Posts: 33
I don't use iptables, but I think it's the same idea. You need to create a redirection rule for your ports to the FTP or VPN server.
03-08-2010 #5 - Just Joined! - Join Date: Aug 2009 - Location: Mumbai, India - Posts: 75
Hi,
Try adding one more rule to the PREROUTING chain and check if FTP works.
Code:
iptables -t nat -A PREROUTING -d <IP PUBLIC> -i eth0 -p tcp -m tcp --dport 20 -j DNAT --to-destination 192.168.1.2:20
--Syd
03-09-2010 #6
You just need to load the FTP connection tracking module "ip_conntrack_ftp". No need to open any ports on the firewall, as this module handles this.
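Pulling the thread's suggestions together (passive ports from #2, the extra inbound rule from #5, the conntrack helper from #6) into one ruleset, as an added example that is not any poster's code. It assumes the thread's layout (FTP server 192.168.1.2 behind eth1, <IP PUBLIC> on eth0, written here as the placeholder 203.0.113.1) and an invented PassivePorts range of 49152 to 49200. The functions only print text in iptables-restore and proftpd.conf form; only apply(), which is not run here and needs root, touches the live firewall.

```shell
#!/bin/sh
# Ruleset for ProFTPD behind an iptables NAT box. Added example, not the
# thread's own rules. Edit these four values for your network; the defaults
# are constructed placeholders (203.0.113.1 stands in for <IP PUBLIC>).
PUBLIC_IP=203.0.113.1
FTP_HOST=192.168.1.2
PASV_LOW=49152
PASV_HIGH=49200
WAN=eth0
LAN=eth1

# Print the proftpd.conf directives the ruleset relies on.
proftpd_snippet() {
    cat <<EOF
# Advertise the public address in 227 (PASV) replies instead of $FTP_HOST
MasqueradeAddress $PUBLIC_IP
# Restrict passive data ports to the range the firewall forwards
PassivePorts $PASV_LOW $PASV_HIGH
EOF
}

# Print the nat and filter tables in iptables-restore format.
ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# control channel and passive data range both go to the FTP server
-A PREROUTING -d $PUBLIC_IP -i $WAN -p tcp --dport 21 -j DNAT --to-destination $FTP_HOST
-A PREROUTING -d $PUBLIC_IP -i $WAN -p tcp --dport $PASV_LOW:$PASV_HIGH -j DNAT --to-destination $FTP_HOST
-A POSTROUTING -s $FTP_HOST -o $WAN -j SNAT --to-source $PUBLIC_IP
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i $LAN -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# replies, and data connections the FTP helper has marked RELATED, either way
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# inbound: only the control port and the passive range may open new connections
-A FORWARD -i $WAN -o $LAN -d $FTP_HOST -p tcp --dport 21 -m state --state NEW -j ACCEPT
-A FORWARD -i $WAN -o $LAN -d $FTP_HOST -p tcp --dport $PASV_LOW:$PASV_HIGH -m state --state NEW -j ACCEPT
# outbound: LAN hosts may open new connections (active-mode data from port 20 included)
-A FORWARD -i $LAN -o $WAN -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Load the FTP helper that follows PORT/PASV on the control channel and its
# NAT companion that rewrites the addresses inside them, then apply the rules.
# Module names: nf_conntrack_ftp/nf_nat_ftp on current kernels,
# ip_conntrack_ftp/ip_nat_ftp on 2.6.18-era kernels like the thread's.
# Needs root; not invoked by this script.
apply() {
    modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
    modprobe nf_nat_ftp 2>/dev/null || modprobe ip_nat_ftp
    ruleset | iptables-restore
}

proftpd_snippet
echo
ruleset
```

Two differences from the rules in post #1 matter. FORWARD no longer accepts any NEW connection arriving on eth0; only port 21 and the passive range reach the FTP server, and every other inbound packet must belong to a connection the state machine already knows, which is exactly the state (RELATED) the FTP helper gives a data connection it saw announced on the control channel. Active-mode transfers are connections the server itself opens from port 20 towards the client, so they fall under the outbound FORWARD rule and the SNAT rather than a DNAT. With the helper and its NAT companion loaded the passive-range DNAT is redundant, as post #6 says; keeping it means transfers still work on a box where the helper failed to load.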