FTP
mazzay, 2013-11-28 17:11:31

Why is there no Internet access to the ftp server behind the router?

Hello, help me set up access to the FTP server from outside.
vlan1 - external xxxx
eth0 - local network 192.168.0.1
ftp proftpd - 192.168.0.254 ; PassivePorts 50000-50100
On the router I entered the following iptables rules:

iptables -I INPUT -p tcp --dport 20:21 -j ACCEPT 
iptables -t nat -I PREROUTING -d x.x.x.x -p tcp --dport 20:21 -j DNAT --to 192.168.0.254:20-21
iptables -I FORWARD -i vlan1 -p tcp -d 192.168.0.254 --dport 20:21 -j ACCEPT
iptables -t nat -I PREROUTING -p tcp -d x.x.x.x --dport 50000:50100 -j DNAT --to 192.168.0.254:50000-50100
iptables -I FORWARD -i vlan1 -p tcp -d 192.168.0.254 --dport 50000:50100 -j ACCEPT

but access to ftp://xxxx is only available from the local network.
[email protected]:~# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       udp  --  anywhere             host.miran.ru udp dpt:39471 to:192.168.0.136:39471
DNAT       tcp  --  anywhere             host.miran.ru tcp dpt:39471 to:192.168.0.136:39471
DNAT       tcp  --  anywhere             host.miran.ru tcp dpts:50000:50100 to:192.168.0.254:50000-50100
DNAT       tcp  --  anywhere             host.miran.ru tcp dpts:ftp-data:ftp to:192.168.0.254:20-21
DNAT       tcp  --  anywhere             host.miran.ru tcp dpt:ssh to:192.168.0.1:22
DNAT       icmp --  anywhere             host.miran.ru to:192.168.0.1
DNAT       tcp  --  anywhere             host.miran.ru tcp dpt:55876 to:192.168.0.119:55876
DNAT       udp  --  anywhere             host.miran.ru udp dpt:55876 to:192.168.0.119:55876
DNAT       udp  --  anywhere             host.miran.ru udp dpt:59423 to:192.168.0.107:59423
DNAT       tcp  --  anywhere             host.miran.ru tcp dpt:59423 to:192.168.0.107:59423
DNAT       udp  --  anywhere             host.miran.ru udp dpt:62867 to:192.168.0.119:62867
DNAT       tcp  --  anywhere             host.miran.ru tcp dpt:62867 to:192.168.0.119:62867
DNAT       udp  --  anywhere             host.miran.ru udp dpt:6666 to:192.168.0.136:6666
DNAT       tcp  --  anywhere             host.miran.ru tcp dpt:6666 to:192.168.0.136:6666
DNAT       tcp  --  anywhere             host.miran.ru tcp dpt:39471 to:192.168.0.136:39471
DNAT       udp  --  anywhere             host.miran.ru udp dpt:39471 to:192.168.0.136:39471
DNAT       tcp  --  anywhere             host.miran.ru tcp dpt:25037 to:192.168.0.126:25037
DNAT       udp  --  anywhere             host.miran.ru udp dpt:25037 to:192.168.0.126:25037
DNAT       tcp  --  anywhere             host.miran.ru tcp dpts:50000:50100 to:192.168.0.254
DNAT       udp  --  anywhere             host.miran.ru udp dpts:50000:50100 to:192.168.0.254
TRIGGER    0    --  anywhere             host.miran.ru TRIGGER type:dnat match:0 relate:0

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       0    --  192.168.0.0/24       anywhere            to:x.x.x.x
MASQUERADE  0    --  anywhere             anywhere            MARK match 0x1

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[email protected]:~#

[email protected]:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:ftp-data:ftp
DROP       tcp  --  anywhere             anywhere            tcp dpt:webcache
DROP       tcp  --  anywhere             anywhere            tcp dpt:www
DROP       tcp  --  anywhere             anywhere            tcp dpt:https
DROP       tcp  --  anywhere             anywhere            tcp dpt:69
DROP       tcp  --  anywhere             anywhere            tcp dpt:telnet

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             192.168.0.126       udp dpt:25037
ACCEPT     tcp  --  anywhere             192.168.0.126       tcp dpt:25037
ACCEPT     udp  --  anywhere             192.168.0.136       udp dpt:39471
ACCEPT     tcp  --  anywhere             192.168.0.136       tcp dpt:39471
ACCEPT     tcp  --  anywhere             192.168.0.254       tcp dpts:50000:50100
ACCEPT     tcp  --  anywhere             192.168.0.254       tcp dpts:ftp-data:ftp
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
lan2wan    0    --  anywhere             anywhere
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT     0    --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             192.168.0.119       tcp dpt:55876
ACCEPT     udp  --  anywhere             192.168.0.119       udp dpt:55876
ACCEPT     udp  --  anywhere             note3               udp dpt:59423
ACCEPT     tcp  --  anywhere             note3               tcp dpt:59423
ACCEPT     udp  --  anywhere             192.168.0.119       udp dpt:62867
ACCEPT     tcp  --  anywhere             192.168.0.119       tcp dpt:62867
ACCEPT     udp  --  anywhere             192.168.0.136       udp dpt:6666
ACCEPT     tcp  --  anywhere             192.168.0.136       tcp dpt:6666
ACCEPT     tcp  --  anywhere             192.168.0.254       tcp dpts:50000:50100
ACCEPT     udp  --  anywhere             192.168.0.254       udp dpts:50000:50100
TRIGGER    0    --  anywhere             anywhere            TRIGGER type:in match:0 relate:0
trigger_out  0    --  anywhere             anywhere
ACCEPT     0    --  anywhere             anywhere            state NEW

HTTP is forwarded successfully, both with iptables rules and through the router's web interface, but FTP fails. What am I doing wrong?

2 answer(s)
papahoolio, 2013-11-28
@papahoolio

MasqueradeAddress xxxx
for proftpd

and

modprobe ip_conntrack_ftp ports=21,221
modprobe ip_nat_ftp ports=21,221
for a machine where ftpd is running
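A quick offline check for the symptom this answer addresses: an outside client receives a 227 passive-mode reply that advertises the server's private address, or a data port the router does not forward. This is an added Python example, not code from the thread; the 227 replies and the public address 203.0.113.7 (standing in for the asker's x.x.x.x) are constructed, and the 50000-50100 range is the asker's PassivePorts setting.

```python
import ipaddress
import re

# Constructed values for this example: the asker's public address is shown as
# x.x.x.x in the thread, so a documentation address stands in for it here.
PUBLIC_IP = "203.0.113.7"
# The asker's proftpd PassivePorts range, which the router forwards with DNAT.
PASSIVE_PORTS = (50000, 50100)

# RFC 1918 ranges: an outside client cannot reach any of these, so a 227 reply
# that advertises one of them is exactly the symptom MasqueradeAddress fixes.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# RFC 1123 asks clients to accept the six numbers with or without parentheses.
PASV_RE = re.compile(r"^227\b\D*(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_pasv(reply):
    """Return (ip, port) advertised by a '227 Entering Passive Mode' reply."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range in: %r" % reply)
    ip = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]  # p1*256 + p2, as FTP encodes the port
    return ip, port


def check_pasv(reply, public_ip=PUBLIC_IP, port_range=PASSIVE_PORTS):
    """List what would stop an outside client from opening the data connection."""
    ip, port = parse_pasv(reply)
    problems = []
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in RFC1918):
        problems.append("server advertises private address %s: set MasqueradeAddress %s "
                        "in proftpd, or load the FTP conntrack/NAT helper on the router"
                        % (ip, public_ip))
    elif ip != public_ip:
        problems.append("server advertises %s, expected %s" % (ip, public_ip))
    lo, hi = port_range
    if not lo <= port <= hi:
        problems.append("data port %d is outside the forwarded PassivePorts range %d-%d"
                        % (port, lo, hi))
    return problems
```

Feed it the 227 line captured from a control connection opened from outside the router; an empty list means the advertised endpoint is one the DNAT rules can actually deliver.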

Alexander Kovpashko, 2013-11-30
@sainttechnik

If I'm not mistaken, it's not "DNAT --to" but "DNAT --to-destination". I'm not sure that DNAT will work correctly from ports 20:21 to ports 20:21: it seems to mean that the destination port of a packet arriving at port 21 will be changed to either 20 or 21. Perhaps, instead of one rule for two ports, write a separate rule for each.
PS: the first rule for INPUT can be removed. The PREROUTING chain of the nat table is processed first, the destination address of the incoming packet is rewritten, and then the packet enters the filter table, where it is handled as transit traffic, that is, in the FORWARD chain.
