Friday, August 07, 2009

FTP port forwarding using Iptables

[a] is the WAN interface with (just an example) IP assigned to it, [b] is the NIC with and [c] is the server’s interface with IP . All we need is for users on the Internet to be able to reach the FTP server using IP and the default TCP port 21.

One of the main problems is that FTP passive mode uses an arbitrary port from the range 1024 to 65535, so forwarding ports 21/20 to the FTP server is not enough to get the ball rolling. So, go to the server’s CLI and open the configuration file of the FTP service. It could be vsftpd, proftpd, whatever. Let’s say we have vsftpd, so we have to add the following lines to /etc/vsftpd.conf:



When the changes are saved, restart the vsftpd server.

Now access the router’s CLI and type the following:

iptables -t nat -I PREROUTING -d -p tcp -m tcp --dport 21 -j DNAT --to-destination

iptables -t nat -I PREROUTING -d -p tcp -m tcp --dport 12000:13000 -j DNAT --to-destination

This adds netfilter port forwarding rules that redirect traffic arriving at the router’s public IP on TCP port 21 to the FTP server, and forwards the 12000–13000 range so that passive FTP mode is handled as well.
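As an added check that is not part of the original post: once the rules are in place, a passive-mode reply from the server can be verified against the forwarded range. The script below decodes a 227 reply and flags a data port outside 12000–13000 (the range in the second PREROUTING rule, assumed to match vsftpd's pasv_min_port/pasv_max_port) or an advertised address that differs from the router's public IP; the public IP and sample replies are constructed.

```python
import re

# Port range forwarded by the second PREROUTING rule and assumed to be
# what vsftpd was given as pasv_min_port / pasv_max_port.
PASV_MIN, PASV_MAX = 12000, 13000

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(
    r"227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

def parse_pasv(reply):
    """Decode a 227 reply into (ip, port); None if it is not a PASV reply."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(o > 255 for o in (h1, h2, h3, h4, p1, p2)):
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def check_pasv(reply, public_ip, lo=PASV_MIN, hi=PASV_MAX):
    """Return a list of problems; empty means the client will connect to a
    port the DNAT rule forwards, at an address it can actually reach."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return ["not a valid 227 reply"]
    ip, port = parsed
    problems = []
    if not lo <= port <= hi:
        problems.append(f"port {port} outside forwarded range {lo}-{hi}")
    if ip != public_ip:
        # The server advertises its own (private) address unless vsftpd's
        # pasv_address names the router or the FTP NAT helper rewrites it.
        problems.append(f"advertised address {ip} is not public IP {public_ip}")
    return problems

if __name__ == "__main__":
    # Constructed sample: router public IP plus one good and one bad reply.
    PUBLIC_IP = "203.0.113.10"
    good = "227 Entering Passive Mode (203,0,113,10,47,8)\r\n"   # port 12040
    bad = "227 Entering Passive Mode (192,168,1,20,195,88)\r\n"  # port 50008
    for reply in (good, bad):
        print(reply.strip(), "->", check_pasv(reply, PUBLIC_IP) or ["ok"])
```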
