Network/Iptables/FTP port forwarding

From Debuntu


FTP connection tracking

To handle FTP connection tracking, iptables uses the kernel module nf_conntrack_ftp. By inspecting the control-channel packets originating from port 21, it learns which address and port the server announces for a passive data connection, and (with nf_nat_ftp) rewrites that address when NAT is in use.

Suppose we want to forward FTP on port 30001 to another machine (192.168.1.2) on port 30001 with this rule:

 iptables -t nat -A PREROUTING -p tcp -m tcp --dport 30001 -j DNAT --to-destination 192.168.1.2:30001

With passive FTP this will not work: the server's reply on the control channel announces its own address, 192.168.1.2, the client tries to open the data connection to that private address and fails with "no route to host".

We need the firewall to rewrite this control packet so that the client receives the address it can actually reach.

This is done by tracking FTP connections on port 30001 instead of the default port 21:

 modprobe nf_conntrack_ftp ports=30001
 modprobe nf_nat_ftp

To make this persistent, the modules can be loaded from /etc/network/interfaces, under the iface stanza of the external interface, before the firewall rules are loaded:

 up  modprobe nf_conntrack_ftp ports=30001
 up  modprobe nf_nat_ftp
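The following shell script is an added example and is not part of the Debuntu page. It shows concretely what the FTP helper has to rewrite: it parses a passive-mode reply the way the helper does, mimics the address substitution nf_nat_ftp performs, and prints the complete rule set for the forwarding described above (including the FORWARD rules the page leaves implicit). The public address 203.0.113.10 and the sample "227 Entering Passive Mode" reply are constructed values; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original page. Sample reply, public address
# and rule port/server are constructed values for illustration.

# Parse a "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply and print the
# endpoint the client would dial for the data channel, as ip:port.
pasv_endpoint() {
    # Keep only the comma-separated list inside the parentheses.
    fields=$(printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p')
    [ -n "$fields" ] || return 1
    set -- $(printf '%s\n' "$fields" | tr ',' ' ')
    [ $# -eq 6 ] || return 1
    # The data port travels as two bytes: port = p1 * 256 + p2.
    printf '%s.%s.%s.%s:%d\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

# Mimic what nf_nat_ftp does to the server's reply: substitute the firewall's
# public address for the server's private one, leaving the port bytes intact.
rewrite_pasv() {
    reply=$1; pub=$2
    pubfields=$(printf '%s\n' "$pub" | tr '.' ',')
    printf '%s\n' "$reply" | sed "s/(\([0-9]*,\)\{4\}/($pubfields,/"
}

# Print the rules for forwarding FTP control port $1 to internal server $2.
# Output is printed rather than executed so it can be reviewed; run it as root.
ftp_forward_rules() {
    port=$1; server=$2
    cat <<EOF
modprobe nf_conntrack_ftp ports=$port
modprobe nf_nat_ftp
iptables -t nat -A PREROUTING -p tcp -m tcp --dport $port -j DNAT --to-destination $server:$port
iptables -A FORWARD -p tcp -d $server --dport $port -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Demonstration with a constructed reply from the internal server.
reply='227 Entering Passive Mode (192,168,1,2,117,48)'
echo "without helper, client would dial: $(pasv_endpoint "$reply")"
echo "with helper, client dials:         $(pasv_endpoint "$(rewrite_pasv "$reply" 203.0.113.10)")"
ftp_forward_rules 30001 192.168.1.2
```

The last FORWARD rule is what lets the data connection through: nf_conntrack_ftp registers an expectation for the announced port, so the client's data connection is classified RELATED and needs no per-port hole. Two caveats worth knowing: the helper can only read a plaintext control channel, so FTP over TLS cannot be tracked this way, and on kernels 4.7 and later automatic helper assignment is disabled by default, so the helper must additionally be attached with a `-j CT --helper` rule in the raw table (or the `net.netfilter.nf_conntrack_helper` sysctl re-enabled) for the modprobe lines above to take effect.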