
I want to forward access on my gateway (internal IP: 192.168.4.4) from external port 1965 to an FTP server inside my LAN (192.168.4.2).

So in other terms, someone accessing my gateway:1965 with FTP will be redirected to 192.168.4.2:21.

I did this in the past with older Linux kernels, and it worked.

It seems that since 4.9 kernels, things have changed, and I cannot manage to update my iptables script.

IP forwarding and nf_conntrack helpers are enabled:

net.ipv4.ip_forward = 1
net.netfilter.nf_conntrack_helper = 1

and needed modules are loaded:

nf_nat_ftp             16384  0
nf_conntrack_ftp       20480  3 nf_nat_ftp
nf_nat                 24576  5 xt_nat,nf_nat_redirect,nf_nat_ftp,nf_nat_masquerade_ipv4,nf_nat_ipv4
nf_conntrack           94208  9 nf_conntrack_ftp,nf_conntrack_ipv4,xt_helper,nf_nat_ftp,xt_CT,nf_nat_masquerade_ipv4,xt_conntrack,nf_nat_ipv4,nf_nat

iptable_raw            16384  1
iptable_nat            16384  1
nf_nat_ipv4            16384  1 iptable_nat
iptable_filter         16384  1
ip_tables              28672  3 iptable_filter,iptable_raw,iptable_nat

My iptables configuration (generated by iptables-save, with counters):

I've made changes mostly in raw, which were not needed in 4.1 kernels for masquerading FTP.

I've understood that now you have to use the CT helper.

For readability, I've cut all logging rules, and everything that was not related to FTP (samba, ssh, …).

raw

PREROUTING
[21:1052] -A PREROUTING -p tcp -m tcp --dport 21 -j CT --helper ftp
[20:1128] -A PREROUTING -p tcp -m tcp --dport 1965 -j CT --helper ftp

nat

PREROUTING
[20:1128] -A PREROUTING -i wan -p tcp -m tcp --dport 1965 -j DNAT --to-destination 192.168.4.2:21

POSTROUTING
[0:0] -A POSTROUTING -s 192.168.0.0/16 -o wan -j MASQUERADE
[22:1248] -A POSTROUTING -d 192.168.4.2/32 -j SNAT --to-source 192.168.4.4

filter

INPUT
[564393:501714526] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -m helper --helper ftp -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 1965 -j ACCEPT
[0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

FORWARD
[0:0] -A FORWARD -p tcp -m tcp --sport 20 --dport 1965 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
[20:1128] -A FORWARD -d 192.168.4.2/32 -i wan -p tcp -m tcp --dport 21 -j ACCEPT
[0:0] -A FORWARD -p tcp -m tcp --dport 21 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -p tcp -m tcp --sport 20 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT


Thank you for reading.
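The forward described in the question, written out as a minimal rule set with the FTP helper attached explicitly through the CT target (the path needed once automatic helper assignment is off, which is the nf_conntrack_helper default from 4.7 onward). This is an added example, not part of the original post or of any answer: the interface name wan, the addresses and the port are taken from the question, while the function names and the WAN_IF/FTP_SERVER/EXT_PORT variables are this example's own. It prints the rules rather than applying them, so it can be reviewed or diffed against an existing script first.

```shell
#!/bin/sh
# Added example: generate the minimal iptables rules for forwarding
# gateway:EXT_PORT to FTP_SERVER:21 with an explicitly attached FTP helper.
# Variable names are this example's assumptions; defaults come from the question.
WAN_IF="${WAN_IF:-wan}"
FTP_SERVER="${FTP_SERVER:-192.168.4.2}"
EXT_PORT="${EXT_PORT:-1965}"

# Print one iptables command per line; nothing is applied here.
ftp_forward_rules() {
  cat <<EOF
iptables -t raw -A PREROUTING -i $WAN_IF -p tcp --dport $EXT_PORT -j CT --helper ftp
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $EXT_PORT -j DNAT --to-destination $FTP_SERVER:21
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $WAN_IF -d $FTP_SERVER -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
EOF
}
# Why these four, in this order of processing:
# 1. raw/PREROUTING runs before NAT, so the CT rule must match the packet as it
#    arrives from the WAN, i.e. on the external port, not on port 21.
# 2. nat/PREROUTING rewrites the destination to the internal server.
# 3. filter/FORWARD accepts RELATED first: the helper marks the passive-mode
#    data connections it parses out of the control channel as RELATED, so this
#    single rule covers them without per-port --sport 20 / --dport rules.
# 4. Only NEW control connections to the server's port 21 (post-DNAT
#    destination) from the WAN side are accepted beyond that.

# Count how many of the generated rules reference the FTP helper; a practitioner
# expects exactly one (in raw), since the helper binds to the flow, not to each table.
ftp_forward_helper_rule_count() {
  ftp_forward_rules | grep -c -- '-j CT --helper ftp'
}

# Apply the generated rules (requires root and iptables on the box).
ftp_forward_apply() {
  ftp_forward_rules | sh -e
}
```

Run `ftp_forward_rules` to review the output, then `ftp_forward_apply` as root. The IP forwarding sysctl from the question (net.ipv4.ip_forward = 1) is still required, and the nf_conntrack_ftp and nf_nat_ftp modules must be loaded, as the question's lsmod output shows. The example assumes the gateway is the FTP server's default route, so replies return through it; if it is not, the question's SNAT rule on POSTROUTING towards 192.168.4.2 is the usual way to force that path.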

  • So what happens after you update the iptables? – Martin Prikryl May 15 '17 at 06:16
  • After the update to the 4.9 kernel, I cannot reach the FTP server inside my LAN from the outside anymore. So I've just rolled back to a pre-4.7 kernel to have things working again. In parallel, I'm going to build a dedicated host with 4.9, which will only do the FTP access. It will be easier for isolating the troubles. – Jérome Boham May 15 '17 at 14:04
  • I can't believe you need so many rules for something so simple. At first glance, I think your NAT rules should do the job alone if your FORWARD policy is to ACCEPT. – Julie Pelletier May 19 '17 at 02:42

0 Answers