On 21-Jun-01 Wade Chandler wrote:
Hello,
I'm trying to set up some port forwarding for ftp. I would like to be able to forward port 2021 and 2020 as an ftp service to an internal machine on our network. I don't have any documentation on this. I know how ftp services work with a control connection and a data connection. I have the control connection working fine, but the data connection of course is not working. I am forwarding 2021 to port 21 on the internal machine, but I don't know how to get the server (internal) to use port 2020 for data even if I was forwarding from 2020 -> 2020. I know that I can't just forward an ftp data connection off of a non-standard port to 20 and expect that to work right because of the ftp commands to change ports. This seems like one hell of a problem, and any help would be greatly appreciated. Thank you. Please let me know if I need to clarify the issue.
The basic problem here is reverse masq'ing. Kernels <= 2.2.17 w/o the ip_masq.patch have problems with passive ftp because the ip_masq helper modules (ip_masq_ftp) fail in masq'ing already masq'ed connections from internal hosts (with internal IPs).

From the ipmasqadm(8) man page:

"Protocols that use control and data connections are always a headache when crossing firewalls. Examples of these are ftp, irc, real audio, etc. [...] For example: ftp from outside to an internal forwarded server will *not work in PASV mode* because server will send its internal address to outside client [...]"

AFAIK the patch I mentioned is now part of the official kernel source tree. What kernel version do you use?
Wade Chandler
Lead Developer
Metro IT Solutions
Triad Division: Winston Salem, NC
http://www.metrotriad.com
http://www.metrois.com
wade.chandler@metrois.com

FAVORITE SITES:
http://www.javasoft.com <-- Sun's main java web site.
http://www.ddj.com <-- Dr. Dobb's Journal.
---
Boris Lorenz
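
The PASV failure quoted from ipmasqadm(8), as an added example that is not part of the original messages and is not the ip_masq_ftp code: it parses the server's 227 reply, detects an RFC 1918 address leaking to the outside client, and produces the rewritten reply plus the data-port forward a gateway would need. The function names and the addresses 192.168.1.10 and 203.0.113.5 are constructed for illustration.

```python
import ipaddress
import re

# RFC 959 passive reply: "227 ... (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

# RFC 1918 ranges: addresses an outside client cannot reach directly.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv(line):
    """Return (ip, port) advertised in a 227 reply, or None for other lines."""
    m = PASV_RE.match(line.strip())
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in PASV reply")
    h1, h2, h3, h4, p1, p2 = nums
    # The data port is sent as two bytes: port = p1 * 256 + p2.
    return ipaddress.IPv4Address(f"{h1}.{h2}.{h3}.{h4}"), p1 * 256 + p2


def rewrite_pasv(line, external_ip):
    """Return (reply_for_client, forward_needed).

    forward_needed is (internal_ip, port) when the reply leaked an internal
    address and was rewritten, otherwise None. The port is kept unchanged,
    so the gateway must forward external_ip:port to internal_ip:port.
    """
    parsed = parse_pasv(line)
    if parsed is None:
        return line, None          # not a PASV reply: pass through
    ip, port = parsed
    if not any(ip in net for net in INTERNAL_NETS):
        return line, None          # already a reachable address
    host = str(ipaddress.IPv4Address(external_ip)).replace(".", ",")
    reply = f"227 Entering Passive Mode ({host},{port >> 8},{port & 0xFF})"
    return reply, (str(ip), port)


if __name__ == "__main__":
    # Constructed reply from an internal server offering data port 2020.
    leaked = "227 Entering Passive Mode (192,168,1,10,7,228)"
    print(rewrite_pasv(leaked, "203.0.113.5"))
```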