[CentOS] DNAT rule for vsftp --(PASSIVE FTP)

Indunil Jayasooriya indunil75 at gmail.com
Fri Oct 5 06:35:49 UTC 2007

On 10/5/07, John R Pierce <pierce at hogranch.com> wrote:
> Indunil Jayasooriya wrote:
> >
> > Hi all,
> >
> > I want to run vsftp behind a firewall (i.e. DMZ zone). It is running as
> > passive ftp.
> >
> > the theory behind passive ftp is,
> >
> except, passive vs active is the choice of the CLIENT, not the server. The
> only way to properly handle both modes is to parse the FTP commands on
> the control port (21) and set up/tear down port forwards on dynamic ports
> as needed.
> If you use the ip_nat_ftp module, this is all taken care of
> automatically and both transfer modes should work; you'll simply need to
> forward the control port.

Thanks. That means the 2 rules below will be enough.

iptables -t nat -A PREROUTING -p tcp -i eth0 -d <PUBLIC_IP> --dport 21 -j DNAT --to-destination <FTP_SERVER_IP>

iptables -A FORWARD -p tcp -d <FTP_SERVER_IP> --dport 21 -m state --state NEW -j ACCEPT

Am I right?


Thank you
Indunil Jayasooriya
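A complete rule set for what John describes, added here as an example and not taken from the thread: it loads the FTP conntrack/NAT helper, pins that helper to the forwarded control port (required on kernels since 3.5, where automatic helper assignment is off by default), DNATs port 21 to the DMZ host, and lets the helper-expected data connections through as RELATED. The interface and the two addresses are placeholders; nothing is applied unless the script is run as root with the argument "apply".

```shell
#!/bin/sh
# Added example, not from the original thread. Placeholder values:
WAN_IF="${WAN_IF:-eth0}"
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"   # placeholder public address (TEST-NET-3)
FTP_IP="${FTP_IP:-192.0.2.21}"           # placeholder vsftpd host in the DMZ

# Print the commands that make passive (and active) FTP work through NAT.
# The helper rewrites the private address in the server's PASV reply and
# registers an expectation, so the client's data connection is DNATed and
# matched as RELATED without any static data-port forwards.
ftp_nat_rules() {
  cat <<EOF
modprobe nf_conntrack_ftp
modprobe nf_nat_ftp
iptables -t raw -A PREROUTING -i $WAN_IF -p tcp -d $PUBLIC_IP --dport 21 -j CT --helper ftp
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp -d $PUBLIC_IP --dport 21 -j DNAT --to-destination $FTP_IP
iptables -A FORWARD -i $WAN_IF -p tcp -d $FTP_IP --dport 21 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Sanity check on the generated set: the DNAT rule names an explicit target,
# the helper is pinned to the control port, and data connections are admitted
# only as RELATED/ESTABLISHED rather than via a blanket port range.
rules_ok() {
  ftp_nat_rules | grep -q -- "-j DNAT --to-destination $FTP_IP" || return 1
  ftp_nat_rules | grep -q -- "-j CT --helper ftp" || return 1
  ftp_nat_rules | grep -q -- "--ctstate RELATED,ESTABLISHED" || return 1
  return 0
}

# Apply the rules line by line (root required): sudo sh ftp-nat.sh apply
apply_rules() {
  ftp_nat_rules | while IFS= read -r cmd; do eval "$cmd"; done
}

if [ "${1:-}" = apply ]; then
  rules_ok && apply_rules
fi
```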