[CentOS] DNAT rule for vsftp --(PASSIVE FTP)

Fri Oct 5 05:52:28 UTC 2007
Indunil Jayasooriya <indunil75 at gmail.com>

Hi all,

I want to run vsftp behind a firewall (i.e. a DMZ zone). It is running as
passive ftp.

The theory behind passive ftp is:

   - FTP server's port 21 from anywhere ( Client initiates connection)
   - FTP server's port 21 to ports > 1024 (Server responds to client's
   control port)
   - FTP server's ports > 1024 from anywhere (Client initiates data
   connection to random port specified by server)
   - FTP server's ports > 1024 to remote ports > 1024 (Server sends ACKs
   (and data) to client's data port)

Then, how can I write DNAT rules?

Please assume is the IP of the internet interface.

#DNAT from Internet to the box running VSFTP @
iptables -t nat -A PREROUTING -p tcp -i eth0 -d --dport 21 -j DNAT
iptables -t nat -A PREROUTING -p tcp -i eth0 -d --dport 1024: -j DNAT --to-destination

And also
#connect to below ip (actual destination ip) with below ports, due to DNATing

iptables -A FORWARD -p tcp -d --dport 21 -m state --state NEW
iptables -A FORWARD -p tcp -d --dport 1024: -m state --state

Are you okay with the above 4 rules?

If WRONG, please write down your rules. I am going to put this vsftp server in

Please also make sure my firewall has the rules below, such as DROP:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

YOUR comments.

Thank you
Indunil Jayasooriya
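As an added example that is not part of the original post: a dry-run shell script that generates the DNAT and FORWARD rules for a vsftpd host in a DMZ, together with the vsftpd.conf lines that pin the passive data ports. It takes a narrower approach than the "1024:" range in the post, forwarding only the range vsftpd is configured to hand out. The interface name, both addresses (RFC 5737 documentation ranges) and the port range are assumed values for the example; the vsftpd directives (pasv_enable, pasv_min_port, pasv_max_port, pasv_address) are real vsftpd settings.

```shell
#!/bin/sh
# Added example (not from the original post). All values below are
# constructed for the example; adjust them for a real firewall.
WAN_IF=${WAN_IF:-eth0}             # assumed internet-facing interface
WAN_IP=${WAN_IP:-203.0.113.10}     # assumed public IP on $WAN_IF
FTP_SRV=${FTP_SRV:-192.168.10.5}   # assumed vsftpd host in the DMZ
PASV_MIN=${PASV_MIN:-50000}        # assumed pasv_min_port in vsftpd.conf
PASV_MAX=${PASV_MAX:-50100}        # assumed pasv_max_port in vsftpd.conf
# Dry run by default: the rules are printed, not applied.
# Run as root with IPT=iptables to load them for real.
IPT=${IPT:-echo iptables}

# vsftpd.conf fragment that pins the passive data ports and makes vsftpd
# announce the public address in its PASV reply (the DMZ host would
# otherwise announce its private address to internet clients).
vsftpd_conf() {
    printf 'pasv_enable=YES\npasv_min_port=%s\npasv_max_port=%s\npasv_address=%s\n' \
        "$PASV_MIN" "$PASV_MAX" "$WAN_IP"
}

# Four rules: DNAT for the control port and the pinned passive range,
# then the matching FORWARD accepts for NEW connections. FORWARD sees the
# post-DNAT destination, so it matches on the DMZ address, not the public one.
# Return traffic is covered by the ESTABLISHED,RELATED rules the post already has.
ftp_dnat_rules() {
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$WAN_IP" --dport 21 \
        -j DNAT --to-destination "$FTP_SRV"
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$WAN_IP" \
        --dport "$PASV_MIN:$PASV_MAX" -j DNAT --to-destination "$FTP_SRV"
    $IPT -A FORWARD -i "$WAN_IF" -p tcp -d "$FTP_SRV" --dport 21 \
        -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -p tcp -d "$FTP_SRV" \
        --dport "$PASV_MIN:$PASV_MAX" -m state --state NEW -j ACCEPT
}

echo "# vsftpd.conf settings:"
vsftpd_conf
echo "# firewall rules:"
ftp_dnat_rules
```

The point of pinning the range is that ports above 1024 on the DMZ host are otherwise reachable from the internet whether or not vsftpd is listening on them. An alternative on CentOS is to load the kernel FTP helper modules (ip_conntrack_ftp and ip_nat_ftp on the 2.6.18 kernel of CentOS 5): the NAT helper then rewrites the address in the PASV reply and the data connection is tracked as RELATED, so the ESTABLISHED,RELATED rule in the post admits it without a separate port range being opened.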