
Network Scheme - IP addresses are fictitious

Firewall OS: CentOS 6

I recently enabled two-factor authentication, using Google Authenticator, and with that transfers via SCP for some users were impossible to carry out. So the solution I found was to transfer files via FTP (active), using VSFTP (Ubuntu 22.04 LTS). I am using active FTP due to strict network restrictions at my university (passive FTP is not allowed). I was able to successfully redirect the SSH access to the server. However, I am having difficulties with FTP. I've already tried several rules, and read a lot of documentation and tips on forums.

Firewall. Open ports:

  • 22/TCP, 2222/TCP, 65020/TCP, 65021/TCP.

Internal server. Open ports:

  • 20/TCP, 21/TCP, 22/TCP.

Requests received on port 22/TCP to access the firewall via SSH.

Requests received on port 2222/TCP on the firewall are redirected to port 22/TCP (SSH) on the internal server.

Requests received on port 65020/TCP on the firewall are redirected to port 20/TCP (FTP-DATA) on the internal server.

Requests received on port 65021/TCP on the firewall are redirected to port 21/TCP (FTP) on the internal server.

The following are the firewall IPTABLES rules:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 65020 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 65021 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 65020 -j DNAT --to-destination 192.168.0.2:20
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 65021 -j DNAT --to-destination 192.168.0.2:21
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.0.2:22
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

Port 2222/TCP redirect works perfectly. I can access the internal server via SSH. Access via FTP is not working. I get the following message from Filezilla:

Status: Connecting to 172.17.1.212:65021...
Status: Connection established, waiting for welcome message...
Status: Insecure server, it does not support FTP over TLS.
Status: Server does not support non-ASCII characters.
Status: Logged in
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is the current directory
Command: TYPE I
Response: 200 Switching to Binary mode.
Command: PORT 172,17,1,253,233,145
Response: 500 Illegal PORT command.
Command: PASV
Response: 227 Entering Passive Mode (192,168,0,2,56,33).
Command: LIST
Error: Connection timed out after 20 seconds of inactivity
Error: Failed to retrieve directory listing

I've tried other rules, but I won't put them here because I don't want to clutter up the post with unnecessary information.

The "nf_conntrack_ftp" module is loaded.

# lsmod | grep ftp
nf_conntrack_ftp       12081  0 
nf_conntrack           79761  7 nf_conntrack_ftp,ipt_MASQUERADE,iptable_nat,nf_nat,nf_conntrack_ipv4,nf_conntrack_ipv6,xt_state

The IPV4 forwarding is loaded too:

# sysctl -p | grep "net.ipv4.ip_forward"
net.ipv4.ip_forward = 1

FTP access via the internal network works fine (I use Filezilla's active mode option).

Can anyone help me understand what I'm doing wrong?

My best regards.
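As an added example (not code from the question, vsftpd or FileZilla), the following Python decodes the PORT command and the 227 reply in the FileZilla log above and applies the two checks that explain that log: vsftpd answers "500 Illegal PORT command" when the address in PORT is not the peer address of the control connection, and a 227 reply carrying the server's private 192.168.0.2 cannot be reached from outside the NAT. It assumes that, because the MASQUERADE rule is not limited to the external interface, vsftpd sees the control connection coming from the firewall's LAN-side address, taken here as the placeholder 192.168.0.1.

```python
import ipaddress
import re

# Constructed from the FileZilla log in the question.
CLIENT_PUBLIC_ADDR = "172.17.1.253"      # the client address FileZilla put in PORT
FIREWALL_LAN_ADDR = "192.168.0.1"        # assumption: what vsftpd sees after MASQUERADE
PORT_COMMAND = "PORT 172,17,1,253,233,145"
PASV_REPLY = "227 Entering Passive Mode (192,168,0,2,56,33)."

_SIX_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_host_port(text):
    """Decode the h1,h2,h3,h4,p1,p2 tuple used by PORT and by the 227 reply (RFC 959)."""
    m = _SIX_TUPLE.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in: " + text)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in: " + text)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def check_active(port_cmd, control_peer):
    """Apply vsftpd's default guard on PORT: the advertised address must equal the
    control connection's peer and the data port must not be privileged, otherwise
    the server replies 500 Illegal PORT command. Returns (host, port, problems)."""
    host, port = decode_host_port(port_cmd)
    problems = []
    if host != control_peer:
        problems.append("PORT address %s != control peer %s" % (host, control_peer))
    if port < 1024:
        problems.append("data port %d is privileged" % port)
    return host, port, problems


def check_passive(reply):
    """Decode a 227 reply and flag an RFC 1918 address, which an external client
    cannot connect to unless the firewall rewrites it. Returns (host, port, is_private)."""
    host, port = decode_host_port(reply)
    return host, port, ipaddress.ip_address(host).is_private


if __name__ == "__main__":
    # With the client address NATed away, vsftpd sees a mismatch -> 500 Illegal PORT command.
    print(check_active(PORT_COMMAND, FIREWALL_LAN_ADDR))
    # The 227 reply advertises 192.168.0.2, unreachable from 172.17.x.x -> LIST times out.
    print(check_passive(PASV_REPLY))
```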

  • "are redirected to port 20/TCP (FTP-DATA)" that's not how FTP works. The data flow connection is initiated as outgoing port 20 on server to client. Not from client to server. This doesn't matter for a stateless firewall (hence so many blogs telling you to open port 21 + port 20: this is already a comprehension mistake), but does at least for NAT.
    – A.B
    Apr 18 at 6:36

1 Answer

Your problem is related to active FTP mode: it uses separate connections for control and data, which can cause issues with your iptables rules.

First, set a range of ports in vsftpd.conf:

pasv_min_port=50000
pasv_max_port=50100

Then restart:

sudo service vsftpd restart

Then open the proper port range:

iptables -A INPUT -p tcp -m tcp --dport 50000:50100 -j ACCEPT

Then redirect the ports for FTP data connections from your firewall to your internal server:

iptables -t nat -A PREROUTING -p tcp -m tcp --dport 50000:50100 -j DNAT --to-destination 192.168.0.2

Then finally configure Filezilla to use passive mode instead of active mode; then it should work.

  • I did it, but it is not working. I changed the ports on vsftp: listen_port=65021 and ftp_data_port=65020. And I changed the rules (just to be the same ports):
    -A PREROUTING -p tcp -m tcp --dport 65020 -j DNAT --to-destination 192.168.0.2:65020
    -A PREROUTING -p tcp -m tcp --dport 65021 -j DNAT --to-destination 192.168.0.2:65021
    ... I will try to resolve this.
    – euduca
    Apr 19 at 15:48
