iptables rules for NAT with FTP active / passive connections

If you have an FTP server running behind a server that acts as the gateway or firewall, here are the rules to enable full NAT for active and passive connections.

# general rules for forwarding traffic between external interface tap0 and internal interface eth0
iptables -t nat -A POSTROUTING -o tap0 -j MASQUERADE
iptables -A FORWARD -i tap0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tap0 -j ACCEPT

# NAT for active/passive FTP. 192.168.178.21 would be your internal ftp server
iptables -t nat -A PREROUTING  -p tcp  --dport 20 -j DNAT --to 192.168.178.21:20
iptables -t nat -A PREROUTING  -p tcp  --dport 21 -j DNAT --to 192.168.178.21:21
iptables -t nat -A PREROUTING  -p tcp  --dport 1024:65535 -j DNAT --to 192.168.178.21:1024-65535
iptables -A FORWARD -s 192.168.178.21 -p tcp --sport 20 -j ACCEPT
iptables -A FORWARD -s 192.168.178.21 -p tcp --sport 21 -j ACCEPT
iptables -A FORWARD -s 192.168.178.21 -p tcp --sport 1024:65535 -j ACCEPT

# allowing active/passive FTP
iptables -A OUTPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT

You must also have IPv4 forwarding enabled, check by

# should return 1
cat /proc/sys/net/ipv4/ip_forward

# otherwise
sysctl -w net.ipv4.ip_forward=1

and edit /etc/sysctl.conf like so “net.ipv4.ip_forward = 1”

You also need to have ip_nat_ftp and ip_conntrack_ftp modules loaded. Check for them

lsmod | grep ip_nat_ftp
lsmod | grep ip_conntrack_ftp
# if no result then load them until next reboot, google for making it permanent depending on your OS
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp
2013
08/04
POSTED BY
CATEGORY
iptables
tips and tricks
TAGS
9 comments
    • Ahmed
    • October 1st, 2013 12:55pm

    Hi Phil,

    I really do like this blog, I would like also to contribute to it, I hope it’s ok for you.. if not I wouldn’t take it personally 🙂

  2. Hi, in my ftpd (vsftpd) server, i get this error:

    220 (vsFTPd 2.3.2)
    Name (XXX.DOMAIN.COM:user): tucuman
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> dir
    421 Service not available, remote server has closed connection
    ftp>

    Howto i can solve it?

      • phil
      • March 13th, 2014 2:17pm

      does that also happen when you disable/flush iptables ?

  3. Hi, thank you this help me a lot.

    • gratch
    • January 31st, 2015 5:52am

    I tried several recommendations, but your post was the one that got my passive FTP to work. Thanks for sharing.

    • Rodrigo Calovi
    • June 2nd, 2018 6:15pm

    Muito Obrigado pela ajuda!
    Thank you this help me a lot!

  1. April 12th, 2016
    Trackback from : Netfilter Rules for NAT with FTP | ephemer1c