PDA

View Full Version : [all variants] FTP doesn't work with Ubuntu configured as router



ba_rich
June 28th, 2008, 08:58 PM
I've configured Ubuntu Linux 8.04 as a router as described in here (http://ubuntuforums.org/showthread.php?t=376283&)

It uses the following iptables setup:

iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o eth1 -j MASQUERADE
iptables -A FORWARD -s 10.1.1.0/24 -o eth1 -j ACCEPT
iptables -A FORWARD -d 10.1.1.0/24 -m state --state ESTABLISHED,RELATED -i eth1 -j ACCEPT

HTTP and POP connections are working like a charm.

When a FTP client on the local LAN attempts to connect to a FTP server on the Internet, it fails.

Then initial connection to port 21 succeeds. The opening of the data connection (150) fails.

What needs to be added to the iptables setup to allow the return data connection to be routed to the originator on the internal LAN and succeed?

ba_rich
June 28th, 2008, 10:11 PM
The ip_conntrack_ftp and ip_nat_ftp kernel modules are needed for FTP to work. These are not automatically loaded with the default ubuntu.

To have them loaded at boot, add the module names to /etc/modules. Reboot and FTP works !

kevdog
June 29th, 2008, 12:11 AM
Or simply load them from your iptables script since this is run as root.

ba_rich
June 29th, 2008, 12:58 AM
Where is the iptables script?

kevdog
June 29th, 2008, 01:22 AM
Didn't you make one or did you type in the iptables commands manually?

ba_rich
June 29th, 2008, 01:38 AM
The iptables commands were entered on the command line, then saved (iptables-save). The saved tables are loaded from the /etc/network/interfaces (pre-up iptables-restore < ...).

Are you saying a script could also be used (pre-up script)?

kevdog
June 29th, 2008, 02:53 AM
Yes it could -- you could call the script if you wanted. If you just wanted the iptables to be active all the time -- you could also stick reference to it in /etc/rc.local and it would load at boot. Just depends what you want to do -- there is no right answer.

I usually find however that it is easy to place all the commands in a shell script, since its really easy to change and make modifications months later (if the file is well commented). Ive looked at the results of iptables-save and its really hard to interpret what the original intent of the firewall was -- its not so obvious to me at least.