My setup is:
FTP client -> proxy server (eth0: external, eth1: internal) -> FTP server (eth1:internal)
I'm trying to forward all FTP traffic from the proxy server on eth0 to the FTP server on eth1.
After about 2 hours of google and serverfault, iptables-save currently outputs:
# Generated by iptables-save v1.4.4 on Wed Sep 1 11:00:51 2010
*mangle
:PREROUTING ACCEPT [16444:5734756]
:INPUT ACCEPT [16271:5724316]
:FORWARD ACCEPT [169:10240]
:OUTPUT ACCEPT [10273:6431264]
:POSTROUTING ACCEPT [10475:6447560]
COMMIT
# Completed on Wed Sep 1 11:00:51 2010
# Generated by iptables-save v1.4.4 on Wed Sep 1 11:00:51 2010
*filter
:INPUT ACCEPT [1310:105993]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [713:80204]
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 21 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Sep 1 11:00:51 2010
# Generated by iptables-save v1.4.4 on Wed Sep 1 11:00:51 2010
*nat
:PREROUTING ACCEPT [271:15644]
:POSTROUTING ACCEPT [1410:86453]
:OUTPUT ACCEPT [1391:85237]
-A PREROUTING -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 21 -m state --state NEW,RELATED,ESTABLISHED -j DNAT --to-destination xxx.xxx.xxx.xxx:21
COMMIT
# Completed on Wed Sep 1 11:00:51 2010
The first IP in the PREROUTING rule is the external IP of the proxy server; the second IP is the internal IP of the FTP server.
Trying to connect directly to the FTP server works fine; trying to connect to the proxy server, though, doesn't do anything (it just times out).
Any pointers on what I'm doing wrong?
Thanks!
Firstly, I would drop the forwarding rule. It just adds confusion. Your default policy for the FORWARD chain is ACCEPT anyway, so it doesn't matter. Secondly, check that the forwarding flag is set, with:
If this flag isn't set, you can do with your firewalls what you want and it won't work. Set it to 1 with:
Then check with tcpdump where your packets are actually going (on the proxy server).
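The checks the answer walks through (forwarding flag, where the packets go), plus the two things a practitioner would look at next on an FTP DNAT box (the conntrack FTP helper for the data connection, and the return path), as an added POSIX sh example. This is not code from the question or the answer; it assumes the eth0/eth1 layout from the question and substitutes the documentation addresses 203.0.113.10 and 192.168.1.20 for the masked xxx.xxx.xxx.xxx values, so adjust the four variables at the top before use.

```shell
#!/bin/sh
# Added example, not code from the question or the answer: a small diagnostic
# and fix-up for forwarding FTP through a two-interface proxy with iptables.
# Assumptions: eth0 external / eth1 internal as in the question; the two
# addresses below stand in for the masked xxx.xxx.xxx.xxx values.
EXT_IF=eth0
INT_IF=eth1
EXT_IP=203.0.113.10    # assumed stand-in for the proxy's public address
FTP_IP=192.168.1.20    # assumed stand-in for the internal FTP server

# Constructed sample: the two rules from the question's iptables-save output
# with the placeholder addresses filled in, used as offline input for the checks.
SAMPLE_RULES='-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 21 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 21 -m state --state NEW,RELATED,ESTABLISHED -j DNAT --to-destination 192.168.1.20:21'

# Is IPv4 forwarding on? With it off the kernel silently drops every routed
# packet, whatever the nat and filter tables say. Exit 0 = on, 1 = off,
# 2 = flag file unreadable (not Linux, or a restricted container).
ip_forward_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] || return 2
    v=$(cat "$f") || return 2
    [ "$v" = 1 ]
}

# Print the DNAT rule(s) for a TCP port from saved ruleset text; exit 1 if none.
dnat_rules_for_port() {
    printf '%s\n' "$1" | grep -- '-j DNAT' | grep -E -- "--dport $2( |$)"
}

# DNAT rules that carry a conntrack state match. The nat table is consulted only
# for the first packet of a connection, so NEW is implied and RELATED,ESTABLISHED
# can never match there; harmless, but a sign the rule was copied, not understood.
dnat_rules_with_state_match() {
    printf '%s\n' "$1" | grep -- '-j DNAT' | grep -- '-m state'
}

# The FTP helper is what lets the data connection (PORT or PASV) be tracked as
# RELATED and translated along with the DNAT'd control connection.
ftp_helper_loaded() {
    lsmod 2>/dev/null | grep -Eq '^(nf_nat_ftp|ip_nat_ftp)[[:space:]]'
}

check() {
    if ip_forward_enabled; then
        echo "ip_forward: on"
    else
        echo "ip_forward: OFF -> sysctl -w net.ipv4.ip_forward=1"
    fi
    rules=$(iptables-save)
    dnat_rules_for_port "$rules" 21 || echo "no DNAT rule for tcp/21"
    dnat_rules_with_state_match "$rules" >/dev/null &&
        echo "note: DNAT rule has a -m state match (redundant in the nat table)"
    ftp_helper_loaded || echo "nf_nat_ftp not loaded -> FTP data connections will fail"
    # Follow one client attempt across both interfaces. A SYN seen on eth0 but
    # never on eth1 means no forwarding/DNAT; a SYN on eth1 with no SYN/ACK
    # coming back means the FTP server's replies do not route via this proxy.
    echo "now retry the client while watching: tcpdump -ni any 'tcp port 21'"
}

apply() {
    modprobe nf_conntrack_ftp
    modprobe nf_nat_ftp
    sysctl -w net.ipv4.ip_forward=1
    # No state match: the nat table only ever sees the first packet anyway.
    iptables -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p tcp --dport 21 \
        -j DNAT --to-destination "$FTP_IP":21
    # Admit the control connection inbound, and anything conntrack ties to it
    # (replies, and the helper-tracked data connections) in either direction.
    # Once every flow you forward is covered this way: iptables -P FORWARD DROP
    iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$FTP_IP" -p tcp --dport 21 \
        -m state --state NEW -j ACCEPT
    iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Only if the FTP server does not route its replies back through this proxy:
    # iptables -t nat -A POSTROUTING -o "$INT_IF" -d "$FTP_IP" -p tcp --dport 21 -j MASQUERADE
}

case ${1-} in
    check) check ;;
    apply) apply ;;
esac
```

Run it as `sh ftp-fwd.sh check` on the proxy to see which of the three preconditions (forwarding flag, DNAT rule, FTP helper) is missing, then `sh ftp-fwd.sh apply` as root to install the minimal working set. The POSTROUTING MASQUERADE line is deliberately commented out: it hides the real client address from the FTP server's logs, so only use it when the server's default route genuinely does not point back at the proxy.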