Hi Dan,

My first thought is *don't do that* :-) The FTP credentials are not encrypted, easily captured, etc. Using FTP over a VPN (OpenVPN), or using SFTP (TCP 22), would be much better choices.

If you really, really must allow FTP inbound on the external interface when AstLinux is a NAT firewall, you must use "NAT EXT->LAN" of TCP 21 to your internal FTP server. The Linux kernel will automatically apply the FTP helper to track the TCP 20 data channel, so only NAT-forward TCP 21. Be sure to remove any "Pass EXT->LAN" TCP 21 rules.

Note that "Pass EXT->LAN" is for non-NAT'ed situations when the networks are routed, not NAT'ed. For example, with IPv6 you would use "Pass EXT->LAN". For NAT'ed situations with IPv4, use "NAT EXT->LAN".

Note that with "NAT EXT->LAN" you could make the public TCP port non-standard and forward to the standard TCP 21 internally. I've never tried this, as the FTP helper has to cooperate, so this may or may not work; it also depends on the FTP client.

Let us know how it goes.

Lonnie

On Jul 27, 2017, at 7:44 PM, d...@ryson.org wrote:

> All,
>
> I just helped a friend reconfigure an AstLinux installation. Until today, it had been behind a NAT'd router/firewall. This afternoon, we added a NIC card and promoted AstLinux to replace the router/firewall.
>
> All the complicated bits worked fine. However, testing revealed that a simple port forwarding to an internal FTP server (port 21) isn't working. The FTP server is working from within the LAN but we can't access it from the Internet. We enabled EXT=>LAN using the web interface and we can see the rule in iptables but it doesn't seem to work.
>
> I'd appreciate any troubleshooting suggestions.
>
> Thanks,
>
> Dan
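The distinction drawn in the reply above can be checked against a saved ruleset. The following is an added example, not part of the thread and not AstLinux code: it reads `iptables-save` text and flags a "Pass"-style ACCEPT for TCP 21 that has no matching DNAT, a DNAT of TCP 20, and a non-standard public port forwarded to 21. The interface name `eth0`, the address `192.168.101.10`, the finding labels and the sample ruleset are all constructed assumptions.

```python
import shlex

# Constructed iptables-save excerpt (not from the thread): eth0 is assumed to be
# the external interface; the rule mimics a "Pass EXT->LAN" entry with no NAT.
PASS_ONLY = """\
*nat
:PREROUTING ACCEPT [0:0]
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 21 -j ACCEPT
COMMIT
"""

def parse_rules(dump):
    """Yield (table, options) for every '-A' rule in iptables-save text."""
    table = None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            tok = shlex.split(line)
            # Pair each option flag with the token that follows it.
            yield table, {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}

def audit_ftp(dump, ext_if):
    """Return a list of findings for inbound FTP arriving on ext_if."""
    dnat, passed, findings = [], False, []
    for table, o in parse_rules(dump):
        if o.get("-p") != "tcp" or o.get("-i") != ext_if:
            continue
        if table == "nat" and o.get("-j") == "DNAT":
            dnat.append((o.get("--dport"), o.get("--to-destination", "")))
        elif table == "filter" and o.get("-j") == "ACCEPT" and o.get("--dport") == "21":
            passed = True
    # DNAT rules whose internal target is TCP 21 (explicit ":21" or port unchanged).
    to_21 = [d for d in dnat if d[1].endswith(":21") or (d[0] == "21" and ":" not in d[1])]
    if passed and not to_21:
        findings.append("pass-without-nat")         # routed-style rule on a NAT firewall
    if any(port == "20" for port, _ in dnat):
        findings.append("dnat-port-20-unneeded")    # only TCP 21 should be NAT-forwarded
    if any(port != "21" for port, _ in to_21):
        findings.append("nonstandard-public-port")  # untested in the thread
    return findings

if __name__ == "__main__":
    print(audit_ftp(PASS_ONLY, "eth0"))
```

An empty list means the ruleset matches the advice: a single DNAT of TCP 21 on the external interface and nothing else FTP-related.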