# Gentoo server with proftpd installed. NAT blocking FTP <- WAN

## xhakerek

Hi!

I can't make it work. I can connect to the FTP server only from computers connected to my home network. SSH and WWW work fine. I added a rule the same way and it doesn't work. Neither in ACTIVE nor PASSIVE mode.

nf_conntrack_ftp is built into the kernel.

When I start proftpd with the -nd5 option, I don't see anything when trying to connect to it from the WAN.

Soon I'll start to pull my hair out lol. Please help me. I'll paste whatever you need.

For active mode I've tried opening ports 20 and 21.

For passive mode, the same thing plus a passive ports declaration in proftpd.conf and opening those ports.

The iptables rules are pasted from the Gentoo home router howto.

When I stop the iptables service, the server works fine in both modes. It must be something wrong with NAT or nf_conntrack_ftp, right? I remember that just forwarding ports worked when I did it last time. It's an ARM NAS box, if it matters.

Thanks in advance!

----------

## khayyam

xhakerek ... wild guess ... you have both NF_CONNTRACK_FTP and NF_NAT_FTP enabled?

Also, have you defined the ports for the modules?

/etc/modprobe.d/nf_conntrack.conf

```
options ip_conntrack_ftp ports=20,21
options ip_nat_ftp ports=20,21
```

Also, you will need to define PassivePorts in proftpd.conf (at least you did when last I used proftpd).

Otherwise, you should post the iptables ruleset in use ...

best ... khay

----------

## xhakerek

My iptables -L:

```
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     udp  --  anywhere             anywhere             udp dpt:bootps reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere             udp dpt:domain reject-with icmp-port-unreachable
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
DROP       tcp  --  anywhere             anywhere             tcp dpts:0:1023
DROP       udp  --  anywhere             anywhere             udp dpts:0:1023
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp-data
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpts:60000:65535

Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             192.168.0.0/16
ACCEPT     all  --  192.168.0.0/16       anywhere
ACCEPT     all  --  anywhere             192.168.0.0/16

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

Problem solved. I typed in the rules for FTP AFTER setting everything up. It seems that it matters, and the rules for FTP only work when they are BEFORE the DROP rules for ports 0:1023. I'm a dumb a**.

I had no idea. I realized that by putting all the rules in the script (one file, with the ftp rule just after the rule for ssh).

I'm not worthy;) Thank you!

----------
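The ordering point behind the fix, as an added example that is not code from the thread or from iptables itself: iptables walks a chain top to bottom and the first matching rule decides, so an `ACCEPT tcp dpt:ftp` placed after `DROP tcp dpts:0:1023` is never reached. The script below models the posted INPUT chain with protocol, destination-port, conntrack-state and input-interface matches and evaluates a few packets against the posted order and the corrected order. Assumptions, because `iptables -L` without `-v` hides interfaces: the two leading `ACCEPT all anywhere anywhere` rules are the `-i lo` and `-i <LAN interface>` rules from the Gentoo home router howto, and the interface names `eth0`/`eth1` are placeholders.

```python
"""Simulate iptables first-match evaluation of the INPUT chain posted above.

Added example, not code from the thread or from iptables. Constructed model of
xhakerek's ruleset; the interface matches on the first two rules are assumed
(see lead-in), and the interface names are placeholders.
"""

from dataclasses import dataclass
from typing import List, Optional, Tuple

LAN_IF = "eth1"  # assumed LAN-facing interface name
WAN_IF = "eth0"  # assumed WAN-facing interface name


@dataclass(frozen=True)
class Rule:
    target: str                                # ACCEPT, DROP or REJECT
    proto: Optional[str] = None                # "tcp", "udp", or None for "all"
    dports: Optional[Tuple[int, int]] = None   # inclusive destination-port range
    states: Optional[Tuple[str, ...]] = None   # conntrack states, or None for any
    in_if: Optional[str] = None                # input interface, or None for any


@dataclass(frozen=True)
class Packet:
    proto: str
    dport: int
    state: str      # NEW, ESTABLISHED or RELATED (as conntrack would classify it)
    in_if: str


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if every match the rule specifies is satisfied by the packet."""
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dports is not None and not rule.dports[0] <= pkt.dport <= rule.dports[1]:
        return False
    if rule.states is not None and pkt.state not in rule.states:
        return False
    if rule.in_if is not None and rule.in_if != pkt.in_if:
        return False
    return True


def first_match(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> Tuple[str, int]:
    """iptables semantics: the first matching rule decides, else the chain policy.

    Returns (verdict, index of the deciding rule, or -1 when the policy applied).
    """
    for i, rule in enumerate(chain):
        if matches(rule, pkt):
            return rule.target, i
    return policy, -1


# Constructed model of the chain exactly in the posted order.
POSTED: List[Rule] = [
    Rule("ACCEPT", in_if="lo"),                     # assumed: -i lo
    Rule("ACCEPT", in_if=LAN_IF),                   # assumed: -i LAN interface
    Rule("REJECT", "udp", (67, 67)),                # bootps
    Rule("REJECT", "udp", (53, 53)),                # domain
    Rule("ACCEPT", "tcp", (22, 22)),                # ssh
    Rule("DROP", "tcp", (0, 1023)),                 # privileged tcp ports
    Rule("DROP", "udp", (0, 1023)),                 # privileged udp ports
    Rule("ACCEPT", "tcp", (21, 21)),                # ftp: shadowed by the DROP above
    Rule("ACCEPT", "tcp", (20, 20)),                # ftp-data: shadowed as well
    Rule("ACCEPT", states=("RELATED", "ESTABLISHED")),
    Rule("ACCEPT", "tcp", (60000, 65535)),          # PassivePorts range
]


def reorder_ftp_before_drop(chain: List[Rule]) -> List[Rule]:
    """Copy of the chain with the ftp/ftp-data ACCEPT rules moved directly after
    the ssh rule, i.e. ahead of DROP 0:1023, which is what the fixed script does."""
    ftp = [r for r in chain
           if r.target == "ACCEPT" and r.proto == "tcp" and r.dports in ((21, 21), (20, 20))]
    rest = [r for r in chain if r not in ftp]
    ssh_idx = next(i for i, r in enumerate(rest) if r.proto == "tcp" and r.dports == (22, 22))
    return rest[: ssh_idx + 1] + ftp + rest[ssh_idx + 1:]


FIXED: List[Rule] = reorder_ftp_before_drop(POSTED)

if __name__ == "__main__":
    wan_ftp = Packet("tcp", 21, "NEW", WAN_IF)
    lan_ftp = Packet("tcp", 21, "NEW", LAN_IF)
    print("posted order, WAN -> ftp:", first_match(POSTED, wan_ftp))  # ('DROP', 5)
    print("posted order, LAN -> ftp:", first_match(POSTED, lan_ftp))  # ('ACCEPT', 1)
    print("fixed order,  WAN -> ftp:", first_match(FIXED, wan_ftp))   # ('ACCEPT', 5)
```

The LAN case shows why the problem only appeared from the WAN: LAN traffic is accepted by the interface rule before the port DROP is ever consulted. On a real box the same check is `iptables -L INPUT --line-numbers`, and a rule can be placed at a specific position with `iptables -I INPUT <rulenum> ...` rather than appended with `-A`.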

