I have a big problem. Let me explain. I have configured two machines, one called "fw" that is the firewall and the other one, connected to it, called "server"; both are Debian 10 buster systems. The fw machine uses iptables to masquerade the IP. "Public IP": 88.20.100.2, local range: 192.168.150.0/24
This is the configuration of my FTP server, vsftpd, to have passive mode:
pasv_enable=Yes
pasv_max_port=2000
pasv_min_port=1000
pasv_address=88.20.100.2
Nothing special. It works if I have these iptables rules enabled on the firewall (enp0s9 = internet, enp0s3 = LAN):
# default: forward nothing unless explicitly allowed
iptables -P FORWARD DROP
# FTP control channel (port 21), both directions
iptables -A FORWARD -p tcp --dport 21 -i enp0s9 -o enp0s3 -d 192.168.150.98 -j ACCEPT
iptables -A FORWARD -p tcp --sport 21 -i enp0s3 -o enp0s9 -s 192.168.150.98 -j ACCEPT
# passive data ports (pasv_min_port:pasv_max_port), both directions, always open
iptables -A FORWARD -p tcp --dport 1000:2000 -d 192.168.150.98 -i enp0s9 -o enp0s3 -j ACCEPT
iptables -A FORWARD -p tcp --sport 1000:2000 -s 192.168.150.98 -i enp0s3 -o enp0s9 -j ACCEPT
# masquerade LAN traffic going out to the internet
iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o enp0s9 -j MASQUERADE
# DNAT control channel and passive data ports to the server
iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to-destination 192.168.150.98:21
iptables -t nat -A PREROUTING -p tcp --dport 1000:2000 -j DNAT --to-destination 192.168.150.98
My problem is that I want to be able to open the 1000:2000 ports only when the connection is related to the FTP server, not always. I have tried with -m state and -m conntrack but I guess I did something wrong. Any idea? Thanks
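As an added example (not the poster's rules), the following script shows the usual way to get what the question asks for: instead of a permanent hole for 1000:2000, let the kernel's FTP connection-tracking helper (nf_conntrack_ftp plus nf_nat_ftp) watch the control channel, and accept the passive data connection only when conntrack has already flagged it as RELATED to an FTP session and the DNAT for it has been set up by the helper. On Debian 10's 4.19 kernel the helper is not attached automatically any more (net.netfilter.nf_conntrack_helper defaults to 0 since Linux 4.7), which is the most common reason a plain `-m conntrack --ctstate RELATED` rule never matches; the script therefore binds the helper explicitly with the CT target in the raw table. Interface names, the server address and the port range are taken from the question; everything else (the IPT dry-run variable, the function names, the `apply` argument) is an assumption of this example. The vsftpd pasv_address setting from the question can stay as it is.

```shell
#!/bin/sh
# Added example: FTP behind a NAT firewall with conntrack-helper-driven rules.
# Not the original poster's ruleset. Values below are taken from the question;
# the IPT variable and function names are this example's own convention.
# Dry-run: IPT=echo ./ftp-fw.sh apply   (prints the rules instead of loading them)
set -eu

IPT=${IPT:-iptables}
WAN=enp0s9               # internet-facing interface
LAN=enp0s3               # LAN-facing interface
FTP_SERVER=192.168.150.98
LAN_NET=192.168.150.0/24
PASV_PORTS=1000:2000     # must match pasv_min_port:pasv_max_port in vsftpd.conf

load_ftp_helper() {
    # nf_conntrack_ftp parses PASV/PORT on the control channel and registers an
    # "expectation" for the data connection; nf_nat_ftp makes that expectation
    # follow the DNAT of the control connection, so no static DNAT for the
    # passive range is needed.
    modprobe nf_conntrack_ftp
    modprobe nf_nat_ftp
}

apply_ftp_rules() {
    # Bind the ftp helper to inbound control connections. The raw table runs
    # before nat PREROUTING, so the destination port is still 21 here.
    $IPT -t raw -A PREROUTING -i "$WAN" -p tcp --dport 21 -j CT --helper ftp

    # Control channel: DNAT to the server, restricted to traffic arriving on the
    # WAN side so LAN clients are not rewritten by accident.
    $IPT -t nat -A PREROUTING -i "$WAN" -p tcp --dport 21 \
        -j DNAT --to-destination "$FTP_SERVER:21"
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN" -j MASQUERADE

    $IPT -P FORWARD DROP
    # Packets of connections already accepted, in both directions.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
    # New control connections from the internet to the FTP server only.
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$FTP_SERVER" --dport 21 \
        -m conntrack --ctstate NEW -j ACCEPT
    # Passive data connection: accepted only if conntrack marked it RELATED and
    # the ftp helper produced that expectation. Its destination has already been
    # rewritten to the server by nf_nat_ftp when the packet reaches FORWARD, so
    # the match is on the internal address. The port range is an extra belt:
    # a helper expectation outside it is still dropped.
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$FTP_SERVER" --dport "$PASV_PORTS" \
        -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT
}

# Only load rules when explicitly asked, so sourcing the file is side-effect free.
if [ "${1:-}" = "apply" ]; then
    load_ftp_helper
    apply_ftp_rules
fi
```

After loading the rules, `conntrack -L` (package conntrack) during a passive transfer should show the data connection with `[ASSURED]` and the control connection with `helper=ftp`; if the data connection never appears as RELATED, the helper is not attached and the raw-table CT rule (or the module load) is the first thing to check. Note that the helper only parses cleartext control channels, so this does not work for FTPS (TLS on port 21).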