Well, let’s imagine rather trivial situation: you have Linux router connected to Internet via e.g. ADSL modem and some local network comprising several computers and servers connected to that router via switches and/or Wi-Fi access points.

Done? Ok.

There is one public IP assigned to WAN interface of the router while FTP server (of course run by Linux as well) has IP something like or 172.16.*.* or 10.*.*.*. Moreover you want to allow people to access your FTP from every corner of Internet… So, there are several ways how to apply this but let’s talk about how to achieve this by means of using port forwarding feature that is available in any router’s functions list.

So, let’s say we have the following configuration:

Internet <-> [a] router [b] <-> [c] FTP server

[a] is WAN interface with (just an example) IP assigned to it, [b] is NIC with and [c] is server’s interface with IP All what we need is that users from Internet can access FTP server using IP and default 21 TCP port.

One of the main problems is that passive mode of FTP service uses any port from range 1024 to 65535 so it’s not enough to forward 21/20 ports to FTP server and let the ball rolling. So, go to servers’ CLI and open configuration file of an FTP service. It would be vsftpd, proftpd whatever. Let’s say we have vsftpd so we have to add the following lines to /etc/vsftpd.conf:


When changes are saved restart vsftpd server.

Now access router’s CLI and type the following:

iptables -t nat -I PREROUTING -d -p tcp -m tcp --dport 21 -j DNAT --to-destination
iptables -t nat -I PREROUTING -d -p tcp -m tcp --dport 12000:13000 -j DNAT --to-destination

This will add netfilter port forwarding rules which will redirect traffic coming at routers’ public IP through 21 TCP port to FTP server and will properly handle passive FTP mode.

Wuala – it’s a finish.




  1. December 22, 2008  12:47 pm by Sergey Gotsulyak Reply

    We maintain special Linux distro to quick deploy of firewall/router/gateway software appliance. It's commercial, but if you are interested, visit www.idecogateway.com

  2. March 24, 2009  5:41 am by nick192 Reply

    hi..thx for this topic. i wanted this1. now can u help me following structure? i want to know whether it is possible or not.

    Internet [a-eth0] linux as a router [b-eth1 as HTTP][c-eth2 FTP]

    a: wan ip: xxx.xxx.xxx.20

    b: live/public ip that i own: xxx.xxx.xxx.40

    c: live/public ip that i own: xxx.xxx.xxx.41

    now i want to access http and ftp servers from their own live ip adresses, like:

  3. December 2, 2009  11:05 am by sex shop internet Reply

    Thanks for sharing, i am seeing here different commands also thanks for sharing. I should just give up and take lessons from you

  4. April 6, 2010  11:47 pm by Andrew Pelt Reply

    Blogs RSS feed is not work in my browser (google chrome) how can I repair it?

  5. October 25, 2010  8:20 pm by Christy Scotton Reply

    What a suberb blog post you wrote. Good share. But I am having difficulty with this RSS. I could'n to subscribe. Is there any one else experiencing similar issue with your rss?

  6. April 23, 2011  12:35 am by Organo Gold Reply

    What a good article! I'd love more information.

Leave a reply


Your email address will not be published.