Linode Community Forums
PostPosted: Sat Dec 31, 2011 2:38 pm
Newbie
Joined: Sat Dec 31, 2011 2:34 pm
Posts: 4
What I want to do is to connect to a server A (connected to a public IP) and forward the FTP connection to server B (connected to another public IP).

In short:
CLIENT ==>Debian SERVER A===> Debian SERVER B with ProFTPD

Passive FTP uses two ports: 21, which carries the commands, and any port from about 30000 to 65000 to transfer data.

When the client reaches the final FTP server (server B), it has the IP of server A (as the client IP was NATed by server A). Server B answers with the port number to use for data transfer; this answer goes through server A and then to the client. At this moment the client knows what port to use for data transfer and tries to connect to this port.

The problem is that the client, instead of connecting to server A (which would forward to server B), goes directly to server B, which of course does not know what it wants, since the IP is different from that of server A (which NATed the client IP) to which it answered earlier.

How is it possible to have the client connect to the data port through the same path (Client ==> Server A ==> Server B)?

Does anybody have a solution for that problem?

For your info, the server is a Debian Lenny;
nf_conntrack and nf_conntrack_ftp are enabled;
IP forwarding is enabled too.

The iptables rules are (the firewall is open when testing):

Code:
# nat table; SERVER_A / SERVER_B stand for the two public addresses
iptables -t nat -A PREROUTING -i eth0 -d SERVER_A -p tcp --dport 21 -j DNAT --to-destination SERVER_B
iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 21 -j MASQUERADE
# data channel: the FTP NAT helper (nf_nat_ftp) sets up the NAT mapping for the expected data connection itself; these two rules do not by themselves make the data channel work
iptables -t nat -A PREROUTING -p tcp -m state --state RELATED --dport 30000:65534 -j DNAT --to-destination SERVER_B:30000-65534
iptables -t nat -A POSTROUTING -o eth0 -p tcp -m state --state RELATED --dport 30000:65534 -j MASQUERADE

Also for your information, with this configuration I could make it work perfectly on 2 servers (I have 3 servers on 3 different public networks), but one of the servers (the one I want it to work on!) is not working properly. For example, if I browse the FTP with Firefox it works perfectly. If I use FileZilla it does not browse folders and files. If I use my iPhone FTP application over my Wi-Fi connection it works; if I use the same one over the 3G (phone) connection it does not.

Since this server is in a data center, I thought that maybe the data center does not have a transparent connection, so I asked them to verify. But they are sure it does not go through a firewall; my server is connected directly to the Internet.

I have tried every solution and spent several days; this is why I need help... and I thank you from the bottom of my heart in advance.
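The NAT box's FTP helper is what decides whether a passive transfer follows the same path as the control connection. nf_conntrack_ftp only follows the control channel and registers an expectation for the data connection; nf_nat_ftp is the separate module that rewrites the h1,h2,h3,h4 address inside server B's "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply to server A's address and applies the control connection's NAT mapping to the expected data connection. If that reply is passed through unmodified, the client is told server B's address and connects to it directly, which is exactly the behaviour described in the post (the post lists nf_conntrack and nf_conntrack_ftp, but not nf_nat_ftp). Below is an added example, not code from the original post: a dry-run rule set for server A that loads both modules, plus small helpers that show what the rewrite does and check a 227 reply captured from, for example, `curl -v ftp://SERVER_A/`. The addresses 198.51.100.10 (server A) and 203.0.113.20 (server B), the interface name eth0 (taken from the post) and the 30000-65534 passive range (which ProFTPD's PassivePorts directive on server B must match) are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the original thread: forwarding passive FTP
# through a Linux NAT box (server A) to a ProFTPD host (server B).
# Addresses are documentation-range assumptions; eth0 comes from the post.
SERVER_A=198.51.100.10   # public IP of server A, the NAT box (assumed)
SERVER_B=203.0.113.20    # public IP of server B, running ProFTPD (assumed)
PASV_MIN=30000           # must match "PassivePorts 30000 65534" on server B
PASV_MAX=65534
DRY_RUN=${DRY_RUN:-1}    # 1 = print the commands, 0 = run them (as root)

run() {
    # Print the command in dry-run mode, execute it otherwise.
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

ftp_nat_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    # nf_conntrack_ftp: follows the control channel and *expects* the data
    # connection. nf_nat_ftp: rewrites the address in the server's
    # "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply to SERVER_A and
    # NATs the expected data connection like the control connection.
    # Without it the client is told SERVER_B's address and bypasses the box.
    run modprobe nf_conntrack_ftp
    run modprobe nf_nat_ftp
    # (Kernels 4.7+ no longer attach helpers automatically; there, also add:
    #  iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp)
    run iptables -t nat -A PREROUTING -i eth0 -d "$SERVER_A" -p tcp --dport 21 \
        -j DNAT --to-destination "$SERVER_B"
    run iptables -t nat -A POSTROUTING -o eth0 -d "$SERVER_B" -p tcp --dport 21 \
        -j SNAT --to-source "$SERVER_A"
    # No nat rules for 30000-65534: the helper creates those mappings itself.
    # The FORWARD chain only has to let the control and data connections through.
    run iptables -A FORWARD -i eth0 -o eth0 -d "$SERVER_B" -p tcp --dport 21 -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

pasv_parse() {
    # "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" -> "h1.h2.h3.h4 port";
    # prints nothing for any other line. Data port = p1*256 + p2.
    printf '%s\n' "$1" | tr -d '\r' |
        awk -F'[(),]' '/^227 / && NF >= 8 {
            printf "%s.%s.%s.%s %d\n", $2, $3, $4, $5, $6 * 256 + $7 }'
}

pasv_rewrite() {
    # What nf_nat_ftp does on the way back to the client: substitute the NAT
    # box's address ($2) for h1,h2,h3,h4 in the reply ($1), keep the port pair.
    newhost=$(printf '%s' "$2" | tr . ,)
    printf '%s\n' "$1" | sed 's/(\([0-9]*,\)\{4\}/('"$newhost"',/'
}

pasv_check() {
    # Diagnostic for a 227 reply ($1) seen by a client that connected to $2:
    # 0 = reply names $2 and a port in the forwarded range (NAT is working),
    # 1 = reply names another host (client will bypass the NAT box),
    # 2 = not a 227 reply, 3 = port outside PASV_MIN..PASV_MAX.
    parsed=$(pasv_parse "$1")
    [ -n "$parsed" ] || return 2
    host=${parsed%% *}
    port=${parsed##* }
    [ "$host" = "$2" ] || return 1
    [ "$port" -ge "$PASV_MIN" ] && [ "$port" -le "$PASV_MAX" ] || return 3
    return 0
}

# Stand-alone use: DRY_RUN=1 prints the rule set, DRY_RUN=0 applies it.
ftp_nat_rules
```

To verify the setup from outside, connect to server A with a client in verbose mode and feed the 227 line it prints to `pasv_check` together with server A's address: a return code of 1 means the reply still carries server B's address, i.e. the NAT helper did not mangle it.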


PostPosted: Sat Dec 31, 2011 3:17 pm
Senior Member
Joined: Sun May 23, 2010 1:57 pm
Posts: 315
Website: http://www.jebblue.net
I think SSH tunneling might work:

Server A (don't run an FTP server; let ssh start listeners on the FTP ports):

Code:
# on Server A, as root (ports below 1024); -N: forward only, no remote shell
ssh -N -L SERVER-A-IP:21:127.0.0.1:21 Server-B-IP-Address
# port 20 is the *source* port of active-mode data connections, so clients never connect to this listener
ssh -N -L SERVER-A-IP:20:127.0.0.1:20 Server-B-IP-Address

This might not work for passive ftp if it requires a large range of ports.

If it works, then there are better ways; for example, stunnel lets you define that configuration in a script.


PostPosted: Wed Jan 04, 2012 9:25 am
Newbie
Joined: Sat Dec 31, 2011 2:34 pm
Posts: 4
Thank you very much for your help, but my server is a public server; I must use a standard connection.


PostPosted: Wed Jan 04, 2012 12:19 pm
Senior Member
Joined: Tue May 26, 2009 3:29 pm
Posts: 1691
Location: Montreal, QC
PatriceVigier wrote:
Thank you very much for your help, but my server is a public server; I must use a standard connection.


SSH is a standard connection... It's server A making an SSH connection to server B. None of the clients ever touch SSH.

Basically, the SSH daemon on server A listens on ports 20 and 21, and all incoming data on those ports is transparently tunneled to server B's ports 20 and 21 over the SSH tunnel. It's a strictly internal thing (the outside world has no way of knowing SSH is involved), but the problem is that I'm not sure it will actually work.

For one thing, all FTP connections on server B will appear to be from localhost. For another thing, FTP is a really dumb protocol, and I'm not sure if active or passive mode will work. In active mode, the client tells the server where to connect (and I'm not sure if the client will be happy that it asks server A to connect to it, but server B does instead), and in passive mode, the server tells the client where to connect (and I'm not sure the client will be happy to be told to connect to a different IP). I don't know, maybe it would work just fine. I hate FTP and haven't used it in many years for these reasons.


PostPosted: Wed Jan 04, 2012 1:09 pm
Senior Member
Joined: Sat Oct 16, 2004 11:13 am
Posts: 176
You could try to use iptables:

Code:
echo 1 >/proc/sys/net/ipv4/ip_forward
# the FTP helper modules are needed so the data connections get the same NAT mapping as the control connection
modprobe nf_conntrack_ftp
modprobe nf_nat_ftp
iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to-destination SERVER-B-IP
iptables -t nat -A POSTROUTING -p tcp --dport 21 -j MASQUERADE
# port 20 is the source port of active-mode data connections (opened by the server), not a port clients connect to; these two rules match no useful traffic
iptables -t nat -A PREROUTING -p tcp --dport 20 -j DNAT --to-destination SERVER-B-IP
iptables -t nat -A POSTROUTING -p tcp --dport 20 -j MASQUERADE


PostPosted: Thu Jan 05, 2012 2:04 pm
Joined: Thu Jan 05, 2012 1:55 pm
Posts: 1
For FTP this is a bit more complicated, since it uses two channels: one for commands (21) and the others for passive port connections. The best way to do this is to use an FTP server that has some reverse proxy capabilities built into it. This will allow you to map a virtual directory for an FTP user to another FTP server.

Here's a link that helps explain it in more detail.

http://managedfiletransfer.com/2011/07/07/file-transfers-using-dmz-streaming-and-reverse-proxies.aspx

The above article uses a product named JSCAPE MFT Server.

http://www.jscape.com/products/file-transfer-servers/jscape-mft-server


PostPosted: Thu Jan 05, 2012 2:33 pm
Senior Member
Joined: Fri Dec 11, 2009 7:09 pm
Posts: 168
Dumb question, but couldn't you mount the file system of server B on server A via sshfs or fuse?

_________________
--
Chris Bryant


PostPosted: Sun Jan 08, 2012 12:24 pm
Newbie
Joined: Sat Dec 31, 2011 2:34 pm
Posts: 4
I will investigate SSH


PostPosted: Sun Jan 08, 2012 5:34 pm
Senior Member
Joined: Wed Mar 17, 2004 4:11 pm
Posts: 554
Website: http://www.unixtastic.com
Location: Europe
PatriceVigier wrote:
What I want to do is to connect to a server A (connected to a public IP) and forward the FTP connection to server B (connected to another public IP).


That's bad design. Sure you could do it or fake it by remote mounting the files from B onto A, or syncing them with rsync or unison but it's still bad design.

If you can get the clients to use the right FTP server instead that would be far better.


PostPosted: Mon Jan 09, 2012 4:11 am
Newbie
Joined: Sat Dec 31, 2011 2:34 pm
Posts: 4
sednet wrote:
PatriceVigier wrote:
What I want to do is to connect to a server A (connected to a public IP) and forward the FTP connection to server B (connected to another public IP).


That's bad design. Sure you could do it or fake it by remote mounting the files from B onto A, or syncing them with rsync or unison but it's still bad design.

If you can get the clients to use the right FTP server instead that would be far better.


I agree, but I have no choice: there are 60 GB of images on the last server and I have no room on the server where the URL goes.

