Firstly, /etc/firewall.user is for special needs that can't be covered by /etc/config/firewall, you shouldn't use it as a general-purpose rule list.
Secondly, I flashed the exact same build you're using in a spare TL-MR3020 router, and all I needed to do to get FTP working was adding these two rules (10.0.0.2 is the LAN address of the computer running the server):
Code:
iptables -A zone_wan_forward -d 10.0.0.2/32 -p tcp -m tcp --dport 21 -j ACCEPT
iptables -A zone_wan_forward -d 10.0.0.2/32 -p tcp -m tcp --dport 20 -j ACCEPT
The /etc/network/firewall equivalent of that would be as follows, and if you have LuCI installed, you can add them via Network -> Firewall -> Port Forwards.
Code:
config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '21'
	option dest_ip '10.0.0.2'
	option dest_port '21'
	option name 'FTP'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '20'
	option dest_ip '10.0.0.2'
	option dest_port '20'
	option name 'FTP data'
If it still doesn't work, make sure you've got the FTP module for netfilter (which does layer 7 NAT and dynamically forwards ports for passive mode) up and running:
Code:
root@OpenWrt:/# lsmod | grep ftp
nf_nat_ftp 976 0
nf_conntrack_ftp 4416 1 nf_nat_ftp
nf_nat 10256 4 nf_nat_irc,nf_nat_ftp,ipt_MASQUERADE,iptable_nat
nf_conntrack 38208 12 nf_nat_irc,nf_conntrack_irc,nf_nat_ftp,nf_conntrack_ftp,ipt_MASQUERADE,iptable_nat,nf_nat,xt_conntrack,xt_CT,xt_NOTRACK,xt_state,nf_conntrack_ipv4
With regard to security, the old advice "only open the ports you really need" is good, and port knocking is an interesting idea to add an extra layer of protection.
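Added example, not part of the post above or of OpenWrt's own firewall scripts: a small shell script that turns "config redirect" sections like the two quoted above into the iptables rules they stand for, and that checks a copy of lsmod output for the FTP helper modules. Chain names follow the zone_<name>_forward convention the post uses; the zone_<name>_prerouting chain for the DNAT half is an assumption, as is the exact rule layout. Both inputs are constructed samples embedded in the script, so it runs anywhere with sh and awk, not only on the router.

```shell
#!/bin/sh
# Added example, not from the original post: translate UCI "config redirect"
# sections into equivalent iptables rules and check that the FTP conntrack
# helper is loaded. zone_<name>_forward follows the post; zone_<name>_prerouting
# and the exact rule layout are assumptions.

# Constructed sample: the two redirect sections from the post, as they would
# appear in /etc/config/firewall.
UCI_SAMPLE=$(cat <<'EOF'
config redirect
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option proto 'tcp'
    option src_dport '21'
    option dest_ip '10.0.0.2'
    option dest_port '21'
    option name 'FTP'

config redirect
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option proto 'tcp'
    option src_dport '20'
    option dest_ip '10.0.0.2'
    option dest_port '20'
    option name 'FTP data'
EOF
)

# Constructed sample of "lsmod" output with the FTP helper loaded.
LSMOD_SAMPLE=$(cat <<'EOF'
nf_nat_ftp 976 0
nf_conntrack_ftp 4416 1 nf_nat_ftp
nf_nat 10256 4 nf_nat_irc,nf_nat_ftp,ipt_MASQUERADE,iptable_nat
EOF
)

# Read UCI text on stdin; for every DNAT redirect emit two iptables rules:
# the DNAT in the nat table, and a forward rule that accepts only the
# forwarded port for the single destination host (/32, nothing wider).
uci_redirect_rules() {
    awk -v q="'" '
    function flush(    k) {
        if (in_section && opt["target"] == "DNAT") {
            printf "iptables -t nat -A zone_%s_prerouting -p %s --dport %s -j DNAT --to-destination %s:%s\n", opt["src"], opt["proto"], opt["src_dport"], opt["dest_ip"], opt["dest_port"]
            printf "iptables -A zone_%s_forward -d %s/32 -p %s --dport %s -j ACCEPT\n", opt["src"], opt["dest_ip"], opt["proto"], opt["dest_port"]
        }
        for (k in opt) delete opt[k]
        in_section = 0
    }
    # A new "config" line ends the previous section; only redirects are kept.
    $1 == "config" { flush(); in_section = ($2 == "redirect"); next }
    # "option key value": take the rest of the line so quoted values with
    # spaces (e.g. FTP data) survive, then strip the single quotes.
    in_section && $1 == "option" {
        v = $0
        sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", v)
        gsub(q, "", v)
        opt[$2] = v
    }
    END { flush() }
    '
}

# Read "lsmod" output on stdin; succeed only if both FTP helper modules are
# loaded (nf_conntrack_ftp follows the control channel, nf_nat_ftp rewrites the
# addresses it announces, so passive-mode data connections are forwarded too).
ftp_helper_loaded() {
    awk '$1 == "nf_nat_ftp" { nat = 1 } $1 == "nf_conntrack_ftp" { ct = 1 } END { exit !(nat && ct) }'
}

# Demonstration on the constructed samples.
printf '%s\n' "$UCI_SAMPLE" | uci_redirect_rules
if printf '%s\n' "$LSMOD_SAMPLE" | ftp_helper_loaded; then
    echo "FTP helper loaded"
else
    echo "FTP helper missing: nf_conntrack_ftp and nf_nat_ftp are not both loaded"
fi
```

On a real router you would feed it the live data instead of the samples: `uci_redirect_rules < /etc/config/firewall` and `lsmod | ftp_helper_loaded`. The point of the forward rule it emits is the same one the post makes: the accept is bound to one host and one port, so a redirect never opens more of the LAN than the service it is meant to expose.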