  1. #1
    Just Joined! | Join Date: Apr 2008 | Location: Catalonia | Posts: 35

    [SOLVED] proFTPD: remote passive mode and problems


    Hello. I'm experiencing problems when connecting from the internet to an FTP server running proFTPd which is behind a NAT.

    This server is in a DMZ. The iptables firewall works properly. I have no problems using it from the local network in both passive and active modes when I don't specify the MasqueradeAddress directive.

    If I specify the MasqueradeAddress directive, then I cannot use passive mode from inside the local network (due to the destination address used, which is private):

    Code:
    227 Entering Passive Mode (a,b,c,d,242,212)

    where a.b.c.d is my static public IP address, the MasqueradeAddress.

    But from outside the same thing happens! I do not understand why. The passive port range covers all possibilities: 1024 to 65535.

    I'd like to be able to use both modes from any location.

    Is it possible with proFTPD? I found a pseudo-solution which used a virtual server with no MasqueradeAddress directive, but this doesn't work; it gives login errors.

    Other things I don't understand are the fact that the command SITE_UTIME is not recognized even though it is explicitly allowed in proftpd.conf, and how I can get rid of the keepalives, I mean, control the disconnection timeout when there is no activity.

    I use inetd, because I cannot switch to standalone. When I switch to standalone and restart the server, it becomes unreachable.

    Thanks.

  2. #2
    Network topology

    Three subnets, three firewall interfaces: one for the local network, the second for the DMZ network (one machine on which the FTP server listens) and the last (which does IP masquerading) connected directly to a DSL modem/router which forwards all incoming traffic to the firewall interface to which it is connected.

    NET: Internet, router-firewall subnet
    DMZ: DMZ subnet
    LOC: LAN, local secure subnetwork

    Iptables rules

    Code:
    #!/bin/sh

    DMZ="192.168.2.2"

    INET="eth0"
    IDMZ="eth1"
    ILOC="eth2"

    # FTP ephemeral port range
    pti="1024"
    ptf="65535"

    echo Carregant moduls necessaris

    modprobe ip_conntrack_ftp
    modprobe ip_nat_ftp

    echo Esborrant normativa actual

    iptables -F
    iptables -X
    iptables -Z
    iptables -t nat -F

    echo Establint politica de denegacio per defecte

    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP
    iptables -t nat -P PREROUTING DROP
    iptables -t nat -P POSTROUTING DROP

    echo Establint les ordres de forwarding generals

    # Enable the FORWARDING bit
    sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"

    # Prerouting

    iptables -t nat -A PREROUTING -i $IDMZ -j ACCEPT
    iptables -t nat -A PREROUTING -i $ILOC -j ACCEPT

    # Postrouting

    iptables -t nat -A POSTROUTING -o $INET -j MASQUERADE
    iptables -t nat -A POSTROUTING -o $IDMZ -j ACCEPT
    iptables -t nat -A POSTROUTING -o $ILOC -j ACCEPT

    echo Habilitant connexions locals

    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

    echo Configurant NET-DMZ

    # Allow the remote FTP service
    iptables -t nat -A PREROUTING -i $INET -p tcp --dport 21 -j DNAT --to-destination $DMZ:21

    # Control connection
    iptables -A FORWARD -i $INET -o $IDMZ -m state --state NEW,ESTABLISHED -p tcp --sport $pti:$ptf --dport 21 -j ACCEPT
    iptables -A FORWARD -i $IDMZ -o $INET -m state --state ESTABLISHED -p tcp --sport 21 --dport $pti:$ptf -j ACCEPT

    # Data - active mode
    iptables -A FORWARD -i $INET -o $IDMZ -m state --state ESTABLISHED -p tcp --sport $pti:$ptf --dport 20 -j ACCEPT
    iptables -A FORWARD -i $IDMZ -o $INET -m state --state ESTABLISHED,RELATED -p tcp --sport 20 --dport $pti:$ptf -j ACCEPT

    # Data - passive mode
    iptables -A FORWARD -i $INET -o $IDMZ -m state --state ESTABLISHED,RELATED -p tcp --sport $pti:$ptf --dport $pti:$ptf -j ACCEPT
    iptables -A FORWARD -i $IDMZ -o $INET -m state --state ESTABLISHED -p tcp --sport $pti:$ptf --dport $pti:$ptf -j ACCEPT

    echo Configurant DMZ-LOC

    # Allow FTP

    # Control connection
    iptables -A FORWARD -i $ILOC -o $IDMZ -m state --state NEW,ESTABLISHED -p tcp --sport $pti:$ptf --dport 21 -j ACCEPT
    iptables -A FORWARD -i $IDMZ -o $ILOC -m state --state ESTABLISHED -p tcp --sport 21 --dport $pti:$ptf -j ACCEPT

    # Data - active mode
    iptables -A FORWARD -i $ILOC -o $IDMZ -m state --state ESTABLISHED -p tcp --sport $pti:$ptf --dport 20 -j ACCEPT
    iptables -A FORWARD -i $IDMZ -o $ILOC -m state --state ESTABLISHED,RELATED -p tcp --sport 20 --dport $pti:$ptf -j ACCEPT

    # Data - passive mode
    iptables -A FORWARD -i $ILOC -o $IDMZ -m state --state ESTABLISHED,RELATED -p tcp --sport $pti:$ptf --dport $pti:$ptf -j ACCEPT
    iptables -A FORWARD -i $IDMZ -o $ILOC -m state --state ESTABLISHED -p tcp --sport $pti:$ptf --dport $pti:$ptf -j ACCEPT

    Sorry for the language of the comments (Catalan); it's easy to understand within context. Key:

    servei remot = remote service
    permet = allow
    dades = data
    efimer = ephemeral
    passiu, actiu = trivial, trivial...

    The problem persists; ask for any data you may need.
    Thanks

  3. #3
    Here I give the solution I found.

    RELATED outbound connections must be allowed for the passive data transfers:

    Code:
    # Data - passive mode
    iptables -A FORWARD -i $INET -o $IDMZ -m state --state ESTABLISHED,RELATED -p tcp --sport $pti:$ptf --dport $pti:$ptf -j ACCEPT
    iptables -A FORWARD -i $IDMZ -o $INET -m state --state ESTABLISHED,RELATED -p tcp --sport $pti:$ptf --dport $pti:$ptf -j ACCEPT

    And specify no MasqueradeAddress.

    I continue having problems with standalone proFTPD server mode. When I switch to it, the server seems to restart itself normally, but it is unreachable remotely.
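    As an added diagnostic (not code from the thread or from proFTPD), this Python helper parses a 227 reply like the one quoted in post #1 and checks whether the advertised address and data port are consistent with the control connection and with the port range the script in post #2 forwards ($pti:$ptf). The public address 203.0.113.10 and the DMZ address are constructed stand-ins for a.b.c.d and the server's private address.

```python
import ipaddress
import re

# Constructed example, not code from the original thread. The thread shows the
# reply as "(a,b,c,d,242,212)" with a.b.c.d being the public MasqueradeAddress;
# 203.0.113.10 is used below only as a constructed stand-in for that address.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# RFC 1918 ranges, checked explicitly (ipaddress.is_private also covers TEST-NET blocks).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv(reply):
    """Parse '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'.
    Returns (address, port) with port = p1 * 256 + p2."""
    m = PASV_RE.match(reply.strip())
    if m is None:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("field out of range in PASV reply: %r" % reply)
    return ipaddress.ip_address("%d.%d.%d.%d" % (h1, h2, h3, h4)), p1 * 256 + p2


def check_pasv(reply, control_peer, passive_range=(1024, 65535)):
    """Return the reasons why the data connection advertised in `reply` may be
    unreachable for a client whose control connection went to `control_peer`.
    `passive_range` is the port range the firewall forwards (pti..ptf in the
    thread's script). An empty list means the reply is consistent."""
    addr, port = parse_pasv(reply)
    peer = ipaddress.ip_address(control_peer)
    lo, hi = passive_range
    problems = []
    if not lo <= port <= hi:
        problems.append("data port %d outside forwarded range %d-%d" % (port, lo, hi))
    if addr != peer:
        # Behind NAT the server advertises the wrong address when MasqueradeAddress
        # is missing (the private DMZ address leaks to Internet clients) or when it
        # is set (LAN clients receive the public address, which the script's
        # PREROUTING DNAT rule does not rewrite: it matches only $INET, port 21).
        kind = "private" if any(addr in n for n in RFC1918) else "public"
        problems.append("advertised %s address %s differs from control peer %s"
                        % (kind, addr, peer))
    return problems
```

    Feed it the 227 line from a client session together with the address the client actually connected to; an empty result rules out the address and port range as the cause, leaving the FORWARD rules to check.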
