05-04-2008 #1, Just Joined! (Join Date: Apr 2008, Location: Catalonia, Posts: 29)
[SOLVED] proFTPD: remote passive mode and problems
Hello. I'm experiencing problems when connecting from the internet to a FTP server running proFTPd which is behind a NAT.
This server is in a DMZ. The iptables firewall works properly. I have no problems using it from the local network in both passive and active modes when I don't specify the MasqueradeAddress directive.
If I specify the MasqueradeAddress directive, then I cannot use passive mode from inside the local network (due to the destination address used, which is private):
Code:
227 Entering Passive Mode (a,b,c,d,242,212)
where a.b.c.d is my static public IP address, the MasqueradeAddress.
But from outside the same thing happens! I do not understand why. The passive port range covers all possibilities: 1024 to 65535.
I'd like to be able to use both modes from any location.
Is it possible with proFTPD? I found a pseudo-solution which used a virtual server with no MasqueradeAddress directive, but this doesn't work; it gives login errors.
Other things I don't understand are that the SITE_UTIME command is not recognized even though it is explicitly allowed in proftpd.conf, and how I can get rid of the keepalives, I mean, control the disconnection timeout when there is no activity.
I use inetd because I cannot switch to standalone. When I switch to standalone and restart the server, it becomes unreachable.
Thanks.
05-09-2008 #2
Network topology
Three subnets, three firewall interfaces: one for the local network, the second for the DMZ network (one machine, on which the FTP server listens) and the last (which does IP masquerading) connected directly to a DSL modem/router which forwards all the incoming traffic to the firewall interface to which it is connected.
NET: Internet, router-firewall subnet
DMZ: DMZ subnet
LOC: LAN, local secure subnetwork
Iptables rules
Sorry for the language of the comments, Catalan; it's easy to understand within context. Key below the script.
Code:
#!/bin/sh
DMZ="192.168.2.2"
INET="eth0"
IDMZ="eth1"
ILOC="eth2"
# Rang ports efimers FTP (FTP ephemeral port range, also the PassivePorts range)
pti="1024"
ptf="65535"

echo Carregant moduls necessaris   # loading required modules
# conntrack helper tracks the PORT/PASV commands on port 21; the NAT helper rewrites addresses in them
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

echo Esborrant normativa actual   # flushing current rules
iptables -F
iptables -X
iptables -Z
iptables -t nat -F

echo Establint politica de denegacio per defecte   # setting default deny policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -t nat -P PREROUTING DROP
iptables -t nat -P POSTROUTING DROP

echo Establint les ordres de forwarding generals   # setting general forwarding rules
# Activacio del bit de FORWARDING (enable IP forwarding)
sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
# Prerouting
iptables -t nat -A PREROUTING -i $IDMZ -j ACCEPT
iptables -t nat -A PREROUTING -i $ILOC -j ACCEPT
# Postrouting
iptables -t nat -A POSTROUTING -o $INET -j MASQUERADE
iptables -t nat -A POSTROUTING -o $IDMZ -j ACCEPT
iptables -t nat -A POSTROUTING -o $ILOC -j ACCEPT

echo Habilitant connexions locals   # allowing loopback connections
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

echo Configurant NET-DMZ   # Internet <-> DMZ
# Permet servei remot FTP (allow remote FTP service: DNAT port 21 to the DMZ host)
iptables -t nat -A PREROUTING -i $INET -p tcp --dport 21 -j DNAT --to-destination $DMZ:21
# Control (control channel)
iptables -A FORWARD -i $INET -o $IDMZ -m state --state NEW,ESTABLISHED -p tcp --sport $pti:$ptf --dport 21 -j ACCEPT
iptables -A FORWARD -i $IDMZ -o $INET -m state --state ESTABLISHED -p tcp --sport 21 --dport $pti:$ptf -j ACCEPT
# Dades-actiu (data channel, active mode: server connects out from port 20)
iptables -A FORWARD -i $INET -o $IDMZ -m state --state ESTABLISHED -p tcp --sport $pti:$ptf --dport 20 -j ACCEPT
iptables -A FORWARD -i $IDMZ -o $INET -m state --state ESTABLISHED,RELATED -p tcp --sport 20 --dport $pti:$ptf -j ACCEPT
# Dades-passiu (data channel, passive mode: client connects in to an ephemeral port)
iptables -A FORWARD -i $INET -o $IDMZ -m state --state ESTABLISHED,RELATED -p tcp --sport $pti:$ptf --dport $pti:$ptf -j ACCEPT
iptables -A FORWARD -i $IDMZ -o $INET -m state --state ESTABLISHED -p tcp --sport $pti:$ptf --dport $pti:$ptf -j ACCEPT

echo Configurant DMZ-LOC   # DMZ <-> LAN
# Permet FTP (allow FTP)
# Control (control channel)
iptables -A FORWARD -i $ILOC -o $IDMZ -m state --state NEW,ESTABLISHED -p tcp --sport $pti:$ptf --dport 21 -j ACCEPT
iptables -A FORWARD -i $IDMZ -o $ILOC -m state --state ESTABLISHED -p tcp --sport 21 --dport $pti:$ptf -j ACCEPT
# Dades-actiu (data channel, active mode)
iptables -A FORWARD -i $ILOC -o $IDMZ -m state --state ESTABLISHED -p tcp --sport $pti:$ptf --dport 20 -j ACCEPT
iptables -A FORWARD -i $IDMZ -o $ILOC -m state --state ESTABLISHED,RELATED -p tcp --sport 20 --dport $pti:$ptf -j ACCEPT
# Dades-passiu (data channel, passive mode)
iptables -A FORWARD -i $ILOC -o $IDMZ -m state --state ESTABLISHED,RELATED -p tcp --sport $pti:$ptf --dport $pti:$ptf -j ACCEPT
iptables -A FORWARD -i $IDMZ -o $ILOC -m state --state ESTABLISHED -p tcp --sport $pti:$ptf --dport $pti:$ptf -j ACCEPT
Key:
servei remot = remote service
permet = allow
dades = data
efimer = ephemeral
passiu, actiu = trivial, trivial...
The problem persists; ask for any data you may need.
Thanks.
05-28-2008 #3
Here is the solution I found.
RELATED outbound connections must be allowed for the passive data transfers:
Code:
# Dades-passiu (data channel, passive mode)
iptables -A FORWARD -i $INET -o $IDMZ -m state --state ESTABLISHED,RELATED -p tcp --sport $pti:$ptf --dport $pti:$ptf -j ACCEPT
iptables -A FORWARD -i $IDMZ -o $INET -m state --state ESTABLISHED,RELATED -p tcp --sport $pti:$ptf --dport $pti:$ptf -j ACCEPT
And specify no MasqueradeAddress.
I continue having problems with standalone proFTPD server mode. When I switch to it, the server seems to restart itself normally, but it is unreachable remotely.
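The following is an added example, not code from the thread, from proFTPD or from the netfilter helpers. It models what the two halves of the fix above do to the 227 reply: the ip_nat_ftp helper rewrites the private address that the DMZ server advertises (because MasqueradeAddress is no longer set) into the public one and registers the expectation that makes the client's data connection match `--state RELATED`, and a client that gets an address on the wrong side of the NAT (the MasqueradeAddress symptom from inside the LAN) can fall back to the control-connection peer, which is what curl's `--ftp-skip-pasv-ip` option does. The function names are mine; 192.168.2.2 is the DMZ host from post #2 and 203.0.113.5, a documentation address, stands in for the poster's a.b.c.d.

```python
"""Decode, rewrite and sanity-check FTP 227 (PASV) replies.

Added example for the thread above, not code from proFTPD or netfilter.
Assumed addresses: 192.168.2.2 = DMZ server (from the thread),
203.0.113.5 = placeholder for the poster's public address a.b.c.d.
"""
import ipaddress
import re

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)  -- RFC 959, section 4.1.2
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

# RFC 1918 space; checked by hand rather than with ipaddress.is_private so the
# documentation address used as the "public" placeholder counts as public.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The PassivePorts range the poster configured (also $pti:$ptf in the firewall).
PASV_PORT_RANGE = (1024, 65535)


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_pasv(reply):
    """Return (host, port) advertised by a 227 reply; raise ValueError otherwise."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 reply: %r" % reply)
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("byte out of range in %r" % reply)
    host = "%d.%d.%d.%d" % tuple(octets[:4])
    port = octets[4] * 256 + octets[5]          # p1*256 + p2
    lo, hi = PASV_PORT_RANGE
    if not lo <= port <= hi:
        raise ValueError("data port %d outside PassivePorts %d-%d" % (port, lo, hi))
    return host, port


def format_pasv(host, port):
    """Build the 227 reply for host:port (inverse of parse_pasv)."""
    return "227 Entering Passive Mode (%s,%d,%d)" % (
        host.replace(".", ","), port // 256, port % 256)


def nat_helper_rewrite(reply, inside_ip, outside_ip):
    """Model of ip_nat_ftp on the masquerading interface.

    If the server advertised its own inside address, rewrite it to the public
    address and return the expectation (public_ip, port) that the conntrack
    helper registers, so the client's connection to that port is RELATED.
    Any other address (e.g. one forced by MasqueradeAddress) passes untouched.
    """
    host, port = parse_pasv(reply)
    if host != inside_ip:
        return reply, None
    return format_pasv(outside_ip, port), (outside_ip, port)


def choose_data_endpoint(reply, control_peer_ip):
    """Client-side guard (curl --ftp-skip-pasv-ip behaviour).

    If the advertised address is on a different side of the NAT than the peer
    of the control connection, connect to the control peer instead. This is
    the LAN-side failure from post #1: MasqueradeAddress put the public
    address into the reply although the client reached the server privately.
    """
    host, port = parse_pasv(reply)
    if is_rfc1918(host) != is_rfc1918(control_peer_ip):
        return control_peer_ip, port
    return host, port


if __name__ == "__main__":
    # Constructed reply: what proftpd sends with no MasqueradeAddress.
    server_reply = format_pasv("192.168.2.2", 62164)
    print(server_reply, "->", nat_helper_rewrite(server_reply, "192.168.2.2", "203.0.113.5"))
    # LAN client receiving a MasqueradeAddress reply over a private control connection.
    print(choose_data_endpoint(format_pasv("203.0.113.5", 62164), "192.168.2.2"))
```

Run it directly to see the rewrite and the fallback; (242,212) in the poster's reply decodes to port 62164, inside the 1024 to 65535 range, so the range itself was never the problem.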