  1. #1
    Just Joined! Kumado's Avatar
    Join Date
    Jul 2006
    Posts
    81

    FTP through NAT


    I am looking for a new angle.

    I have a web server which is inside my DMZ, the DMZ, yellow zone, is off a 3rd nic of the NAT.
    I am using vsftp with no anonymous.
    I need to give access to a couple of individuals for file storage.
    I can connect from inside by command line and using FireFTP with FireFox. That is what I want to set up for the user.
    When I try to connect from outside, I can connect from command line fine. When I use FireFox / FireFTP,

    220 "Welcome to the ........ Web FTP service."
    USER xxxxxxx
    331 Please specify the password.
    PASS (password not shown)
    230 Login successful.
    CWD /
    250 Directory successfully changed.
    TYPE A
    200 Switching to ASCII mode.
    PASV

    FireFTP is set to binary upload and download and vsftp is not open to ascii. I tried opening ascii for a test, no luck. Still it works from internal.
    When I use iptraf on the NAT I see the connections and transfer in both directions.
    I am using different machines from there and home.
    I must redirect the outside connection in the nat prerouting tables.
    That is all I can see different between locations.

    I use Suse. As another test, I just tried from my wife's computer, Windows command line, it logs in but then locks when I try to get a directory.

    What am I missing?

    thanks

    Kumado

  2. #2
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Is ip_conntrack_ftp loaded?

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  3. #3
    Linux Guru
    Join Date
    Nov 2007
    Posts
    1,756
    You can do a Google search for FTP and passive mode. To use passive mode through a NAT'ed firewall, you will need to specify the range of ports used by vsftpd for passive mode and then forward these ports through the firewall to the vsftpd machine.

  4. #4
    Just Joined! Kumado's Avatar
    Join Date
    Jul 2006
    Posts
    81
    Thank you very much for the help and lead. I was able to find more out.

    It works now.

    I found another post that said ip_nat_ftp also needs to be loaded.
    I will add these to my firewall script.
    It bothers me some to open ftp up. I don't have a lot of time to spend monitoring.
    I want to set up tls and maybe mac address match the individual that needs this set-up.

    If I may ask, lsmod | grep -i ip_conntrack_ftp does not show it loaded after I
    modprobe ip_conntrack_ftp. What else might I be missing?

    I am using Suse 11.0 / 32 minimal graphics ( not near good enough to go shell only - yet )

    Thank you again for your time

    kumado
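
Added example, not part of the thread or any poster's firewall script: a POSIX shell check for the two causes discussed above, a PASV reply that advertises an address or port the outside client cannot reach, and FTP helpers that are missing from the NAT box. The replies, the 50000-50100 range and the function names are constructed; it assumes a kernel where `lsmod` lists the helpers as `nf_conntrack_ftp` / `nf_nat_ftp`, with the `ip_*` names accepted by `modprobe` only as aliases.

```shell
#!/bin/sh
# Added example. Replies, lsmod text and the 50000-50100 range are constructed.

# Print "ip port" from: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
parse_pasv() {
    fields=$(printf '%s\n' "$1" | sed -n 's/^227[^(]*(\([0-9,]*\)).*/\1/p')
    [ -n "$fields" ] || return 1
    old_ifs=$IFS; IFS=,
    set -- $fields            # split the six numbers on commas
    IFS=$old_ifs
    [ $# -eq 6 ] || return 1
    echo "$1.$2.$3.$4 $(( $5 * 256 + $6 ))"
}

# RFC 1918 address: unreachable from outside the NAT.
is_private() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# diagnose_pasv REPLY MIN MAX: what an outside client would run into.
# MIN..MAX is the passive range forwarded to the server
# (vsftpd pasv_min_port / pasv_max_port).
diagnose_pasv() {
    ep=$(parse_pasv "$1") || { echo "unparseable"; return 2; }
    ip=${ep% *}; port=${ep#* }
    if is_private "$ip"; then
        echo "private-address $ip:$port"; return 1
    fi
    if [ "$port" -lt "$2" ] || [ "$port" -gt "$3" ]; then
        echo "port-not-forwarded $ip:$port"; return 1
    fi
    echo "ok $ip:$port"
}

# Reads lsmod output on stdin; succeeds only if both FTP helpers are present,
# under either the nf_* name or the older ip_* name.
ftp_helpers_loaded() {
    ct=no; nat=no
    for m in $(awk '{print $1}'); do
        case "$m" in
            nf_conntrack_ftp|ip_conntrack_ftp) ct=yes ;;
            nf_nat_ftp|ip_nat_ftp) nat=yes ;;
        esac
    done
    [ "$ct" = yes ] && [ "$nat" = yes ]
}

# Constructed reply: the server advertises its DMZ address to an outside client.
diagnose_pasv '227 Entering Passive Mode (192,168,2,10,195,149)' 50000 50100 || true
```

On the NAT box the helper check is fed with `lsmod | ftp_helpers_loaded`. Once TLS protects the control channel the helpers can no longer read the 227 reply, so the fixed, forwarded passive range from post #3 is the part that keeps working.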
