FTP through NAT
I am looking for a new angle.
I have a web server which is inside my DMZ; the DMZ (yellow zone) is off a 3rd NIC of the NAT.
I am using vsftp with no anonymous.
I need to give access to a couple of individuals for file storage.
I can connect from inside by command line and using FireFTP with FireFox. That is what I want to set up for the user.
When I try to connect from outside, I can connect from command line fine. When I use FireFox / FireFTP, I get:
220 "Welcome to the ........ Web FTP service."
331 Please specify the password.
PASS (password not shown)
230 Login successful.
250 Directory successfully changed.
200 Switching to ASCII mode.
FireFTP is set to binary upload and download and vsftp is not open to ASCII. I tried opening ASCII for a test, no luck. Still, it works from internal.
When I use iptraf on the NAT I see the connections and transfer in both directions.
I am using different machines from there and home.
I must redirect the outside connection in the nat prerouting tables.
That is all I can see different between locations.
I use Suse. As another test, I just tried from my wife's computer, Windows command line, it logs in but then locks when I try to get a directory.
What am I missing?
Is ip_conntrack_ftp loaded?
You can do a Google search for FTP and passive mode. To use passive mode through a NAT'ed firewall, you will need to specify the range of ports used by vsftpd for passive mode and then forward these ports through the firewall to the vsftpd machine.
Thank you very much for the help and lead. I was able to find more out.
It works now.
I found another post that said ip_nat_ftp also needs to be loaded.
I will add these to my firewall script.
It bothers me some to open FTP up. I don't have a lot of time to spend monitoring.
I want to set up tls and maybe mac address match the individual that needs this set-up.
If I may ask, lsmod | grep -i ip_conntrack_ftp does not show it loaded after I modprobe ip_conntrack_ftp. What else might I be missing?
I am using Suse 11.0 / 32 minimal graphics (not near good enough to go shell only - yet).
Thank you again for your time.