Re: Redirecting passive FTP
Ola,
Lars wrote:
> I'm having trouble with redirecting the traffic to my ftp-server. The
> problem only exists when dealing with passive traffic/connections in the
> high port numbers.
That's a well-known problem, as common as redirecting active mode data
traffic to an FTP client behind a NAT.
> So I would be very pleased if anyone would write those few
> lines for me...
> All connections enter at: 10.0.0.2 / eth0 / $WAN_IP
> FTP-server ip-address is: 172.16.0.49 / $PUBLIC
> Pure-ftpd's Passive Port Range is: 37000 38000
*The easy way*
On the firewall/NAT box, load the FTP helper modules 'ip_conntrack_ftp'
and 'ip_nat_ftp'. They will monitor FTP control connections and take
care of FTP data traffic either in active or passive mode. The first
packet of a data connection will be seen in the RELATED state.
Limit: it won't work when FTP control connections are encrypted with
TLS/SSL.
NAT box setup:
# load FTP conntrack & NAT helper modules
# (on current kernels these modules are named nf_conntrack_ftp and nf_nat_ftp)
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
# redirect incoming FTP control connections
iptables -t nat -A PREROUTING -d $WAN_IP -p tcp --dport 21 \
    -j DNAT --to $PUBLIC
# accept established and related traffic such as FTP data
# (the helper marks the first packet of each data connection RELATED)
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# accept new FTP control connections
iptables -A FORWARD -m state --state NEW -p tcp --dport 21 -d $PUBLIC -j ACCEPT
*The hard way* (hurt me plenty)
- restrict the passive mode port range in the server setup,
- redirect and accept that range on the NAT box to the server,
- force the public IP address used in PASV replies in the server setup.
NAT box setup (assuming outgoing traffic is accepted):
# redirect incoming FTP control connections
iptables -t nat -A PREROUTING -d $WAN_IP -p tcp --dport 21 \
    -j DNAT --to $PUBLIC
# redirect incoming passive FTP data connections (the restricted range)
iptables -t nat -A PREROUTING -d $WAN_IP -p tcp --dport 37000:38000 \
    -j DNAT --to $PUBLIC
# accept incoming FTP control connections
iptables -A FORWARD -p tcp --dport 21 -d $PUBLIC -j ACCEPT
# accept return traffic on active FTP data connections
iptables -A FORWARD -p tcp --dport 20 -d $PUBLIC -j ACCEPT
# accept passive FTP data connections
iptables -A FORWARD -p tcp --dport 37000:38000 -d $PUBLIC -j ACCEPT
Note: no need to redirect port 20 used by active FTP data connections;
these are outgoing connections from the server, which are managed by the
usual SNAT or MASQUERADE rule.
pure-ftpd options:
-p|--passiveportrange 37000:38000
-P|--forcepassiveip $WAN_IP
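As an added example (my own code, not from the original mail, from netfilter or from pure-ftpd): a small Python checker that parses the server's `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` replies, which is the same information the ip_conntrack_ftp helper extracts from the control connection in the easy way and the two things the hard way makes you pin down by hand (the advertised address and the port range). Given $WAN_IP and the forwarded range, it reports replies that would break behind the NAT box: a leaked RFC 1918 address (forcepassiveip not set), a wrong public address, or a port outside the DNAT'd range. The sample replies are constructed; 203.0.113.10 stands in for $WAN_IP, which the mail never gives, and 172.16.0.49 is $PUBLIC from the mail.

```python
import ipaddress
import re

# Constructed sample replies in the RFC 959 PASV format
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"; none of these is captured traffic.
# 203.0.113.10 stands in for $WAN_IP (the mail never gives its value);
# 172.16.0.49 is $PUBLIC, the server's private address from the mail.
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (203,0,113,10,144,136)",  # port 144*256+136 = 37000, in range
    "227 Entering Passive Mode (172,16,0,49,148,116)",   # private address, port 38004 out of range
    "227 Entering Passive Mode (203,0,113,10,0,21)",     # right address, port 21 out of range
    "500 Unknown command",                                # not a PASV reply at all
]

PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

# Address blocks a server behind NAT must never advertise to outside clients.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply, or None if the line is not a PASV reply.

    This is the same parsing the ip_conntrack_ftp helper does on the control
    connection to learn which data connection to expect (and ip_nat_ftp rewrites).
    """
    m = PASV_RE.search(reply.strip())
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in PASV reply: %r" % reply)
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]  # p1 is the high byte, p2 the low byte
    return ip, port


def check_pasv(reply, wan_ip, port_range):
    """Return the list of problems a PASV reply would cause behind the NAT box.

    wan_ip is the address clients must see ($WAN_IP, what -P/--forcepassiveip sets);
    port_range is the (low, high) range the NAT box forwards to the server
    (what -p/--passiveportrange restricts). An empty list means the reply is fine.
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return ["not a PASV (227) reply"]
    ip, port = parsed
    problems = []
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in RFC1918):
        problems.append("advertises private address %s (forcepassiveip not set?)" % ip)
    if ip != wan_ip:
        problems.append("advertises %s instead of %s" % (ip, wan_ip))
    low, high = port_range
    if not low <= port <= high:
        problems.append("port %d outside forwarded range %d:%d" % (port, low, high))
    return problems


if __name__ == "__main__":
    for line in SAMPLE_REPLIES:
        print(line, "->", check_pasv(line, "203.0.113.10", (37000, 38000)) or "ok")
```

To run it against a real server instead of the constructed lines, feed `check_pasv` the string returned by `ftplib.FTP.sendcmd("PASV")` from a client outside the NAT box; an address or port problem reported there is exactly what the FTP helper would have to fix up (easy way) or what the -P/-p options must make disappear (hard way).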