
Re: Redirecting passive FTP



Ola,

Lars wrote:

I'm having trouble with redirecting the traffic to my ftp-server. The
problem only exists when dealing with passive traffic/ connection in the
high port numbers.

That's a well-known problem, as common as redirecting active mode data traffic to an FTP client behind a NAT.

So I would be very pleased if anyone would write those few
lines for me..

All connections enters at: 10.0.0.2 / eth0 / $WAN_IP
FTP-server ip-address is: 172.16.0.49 / $PUBLIC
Pure-ftpd's Passive Port Range is: 37000 38000

*The easy way*
On the firewall/NAT box, load the FTP helper modules 'ip_conntrack_ftp' and 'ip_nat_ftp'. They will monitor FTP control connections and take care of FTP data traffic either in active or passive mode. The first packet of a data connection will be seen in the RELATED state. Limit: it won't work when FTP control connections are encrypted with TLS/SSL.

NAT box setup:

# load FTP conntrack & NAT helper modules
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
# redirect incoming FTP control connections
iptables -t nat -A PREROUTING -d $WAN_IP -p tcp --dport 21 \
  -j DNAT --to $PUBLIC
# accept established and related traffic such as FTP data
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# accept new FTP control connections
iptables -A FORWARD -m state --state NEW -p tcp --dport 21 -d $PUBLIC -j ACCEPT


*The hard way* (hurt me plenty)
- restrict the passive mode port range in the server setup,
- redirect and accept that range on the NAT box to the server,
- force the public IP address used in PASV replies in the server setup.

NAT box setup: (assuming outgoing traffic is accepted)

# redirect incoming FTP control connections
iptables -t nat -A PREROUTING -d $WAN_IP -p tcp --dport 21 \
  -j DNAT --to $PUBLIC
# accept incoming FTP control connections
iptables -A FORWARD -p tcp --dport 21 -d $PUBLIC -j ACCEPT
# accept return traffic on active FTP data connections
iptables -A FORWARD -p tcp --dport 20 -d $PUBLIC -j ACCEPT
# accept FTP data passive connections
iptables -A FORWARD -p tcp --dport 37000:38000 -d $PUBLIC -j ACCEPT

Note: no need to redirect port 20 used by active FTP data connections, these are outgoing connections from the server, which are managed by the usual SNAT or MASQUERADE rule.

pure-ftpd options:

 -p|--passiveportrange 37000:38000
 -P|--forcepassiveip $WAN_IP
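A check for the hard-way setup, added here and not part of the original thread: it parses a "227 Entering Passive Mode" reply, confirms the advertised address is $WAN_IP (10.0.0.2 on this page) and that the port lies in the 37000:38000 range the FORWARD rule accepts, and flags the usual failure where the server advertises its private address (172.16.0.49), which is what -P/--forcepassiveip fixes. The replies below are constructed samples.

```python
import re
from ipaddress import ip_address

# 227 reply carries the address and port as six decimal bytes: h1,h2,h3,h4,p1,p2
PASV_RE = re.compile(
    r"227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply: str):
    """Return (ip, port) advertised in a 227 PASV reply, or None if malformed."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_pasv(reply: str, wan_ip: str, low: int, high: int):
    """List the ways a PASV reply is inconsistent with the NAT setup (empty = OK)."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return ["not a well-formed 227 PASV reply"]
    ip, port = parsed
    problems = []
    if ip != wan_ip:
        if ip_address(ip).is_private:
            # server leaked its own address; clients outside will connect to it and hang
            problems.append(f"advertised private address {ip}: set -P/--forcepassiveip {wan_ip}")
        else:
            problems.append(f"advertised {ip}, expected {wan_ip}")
    if not low <= port <= high:
        # port must match both -p/--passiveportrange and the FORWARD rule's --dport range
        problems.append(f"port {port} outside {low}:{high}")
    return problems


if __name__ == "__main__":
    # constructed sample replies, values taken from the thread's setup
    samples = [
        "227 Entering Passive Mode (10,0,0,2,145,0)",       # 10.0.0.2:37120, fine
        "227 Entering Passive Mode (172,16,0,49,144,160)",  # private address leaked
        "227 Entering Passive Mode (10,0,0,2,148,136)",     # 38024, outside range
    ]
    for s in samples:
        print(s, "->", check_pasv(s, "10.0.0.2", 37000, 38000) or "OK")
```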
