
Re: iptables, ftp and dnat?



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Tommy Bongaerts wrote:
> On Fri, Dec 05, 2008 at 03:30:19PM -0700, Robert L. Harris wrote:
>
>> I've read both of those and understand how the ftp works.  I've
>> spent the last 2 days googling. Unfortunately it's all working
>> now except how to get the iptables data connection in passive
>> mode working.  I can log in, etc just fine but when I do a "ls"
>> after issuing the "passive" command it times out.
>>
>> The second example looks good but doesn't handle the DNAT (the
>> ftp server is running on another machine behind my firewall.
>
> It hangs after ls? Sounds like your data traffic gets jammed
> somehow.
>
> Some things to consider:
> - did you open up the data port (this is control port minus 1)?
> - did you open some ports for the passive connection?
> - did you tell this to your server?
> - does the NAT machine translate the ftp packets properly?
>
> If you're using proftpd you may try set following directives in the
>  config:
>
> PassivePorts            <range>
> MasqueradeAddress       <wan IP NAT/firewall machine>
>
> I had the exact same problem, and this fixed it for me.
>

I'm not doing any outbound blocking and I'm trying to figure out the
syntax for the data port now. What I have is a real mess and not working.
In Proftpd I have tried the PassivePorts but it seems to be ignored, but
the Masq directive is being picked up. I have this in my config:

# These ports should be safe...
PassivePorts 60000 65535

when I connect I'm getting this on the server side:

{0}:/home/robert>lsof -i -n | grep -i ftp
proftpd     568   nobody    0u  IPv4 447049808       TCP *:ftp (LISTEN)
proftpd     578   robert    0u  IPv4 447049865       TCP 10.1.1.32:ftp->98.244.36.35:41893 (ESTABLISHED)
proftpd     578   robert    1u  IPv4 447049865       TCP 10.1.1.32:ftp->98.244.36.35:41893 (ESTABLISHED)


Can you paste me your data port lines? If I can get either dynamic
ports working or limited ports, I'll work with it.

Robert




- --

:wq!
====================================================================
Robert L. Harris                     | GPG Key ID: E344DA3B
                                         @ x-hkp://pgp.mit.edu
DISCLAIMER:
      These are MY OPINIONS             With Dreams To Be A King,
       ALONE.  I speak for              First One Should Be A Man
       no-one else.                       - Manowar

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)

iD8DBQFJO/5o8+1vMONE2jsRAsW5AJwNag5H7OOmUy0nKbGLNO61hzSHAQCgkFJ8
BESrRruopzd0cd3Li3+ttUo=
=GTph
-----END PGP SIGNATURE-----
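Added example, not code from any poster in this thread: it covers both Tommy's checklist (data port, passive range, NAT translation of the ftp packets) and Robert's request for the data port lines, and it adds the check a firewall admin would run to tell whether proftpd's PassivePorts and MasqueradeAddress directives are actually taking effect. The first function generates the iptables DNAT/FORWARD rules from the WAN interface, the internal server address and the PassivePorts range; the remaining functions parse the server's "227 Entering Passive Mode" reply and compare the advertised address and port against the configured values. Assumptions: the WAN interface is eth0, the internal server is 10.1.1.32 with PassivePorts 60000-65535 as in the thread, 203.0.113.10 is a placeholder WAN address for MasqueradeAddress, the two sample replies are constructed, and the helper module names nf_conntrack_ftp/nf_nat_ftp are the current ones (ip_conntrack_ftp/ip_nat_ftp on 2008-era kernels).

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: WAN interface eth0,
# internal FTP server 10.1.1.32, PassivePorts 60000-65535 (from the thread),
# 203.0.113.10 is a constructed placeholder for the firewall's WAN address.

# Emit the iptables rules for an FTP server DNAT'd through the firewall.
# The conntrack/nat FTP helpers follow the PASV reply on the control channel
# and mark the data connection RELATED; the explicit range rules make the
# passive data channel work even when the helper does not see that reply.
ftp_dnat_rules() {
    wan_if=$1; server=$2; lo=$3; hi=$4
    if [ "$lo" -lt 1024 ] || [ "$lo" -gt "$hi" ] || [ "$hi" -gt 65535 ]; then
        echo "bad passive range $lo-$hi" >&2
        return 1
    fi
    cat <<EOF
modprobe nf_conntrack_ftp
modprobe nf_nat_ftp
iptables -t nat -A PREROUTING -i $wan_if -p tcp --dport 21 -j DNAT --to-destination $server:21
iptables -t nat -A PREROUTING -i $wan_if -p tcp --dport $lo:$hi -j DNAT --to-destination $server
iptables -A FORWARD -i $wan_if -p tcp -d $server --dport 21 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i $wan_if -p tcp -d $server --dport $lo:$hi -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Split "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" into its six numbers.
pasv_fields() {
    printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p' | tr ',' ' '
}

# Address the server advertised in a 227 reply.
pasv_addr() {
    set -- $(pasv_fields "$1")
    [ $# -eq 6 ] || return 1
    echo "$1.$2.$3.$4"
}

# Port the server advertised in a 227 reply: p1*256 + p2.
pasv_port() {
    set -- $(pasv_fields "$1")
    [ $# -eq 6 ] || return 1
    echo $(( $5 * 256 + $6 ))
}

# Return 0 when the reply advertises the expected (WAN) address and a port
# inside the configured PassivePorts range; print the reason otherwise.
check_pasv_reply() {
    reply=$1; want_addr=$2; lo=$3; hi=$4
    addr=$(pasv_addr "$reply") || { echo "unparseable reply"; return 1; }
    port=$(pasv_port "$reply")
    if [ "$addr" != "$want_addr" ]; then
        echo "MasqueradeAddress not applied: server advertised $addr"
        return 1
    fi
    if [ "$port" -lt "$lo" ] || [ "$port" -gt "$hi" ]; then
        echo "PassivePorts ignored: server advertised port $port"
        return 1
    fi
    echo "ok: $addr:$port"
}

# Constructed sample replies, as one would see them with
# 'tcpdump -A port 21' on the firewall's inside interface.
GOOD_REPLY='227 Entering Passive Mode (203,0,113,10,234,96)'
BAD_REPLY='227 Entering Passive Mode (10,1,1,32,195,80)'

ftp_dnat_rules eth0 10.1.1.32 60000 65535
check_pasv_reply "$GOOD_REPLY" 203.0.113.10 60000 65535
# The second reply leaks the private address and a port outside the range;
# the check reports which directive is not in effect.
check_pasv_reply "$BAD_REPLY" 203.0.113.10 60000 65535 || true
```

Run it on the firewall and pipe the first function's output into sh once the rule set looks right. Two caveats: on kernels from 4.7 onwards the conntrack helper is no longer attached automatically (nf_conntrack_helper defaults to 0), so the control channel also needs `iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp`; and the helper cannot read a TLS-protected control channel at all, which is the other reason to keep the explicit PassivePorts range rules rather than relying on RELATED alone. A PASV reply that still shows 10.1.1.32 after MasqueradeAddress was set is the symptom to look for when, as in the thread, a directive appears to be silently ignored.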
