bsquirle Posted May 24, 2011

Hi, Here's a description of the situation: I have a linux box sitting in front of my FTP server, the linux box in itself is a standard CentOS setup which runs some other services. It does also provide internet access to the private network behind the box. Now what I want to do is forward the ftp port, I've succeeded in using my FTP server using the active FTP mode, but as soon as I try to switch over to passive mode the connection halts and drops. I've heard about ip_conntrack_ftp modules, they are loaded, tried defining passive port ranges and forwarding these (did not succeed, but might have been an error in the config). Here is the basic NAT configuration:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth2 -o eth0 --source 192.168.0.1 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth0 -j REJECT

As you can see eth0 is the public net, eth2 is the private net. Actually there is still some firewalling device before the linux box, so security is not too much of an issue. (I actually just need the nat since I need to use the ip of the linux box. But the actual linux box needs to stay on-line for other services.) I succeeded in enabling active FTP using:

iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 21 -j DNAT --to-destination 192.168.0.1
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 20 -j DNAT --to-destination 192.168.0.1

Any ideas how I could enable passive FTP in this configuration?
sc302 Veteran Posted May 24, 2011

http://slacksite.com/other/ftp.html

You need to understand the difference between active and passive. They don't use the same data ports. Port 21 is the common one, however there is a range that needs to be opened for your passive.
bsquirle Posted May 24, 2011 Author

So normally if I forward the ports 21 & 30000-31000 to my ftp server, then specify 30000-31000 as the passive ports I should be able to connect, right? Somehow this didn't work, might be the rules, I'll try again. Iptables is making me pull my hair out...
+BudMan MVC Posted May 24, 2011

You mention "Actually there is still some firewalling device before the linux box". How do you know this is not the issue? Is this device in front of the linux box doing nat?

I would suggest you use an ftp client that will show you the actual logs so you can view the port and or pasv commands being sent, to see what IP and ports are being used. So for example here is an active connection to my webhost ftp:

Status: Resolving address of snipped.net
Status: Connecting to 173.236.xx.xx:21...
Status: Connection established, waiting for welcome message...
Response: 220 DreamHost FTP Server
Command: USER <snipped>
Response: 331 Password required for <snipped>
Command: PASS ********
Response: 230 User <snipped> logged in
Command: SYST
Response: 215 UNIX Type: L8
Command: FEAT
Response: 211-Features:
Response: LANG en
Response: MDTM
Response: UTF8
Response: REST STREAM
Response: SIZE
Response: 211 End
Command: OPTS UTF8 ON
Response: 200 UTF8 set to on
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is the current directory
Command: TYPE I
Response: 200 Type set to I
Command: PORT 192,168,1,100,105,115
Response: 200 PORT command successful
Command: LIST
Response: 150 Opening ASCII mode data connection for file list
Response: 226 Transfer complete

Notice the port command PORT 192,168,1,100,105,115. It tells the server to connect back to me on IP address 192.168.1.100 on port 105*256+115 = 26995. Now my router with a ftp helper converts that private IP my client sends to the server into the public IP, or it would never in a million years work - since it would be impossible for the server to connect to a private 192.168 address.

Now in a passive setup you see a command like this:

Command: PASV
Response: 227 Entering Passive Mode (173,236,xxx,xxx,193,49).
Command: LIST

Same sort of thing - but the server is telling my client to connect to his IP on that port 193*256+49 = 49457.

Moving through double nats, problems with ftp helpers, etc. can all cause you grief.. Understanding exactly what is going on is the key to how to correctly set up the ftp server and what rules you need in place on any firewalls or nat routers. Also you need to know if there is any sort of ftp helper in place on the nat routers. And are you running through a double nat??

You can view the ftp helper at work by sniffing the traffic on the nat router.. So for example I will capture traffic on my router while I make an active connection and watch the router change the IP in the command. So I made a new connection and you see this port command:

Command: PORT 192,168,1,100,105,160
Response: 200 PORT command successful
Command: LIST

So that's port 105*256+160. But on the wan side of my firewall you see it changed the IP from 192.168.1.100 to my public IP of 24.13.snipped.snipped but still left the port command at 105,160.

Before you get all worked up about what iptables rules to put in place - I would suggest we dive a bit more into your setup and that other firewall you say is in front of the centos box you have doing nat, etc. But then again if you have ACTIVE FTP working - what does it matter, just have your clients that need access to your ftp server use active! Or better yet you might want to move to something a bit more secure like SFTP.. Now you only have to worry about 1 port, the port your SSH server is listening on.. And like you see in the above capture, with standard ftp everything is sent in the CLEAR!!
bsquirle Posted May 25, 2011 Author

The device in front of the CentOS box is doing nat, routing and firewalling. I know this is not an issue since FTP to the CentOS box itself works perfectly (ran it as a test).

The solution to this problem was rather stupid, I had to force the ip for the passive connections in the FTP configuration to the ip of the centos box. It seems like iptables did not replace this ip (problem with the helper?). From there on everything runs fine, the Cisco device in front of it does inspect the FTP traffic and changes the passive ip correctly.

iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 21 -j DNAT --to-destination 192.168.0.1:21
iptables -t nat -A PREROUTING -p tcp -i eth0 -m multiport --destination-ports 30000:31000 -j DNAT --to-destination 192.168.0.1:30000-31000

(Passive ports are configured to be between 30000 and 31000.)

Why couldn't I use active ftp or sftp? Since this is replacing an existing service and has to be 100% compatible with legacy applications. Personally I would have preferred to let the client applications connect directly to the FTP server, but this was not an option.
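The PORT/PASV arithmetic BudMan walks through above and the private-address problem bsquirle ran into (the server announcing 192.168.0.1 in its 227 reply) can both be checked mechanically from a client log. The following is an added example, not code from this thread; it assumes FileZilla-style log lines (constructed here with made-up addresses) and a forwarded passive range of 30000-31000 as in the final configuration.

```python
import ipaddress
import re

# Constructed control-channel lines in FileZilla log style, modelled on the
# captures quoted in the thread (addresses are made up, not the posters' real ones).
SAMPLE_LINES = [
    "Command: PORT 192,168,1,100,105,115",
    "Response: 227 Entering Passive Mode (173,236,10,20,193,49).",
    # A server behind NAT announcing its private address: the problem in this thread.
    "Response: 227 Entering Passive Mode (192,168,0,1,117,48).",
]

HOSTPORT = r"(\d{1,3}(?:,\d{1,3}){5})"
PORT_RE = re.compile(r"^PORT\s+" + HOSTPORT)
PASV_RE = re.compile(r"^227\b.*?\(" + HOSTPORT + r"\)")


def decode_hostport(field):
    """'h1,h2,h3,h4,p1,p2' -> ('h1.h2.h3.h4', p1*256 + p2), validating each octet."""
    parts = [int(x) for x in field.split(",")]
    if len(parts) != 6 or any(v > 255 for v in parts):
        raise ValueError(f"malformed host-port field: {field!r}")
    return ".".join(map(str, parts[:4])), parts[4] * 256 + parts[5]


def parse_line(line):
    """Return (kind, ip, port) for a PORT command or a 227 PASV reply, else None."""
    text = re.sub(r"^(Command|Response):\s*", "", line.strip())
    for kind, pattern in (("PORT", PORT_RE), ("PASV", PASV_RE)):
        m = pattern.match(text)
        if m:
            return (kind,) + decode_hostport(m.group(1))
    return None


def is_private_announcement(ip):
    """RFC 1918 address: unreachable from the Internet unless a NAT helper or the server config substitutes the public IP."""
    return ipaddress.IPv4Address(ip).is_private


def audit(lines, passive_range=None):
    """Flag data-channel announcements that cannot work through the NAT in this thread.
    passive_range is the (low, high) port range forwarded to the server, if any."""
    findings = []
    for kind, ip, port in filter(None, map(parse_line, lines)):
        problems = []
        if is_private_announcement(ip):
            problems.append("private address announced")
        if kind == "PASV" and passive_range and not passive_range[0] <= port <= passive_range[1]:
            problems.append("port outside forwarded passive range")
        findings.append((kind, ip, port, problems))
    return findings
```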