
I have 2 servers, one as gateway/router, the other one as server. I use iptables to port forward the following ports: 21, 20, 65500-65600. When I connect with Filezilla or Total Commander, the ftp client knows that 10.10.0.1 represents an internal IP address and switches to the external IP address. However, the NPPftp plugin from Notepad++ connects to the server, but when it switches to passive mode, it tries the internal IP address and freezes.

Output:

220 ProFTPD x.x.x Server [10.10.0.1]
-> USER www  
331 Password required for www
-> PASS *HIDDEN*
230 User www logged in
-> TYPE A  
200 Type set to A
-> MODE S  
200 Mode set to S
-> STRU F  
200 Structure set to F
-> PWD  
257 "/" is the current directory
Connected
-> CWD /  
250 CWD command successful
-> PASV  
227 Entering Passive Mode (10,10,0,1,255,222).
-> LIST -al  
Failure retrieving contents of directory /

Is there a way to return the external IP address for the passive ports from iptables?

masegaloeh
machineaddict
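To show concretely why NPPftp hangs while FileZilla and Total Commander do not, here is an added example (not code from the question or from any of those clients) that parses the `227` reply from the log above the way an FTP client must, computes the data port, and applies the fallback a NAT-aware client uses: if the address in the reply is RFC 1918 but the control connection was opened to a non-private address, reuse the control-connection host instead. The public address `203.0.113.10`, the LAN client address and the forwarded range `65500-65600` are assumptions taken from the question's setup and RFC 5737 placeholder space.

```python
import ipaddress
import re

# Constructed sample: the passive-mode reply copied from the question's log.
PASV_REPLY = "227 Entering Passive Mode (10,10,0,1,255,222)."

# Placeholder public address of the gateway; an assumption, not from the thread.
PUBLIC_HOST = "203.0.113.10"

# The port range the question forwards with iptables.
FORWARDED_RANGE = (65500, 65600)

# RFC 959: 227 ... (h1,h2,h3,h4,p1,p2)  -> host h1.h2.h3.h4, port p1*256+p2
PASV_RE = re.compile(
    r"^227\b.*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

# Checked explicitly rather than via ipaddress.is_private, because Python also
# treats documentation ranges such as 203.0.113.0/24 as "private".
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(host):
    """True if host is an IPv4 address in one of the RFC 1918 blocks."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in RFC1918)


def parse_pasv(reply):
    """Return (host, port) from a 227 reply; raise ValueError if it is malformed."""
    m = PASV_RE.search(reply.strip())
    if not m:
        raise ValueError(f"not a well-formed 227 reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError(f"octet out of range in {reply!r}")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_endpoint(reply, control_host, forwarded=FORWARDED_RANGE):
    """Decide where the data connection should go.

    Returns (host, port, note). note is None when the reply is used as-is, or a
    short explanation when the NAT fallback kicked in. A naive client (the
    behaviour the question reports for NPPftp) would connect to the private
    address unconditionally and hang until the TCP timeout.
    """
    host, port = parse_pasv(reply)
    note = None
    if is_rfc1918(host) and not is_rfc1918(control_host):
        # Same rule FileZilla/Total Commander apply per the question: trust the
        # address we actually reached, not the one the NATed server announced.
        host, note = control_host, f"227 announced private {host}; using control host"
    lo, hi = forwarded
    if not lo <= port <= hi:
        # Server picked a port the gateway does not forward: listing would fail
        # even with the right address, so report it instead of silently trying.
        raise ValueError(f"data port {port} outside forwarded range {lo}-{hi}")
    return host, port, note


if __name__ == "__main__":
    print(parse_pasv(PASV_REPLY))                       # ('10.10.0.1', 65502)
    print(data_endpoint(PASV_REPLY, PUBLIC_HOST))       # falls back to the public host
    print(data_endpoint(PASV_REPLY, "10.10.0.1"))       # LAN client: uses 10.10.0.1 as-is
```

Running it against the question's own reply gives port `65502` (`255*256 + 222`), which is inside the forwarded range, so the only reason the listing fails is the address: a client that applies the fallback reaches the gateway, one that does not connects to `10.10.0.1` and waits.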

2 Answers


From the doc http://www.proftpd.org/docs/howto/NAT.html, there is a MasqueradeAddress directive to use, and you have to define the range of ports to allow (or use the conntrack_ftp module like MadHatter said).

Dom
  • I know this is years old by now, but both WAN and LAN traffic are connecting to 192.168.0.4 (the IP address of the FTP server) because WAN traffic is routed there via the firewall. How does `MasqueradeAddress` help in this situation? Either WAN will work or LAN will - not both. I think the solution in the case where the FTP server only has 1 IP address is by using `mod_ifsession` to define `from` classes per the link you provided. – Lifz Sep 08 '17 at 15:43
  • You are right, but you can also use NAT hairpinning and use the external IP to connect together with MasqueradeAddress. It was not specified that the server must be connected to from both the internal and external network, so my solution was valid. – Dom Sep 09 '17 at 13:27
  • Can you expound on how to "use the NAT hair pin and use the external IP to connect"? I can ask a new question if you like so you can get points for that. You're right, your solution was valid, I was just asking a question. I got it worked out over here but not the way I want to (used a non-standard port, which I dislike): https://serverfault.com/questions/872720/proftpd-server-behind-firewall-returns-internal-ip-address-for-wan-and-lan-conne – Lifz Sep 09 '17 at 16:39
  • The hairpin in NAT: the client connects to the server by using the external NAT IP. The NAT is done by the router to the server with translation, so the server answers to the router, which resends to the client after decapsulation. This feature is not available on all NAT routers but should really be a must-have. This is hairpinning from the internal to the internal network. – Dom Sep 11 '17 at 18:34
  • Ah, ok that's just normal NAT using our Linux firewall from what I understand. That sends packets to the ftp server using the internal address so it still can't tell it's external traffic. Thanks though! – Lifz Sep 12 '17 at 12:12
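The two directives the answer refers to, written out as an added configuration example (not taken from the answer, the linked howto or the thread). `203.0.113.10` is a placeholder for the router's public address and `10.10.0.0/24` a placeholder for the LAN; the port range is the one the question already forwards. The `<Class>`/`<IfClass>` scoping is the mod_ifsession approach Lifz's comment mentions, written as I understand the howto, so check it against your ProFTPD version before relying on it; the plain `MasqueradeAddress` line on its own is the answer's original suggestion.

```apacheconf
# Added example, not from the thread. Placeholders: 203.0.113.10 (public IP),
# 10.10.0.0/24 (LAN). Adjust both to your network.

# Announce only ports the gateway forwards (iptables DNAT 65500-65600 in the
# question); otherwise the client reaches a port nobody is listening on.
PassivePorts 65500 65600

# Simplest form (the answer's suggestion): every 227 reply carries the public
# address. Fine when clients only ever connect from outside.
# MasqueradeAddress 203.0.113.10

# Scoped form (assumption, per Lifz's comment): LAN clients keep the real
# address, everyone else gets the public one.
<Class lan>
  From 10.10.0.0/24
</Class>

<IfModule mod_ifsession.c>
  <IfClass !lan>
    MasqueradeAddress 203.0.113.10
  </IfClass>
</IfModule>
```

After a restart, the `227` line for an external client should show the public address in the first four numbers while a LAN client still sees `10,10,0,1`; if both still show the private address, the class did not match and the directive is not being applied. The `PassivePorts` range has to match the gateway's forwarded range exactly, since a server-chosen port outside it fails regardless of which address is announced.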

In new versions you don't need any masquerading. To allow both Active and Passive transfers you need to open the following ports on the client and server side:

  • IN: TCP 20,21,60000-65535
  • OUT: TCP 20,21,60000-65535

Then update the FTP server to use the passive port range 60000-65535. Then on the client side use Passive mode (in case of a NATed IP); otherwise Active will work as well. Details and instructions: http://sysadm.pp.ua/linux/proftpd-ubuntu-16-04.html