0

I have 4 web servers for different tasks, behind a firewall. I have a single public IP and I want to connect to my servers with FTP with this IP. I tried to use a different port but no results.

So my question is: is it possible to have a proxy (like Apache in HTTP) which can redirect to the right server (by the URL, the port or the username, it doesn't matter)?

Thanks a lot for your answers

PS: All my servers are on Debian 7

MadHatter
Tartempion34
  • When you say "*I tried to use a different port but no results*", could you be more specific? That ought to work, given the right client. – MadHatter Jul 10 '14 at 07:20
  • Thanks for your comment. When I say "I tried to use a different port" I mean that I have written a port-forwarding rule in my firewall (ports 21-22 for one server, 221-222 for the second and 321-322 for the third), but it's not working. – Tartempion34 Jul 10 '14 at 07:25
  • This is the right track. You would use either of 2 methods: port-forward as you did and change the settings on the server, or forward 221-222 to 21-22 on the second server. With the second approach you don't need to change the FTP server settings. – Dennis Nolte Jul 10 '14 at 07:29
  • Okay, so if I understand, I have to do this with a different port per server; it's not possible to do this with username checking. Maybe I got my ProFTPD configuration wrong. If I remember, FTP uses ports 21 and 22 to connect but the packets pass through other ports (like 5523 etc). Do I have to redirect some other ports? Thanks a lot for your answers – Tartempion34 Jul 10 '14 at 07:32

2 Answers

3

Simply put, no. HTTP sends the hostname with each request, which is why things like name-based virtual hosting work.

FTP does not, making it impossible to distinguish whether an incoming FTP connection is to FTP.example.com or to, for instance, FTP.example.net.

HBruijn
2

You can select 4 different ports for each one of your FTP servers, for example 2112, 2113, 2114, 2115, and then create port forwarding (NAT) rules in your firewall like so:

# The FORWARD chain sees each packet after DNAT, so its rule matches the backend address and port 21, not the public port.
iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 2112 -j DNAT --to 192.168.1.2:21
iptables -A FORWARD -p tcp -m state --state NEW -d 192.168.1.2 --dport 21 -i eth1 -j ACCEPT

iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 2113 -j DNAT --to 192.168.1.3:21
iptables -A FORWARD -p tcp -m state --state NEW -d 192.168.1.3 --dport 21 -i eth1 -j ACCEPT

iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 2114 -j DNAT --to 192.168.1.4:21
iptables -A FORWARD -p tcp -m state --state NEW -d 192.168.1.4 --dport 21 -i eth1 -j ACCEPT

iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 2115 -j DNAT --to 192.168.1.5:21
iptables -A FORWARD -p tcp -m state --state NEW -d 192.168.1.5 --dport 21 -i eth1 -j ACCEPT

In this way, the incoming FTP connections will be redirected to the correct servers based on the port used.

Itai Ganot
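The comments ask whether ports beyond the control port need redirecting: passive-mode data connections do, so this added example (not part of either answer) prints the rules for a control port plus a dedicated passive range per server, and rejects a table in which two servers share a public port. The passive ranges are assumed values; the interface, control ports and addresses follow the answer above.

```shell
#!/bin/sh
# Prints (does not apply) NAT rules for several FTP servers behind one public IP.
# Constructed values: the passive ranges are assumptions chosen for illustration.
EXT_IF=eth1

# ctrl_port backend_ip passive_low passive_high
BACKENDS='2112 192.168.1.2 50000 50049
2113 192.168.1.3 50050 50099
2114 192.168.1.4 50100 50149
2115 192.168.1.5 50150 50199'

# Rules for one backend. FORWARD is evaluated after DNAT, so it matches the
# backend address and the translated port (21), not the public port.
ftp_rules() {
    ctrl=$1; ip=$2; lo=$3; hi=$4
    echo "iptables -t nat -A PREROUTING -i $EXT_IF -p tcp --dport $ctrl -j DNAT --to-destination $ip:21"
    echo "iptables -A FORWARD -i $EXT_IF -p tcp -d $ip --dport 21 -m state --state NEW -j ACCEPT"
    # The passive data range is forwarded port-for-port so the port in the
    # server's PASV reply is the one the client can actually reach.
    echo "iptables -t nat -A PREROUTING -i $EXT_IF -p tcp --dport $lo:$hi -j DNAT --to-destination $ip"
    echo "iptables -A FORWARD -i $EXT_IF -p tcp -d $ip --dport $lo:$hi -m state --state NEW -j ACCEPT"
}

# Fail if any two backends share a public port: with a single public IP each
# control port and each passive range must map to exactly one server.
check_table() {
    echo "$1" | awk '
        { for (p = $3; p <= $4; p++) if (seen[p]++) bad = 1
          if (seen[$1]++) bad = 1 }
        END { exit bad + 0 }'
}

all_rules() {
    check_table "$1" || { echo "overlapping public ports" >&2; return 1; }
    echo "$1" | while read -r ctrl ip lo hi; do
        ftp_rules "$ctrl" "$ip" "$lo" "$hi"
    done
}

all_rules "$BACKENDS"
```

Each server must then hand out only ports from its own range and advertise the public address in passive replies; in ProFTPD these are the `PassivePorts` and `MasqueradeAddress` directives.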