
I have the following configuration:

FTP client (public_IP1) => internet => Firewall(Public_IP2) => FTP server (10.10.12.171)

I have the following iptables rules at the firewall:

DNAT        tcp  --  0.0.0.0/0      Public_IP2  tcp dpt:21 to:10.10.12.171
MASQUERADE  all  --  10.0.0.0/8     0.0.0.0/0

I also have nf_conntrack_ftp loaded at the firewall:

nf_conntrack_ftp       13057  0 
nf_conntrack           79944  6 nf_conntrack_ftp,nf_conntrack_ipv4,nf_nat,iptable_nat,vzcpt,vzrst

In active mode everything works perfectly. In passive mode I get the following error (at the client):

ftp> passive
Passive mode on.
ftp> dir
227 Entering Passive Mode (10,10,12,171,86,26)
ftp: connect: No route to host

I guess the client tries to connect to my private IP (10.10.12.171). How do I change it?

kakabomba

2 Answers


Your FTP server needs to be configured for this, as it's behind NAT. You didn't say what FTP server software you are using, so I will provide the required config directive for ProFTPD as an example:

# If your host was NATted, this option is useful in order to
# allow passive transfers to work. You have to use your public
# address and opening the passive ports used on your firewall as well.
MasqueradeAddress       Public_IP2
  • Yes, thanks. That is a solution. I have pure-ftpd and the relevant configuration lives in /etc/pure-ftpd/conf/ForcePassiveIP: echo Public_IP2 > /etc/pure-ftpd/conf/ForcePassiveIP. But I face another problem. I also need to forward the ports for passive connections (listed in /etc/pure-ftpd/conf/PassivePortRange). In my situation I have a lot of FTP servers (they are VZ containers in fact). So I need N(containers)*M(simultaneous users per container) iptables rules. Moreover, the configuration on each server must be different. Is there maybe a simpler way to handle this problem? – kakabomba Jul 04 '15 at 21:23
  • I suggest using a unique passive port range on each FTP server, and in addition, on the gateway: -A FORWARD -i EXTIF -o INTIF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT. Replace EXTIF and INTIF with yours. – Andrii Kupchanko Jul 04 '15 at 21:29
  • Yes, thanks (that is what I called "the configuration on each server must be different"). Maybe there is some kind of masquerading for ports? I will look for a solution and report back. Thanks. – kakabomba Jul 04 '15 at 21:31

There are two solutions:

  1. As @andrii-kupchanko mentioned, you can change the FTP server configuration. This change forces the server to send the external IP (Public_IP2) to the client as the IP for the passive back-connection. The drawback is the necessity of forwarding the passive connections back to the FTP server residing in the private subnet (via iptables) and statically binding the ports used by passive connections.

  2. You just need two modules, nf_conntrack_ftp and nf_nat_ftp. The lack of the second module is why passive connections to a server behind the gateway didn't work.

kakabomba
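The gateway-side setup that the second answer describes, as an added example (it is not from the original post or from any of the posters): a POSIX shell script that loads both modules, binds the ftp conntrack helper to the control port, installs the DNAT, MASQUERADE and FORWARD rules from the question, and decodes a 227 reply so you can check which address and port the client is actually being sent to. The interface names eth0/venet0 and the address 203.0.113.2 in the usage are placeholders standing in for the question's EXTIF/INTIF and Public_IP2; 10.10.12.171 is the question's server. One caveat the thread does not mention: on kernels 4.7 and later the helper is no longer attached to connections automatically (net.netfilter.nf_conntrack_helper defaults to 0 and the sysctl was removed in 6.0), so the explicit `-t raw ... -j CT --helper ftp` rule is required; without it the 227 reply still carries the private address even with nf_nat_ftp loaded.

```sh
#!/bin/sh
# Added example, not from the original post. Placeholders: EXTIF/INTIF are
# the gateway's outside/inside interfaces, PUBLIC_IP is the question's
# Public_IP2, SERVER_IP is the FTP server (10.10.12.171 in the question).
set -eu

# Print each command; execute it only when APPLY=1 (needs root on the gateway).
run() {
    printf '%s\n' "$*"
    if [ "${APPLY:-0}" = 1 ]; then "$@"; fi
}

# Decode an FTP "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply and
# print "h1.h2.h3.h4 PORT" where PORT = p1*256 + p2. This is the endpoint the
# client will open its data connection to; if it is the private server
# address, the NAT helper did not rewrite the reply.
pasv_endpoint() {
    nums=$(printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p')
    # shellcheck disable=SC2046
    set -- $(printf '%s\n' "$nums" | tr ',' ' ')
    [ "$#" -eq 6 ] || return 1
    printf '%s.%s.%s.%s %d\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

# Emit the rules that make passive FTP work through the gateway.
# Usage: ftp_nat_rules EXTIF INTIF PUBLIC_IP SERVER_IP
ftp_nat_rules() {
    extif=$1 intif=$2 pub=$3 srv=$4
    # Both modules: conntrack parses the FTP control channel, nat rewrites
    # the 227 reply and NATs the expected data connection.
    run modprobe nf_conntrack_ftp
    run modprobe nf_nat_ftp
    # Kernel >= 4.7: helpers are not auto-assigned, bind it explicitly in the
    # raw table (runs before DNAT, so match on the public address).
    run iptables -t raw -A PREROUTING -i "$extif" -d "$pub" -p tcp --dport 21 \
        -j CT --helper ftp
    # Control connection: the DNAT the question already has.
    run iptables -t nat -A PREROUTING -i "$extif" -d "$pub" -p tcp --dport 21 \
        -j DNAT --to-destination "$srv"
    # Outbound masquerade for the private subnet, as in the question.
    run iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -o "$extif" -j MASQUERADE
    # Forward the new control connection, then everything conntrack marks
    # ESTABLISHED or RELATED. The helper marks each passive data connection
    # RELATED, so no per-port DNAT rules are needed for PassivePortRange.
    run iptables -A FORWARD -i "$extif" -o "$intif" -d "$srv" -p tcp --dport 21 \
        -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}
```

`ftp_nat_rules eth0 venet0 203.0.113.2 10.10.12.171` only prints the commands for review; prefix it with `APPLY=1` on the gateway to execute them. After that, `pasv_endpoint '227 Entering Passive Mode (10,10,12,171,86,26)'` prints `10.10.12.171 22042`, which is exactly the private endpoint the question's client was being sent to; with the helper active the reply the client sees should instead carry Public_IP2 and the same port.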