
I'm using ProFTPD on a Debian server behind another Debian firewall. I can connect to the ftp server from the outside. However, the virtual host that gets chosen is always 192.168.0.4 regardless of WAN or LAN connections. This causes an issue when entering PASV mode when the ftp server responds with the internal IP address to WAN connections.

I know there is a MasqueradeAddress directive for WAN connections, but my WAN connections are connecting to my internal virtual host.

Since there is only 1 IP address on the FTP server, do I need to use the mod_ifsession module as described here: http://www.proftpd.org/docs/howto/NAT.html?

Lifz
  • How can your WAN connections be connecting to the RFC 1918 192.168.0.4 address? The only way that is possible is if those connections are being forwarded through something else. And that something else can probably be made to forward connections to a different address (or port) on your FTP server, for which you can configure a separate `<VirtualHost>` section which uses the `MasqueradeAddress` directive. – Castaglia Sep 08 '17 at 16:14
  • I'm sorry, I guess I thought it was implied, but I didn't explicitly say that I am forwarding FTP connections (using iptables) from the firewall to the FTP server. So you think I should change the FTP server's `<VirtualHost>` port from the default 21 to, say, 2121 and forward 2121 from the firewall to the FTP server? – Lifz Sep 08 '17 at 16:27
  • The thing is, I don't want our clients to have to use a different port depending on whether they're inside or outside of the network. Ideally (is this possible?) I want ProFTPD to know "this is a WAN connection, send them the external IP" and the same for LAN, sending the internal IP. – Lifz Sep 08 '17 at 16:37

1 Answer

In the original question, I asked if I have to use the mod_ifsession module. So far, that is the only way I can get it to work. Maybe that's expected but I was hoping to use a <VirtualHost> block to get it working.

Here is what I did:

<IfModule mod_ifsession.c>
  # Clients connecting from the LAN subnet belong to the "internal" class
  <Class internal>
    From 192.168.0.0/24
  </Class>

  # Any client NOT in the internal class (i.e. WAN) is given the external
  # address in PASV replies instead of the server's real 192.168.0.4
  <IfClass !internal>
    MasqueradeAddress 1.2.3.4
  </IfClass>
</IfModule>

Using that, incoming LAN connections get the internal IP (192.168.0.4) and WAN connections get the external IP (1.2.3.4). I don't know if it's ideal, but it does work.

Edit: I was also able to get it working using a different port, as suggested. You may or may not wish to run ftp on a non-standard port, so maybe this method is not for you. If you forward port 21 on the firewall to the ftp server using, say, 2121 and listen on port 2121 in one of your <VirtualHost> blocks, you then know it's an external connection. Here is the block I used for that:

# Only the firewall's port-forward reaches this port, so every session
# here is a WAN connection and gets the external address in PASV replies
<VirtualHost 192.168.0.4>
  ServerName "External"
  Port 2121
  MasqueradeAddress 1.2.3.4
</VirtualHost>

Note: If you do it this way, the "server config" directives (anything not in a <VirtualHost> or <Global> block) will not be applied. You may have to repeat some directives or use a <Global> block.

Lifz
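To confirm that either configuration above actually hands out the right address, the following Python script is an added check (not from the answer or from ProFTPD): it models the `<Class internal>` / `<IfClass !internal>` rule, parses the server's `227 Entering Passive Mode` reply, and compares the two. The internal and masquerade addresses are the ones from the answer; the host, port, credentials and the sample reply are assumptions.

```python
"""Verify which address a ProFTPD server advertises in its PASV reply."""
import ipaddress
import re
from ftplib import FTP

# Mirrors the answer's config: 192.168.0.0/24 is the "internal" class and
# sees the real address; everyone else sees MasqueradeAddress.
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/24")]
INTERNAL_ADDR = "192.168.0.4"   # the server's own interface address
MASQUERADE_ADDR = "1.2.3.4"     # placeholder external address from the answer

# RFC 959 PASV reply: 227 ... (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv_reply(reply: str):
    """Return (ip, port) advertised in a 227 Entering Passive Mode reply."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def expected_pasv_ip(client_ip: str) -> str:
    """Address the <IfClass !internal> rule should advertise to client_ip."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in INTERNAL_NETS):
        return INTERNAL_ADDR
    return MASQUERADE_ADDR


def pasv_advertises_expected(host: str, port: int, client_ip: str,
                             user: str = "anonymous",
                             password: str = "check@") -> bool:
    """Log in, issue PASV, and compare the advertised IP with the expectation.

    client_ip is the address this check is run from (assumed known).
    Run once from the LAN and once from outside to cover both classes.
    """
    with FTP() as ftp:
        ftp.connect(host, port, timeout=10)
        ftp.login(user, password)
        advertised, _ = parse_pasv_reply(ftp.sendcmd("PASV"))
    return advertised == expected_pasv_ip(client_ip)


if __name__ == "__main__":
    # Constructed sample reply, as an internal client would see it.
    print(parse_pasv_reply("227 Entering Passive Mode (192,168,0,4,195,80)."))
```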