Old 10-10-2013, 07:17 AM   #1
InToSSH
LQ Newbie
 
Registered: Oct 2013
Posts: 2

Rep: Reputation: Disabled
ProFTPd error fetching folder list using Public IP from LAN


Hello,
today I have installed Ubuntu 13.04 Server on a PC to act like a NAT router for our local network at my work.
I am also running Apache and ProFTPd on this server but I came across one problem.
I have configured proFTPd to masquerade the public IP, and also set passive ports. The problem is that when I am trying to connect with Filezilla or PSPad from inside the LAN and I am connecting to the Public IP address of the router (not the local one), I connect but I get this error:
When using passive mode:
Code:
Error: Disconnected from server: ECONNABORTED - Connection aborted
Error: Failed to retrieve directory listing
When using active mode:
Code:
425 Unable to build data connection: Connection refused
Error: Failed to retrieve directory listing
When I try to connect to the Local IP of the server, it works with no problem.
Also I tried connecting from different network (my home network server) and I can connect either as active or passive also with no problems.
I am not sure if this is the problem of proftpd configuration or NAT configuration.

This is my proftpd.conf
Code:
# Includes DSO modules
Include /etc/proftpd/modules.conf

# Set off to disable IPv6 support which is annoying on IPv4 only boxes.
UseIPv6				on
# If set on you can experience a longer connection delay in many cases.
IdentLookups off

ServerName			"dt-router"
ServerType standalone
DeferWelcome off

MultilineRFC2228 on
DefaultServer on
ShowSymlinks			on

TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200

DisplayLogin                    welcome.msg
DisplayChdir               	.message true
ListOptions                	"-l"

DenyFilter			\*.*/

# Use this to jail all users in their homes 
DefaultRoot			~

# Users require a valid shell listed in /etc/shells to login.
# Use this directive to release that constrain.
# RequireValidShell		off

# Port 21 is the standard FTP port.
Port 21

PassivePorts 60000 60100

MasqueradeAddress x.x.x.x    # My Public IP


<IfModule mod_dynmasq.c>
# DynMasqRefresh 28800
</IfModule>


MaxInstances 30

User				proftpd
Group				nogroup


Umask				022  022

AllowOverwrite			on

TransferLog /var/log/proftpd/xferlog
SystemLog   /var/log/proftpd/proftpd.log


<IfModule mod_quotatab.c>
QuotaEngine off
</IfModule>

<IfModule mod_ratio.c>
Ratios off
</IfModule>


<IfModule mod_delay.c>
DelayEngine on
</IfModule>

<IfModule mod_ctrls.c>
ControlsEngine        off
ControlsMaxClients    2
ControlsLog           /var/log/proftpd/controls.log
ControlsInterval      5
ControlsSocket        /var/run/proftpd/proftpd.sock
</IfModule>

<IfModule mod_ctrls_admin.c>
AdminControlsEngine off
</IfModule>

# Include other custom configuration files
Include /etc/proftpd/conf.d/
My iptables
Code:
root@dt-router:/var/log/proftpd# iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 3391 -j DNAT --to-destination 192.168.8.96:3389
-A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.8.2:25
-A PREROUTING -i eth0 -p tcp -m tcp --dport 143 -j DNAT --to-destination 192.168.8.2:143
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.8.2:443
-A PREROUTING -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 192.168.8.2:110
-A PREROUTING -i eth0 -p tcp -m tcp --dport 135 -j DNAT --to-destination 192.168.8.2:135
-A PREROUTING -i eth0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.8.2:3389
-A PREROUTING -i eth0 -p tcp -m tcp --dport 3390 -j DNAT --to-destination 192.168.8.1:3389
-A POSTROUTING -o eth0 -j MASQUERADE
root@dt-router:/var/log/proftpd# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 67,68 -j DROP
-A INPUT -p udp -m udp -m multiport --dports 67,68 -j DROP
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 60000:60100 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 21 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 60000:60100 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
I know that in the iptables there are redundant entries with -j ACCEPT; I was just helpless so I tried messing with the firewall.
If any of you have some ideas, I would really appreciate it.. Thanks
 
Old 10-10-2013, 11:10 AM   #2
psycroptic
Member
 
Registered: Aug 2011
Location: USA
Distribution: ArchLinux - 3.0 kernel
Posts: 349

Rep: Reputation: Disabled
just noticed, your proftpd.conf has the "MasqueradeAddress" set. Per the docs:

MasqueradeAddress causes the server to display the network information for the specified IP address or DNS hostname to the client, on the assumption that that IP address or DNS host is acting as a NAT gateway or port forwarder for the server.

Have you tried using "DefaultAddress" instead?
 
Old 10-10-2013, 12:28 PM   #3
InToSSH
LQ Newbie
 
Registered: Oct 2013
Posts: 2

Original Poster
Rep: Reputation: Disabled
Thank you for your reply. Yes, I have tried it. But it's still the same, even when leaving them both.

The problem is that there are two routers. It's like this:
Code:
Internet -- xDSL Linksys router (192.168.0.1) - (192.168.0.2) Linux Router (192.168.8.254) - Local Network
On the xDSL Linksys router the Linux router is set like DMZ so it passes through the Public IP address to Linux router. I am not sure if this might be a problem.
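
Added example, not part of the original thread: a small checker for the `227` passive-mode reply that an FTP client logs, comparing the advertised address and port with the `MasqueradeAddress` and `PassivePorts 60000 60100` settings from the configuration above, so the same login can be compared from the LAN and from outside. The sample replies are constructed, and `203.0.113.10` is a placeholder standing in for the masked `x.x.x.x`.

```python
import ipaddress
import re

# RFC 1918 ranges; the thread's LAN side (192.168.8.254) and the link to
# the Linksys (192.168.0.2) both fall inside 192.168.0.0/16.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# RFC 959 format: 227 <text> (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227 .*?" + ",".join([r"(\d{1,3})"] * 6))

# Constructed sample replies (not taken from the thread's logs).
SAMPLE_OK = "227 Entering Passive Mode (203,0,113,10,234,146)."
SAMPLE_LAN = "227 Entering Passive Mode (192,168,8,254,234,146)."
SAMPLE_PORT = "227 Entering Passive Mode (203,0,113,10,20,21)."


def parse_pasv(reply):
    """Return (address, port) advertised in a 227 reply."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % reply)
    addr = ipaddress.ip_address(".".join(str(n) for n in nums[:4]))
    return addr, nums[4] * 256 + nums[5]   # port = p1*256 + p2


def check_pasv(reply, masquerade, port_range=(60000, 60100)):
    """List mismatches between a 227 reply and the server's settings."""
    addr, port = parse_pasv(reply)
    problems = []
    if addr != ipaddress.ip_address(masquerade):
        kind = "private" if any(addr in n for n in RFC1918) else "other"
        problems.append("advertised %s (%s), expected %s"
                        % (addr, kind, masquerade))
    lo, hi = port_range
    if not lo <= port <= hi:
        problems.append("port %d outside PassivePorts %d-%d" % (port, lo, hi))
    return problems


if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_LAN, SAMPLE_PORT):
        print(sample, "->", check_pasv(sample, "203.0.113.10") or "matches")
```

An empty list means the reply matches the configured address and port range; the data connection then has to reach that address and port from wherever the client sits.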
 
  

