Hello,
today I have installed Ubuntu 13.04 Server on a PC to act as a NAT router for our local network at my work.
I am also running Apache and ProFTPd on this server but I came across one problem.
I have configured ProFTPd to masquerade the public IP, and also set passive ports. The problem is that when I try to connect with FileZilla or PSPad from inside the LAN, connecting to the public IP address of the router (not the local one), I connect but I get this error:
When using passive mode:
Code:
Error: Disconnected from server: ECONNABORTED - Connection aborted
Error: Failed to retrieve directory listing
When using active mode:
Code:
425 Unable to build data connection: Connection refused
Error: Failed to retrieve directory listing
When I try to connect to the Local IP of the server, it works with no problem.
Also, I tried connecting from a different network (my home network server) and I can connect in either active or passive mode, also with no problems.
I am not sure if this is a problem with the proftpd configuration or with the NAT configuration.
This is my proftpd.conf:
Code:
# Includes DSO modules
Include /etc/proftpd/modules.conf
# Set off to disable IPv6 support which is annoying on IPv4 only boxes.
UseIPv6 on
# If set on you can experience a longer connection delay in many cases.
IdentLookups off
ServerName "dt-router"
ServerType standalone
DeferWelcome off
MultilineRFC2228 on
DefaultServer on
ShowSymlinks on
TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200
DisplayLogin welcome.msg
DisplayChdir .message true
ListOptions "-l"
DenyFilter \*.*/
# Use this to jail all users in their homes
DefaultRoot ~
# Users require a valid shell listed in /etc/shells to login.
# Use this directive to release that constraint.
# RequireValidShell off
# Port 21 is the standard FTP port.
Port 21
PassivePorts 60000 60100
MasqueradeAddress x.x.x.x # My Public IP
<IfModule mod_dynmasq.c>
# DynMasqRefresh 28800
</IfModule>
MaxInstances 30
User proftpd
Group nogroup
Umask 022 022
AllowOverwrite on
TransferLog /var/log/proftpd/xferlog
SystemLog /var/log/proftpd/proftpd.log
<IfModule mod_quotatab.c>
QuotaEngine off
</IfModule>
<IfModule mod_ratio.c>
Ratios off
</IfModule>
<IfModule mod_delay.c>
DelayEngine on
</IfModule>
<IfModule mod_ctrls.c>
ControlsEngine off
ControlsMaxClients 2
ControlsLog /var/log/proftpd/controls.log
ControlsInterval 5
ControlsSocket /var/run/proftpd/proftpd.sock
</IfModule>
<IfModule mod_ctrls_admin.c>
AdminControlsEngine off
</IfModule>
# Include other custom configuration files
Include /etc/proftpd/conf.d/
My iptables:
Code:
root@dt-router:/var/log/proftpd# iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 3391 -j DNAT --to-destination 192.168.8.96:3389
-A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.8.2:25
-A PREROUTING -i eth0 -p tcp -m tcp --dport 143 -j DNAT --to-destination 192.168.8.2:143
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.8.2:443
-A PREROUTING -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 192.168.8.2:110
-A PREROUTING -i eth0 -p tcp -m tcp --dport 135 -j DNAT --to-destination 192.168.8.2:135
-A PREROUTING -i eth0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.8.2:3389
-A PREROUTING -i eth0 -p tcp -m tcp --dport 3390 -j DNAT --to-destination 192.168.8.1:3389
-A POSTROUTING -o eth0 -j MASQUERADE
root@dt-router:/var/log/proftpd# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 67,68 -j DROP
-A INPUT -p udp -m udp -m multiport --dports 67,68 -j DROP
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 60000:60100 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 21 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 60000:60100 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
I know that there are redundant entries with -j ACCEPT in the iptables rules; I was just helpless, so I tried messing with the firewall.
If any of you have some ideas, I would really appreciate it. Thanks
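As an added example (not code from the poster, nor from ProFTPD or iptables), the Python below does two offline checks a practitioner would want when debugging passive FTP behind NAT: it decodes a 227 PASV reply and reports whether the advertised host is the one the client actually reached and whether the port falls inside the configured PassivePorts range, and it models the plain tcp --dport rules of an `iptables -S` dump to say which rule (or chain policy) decides a given port on a given ingress interface. The PASV reply and the public address 203.0.113.10 are constructed stand-ins for the x.x.x.x in the config; the iptables lines are the ones from the post. Multiport and state matches are reported as skipped rather than evaluated.

```python
"""Offline checks for passive FTP behind NAT (added example; not the poster's code).

Check 1: decode a 227 PASV reply and confirm the advertised host/port is one the
client can reach and sits inside the configured PassivePorts range.
Check 2: model the plain tcp/--dport rules of an ``iptables -S`` dump and report
which rule (or the chain policy) decides a port on a given ingress interface.
The PASV reply and 203.0.113.10 are constructed; the iptables lines are copied
from the post above.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

PASV_RE = re.compile(r"227\b[^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply: str) -> tuple[str, int]:
    """Decode 'h1,h2,h3,h4,p1,p2' from an RFC 959 227 reply into (host, port)."""
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    f = [int(x) for x in m.groups()]
    if any(v > 255 for v in f):
        raise ValueError("octet out of range in PASV reply")
    return ".".join(map(str, f[:4])), f[4] * 256 + f[5]


def check_pasv(reply: str, control_peer: str, passive_range=(60000, 60100)) -> list[str]:
    """Return findings for a PASV reply seen by a client that reached control_peer."""
    host, port = parse_pasv(reply)
    lo, hi = passive_range
    findings = []
    if not lo <= port <= hi:
        findings.append(f"data port {port} is outside PassivePorts {lo}-{hi}")
    if host != control_peer:
        # MasqueradeAddress makes the server advertise its public address to every
        # client, including LAN clients that reached it on an internal address;
        # clients that enforce same-host checks ignore or refuse such a reply.
        findings.append(f"advertised {host} but the client reached the server at {control_peer}")
    return findings


@dataclass
class Rule:
    chain: str
    in_iface: Optional[str]
    out_iface: Optional[str]
    lo: int  # dport range; 0-65535 when the rule has no --dport
    hi: int
    target: str


POLICY_RE = re.compile(r"^-P (\w+) (\w+)$")
RULE_RE = re.compile(
    r"^-A (?P<chain>\w+)(?: -i (?P<in>\S+))?(?: -o (?P<out>\S+))?"
    r"(?: -p tcp -m tcp --dport (?P<lo>\d+)(?::(?P<hi>\d+))?)? -j (?P<target>\w+)$"
)


def parse_iptables(dump: str) -> tuple[dict[str, str], list[Rule], list[str]]:
    """Return (chain policies, modelled rules, lines whose matches are not modelled)."""
    policies, rules, skipped = {}, [], []
    for line in dump.splitlines():
        line = line.strip()
        if not line.startswith("-"):
            continue  # shell prompt or command echo
        if (m := POLICY_RE.match(line)):
            policies[m.group(1)] = m.group(2)
        elif (m := RULE_RE.match(line)):
            lo = int(m["lo"]) if m["lo"] else 0
            hi = int(m["hi"]) if m["hi"] else (lo if m["lo"] else 65535)
            rules.append(Rule(m["chain"], m["in"], m["out"], lo, hi, m["target"]))
        else:
            skipped.append(line)  # multiport, state, udp: not modelled, reported instead
    return policies, rules, skipped


def verdict(policies, rules, chain: str, port: int, in_iface: str,
            out_iface: Optional[str] = None) -> tuple[str, str]:
    """First matching modelled rule wins; otherwise the chain policy applies."""
    for r in rules:
        if r.chain != chain or not r.lo <= port <= r.hi:
            continue
        if r.in_iface and r.in_iface != in_iface:
            continue
        if r.out_iface and r.out_iface != out_iface:
            continue
        return r.target, f"rule -A {r.chain} -i {r.in_iface or 'any'} --dport {r.lo}:{r.hi}"
    return policies.get(chain, "ACCEPT"), "no matching rule, chain policy"


FILTER_DUMP = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 67,68 -j DROP
-A INPUT -p udp -m udp -m multiport --dports 67,68 -j DROP
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 60000:60100 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 21 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 60000:60100 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
"""
PUBLIC_IP = "203.0.113.10"  # constructed stand-in for the poster's x.x.x.x
SAMPLE_PASV = "227 Entering Passive Mode (203,0,113,10,234,96)."  # constructed: port 60000

if __name__ == "__main__":
    print("LAN client using public IP:", check_pasv(SAMPLE_PASV, PUBLIC_IP))
    print("LAN client using 192.168.8.1:", check_pasv(SAMPLE_PASV, "192.168.8.1"))
    pol, rules, skipped = parse_iptables(FILTER_DUMP)
    for iface in ("eth0", "eth1"):
        print(f"INPUT dport 60050 via {iface}:", verdict(pol, rules, "INPUT", 60050, iface))
    print(f"{len(skipped)} rule(s) with unmodelled matches skipped")
```

Run as-is, the audit shows that the INPUT rule for 60000:60100 is scoped to eth0, so a LAN client arriving on eth1 is decided by the chain policy rather than by that rule; with the ACCEPT policy shown in the post that is harmless, but the same rule set under a default-DROP INPUT policy would refuse the passive data connection from the LAN side. The PASV check flags a reply whose advertised address differs from the one the client connected to, which is what a masqueraded server hands to clients that reach it on an internal address.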