LinuxQuestions.org
Old 05-04-2008, 02:44 PM   #1
jordib
Member
 
Registered: Apr 2008
Distribution: Debian
Posts: 35

Rep: Reputation: 15
proFTPd: remote passive mode and problems


Hello. I'm experiencing problems when connecting from the internet to a FTP server running proFTPd which is behind a NAT.

This server is in a DMZ. The iptables firewall works properly. I have no problems using it from the local network with both modes passive and active when I don't specify the MasqueradeAddress directive.

If I specify the MasqueradeAddress directive, then I cannot use passive mode from inside the local network (due to the destination address used, which is private)

Code:
227 Entering Passive Mode (a,b,c,d,242,212)
where a.b.c.d is my static public IP address, the MasqueradeAddress.

But from outside the same thing happens! I do not understand why. The passive ports range covers all possibilities: 1024 to 65535.

I'd like to be able to use both modes from any location.

Is it possible with proFTPD? I found a pseudo-solution which used a virtual server with no MasqueradeAddress directive, but this doesn't work, gives login errors.

Other things I don't understand are the fact that the command SITE_UTIME is not recognized even if it is explicitly allowed in proftpd.conf, and how I can get rid of the keepalives, I mean, control the disconnection timeout when there is no activity.

I use inetd, because I cannot switch to standalone. When I switch to standalone and restart the server, it becomes unreachable.

Thanks.

Last edited by jordib; 05-09-2008 at 07:52 AM. Reason: title mistake
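The symptom in this post is visible in the 227 reply itself: the address the server advertises has to be the one the client can actually reach, and the port has to fall inside the configured passive range. The following is an added example (my code, not the poster's configuration or anything from the proFTPD project) that parses a 227 reply the way a client does and reports the three things worth checking from each side of the NAT. The replies and the 203.0.113.10 "public" address are constructed test values; the 1024-65535 default is the range stated in the post.

```python
import ipaddress
import re

# Matches the reply quoted in the post: "227 Entering Passive Mode (a,b,c,d,242,212)".
PASV_RE = re.compile(r"^227[^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# RFC 1918 ranges; an address from here is unreachable for an internet client.
RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv(reply):
    """Return (IPv4Address, port) advertised in a 227 reply; raise ValueError if malformed."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 Entering Passive Mode reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = fields
    # The data port is encoded as two bytes: high * 256 + low.
    return ipaddress.IPv4Address("%d.%d.%d.%d" % (h1, h2, h3, h4)), p1 * 256 + p2


def check_pasv(reply, control_peer, passive_ports=(1024, 65535)):
    """Diagnose a PASV reply from the client's side of the control connection.

    control_peer   address the client connected to: the public address from the
                   internet, the DMZ address from the LAN (constructed values here)
    passive_ports  the server's PassivePorts range; default is the range in the post
    """
    addr, port = parse_pasv(reply)
    peer = ipaddress.IPv4Address(control_peer)
    lo, hi = passive_ports
    return {
        "address": str(addr),
        "port": port,
        # Private address advertised to an internet client: MasqueradeAddress not applied.
        "address_is_rfc1918": any(addr in net for net in RFC1918),
        # Address differs from the control peer: what breaks LAN clients when the
        # public MasqueradeAddress is advertised to them.
        "address_matches_control_peer": addr == peer,
        "port_in_passive_range": lo <= port <= hi,
    }


def explain(result):
    """Human-readable verdict for one check_pasv() result."""
    problems = []
    if not result["address_matches_control_peer"]:
        problems.append("server advertised %s, which is not the address the control "
                        "connection goes to" % result["address"])
    if result["address_is_rfc1918"]:
        problems.append("advertised address is private and unreachable from the internet")
    if not result["port_in_passive_range"]:
        problems.append("port %d is outside the PassivePorts range" % result["port"])
    return "OK" if not problems else "; ".join(problems)


if __name__ == "__main__":
    # Constructed replies, not captured from the poster's server.
    for reply, peer in (
        ("227 Entering Passive Mode (192,168,2,2,242,212)", "203.0.113.10"),
        ("227 Entering Passive Mode (203,0,113,10,242,212)", "203.0.113.10"),
    ):
        r = check_pasv(reply, peer)
        print(reply, "->", r["address"], r["port"], "|", explain(r))
```

Run it once with a reply captured from the LAN and once with one captured from the internet side: if the two verdicts disagree, the server is advertising a single fixed address to clients on both sides of the NAT, which is exactly the MasqueradeAddress trade-off described in the post.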
 
Old 05-09-2008, 04:44 PM   #2
jordib
Member
 
Registered: Apr 2008
Distribution: Debian
Posts: 35

Original Poster
Rep: Reputation: 15
Network topology

Three subnets, three firewall interfaces, one for the local network, the second for the DMZ network (one machine in which the FTP server listens) and the last (which does IP Masquerading) connected directly to a DSL modem/router which throws all the incoming traffic to the firewall interface to which it is connected.

NET: Internet, router-firewall subnet
DMZ: DMZ subnet
LOC: LAN, local secure subnetwork

Iptables rules

Code:
#!/bin/sh

DMZ="192.168.2.2"

INET="eth0"
IDMZ="eth1"
ILOC="eth2"

# FTP ephemeral port range
pti="1024"
ptf="65535"

echo Carregant moduls necessaris

modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

echo Esborrant normativa actual

iptables -F
iptables -X
iptables -Z
iptables -t nat -F

echo Establint politica de denegacio per defecte

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -t nat -P PREROUTING DROP
iptables -t nat -P POSTROUTING DROP

echo Establint les ordres de forwarding generals

# Enable the IP forwarding bit
sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"

# Prerouting

iptables -t nat -A PREROUTING -i $IDMZ -j ACCEPT
iptables -t nat -A PREROUTING -i $ILOC -j ACCEPT

# Postrouting

iptables -t nat -A POSTROUTING -o $INET -j MASQUERADE
iptables -t nat -A POSTROUTING -o $IDMZ -j ACCEPT
iptables -t nat -A POSTROUTING -o $ILOC -j ACCEPT

echo Habilitant connexions locals

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

echo Configurant NET-DMZ

# Allow remote FTP service
iptables -t nat -A PREROUTING -i $INET -p tcp --dport 21 -j DNAT --to-destination $DMZ:21

# Control connection
iptables -A FORWARD -i $INET -o $IDMZ -m state --state NEW,ESTABLISHED -p tcp --sport $pti:$ptf --dport 21 -j ACCEPT
iptables -A FORWARD -i $IDMZ -o $INET -m state --state ESTABLISHED -p tcp --sport 21 --dport $pti:$ptf -j ACCEPT

# Data, active mode
iptables -A FORWARD -i $INET -o $IDMZ -m state --state ESTABLISHED -p tcp --sport $pti:$ptf --dport 20 -j ACCEPT
iptables -A FORWARD -i $IDMZ -o $INET -m state --state ESTABLISHED,RELATED -p tcp --sport 20 --dport $pti:$ptf -j ACCEPT

# Data, passive mode
iptables -A FORWARD -i $INET -o $IDMZ -m state --state ESTABLISHED,RELATED -p tcp --sport $pti:$ptf --dport $pti:$ptf -j ACCEPT
iptables -A FORWARD -i $IDMZ -o $INET -m state --state ESTABLISHED -p tcp --sport $pti:$ptf --dport $pti:$ptf -j ACCEPT

echo Configurant DMZ-LOC

# Allow FTP

# Control connection
iptables -A FORWARD -i $ILOC -o $IDMZ -m state --state NEW,ESTABLISHED -p tcp --sport $pti:$ptf --dport 21 -j ACCEPT
iptables -A FORWARD -i $IDMZ -o $ILOC -m state --state ESTABLISHED -p tcp --sport 21 --dport $pti:$ptf -j ACCEPT

# Data, active mode
iptables -A FORWARD -i $ILOC -o $IDMZ -m state --state ESTABLISHED -p tcp --sport $pti:$ptf --dport 20 -j ACCEPT
iptables -A FORWARD -i $IDMZ -o $ILOC -m state --state ESTABLISHED,RELATED -p tcp --sport 20 --dport $pti:$ptf -j ACCEPT

# Data, passive mode
iptables -A FORWARD -i $ILOC -o $IDMZ -m state --state ESTABLISHED,RELATED -p tcp --sport $pti:$ptf --dport $pti:$ptf -j ACCEPT
iptables -A FORWARD -i $IDMZ -o $ILOC -m state --state ESTABLISHED -p tcp --sport $pti:$ptf --dport $pti:$ptf -j ACCEPT
Sorry for the language of the comments and messages, Catalan; it's easy to understand within context. Key:

servei remot = remote service
permet = allow
dades = data
efimer = ephemeral
passiu, actiu = trivial, trivial...

the problem persists, ask for any data you may need
thanksss

Last edited by jordib; 05-09-2008 at 05:20 PM.
 
Old 05-28-2008, 05:26 PM   #3
jordib
Member
 
Registered: Apr 2008
Distribution: Debian
Posts: 35

Original Poster
Rep: Reputation: 15
Here I give the solution I found.

RELATED outbound connections must be allowed for the passive data transfers:

Code:
# Data, passive mode
iptables -A FORWARD -i $INET -o $IDMZ -m state --state ESTABLISHED,RELATED -p tcp --sport $pti:$ptf --dport $pti:$ptf -j ACCEPT
iptables -A FORWARD -i $IDMZ -o $INET -m state --state ESTABLISHED,RELATED -p tcp --sport $pti:$ptf --dport $pti:$ptf -j ACCEPT
And specify no MasqueradeAddress.

I continue having problems with standalone proFTPD server mode. When I switch to it, the server seems to restart itself normally, but it is unreachable remotely.
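The fix above is a one-word change in one rule, which is easy to lose again the next time the script is edited. The following added example (my code, not the poster's script) turns the solution into a check: it reads `iptables -A FORWARD` lines and flags any passive-data rule (tcp, ephemeral range to ephemeral range) whose `--state` list lacks RELATED, in either direction. It assumes the `$pti:$ptf` variables have already been expanded to the literal `1024:65535` used in the thread; the sample rule lines below are constructed in the shape of the thread's NET-DMZ section, not the poster's exact file.

```python
import shlex

# Constructed lines in the shape of the thread's NET-DMZ FORWARD rules, variables expanded.
SAMPLE_RULES = [
    "iptables -A FORWARD -i eth0 -o eth1 -m state --state NEW,ESTABLISHED -p tcp --sport 1024:65535 --dport 21 -j ACCEPT",
    "iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED -p tcp --sport 21 --dport 1024:65535 -j ACCEPT",
    "iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -p tcp --sport 1024:65535 --dport 1024:65535 -j ACCEPT",
    "iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED -p tcp --sport 1024:65535 --dport 1024:65535 -j ACCEPT",
]

# Same rules with the poster's fix applied to the DMZ -> internet passive-data rule.
FIXED_RULES = SAMPLE_RULES[:3] + [
    "iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -p tcp --sport 1024:65535 --dport 1024:65535 -j ACCEPT",
]

OPTIONS = ("-i", "-o", "-p", "-j", "--sport", "--dport", "--state")


def parse_forward_rule(line):
    """Return the options of an 'iptables -A FORWARD ...' line, or None for any other line."""
    try:
        argv = shlex.split(line, comments=True)
    except ValueError:  # unbalanced quotes: not a rule we can judge
        return None
    if argv[:3] != ["iptables", "-A", "FORWARD"]:
        return None
    opts = {}
    i = 3
    while i + 1 < len(argv):
        if argv[i] in OPTIONS:
            opts[argv[i]] = argv[i + 1]
            i += 2
        else:
            i += 1
    # Normalise "--state A,B" into a set so membership tests are order-independent.
    opts["states"] = set(opts.pop("--state", "").split(",")) - {""}
    return opts


def lint_passive_rules(lines, passive_range="1024:65535"):
    """Flag passive-data FORWARD rules (tcp, ephemeral -> ephemeral) whose state match lacks RELATED.

    Returns a list of (line_number, in_iface, out_iface), one entry per offending rule.
    """
    findings = []
    for lineno, line in enumerate(lines, 1):
        rule = parse_forward_rule(line)
        if rule is None or rule.get("-p") != "tcp" or rule.get("-j") != "ACCEPT":
            continue
        passive_data = (rule.get("--sport") == passive_range
                        and rule.get("--dport") == passive_range)
        if passive_data and "RELATED" not in rule["states"]:
            findings.append((lineno, rule.get("-i"), rule.get("-o")))
    return findings


if __name__ == "__main__":
    for label, rules in (("original", SAMPLE_RULES), ("fixed", FIXED_RULES)):
        print(label, "->", lint_passive_rules(rules) or "every passive-data rule allows RELATED")
```

This is a textual check only: RELATED entries for the data channel are produced by the ftp connection-tracking helper, so the `modprobe ip_conntrack_ftp` and `modprobe ip_nat_ftp` lines in the script above are still a precondition for any of these rules to match. Active-mode rules (port 20) are deliberately left out of the check, since the fix in this thread concerns passive transfers only.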
 