froFTPd: remote passive mode and problems

jordib · 05-04-2008, 02:44 PM

Hello. I'm experiencing problems when connecting from the internet to a FTP server running proFTPd which is behind a NAT.

This server is in a DMZ. The iptables firewall works properly. I have no problems using it from the local network with both modes passive and active when I don't specify the MasqueradeAddress directive.

If I specify the MasqueradeAddress directive, then I cannot use passive mode from inside the local network (due to the destination address used, which is private)

Code:

227 Entering Passive Mode (a,b,c,d,242,212)

wher a.b.c.d is my static public IP address, the MasqueradeAddress.

But, from outside it occurs the same! I do not underestand why. The passive ports range is covering all possibilities: 1024 to 65535.

I'd like to be able to use both modes from any location.

Is it possible with proFTPD? I found a pseudo-solution which used a virtual server with no MasqueradeAddress directive, but this doesn't work, gives login errors.

Other things I don't underestand are the fact that the command SITE_UTIME is not recognized even if is explicitly allowed in proftpd.conf and how can I get rid of the keepalives, I mean, control the disconnection timeout when there is no activity.

I use inetd, cause I cannot switch to standalone. When I switch to standalone and restart the server, it becomes unreachable.

Thanks.

jordib · 05-09-2008, 04:44 PM

Network topology

Three subnets, three firewall interfaces, one for the local network, the second for the DMZ network (one machine in which the FTP server listens) and the last (which does IP Masquerading) connected direcly to a DSL modem/router which throws all the incoming traffic to the firewall interface to which it is connected.

NET: Internet, router-firewall subnet
DMZ: DMZ subnet
LOC: LAN, local secure subnetwork

Iptables rules

Code:

#!/bin/sh

DMZ="192.168.2.2"

INET="eth0"
IDMZ="eth1"
ILOC="eth2"

# Rang ports efimers FTP
pti="1024"
ptf="65535"

echo Carregant moduls necessaris

modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

echo Esborrant normativa actual

iptables -F
iptables -X
iptables -Z
iptables -t nat -F

echo Establint politica de denegacio per defecte

iptables -P INPUT DROP	
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -t nat -P PREROUTING DROP
iptables -t nat -P POSTROUTING DROP

echo Establint les ordres de forwarding generals

# Activacio del bit de FORWARDING
sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"

# Prerouting

iptables -t nat -A PREROUTING -i $IDMZ -j ACCEPT
iptables -t nat -A PREROUTING -i $ILOC -j ACCEPT

# Postrouting

iptables -t nat -A POSTROUTING -o $INET -j MASQUERADE
iptables -t nat -A POSTROUTING -o $IDMZ -j ACCEPT
iptables -t nat -A POSTROUTING -o $ILOC -j ACCEPT

echo Habilitant connexions locals

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

echo Configurant NET-DMZ

# Permet servei remot FTP
iptables -t nat -A PREROUTING -i $INET -p tcp --dport 21 -j DNAT --to-destination $DMZ:21

# Control
iptables -A FORWARD -i $INET -o $IDMZ -m state --state NEW,ESTABLISHED -p tcp --sport $pti:$ptf --dport 21 -j ACCEPT
iptables -A FORWARD -i $IDMZ -o $INET -m state --state ESTABLISHED -p tcp --sport 21 --dport $pti:$ptf -j ACCEPT 

# Dades-actiu
iptables -A FORWARD -i $INET -o $IDMZ -m state --state ESTABLISHED -p tcp --sport $pti:$ptf --dport 20 -j ACCEPT
iptables -A FORWARD -i $IDMZ -o $INET -m state --state ESTABLISHED,RELATED -p tcp --sport 20 --dport $pti:$ptf -j ACCEPT  

# Dades-passiu
iptables -A FORWARD -i $INET -o $IDMZ -m state --state ESTABLISHED,RELATED -p tcp --sport $pti:$ptf --dport $pti:$ptf -j ACCEPT
iptables -A FORWARD -i $IDMZ -o $INET -m state --state ESTABLISHED -p tcp --sport $pti:$ptf --dport $pti:$ptf -j ACCEPT 

echo Configurant DMZ-LOC

# Permet FTP

# Control
iptables -A FORWARD -i $ILOC -o $IDMZ -m state --state NEW,ESTABLISHED -p tcp --sport $pti:$ptf --dport 21 -j ACCEPT
iptables -A FORWARD -i $IDMZ -o $ILOC -m state --state ESTABLISHED -p tcp --sport 21 --dport $pti:$ptf -j ACCEPT

# Dades-actiu
iptables -A FORWARD -i $ILOC -o $IDMZ -m state --state ESTABLISHED -p tcp --sport $pti:$ptf --dport 20 -j ACCEPT
iptables -A FORWARD -i $IDMZ -o $ILOC -m state --state ESTABLISHED,RELATED -p tcp --sport 20 --dport $pti:$ptf -j ACCEPT

# Dades-passiu
iptables -A FORWARD -i $ILOC -o $IDMZ -m state --state ESTABLISHED,RELATED -p tcp --sport $pti:$ptf --dport $pti:$ptf -j ACCEPT
iptables -A FORWARD -i $IDMZ -o $ILOC -m state --state ESTABLISHED -p tcp --sport $pti:$ptf --dport $pti:$ptf -j ACCEPT

Sorry for the comments language, catalan, it's easy to underestand within context, key

servei remot = remote service
permet = allow
dades = data
efimer = ephimeral
passiu, actiu = trivial, trivial...

the problem persists, ask for any data you may need
thanksss

jordib · 05-28-2008, 05:26 PM

Here I give the solution I found.

It must be allowed RELATED outbound connections for the passive data transfers:

Code:

# Dades-passiu
iptables -A FORWARD -i $INET -o $IDMZ -m state --state ESTABLISHED,RELATED -p tcp --sport $pti:$ptf --dport $pti:$ptf -j ACCEPT
iptables -A FORWARD -i $IDMZ -o $INET -m state --state ESTABLISHED,RELATED -p tcp --sport $pti:$ptf --dport $pti:$ptf -j ACCEPT

And specify no MasqueradeAddress.

I continue having problems with standalone proFTPD server mode. When I switch to it, the server seems to restart itself normally, but remotely is unreachable.