LinuxQuestions.org

Linux - Networking: FTP Active mode and NAT with private addressing (AWS) (https://www.linuxquestions.org/questions/linux-networking-3/ftp-active-mode-and-nat-with-private-addressing-aws-4175620398/)

DavideDG 12-27-2017 02:31 PM

FTP Active mode and NAT with private addressing (AWS)
 
Hello,

I have an FTP client trying to connect in FTP active mode to some FTP servers located on the Internet.
The FTP client has a private address and is behind a NAT server.

This NAT server has a private address too, and is itself behind a "global" NAT/routing service.


FTP client (10.60.0.0/24) --> 1st NAT server (10.254.254.0/24) --> Global NAT (Public IP) --> Internet --> Firewall/NAT --> FTP Server(s)


I can control the 1st NAT server and currently it's a Linux server with masquerading.
I have no access to the "global" NAT/routing service.
I do know the public static IP that is eventually assigned to my first NAT server.


With Active-FTP (port mode), this is not working.
I already activated the CT FTP helper (nf_nat_ftp) with its enabling iptables rule:
iptables -A PREROUTING -t raw -p tcp --sport 1024: --dport 21 -j CT --helper ftp
and I can see that the "PORT" command is being correctly translated from the private IP address of FTP client to the private IP Address of the 1st NAT server.

Unfortunately, of course, this cannot work end to end, because the FTP Server receives the PORT command still with a private address
and it's not smart enough to recognize this and connect back to the public IP of the FTP control flow (like FileZilla Server instead does, for example).
So the FTP data connection, initiated from the FTP server, of course never reaches my public IP (let alone the FTP client).


Now to the question.
Is there any way to let the nf_nat_ftp module translate the PORT command with the PUBLIC IP, instead of the private one?
Maybe assigning a "fake" interface with the public IP and forcing the route back to private and toggling the module on/off in between?
Or maybe there's some option of the kernel module I'm not aware of? (I know only the "ports" option.)


BTW: I am on Amazon AWS:
- the FTP client is a Windows server
- the 1st NAT server is an Amazon Linux NAT instance (kernel 4.9.x)
- the "global" NAT/router is the VPC Internet GW


Before you suggest it: no, unfortunately I cannot change the FTP client, it's a custom application I cannot change.


Thank you.
Bye!

--
DavideDG
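To make concrete what the PORT rewrite discussed above involves, here is an added Python example (not from the thread and not the kernel helper's code): it parses and re-encodes RFC 959 PORT commands, applies the address substitution the poster is asking nf_nat_ftp for, and flags commands that still advertise an RFC 1918 address, which is exactly the leak that breaks the data connection end to end. The addresses 10.60.0.15, 10.254.254.10 and the stand-in public IP 203.0.113.5 are constructed placeholders.

```python
import re
import ipaddress

# RFC 959 PORT syntax: "PORT h1,h2,h3,h4,p1,p2" with four IPv4 octets and the
# data port split as p1*256 + p2.  The kernel FTP helper (nf_nat_ftp) rewrites
# these octets to the NAT box's own address; the functions below show that
# rewrite in user space and flag commands that still carry an RFC 1918 address.
PORT_RE = re.compile(r"^PORT (\d{1,3}(?:,\d{1,3}){5})\r?\n?$", re.IGNORECASE)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_port(line):
    """Return (ip, port) from a PORT command; raise ValueError on bad input."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    fields = [int(x) for x in m.group(1).split(",")]
    if any(f > 255 for f in fields):
        raise ValueError(f"octet out of range: {line!r}")
    ip = ".".join(str(f) for f in fields[:4])
    return ip, fields[4] * 256 + fields[5]

def build_port(ip, port):
    """Encode ip/port as a PORT command line, CRLF-terminated."""
    if not 0 < port < 65536:
        raise ValueError(f"bad port {port}")
    octets = str(ipaddress.IPv4Address(ip)).replace(".", ",")
    return f"PORT {octets},{port // 256},{port % 256}\r\n"

def translate_port(line, inside_net, outside_ip):
    """Rewrite the advertised address when it lies inside `inside_net`.

    This is the address half of what a NAT FTP helper does; the port is kept
    as-is for illustration, a real NAT may also have to remap it."""
    ip, port = parse_port(line)
    if ipaddress.IPv4Address(ip) in ipaddress.ip_network(inside_net):
        return build_port(outside_ip, port)
    return line

def advertises_private(line):
    """True if the PORT command still leaks an RFC 1918 address."""
    ip, _ = parse_port(line)
    return any(ipaddress.IPv4Address(ip) in n for n in RFC1918)

if __name__ == "__main__":
    # Constructed sample: client 10.60.0.15 listening on 1025; after the 1st NAT
    # it reads 10.254.254.10; 203.0.113.5 stands in for the public IP.
    hop1 = translate_port("PORT 10,60,0,15,4,1\r\n", "10.60.0.0/24", "10.254.254.10")
    hop2 = translate_port(hop1, "10.254.254.0/24", "203.0.113.5")
    print(hop1.strip(), advertises_private(hop1))   # still private -> True
    print(hop2.strip(), advertises_private(hop2))   # public -> False
```

Running the same check against a capture of the control channel on the 1st NAT box shows directly whether the PORT commands leaving it still carry 10.254.254.x.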

DavideDG 12-29-2017 08:01 AM

I found a partially working solution, and posted it here:

https://serverfault.com/questions/88...addressing-aws

