vsftp behind iptables NAT
Hi folks,
I'm trying to get vsftpd working behind NAT... I have a machine, say GW, that is the router between my vsftp server and the internet, and I want to export this vsftp to the internet. Topology is like this:
vsftp host --- GW --- Internet
About FTP stuff, I have read that passive mode is a better approach, so I want to stick with this; in other words, I want to be accessible to any client on the internet. I also read that I have to export port 21, and pasv_min_port -- which is 3500 -- to pasv_max_port -- which is 4000 -- on my firewall. So here is my firewall configuration.. note: I have all policies set to ACCEPT, it isn't a real real real firewall hehe..
Code:
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.5.37

192.168.5.37 is the vsftp machine, X.X.X.X is the IP of the internet interface. And here is my vsftpd.conf
Code:
local_enable=YES

Well, I can log in on ftp from the internet, but I can't list directories. On the local LAN everything works fine... Any idea?
Cheers,
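The setup above has two places where the same passive range has to be written: vsftpd.conf (pasv_min_port/pasv_max_port) and the DNAT rules on GW. The script below is an added example, not code from the thread: it reads the range and pasv_address out of a vsftpd.conf excerpt (constructed here; in practice read /etc/vsftpd.conf), emits the matching DNAT and FORWARD rules for the WAN interface, and flags a missing or private pasv_address, since that is what vsftpd puts into its 227 reply. 192.168.5.37, eth1 and 3500-4000 come from the poster's setup; the pasv_address 203.0.113.10 is an assumed placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): derive the NAT rules for vsftpd passive
# mode from vsftpd.conf so the forwarded range cannot drift from the range
# vsftpd actually advertises, and sanity-check pasv_address.

FTP_HOST=192.168.5.37   # vsftpd box on the LAN (from the thread)
WAN_IF=eth1             # GW's internet-facing interface (from the poster's rule)

# Constructed vsftpd.conf excerpt; in the real case read /etc/vsftpd.conf.
# 203.0.113.10 is an assumed placeholder for the public address.
VSFTPD_CONF='listen=YES
local_enable=YES
pasv_enable=YES
pasv_min_port=3500
pasv_max_port=4000
pasv_address=203.0.113.10
'

# conf_get KEY: print the value of KEY (last occurrence wins, as in vsftpd).
conf_get() {
    printf '%s\n' "$VSFTPD_CONF" | sed -n "s/^[[:space:]]*$1=//p" | tail -n 1
}

# pasv_range: print "MIN:MAX" in iptables --dport syntax after sanity checks.
pasv_range() {
    min=$(conf_get pasv_min_port)
    max=$(conf_get pasv_max_port)
    # Fail closed: an unset or inverted range would silently break listings.
    [ -n "$min" ] && [ -n "$max" ] || { echo "pasv range not set" >&2; return 1; }
    [ "$min" -le "$max" ] || { echo "pasv_min_port > pasv_max_port" >&2; return 1; }
    printf '%s:%s\n' "$min" "$max"
}

# nat_rules: print the rules for the control channel and the passive data
# range only; nothing else on the FTP host is exposed.
nat_rules() {
    range=$(pasv_range) || return 1
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 21 -j DNAT --to-destination %s\n' "$WAN_IF" "$FTP_HOST"
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s\n' "$WAN_IF" "$range" "$FTP_HOST"
    # The thread runs FORWARD with policy ACCEPT; with a DROP policy these are needed too.
    printf 'iptables -A FORWARD -i %s -d %s -p tcp --dport 21 -j ACCEPT\n' "$WAN_IF" "$FTP_HOST"
    printf 'iptables -A FORWARD -i %s -d %s -p tcp --dport %s -j ACCEPT\n' "$WAN_IF" "$FTP_HOST" "$range"
}

# pasv_address_check: the address vsftpd advertises in its 227 reply must be
# the public one; a private address sends internet clients to an unreachable host.
pasv_address_check() {
    addr=$(conf_get pasv_address)
    case "$addr" in
        "") echo "pasv_address unset: vsftpd would advertise its own LAN address $FTP_HOST"; return 1 ;;
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) echo "pasv_address $addr is private"; return 1 ;;
        *) echo "pasv_address $addr looks public"; return 0 ;;
    esac
}

nat_rules
pasv_address_check
```

Run it on the real config before loading the rules; if pasv_address_check complains, fix vsftpd.conf first, because no firewall rule can repair a 227 reply that points clients at 192.168.x.x.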
During the ftp directory listing, check which packets go through the router:
Code:
iptables -I FORWARD -d 192.168.5.37 -p tcp -m tcp --dport 3500:4000 -j LOG
Hi
I have a client with passive support.. and I also restarted the service after changing its configuration.. To be honest, active mode works if the client isn't behind a NAT. I'll try the tracking thing as soon as I get home. Thanks
So.. here I am again
To simplify things I've changed pasv_max_port and pasv_min_port to 3500, so I have to track only port 3500. For some reason this port is never used.. I've also set connect_from_port_20=NO and port_enable=NO, so I got Firefox using PASV mode; I can prove that with the logs, soon. So I will describe the procedure I'm using to test, and what is happening at each stage; the current config file can be seen at the end of the post... First I put this in the Firefox URL bar
Code:
ftp://Y.Y.Y.Y

Code:
Thu Jun 7 04:02:14 2012 [pid 3554] CONNECT: Client "188.100.183.118"

I put my user -- tux -- and password in the popup box and press enter.. At this time this appears in vsftpd.log
Code:
Thu Jun 7 04:02:33 2012 [pid 3556] FTP command: Client "188.100.183.118", "USER tux"

I set the iptables log rules as you said, and, to my surprise, there is nothing traveling on port 3500, nothing.. So I chose to test whether my iptables rules are right.. Well, yes they are, because I started a netcat on the ftp server listening on 3500, and can connect from my client box, and can send data in both directions.. I can't figure out why my client isn't shooting packets at port 3500.. As I've said, here is my current config file..
Code:
anonymous_enable=NO
Configuration should be OK, as the server sends the correct port number to the client. Is Y.Y.Y.Y in this "227 Entering Passive Mode (Y,Y,Y,Y,13,172)" your public, external IP, the one you connected to with netcat? Check this log, to be sure that the client is trying to connect correctly at all:
Code:
iptables -t nat -I PREROUTING -s <CLIENT_IP_HERE> -j LOG
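The "13,172" in that reply is the passive port encoded as p1*256 + p2, i.e. 13*256 + 172 = 3500, which is why the replier can say the port is right and only the address is in question. The script below is an added example, not from the thread: it decodes a 227 reply, checks the advertised port against the range the firewall forwards, and checks the advertised host against the public address. The sample replies are constructed; 203.0.113.10 is an assumed placeholder for Y.Y.Y.Y, and 192.168.5.37 and 3500-4000 are from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): decode a vsftpd "227 Entering Passive
# Mode (h1,h2,h3,h4,p1,p2)" reply and check whether a NATed internet client
# could reach the endpoint it advertises.

PUBLIC_IP=203.0.113.10  # assumed placeholder for the poster's Y.Y.Y.Y
PASV_MIN=3500           # range forwarded on GW (from the thread)
PASV_MAX=4000

# pasv_host REPLY: print the dotted-quad host from a 227 reply (empty if none).
pasv_host() {
    printf '%s\n' "$1" | sed -n 's/.*(\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\),[0-9]*,[0-9]*).*/\1.\2.\3.\4/p'
}

# pasv_port REPLY: print the port; FTP encodes it as p1*256 + p2.
pasv_port() {
    pair=$(printf '%s\n' "$1" | sed -n 's/.*([0-9]*,[0-9]*,[0-9]*,[0-9]*,\([0-9]*\),\([0-9]*\)).*/\1 \2/p')
    [ -n "$pair" ] || return 1
    set -- $pair
    echo $(( $1 * 256 + $2 ))
}

# pasv_check REPLY: return 0 only if host and port are what the firewall and
# the client expect; otherwise print which side to fix.
pasv_check() {
    host=$(pasv_host "$1")
    [ -n "$host" ] || { echo "not a 227 reply: $1"; return 1; }
    port=$(pasv_port "$1") || { echo "not a 227 reply: $1"; return 1; }
    rc=0
    if [ "$host" != "$PUBLIC_IP" ]; then
        echo "advertised $host, expected public $PUBLIC_IP (check pasv_address)"; rc=1
    fi
    if [ "$port" -lt "$PASV_MIN" ] || [ "$port" -gt "$PASV_MAX" ]; then
        echo "advertised port $port outside forwarded range $PASV_MIN-$PASV_MAX"; rc=1
    fi
    [ $rc -eq 0 ] && echo "ok: $host:$port"
    return $rc
}

# Constructed sample replies: the thread's 13,172 pair (port 3500) with the
# public address, the same pair with the LAN address, and a port outside the range.
GOOD='227 Entering Passive Mode (203,0,113,10,13,172)'
PRIVATE='227 Entering Passive Mode (192,168,5,37,13,172)'
OUT_OF_RANGE='227 Entering Passive Mode (203,0,113,10,200,1)'

for reply in "$GOOD" "$PRIVATE" "$OUT_OF_RANGE"; do
    pasv_check "$reply" || :   # keep going so every verdict is shown
done
```

To use it on a live session, feed it the 227 line from a `tcpdump -A` capture of port 21 on GW's WAN side, or from the client's FTP debug output; the PREROUTING LOG rule above tells you whether the client then actually sends a SYN to that host:port.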
That's it, for some reason my client isn't sending requests to port 3500..
I have no idea why this is happening.. I tried iptables logging and tcpdump.. there is no output for port 3500 at all.. I got a "Connection reset by peer" in Firefox. My guess is that something is going wrong while trying to tell the client about pasv mode. I'll try more tcpdumps and come back here with results... Editing.. I've tried a lot of tcpdumps and iptables -j LOG.. the communication seems OK; my guess is that vsftpd is doing some security check that is ruining things. Here is the current config
Code:
anonymous_enable=NO

resolve some name -- I mean, a lot of packets going to (dst host) 8.8.8.8; after changing the configuration this stops, but still, I got the same error. :confused:
Cheers