LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
06-06-2012, 02:59 PM   #1
danielhilst
vsftp behind iptables NAT


Hi folks,


I'm trying to get vsftp working behind NAT...
I have a machine, say GW, that is the router between my vsftp server and the internet, and I want to export this vsftp to the internet.

Topology is like this

vsftp host --- GW --- Internet

About FTP stuff, I have read that passive mode is a better approach, so I want to keep with this; in other words, I want to be accessible to any client on the internet.

I also read that I have to export port 21, and pasv_min_port -- which is 3500 -- to pasv_max_port -- which is 4000 -- on my firewall. So here is my firewall configuration..

note: I have all policies set to ACCEPT, it isn't a real real real firewall hehe..

Code:
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.5.37
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 3500:4000 -j DNAT --to-destination 192.168.5.37
iptables -t nat -A POSTROUTING -s 192.168.5.37 -p tcp -m tcp --sport 21 -j SNAT --to-source X.X.X.X
iptables -t nat -A POSTROUTING -s 192.168.5.37 -p tcp -m tcp --sport 3500:4000 -j SNAT --to-source X.X.X.X
Where:
192.168.5.37 is the vsftp machine
X.X.X.X is the IP of the internet interface

And here is my vsftpd.conf
Code:
local_enable=YES
write_enable=NO
pam_service_name=vsftpd
userlist_enable=YES
userlist_deny=YES
#enable for standalone mode
listen=YES
tcp_wrappers=YES
pasv_address=Y.Y.Y.Y
pasv_promiscuous=YES
pasv_enable=YES
hide_ids=YES
pasv_min_port=3500
pasv_max_port=4000
chroot_local_user=YES
max_clients=10
no_anon_password=YES
syslog_enable=YES
log_ftp_protocol=YES
Where Y.Y.Y.Y is my public internet IP

Well, I can log in to the ftp server from the internet, but I can't list directories.

On the local LAN everything works fine...
Any idea?

Cheers,
 
06-06-2012, 03:23 PM   #2
eSelix
During the ftp directory listing, check which packets go through the router
Code:
iptables -I FORWARD -d 192.168.5.37 -p tcp -m tcp --dport 3500:4000 -j LOG
iptables -I FORWARD -s 192.168.5.37 -p tcp -m tcp --sport 3500:4000 -j LOG
tail -f /var/log/syslog
Did you restart vsftpd after changing the configuration? Does your ftp client support PASV mode? And can you post the ftp log from the connection?

Last edited by eSelix; 06-06-2012 at 03:26 PM.
 
06-06-2012, 06:43 PM   #3
danielhilst (Original Poster)
Hi

I have a client with passive support, and I also restarted the service after changing its configuration..

To be honest, active mode works if the client isn't behind a NAT.
I'll try the tracking thing when I get home.

Thanks
 
06-06-2012, 11:24 PM   #4
danielhilst (Original Poster)
So.. here I am again

To simplify things I've changed pasv_max_port and pasv_min_port to 3500, so I have to track only port 3500.

For some reason this port is never used..

I've also set connect_from_port_20=NO and port_enable=NO, so I got Firefox using PASV mode;
I can prove that from the logs, soon.

So I will describe the procedure I'm using to test, and what is happening at each stage; the current config
file can be seen at the end of the post...

First I put this in the Firefox URL bar
Code:
ftp://Y.Y.Y.Y
This is shown in vsftpd.log
Code:
Thu Jun  7 04:02:14 2012 [pid 3554] CONNECT: Client "188.100.183.118"
Thu Jun  7 04:02:14 2012 [pid 3554] FTP response: Client "188.100.183.118", "220 (vsFTPd 2.0.5)"
Thu Jun  7 04:02:14 2012 [pid 3554] FTP command: Client "188.100.183.118", "USER anonymous"
Thu Jun  7 04:02:14 2012 [pid 3554] [anonymous] FTP response: Client "188.100.183.118", "331 Please specify the password."
Thu Jun  7 04:02:14 2012 [pid 3554] [anonymous] FTP command: Client "188.100.183.118", "PASS <password>"
Thu Jun  7 04:02:18 2012 [pid 3553] [anonymous] FAIL LOGIN: Client "188.100.183.118"
Thu Jun  7 04:02:20 2012 [pid 3554] [anonymous] FTP response: Client "188.100.183.118", "530 Login incorrect."
Thu Jun  7 04:02:20 2012 [pid 3556] CONNECT: Client "188.100.183.118"
Thu Jun  7 04:02:20 2012 [pid 3556] FTP response: Client "188.100.183.118", "220 (vsFTPd 2.0.5)"
And in Firefox a login/password popup appears.
I put my user -- tux -- and password in the popup box and press enter.. At this time this appears in vsftpd.log
Code:
Thu Jun  7 04:02:33 2012 [pid 3556] FTP command: Client "188.100.183.118", "USER tux"
Thu Jun  7 04:02:33 2012 [pid 3556] [tux] FTP response: Client "188.100.183.118", "331 Please specify the password."
Thu Jun  7 04:02:33 2012 [pid 3556] [tux] FTP command: Client "188.100.183.118", "PASS <password>"
Thu Jun  7 04:02:35 2012 [pid 3555] [tux] OK LOGIN: Client "188.100.183.118"
Thu Jun  7 04:02:35 2012 [pid 3557] [tux] FTP response: Client "188.100.183.118", "230 Login successful."
Thu Jun  7 04:02:35 2012 [pid 3557] [tux] FTP command: Client "188.100.183.118", "SYST"
Thu Jun  7 04:02:35 2012 [pid 3557] [tux] FTP response: Client "188.100.183.118", "215 UNIX Type: L8"
Thu Jun  7 04:02:35 2012 [pid 3557] [tux] FTP command: Client "188.100.183.118", "PWD"
Thu Jun  7 04:02:35 2012 [pid 3557] [tux] FTP response: Client "188.100.183.118", "257 "/""
Thu Jun  7 04:02:35 2012 [pid 3557] [tux] FTP command: Client "188.100.183.118", "TYPE I"
Thu Jun  7 04:02:35 2012 [pid 3557] [tux] FTP response: Client "188.100.183.118", "200 Switching to Binary mode."
Thu Jun  7 04:02:35 2012 [pid 3557] [tux] FTP command: Client "188.100.183.118", "PASV"
Thu Jun  7 04:02:35 2012 [pid 3557] [tux] FTP response: Client "188.100.183.118", "227 Entering Passive Mode (Y,Y,Y,Y,13,172)"

I set the iptables log rules as you said, and, to my surprise, there is nothing traveling on port 3500, nothing..

So I then chose to test whether my iptables rules are right.. Well, yes they are, because I started a netcat on the ftp server, listening on 3500, and can connect from my client box and send data in both directions..

I can't figure out why my client isn't shooting packets at port 3500..

As I've said, here is my current config file..
Code:
anonymous_enable=NO
local_enable=YES
write_enable=NO
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=NO
xferlog_file=/var/log/vsftpd.log
chroot_local_user=YES
listen=YES
port_enable=NO
pasv_enable=YES
pasv_promiscuous=YES
pasv_max_port=3500
pasv_min_port=3500
pasv_addr_resolve=NO
pasv_address=Y.Y.Y.Y
pam_service_name=vsftpd
log_ftp_protocol=YES
 
06-07-2012, 07:50 AM   #5
eSelix
Configuration should be ok, as the server sends the correct port number to the client. Is Y.Y.Y.Y in this "227 Entering Passive Mode (Y,Y,Y,Y,13,172)" your public, external IP, the one you connected to with netcat? Check this log, to be sure that the client is trying to connect correctly at all:
Code:
iptables -t nat -I PREROUTING -s <CLIENT_IP_HERE> -j LOG
iptables -t nat -I PREROUTING -p tcp -m tcp --dport 3500 -j LOG

Last edited by eSelix; 06-07-2012 at 07:55 AM.
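The check eSelix is doing by hand above (does the 227 reply carry the public address, and does its port land inside the range the router forwards?) can be run over vsftpd's log_ftp_protocol output. This is an added example, not code from the thread or from vsftpd; the sample lines are constructed in the thread's log format, with 203.0.113.10 standing in for the real Y.Y.Y.Y and 3500-4000 as the forwarded range from post #1.

```python
import re

# Matches vsftpd's logged reply "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(
    r'227 Entering Passive Mode \((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)')


def decode_pasv(line):
    """Return (advertised_ip, advertised_port) for a 227 reply, or None."""
    m = PASV_RE.search(line)
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    # RFC 959 splits the port into two bytes: port = p1 * 256 + p2,
    # so (13,172) in the thread is 13 * 256 + 172 = 3500.
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_pasv(line, public_ip, pasv_min, pasv_max):
    """List mismatches between what the server advertised and what the
    router forwards; an empty list means the reply is consistent."""
    decoded = decode_pasv(line)
    if decoded is None:
        return ["no 227 reply on this line"]
    ip, port = decoded
    problems = []
    if ip != public_ip:
        problems.append(f"advertised {ip}, expected pasv_address {public_ip}")
    if not pasv_min <= port <= pasv_max:
        problems.append(
            f"advertised port {port} outside forwarded range {pasv_min}-{pasv_max}")
    return problems


def audit_log(lines, public_ip, pasv_min, pasv_max):
    """Return [(line_number, problems)] for every inconsistent 227 reply."""
    findings = []
    for n, line in enumerate(lines, 1):
        if PASV_RE.search(line):
            problems = check_pasv(line, public_ip, pasv_min, pasv_max)
            if problems:
                findings.append((n, problems))
    return findings


# Constructed sample lines in the thread's vsftpd log format; the third line
# shows what a server without pasv_address would leak: its private LAN address.
SAMPLE_LOG = [
    'Thu Jun  7 04:02:35 2012 [pid 3557] [tux] FTP command: Client "188.100.183.118", "PASV"',
    'Thu Jun  7 04:02:35 2012 [pid 3557] [tux] FTP response: Client "188.100.183.118", "227 Entering Passive Mode (203,0,113,10,13,172)"',
    'Thu Jun  7 04:05:01 2012 [pid 3560] [tux] FTP response: Client "188.100.183.118", "227 Entering Passive Mode (192,168,5,37,15,161)"',
]

if __name__ == "__main__":
    for n, problems in audit_log(SAMPLE_LOG, "203.0.113.10", 3500, 4000):
        print(f"line {n}: {'; '.join(problems)}")
```

Note that pasv_promiscuous=YES in the posted config turns off vsftpd's check that the data connection comes from the same client IP as the control connection, so it is worth dropping once the NAT path works.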
 
06-07-2012, 11:23 AM   #6
danielhilst (Original Poster)

That's it, for some reason my client isn't sending requests to port 3500..
I have no idea why this is happening..
I tried iptables logging, and tcpdump.. there is no output for port 3500 at all..

I get a "Connection reset by peer" in Firefox


My guess is that something is going wrong while trying to tell the client about pasv mode

I'll try more tcpdumps and come back here with results...

Editing..

I've tried a lot of tcpdumps and iptables -j LOG.. the communication seems OK; my
guess is that vsftpd is doing some security check that is ruining things

Here is the current config
Code:
anonymous_enable=NO
local_enable=YES
write_enable=NO
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=NO
xferlog_file=/var/log/vsftpd.log
chroot_local_user=YES
listen=YES
port_enable=NO
pasv_addr_resolve=NO
pasv_enable=YES
pasv_promiscuous=YES
pasv_max_port=3500
pasv_min_port=3500
pasv_addr_resolve=NO
pasv_address=Y.Y.Y.Y
pam_service_name=vsftpd
log_ftp_protocol=YES
port_promiscuous=YES
reverse_lookup_enable=NO
After tcpdumping packets coming from 192.168.5.37 (src host) I see that it is trying to
resolve some name -- I mean, a lot of packets going to (dst host) 8.8.8.8. After changing the
configuration this stops, but still, I get the same error.


Cheers

Last edited by danielhilst; 06-07-2012 at 01:38 PM.