FTP is always "special" ... :-)
For many years I have configured FTP like other protocols:
DNAT net dmz:192.168.109.71 tcp 20,21,25,80,443 - A.B.C.D
Where A.B.C.D is an alias public IP (eth0:N)
192.168.109.71 is the server internal IP
It has worked fine except for some clients that had some connection
problems, but playing with active/passive mode in the client usually they
can connect and work.
Now there are some clients that aren't able to use FTP with this server.
I noticed this also from one of my boxes that is under a double or
triple NAT:
# ftp SERVER.com
Connected to SERVER.com.
220 FTP Server ready.
Name (SERVER.com:root): user-ftp
331 Password required for user-ftp
Password:
230 User user-ftp logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> debug
Debugging on (debug=1).
ftp> ls
---> PORT 192,168,111,107,196,255
200 PORT command successful
---> LIST
425 Unable to build data connection: Connection timed out
# ftp SERVER.com
Connected to SERVER.com.
220 FTP Server ready.
Name (SERVER.com:root): user-ftp
331 Password required for user-ftp
Password:
230 User user-ftp logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode on.
ftp> dir
227 Entering Passive Mode (192,168,109,71,178,174).
ftp: connect: Connection timed out
ftp> bye
421 Idle timeout (600 seconds): closing control connection
# ftp metalluxlight.com
Connected to SERVER.com.
220 FTP Server ready.
Name (SERVER.com:root): user-ftp
331 Password required for user-ftp
Password:
230 User user-ftp logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode on.
ftp> passive
Passive mode off.
ftp> dir
200 PORT command successful
425 Unable to build data connection: Connection timed out
If I try from another client box (very similar to the previous one), I get:
# ftp SERVER.com
Connected to SERVER.com.
220 FTP Server ready.
Name (SERVER.com:root): user-ftp
331 Password required for user-ftp
Password:
230 User user-ftp logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rw-r--r-- 1 user-ftp user 5500719 Mar 14 2017 CompanyProfile.pdf
-rw-r--r-- 1 user-ftp user 390 Nov 9 2015 LEGGIMI.txt
drwxr-xr-x 3 root root 4096 Jul 4 13:51 cataloghi
-rw-r--r-- 1 user-ftp user 53 Dec 29 2015 google0f8da78f93df36d9.html
. . .
-rw-r--r-- 1 user-ftp user 3353 Oct 7 2016 wp-load.php
-rw-r--r-- 1 user-ftp user 34057 Oct 7 2016 wp-login.php
-rw-r--r-- 1 user-ftp user 7993 Jan 11 2017 wp-mail.php
-rw-r--r-- 1 user-ftp user 13920 Oct 7 2016 wp-settings.php
-rw-r--r-- 1 user-ftp user 29890 Oct 7 2016 wp-signup.php
-rw-r--r-- 1 user-ftp user 4035 Nov 9 2015 wp-trackback.php
-rw-r--r-- 1 user-ftp user 3064 Oct 7 2016 xmlrpc.php
226 Transfer complete
This works without problem and is under a double NAT (different
connection).
I also tried this syntax (in the firewall, obviously):
FTP(DNAT) net dmz:192.168.109.71 tcp - - A.B.C.D
# uname -a
Linux srv-gw 4.4.49-1-pve #1 SMP PVE 4.4.49-86 (Thu, 30 Mar 2017 08:39:20
+0200) x86_64 GNU/Linux
# shorewall version
4.6.4.3
Debian 8.7
ip_set 45056 2 ip_set_hash_ip,xt_set
ip_set_hash_ip 32768 0
iptable_filter 16384 4
iptable_mangle 16384 1
iptable_nat 16384 1
iptable_raw 16384 0
ip_tables 28672 4
iptable_filter,iptable_mangle,iptable_nat,iptable_raw
ipt_ah 16384 0
ipt_CLUSTERIP 16384 0
ipt_ECN 16384 0
ipt_MASQUERADE 16384 0
ipt_REJECT 16384 8
ipt_rpfilter 16384 0
. . .
nf_conntrack 106496 34
nf_nat_ftp,nf_nat_irc,nf_nat_sip,nf_nat_amanda,xt_CT,nf_nat_snmp_basic,nf_conntrack_netbios_ns,nf_conntrack_proto_gre,xt_helper,nf_conntrack_proto_udplite,nf_nat,xt_state,xt_connlimit,nf_nat_h323,nf_nat_ipv4,nf_nat_pptp,nf_nat_tftp,xt_conntrack,nf_conntrack_amanda,nf_nat_masquerade_ipv4,ipt_CLUSTERIP,nf_conntrack_proto_sctp,nf_conntrack_netlink,nf_conntrack_broadcast,xt_connmark,nf_conntrack_ftp,nf_conntrack_irc,nf_conntrack_sip,nf_conntrack_h323,nf_conntrack_ipv4,nf_conntrack_pptp,nf_conntrack_sane,nf_conntrack_snmp,nf_conntrack_tftp
nf_conntrack_amanda 16384 1 nf_nat_amanda
nf_conntrack_broadcast 16384 2 nf_conntrack_netbios_ns,nf_conntrack_snmp
nf_conntrack_ftp 20480 1 nf_nat_ftp
nf_conntrack_h323 77824 1 nf_nat_h323
nf_conntrack_ipv4 16384 108
nf_conntrack_irc 16384 1 nf_nat_irc
nf_conntrack_netbios_ns 16384 0
nf_conntrack_netlink 36864 0
nf_conntrack_pptp 20480 1 nf_nat_pptp
nf_conntrack_proto_gre 16384 1 nf_conntrack_pptp
nf_conntrack_proto_sctp 20480 0
nf_conntrack_proto_udplite 16384 0
nf_conntrack_sane 16384 0
nf_conntrack_sip 28672 1 nf_nat_sip
nf_conntrack_snmp 16384 1 nf_nat_snmp_basic
nf_conntrack_tftp 16384 1 nf_nat_tftp
nf_defrag_ipv4 16384 2 xt_TPROXY,nf_conntrack_ipv4
nf_defrag_ipv6 36864 1 xt_TPROXY
nf_log_common 16384 1 nf_log_ipv4
nf_log_ipv4 16384 13
nf_nat 24576 11
nf_nat_ftp,nf_nat_irc,nf_nat_sip,nf_nat_amanda,nf_nat_proto_gre,nf_nat_h323,nf_nat_ipv4,nf_nat_pptp,nf_nat_tftp,xt_nat,nf_nat_masquerade_ipv4
nf_nat_amanda 16384 0
nf_nat_ftp 16384 0
nf_nat_h323 20480 0
nf_nat_ipv4 16384 1 iptable_nat
nf_nat_irc 16384 0
nf_nat_masquerade_ipv4 16384 1 ipt_MASQUERADE
nf_nat_pptp 16384 0
nf_nat_proto_gre 16384 1 nf_nat_pptp
nf_nat_sip 20480 0
nf_nat_snmp_basic 20480 0
nf_nat_tftp 16384 0
What am I missing?
I don't think it matters, but the NATed FTP server is a CentOS 7.x with
ProFTPd.
--
Thanks,
Paolo
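The transcripts above show the two addresses FTP carries inside its control channel: the client's PORT command (192,168,111,107, a private address of the client box) and the server's 227 reply (192,168,109,71, the server's DMZ address rather than A.B.C.D). Either one reaching the far end unrewritten means a NAT device on the path did not translate the payload, and the data connection times out exactly as seen. The following script is an added example, not code from the post or from Shorewall: it decodes the RFC 959 host,port tuples from a captured ftp(1) debug session and flags addresses that do not match the peer's public address. The sample transcript is constructed from the lines in the post, and the public addresses 203.0.113.10 (standing in for A.B.C.D) and 198.51.100.7 (the client's public address) are placeholders.

```python
"""Spot FTP data-channel addresses that cannot work across NAT.

FTP puts IP addresses inside the control channel: the client's PORT
command (active mode) and the server's 227 reply (passive mode). If a
NAT device on the path does not rewrite those addresses (no FTP
conntrack helper attached to the control connection), the peer tries
to connect to a private address and the data connection times out.
"""
import ipaddress
import re

# "h1,h2,h3,h4,p1,p2" as used by PORT and by the 227 reply (RFC 959)
HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"PORT " + HOSTPORT)
PASV_RE = re.compile(r"^227 .*\(" + HOSTPORT + r"\)")


def decode_hostport(groups):
    """Turn the six RFC 959 octets into (ip_address, port)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return ipaddress.ip_address(f"{h1}.{h2}.{h3}.{h4}"), p1 * 256 + p2


def classify(advertised, expected):
    """Compare the address inside the FTP message with the address the
    peer really sees on the control connection."""
    if advertised == expected:
        return "ok"
    if advertised.is_private:
        return "private address leaked through NAT (helper did not rewrite it)"
    return "address differs from control-connection peer"


def analyse_transcript(lines, server_public_ip, client_public_ip):
    """Return (message, advertised address, port, verdict) for every
    PORT command and 227 reply found in an ftp(1) debug transcript."""
    server_public_ip = ipaddress.ip_address(server_public_ip)
    client_public_ip = ipaddress.ip_address(client_public_ip)
    findings = []
    for line in lines:
        line = line.strip()
        if line.startswith("---> "):  # ftp(1) debug prefix for sent commands
            line = line[5:]
        m = PORT_RE.match(line)
        if m:
            addr, port = decode_hostport(m.groups())
            findings.append(("PORT", str(addr), port,
                             classify(addr, client_public_ip)))
            continue
        m = PASV_RE.match(line)
        if m:
            addr, port = decode_hostport(m.groups())
            findings.append(("PASV", str(addr), port,
                             classify(addr, server_public_ip)))
    return findings


# Constructed sample: the failing lines from the post, plus one healthy
# 227 reply that advertises the server's public (placeholder) address.
SAMPLE_TRANSCRIPT = [
    "ftp> ls",
    "---> PORT 192,168,111,107,196,255",
    "200 PORT command successful",
    "425 Unable to build data connection: Connection timed out",
    "ftp> dir",
    "227 Entering Passive Mode (192,168,109,71,178,174).",
    "ftp: connect: Connection timed out",
    "227 Entering Passive Mode (203,0,113,10,200,1).",
]

SERVER_PUBLIC_IP = "203.0.113.10"   # placeholder for A.B.C.D
CLIENT_PUBLIC_IP = "198.51.100.7"   # placeholder for the client's public IP


def demo():
    """Run the analysis over the constructed transcript."""
    return analyse_transcript(SAMPLE_TRANSCRIPT, SERVER_PUBLIC_IP, CLIENT_PUBLIC_IP)


if __name__ == "__main__":
    for msg, addr, port, verdict in demo():
        print(f"{msg:4} {addr}:{port}  {verdict}")
```

Run against the post's own lines, the script reports the PORT command as a leaked private client address (active mode cannot work from behind a NAT that has no FTP helper for outbound connections) and the 227 reply as a leaked private server address, which is the symptom to look for on the DNAT side: the reply should have carried A.B.C.D if the ftp NAT helper had been attached to that control connection. The healthy 227 line is flagged "ok" because the advertised address equals the address the client connected to.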
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users