On Wed, 6 Dec 2017, Thomas Deutschmann wrote:

FTP is always "special"  ... :-)

[...]

What am I missing?

I don't think it matters, but the natted FTP server is a CentOS 7.x
with ProFTPd.

http://www.proftpd.org/docs/howto/NAT.html

You have to tell your ftp server which passive ports should be used.

You have to open (forward) all of these ports because you cannot know
which port will be selected for the specific connection. Helpers like
ip_conntrack_ftp don't support encryption.

Already tried before without result, but tried again:

In proftpd.conf:

MasqueradeAddress A.B.C.D
PassivePorts 60000 65530

In shorewall rules:

FTP(DNAT)    net     dmz:192.168.109.71 tcp      -   -    A.B.C.D
DNAT    net     dmz:192.168.109.71 tcp     60000:65530     -       A.B.C.D


No real difference:

# ftp SERVER.com
Connected to SERVER.com.
220 FTP Server ready.
Name (SERVER.com:root): USER-ftp
331 Password required for USER-ftp
Password:
230 User USER-ftp logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode on.
ftp> dir
227 Entering Passive Mode (A,B,C,D,252,213).
ftp: connect: No route to host
ftp> passive
Passive mode off.
ftp> dir
200 PORT command successful
425 Unable to build data connection: Connection timed out


So:

- active mode works from some connections and not from others (why?)
- passive mode never works

Thanks, Paolo
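The passive-mode failure shown above comes down to two things the client can check from the 227 reply alone: the address the server advertises (which should be the MasqueradeAddress, not the private DMZ address) and whether the advertised port, computed as p1*256 + p2, falls inside both the PassivePorts range and the DNAT port range. The following diagnostic is an added example written for this thread, not code from the original posts or from ProFTPd or Shorewall; the 203.0.113.10 public address and the 192.168.109.71 reply are constructed sample values standing in for A.B.C.D.

```python
import re

# 227 reply looks like: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Parse a 227 PASV reply into (ip, port); port = p1*256 + p2."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(not 0 <= f <= 255 for f in fields):
        raise ValueError(f"field out of 0-255 range in {reply!r}")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_pasv(reply, connected_to, passive_ports, dnat_ports):
    """Compare a 227 reply against the address the client dialled and the
    configured port ranges. Returns (ip, port, list_of_problems)."""
    ip, port = parse_pasv(reply)
    problems = []
    if ip != connected_to:
        # Server advertised a different address than the client used:
        # typically a missing or wrong MasqueradeAddress behind NAT.
        problems.append(
            f"server advertised {ip} but client connected to {connected_to} "
            f"(check MasqueradeAddress)")
    lo, hi = passive_ports
    if not lo <= port <= hi:
        problems.append(f"port {port} outside PassivePorts {lo}-{hi}")
    flo, fhi = dnat_ports
    if not flo <= port <= fhi:
        problems.append(f"port {port} not covered by DNAT range {flo}:{fhi}")
    if not (flo <= lo and hi <= fhi):
        # Config-level mismatch, independent of this one reply.
        problems.append(
            f"PassivePorts {lo}-{hi} is not fully inside DNAT range {flo}:{fhi}")
    return ip, port, problems


# Constructed sample values (203.0.113.10 stands in for A.B.C.D).
PUBLIC_IP = "203.0.113.10"
PASSIVE_PORTS = (60000, 65530)   # PassivePorts from proftpd.conf
DNAT_PORTS = (60000, 65530)      # port range in the Shorewall DNAT rule

# Reply as it should look with MasqueradeAddress set correctly.
GOOD_REPLY = "227 Entering Passive Mode (203,0,113,10,252,213)."
# Reply when the server leaks its private DMZ address instead.
BAD_REPLY = "227 Entering Passive Mode (192,168,109,71,252,213)."

if __name__ == "__main__":
    for reply in (GOOD_REPLY, BAD_REPLY):
        ip, port, problems = check_pasv(reply, PUBLIC_IP, PASSIVE_PORTS, DNAT_PORTS)
        print(f"{reply} -> {ip}:{port}")
        for p in problems:
            print("  problem:", p)
```

Run it against the real 227 line from your own session; if the address or port is reported as a problem, the fault is in proftpd.conf or the DNAT range rather than in the client. If both checks pass and the data connection still fails, the remaining suspects are the firewall's accept rules for the forwarded range and, for TLS sessions, the conntrack helper that cannot see the encrypted PASV exchange.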


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
