You should run tcpdump or wireshark on both interfaces of the Shorewall router
to see what's happening. Example:
dmz eth0 router eth1
FTP <--> Shorewall <--> client
tcpdump -n -i eth0 port 21 or portrange 60000-65530
AND
tcpdump -n -i eth1 port 21 or portrange 60000-65530
What ports are getting forwarded?
Note to all: The original post never mentioned SSL. Did
I miss something?
Bill
On 12/6/2017 2:34 PM, Paolo Andretta wrote:
On Wed, 6 Dec 2017, Thomas Deutschmann wrote:
FTP is always "special" ... :-)
[...]
What am I missing?
I don't think it matters, but the natted FTP server is a CentOS 7.x
with ProFTPd.
http://www.proftpd.org/docs/howto/NAT.html
You have to tell your ftp server which passive ports should be used.
You have to open (forward) all of these ports because you cannot know
which port will be selected for the specific connection. Helpers like
ip_conntrack_ftp don't support encryption.
Already tried before without result, but tried again:
In proftpd.conf:
MasqueradeAddress A.B.C.D
PassivePorts 60000 65530
In shorewall rules:
FTP(DNAT) net dmz:192.168.109.71 tcp - - A.B.C.D
DNAT net dmz:192.168.109.71 tcp 60000:65530 - A.B.C.D
No real difference:
# ftp SERVER.com
Connected to SERVER.com.
220 FTP Server ready.
Name (SERVER.com:root): USER-ftp
331 Password required for USER-ftp
Password:
230 User USER-ftp logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode on.
ftp> dir
227 Entering Passive Mode (A,B,C,D,252,213).
ftp: connect: No route to host
ftp> passive
Passive mode off.
ftp> dir
200 PORT command successful
425 Unable to build data connection: Connection timed out
So:
- active mode works from some connections and not from others (why?)
- passive mode never works
Thanks, Paolo
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
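A small consistency check, added here as an example and not code from the thread, ProFTPd or Shorewall: it decodes a 227 reply like the one Paolo pasted and verifies that the advertised address matches MasqueradeAddress and that the port falls inside both PassivePorts and the DNAT range, which is exactly the agreement the two Shorewall rules above depend on. The public address 203.0.113.10 and the example replies are constructed sample input.

```python
import re
from ipaddress import IPv4Address

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)  ->  port = p1*256 + p2
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str):
    """Decode a 227 PASV reply into (IPv4Address, data port)."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a 227 reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return IPv4Address(f"{h1}.{h2}.{h3}.{h4}"), p1 * 256 + p2


def check_pasv(reply: str, masquerade_addr: str,
               passive_ports: tuple, dnat_ports: tuple) -> list:
    """Explain why a DNAT'd passive data connection for this reply could
    fail. Returns a list of findings; an empty list means the reply is
    consistent with the server and firewall configuration."""
    addr, port = parse_pasv(reply)
    findings = []
    # Server must advertise the public (masqueraded) address, not its
    # DMZ address, or the client connects to an unroutable host.
    if addr != IPv4Address(masquerade_addr):
        findings.append(f"advertised {addr}, expected MasqueradeAddress "
                        f"{masquerade_addr}")
    # Port must be one the server was told to use...
    lo, hi = passive_ports
    if not lo <= port <= hi:
        findings.append(f"port {port} outside PassivePorts {lo} {hi}")
    # ...and one the firewall actually forwards to the DMZ host.
    dlo, dhi = dnat_ports
    if not dlo <= port <= dhi:
        findings.append(f"port {port} outside DNAT range {dlo}:{dhi}")
    return findings


if __name__ == "__main__":
    # Constructed sample: same (252,213) tuple as in the thread.
    reply = "227 Entering Passive Mode (203,0,113,10,252,213)."
    print(parse_pasv(reply))
    print(check_pasv(reply, "203.0.113.10", (60000, 65530), (60000, 65530)))
```

Run it against the 227 line captured with the tcpdump commands above; a non-empty result points at the server or rule that needs changing.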