Gentoo Forums
Gentoo server with proftpd installed. NAT blocking FTP <- WAN
xhakerek
n00b
Joined: 27 Oct 2008
Posts: 32
Location: Korolówka

PostPosted: Sun Jun 29, 2014 6:36 pm    Post subject: Gentoo server with proftpd installed. NAT blocking FTP <- WAN

Hi!
I can't make it work. I can connect to the FTP server only from computers connected to my home network. SSH and WWW work fine. I added a rule the same way and it doesn't work. Neither in ACTIVE nor PASSIVE mode.
nf_conntrack_ftp built into the kernel
When I start proftpd with the -nd5 option I don't see anything when trying to connect to it from the WAN.
Soon I'll start to pull my hair out lol. Please help me. I'll paste whatever you need.
For active I've tried opening ports 20 and 21,
for passive the same thing plus passive ports declaration in proftpd.conf and opening them.
iptables rules pasted from gentoo home router howto.
When I stop iptables service the server works fine in both modes. It must be something wrong with NAT or nf_conntrack_ftp, right? I remember just forwarding ports worked when I did it last time. It's an ARM NAS box if it matters.
Thanks in advance!
khayyam
Watchman
Joined: 07 Jun 2012
Posts: 6228
Location: Room 101

PostPosted: Sun Jun 29, 2014 7:25 pm    Post subject:

xhakerek ... wild guess ... you have both NF_CONNTRACK_FTP and NF_NAT_FTP enabled?

Also, have you defined the ports for the modules?

/etc/modprobe.d/nf_conntrack.conf
Code:
options ip_conntrack_ftp ports=20,21
options ip_nat_ftp ports=20,21

Also, you will need to define PassivePorts in proftpd.conf (at least you did when last I used proftpd).

Otherwise, you should post the iptables ruleset in use ...

best ... khay
xhakerek
n00b
Joined: 27 Oct 2008
Posts: 32
Location: Korolówka

PostPosted: Sun Jun 29, 2014 7:38 pm    Post subject:

My iptables -L
Code:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere           
REJECT     udp  --  anywhere             anywhere             udp dpt:bootps reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere             udp dpt:domain reject-with icmp-port-unreachable
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
DROP       tcp  --  anywhere             anywhere             tcp dpts:0:1023
DROP       udp  --  anywhere             anywhere             udp dpts:0:1023
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp-data
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpts:60000:65535

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DROP       all  --  anywhere             192.168.0.0/16     
ACCEPT     all  --  192.168.0.0/16       anywhere           
ACCEPT     all  --  anywhere             192.168.0.0/16     

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Problem solved. I typed in the rules for FTP AFTER setting everything up. It seems that it matters, and rules for FTP only work when they are BEFORE the DROP rules for ports 0:1023. I'm a dumb a**.
I had no idea. Realized that by putting all the rules in the script (one file, and the ftp rule just after the rule for ssh).
I'm not worthy ;) Thank you!
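The fix in the last post comes down to first-match semantics: iptables walks a chain top to bottom and stops at the first rule that matches, so an ACCEPT for port 21 appended after "DROP tcp dpts:0:1023" is never reached. The following is an added example, not code from the thread or from any Gentoo howto: a small simulator of that evaluation order, with an INPUT chain modelled on the `iptables -L` listing above. Two assumptions are made that the non-verbose listing hides: the two leading "ACCEPT all" rules are taken to be interface-scoped (loopback and the LAN side), which is what makes LAN clients work while WAN clients are dropped, and the interface names `lo`, `lan0` and `wan0` are invented for the illustration.

```python
"""Constructed illustration of iptables first-match rule ordering.

Not the poster's script; the INPUT chain below is modelled on the
`iptables -L` output in the thread. Interface scoping of the first two
ACCEPT rules and the interface names are assumptions.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    target: str                               # ACCEPT, DROP or REJECT
    proto: Optional[str] = None               # "tcp", "udp" or None for "all"
    dports: Optional[Tuple[int, int]] = None  # inclusive destination port range
    states: Optional[FrozenSet[str]] = None   # conntrack states (-m state)
    in_iface: Optional[str] = None            # -i match, None for any interface


@dataclass(frozen=True)
class Packet:
    proto: str
    dport: int
    state: str      # NEW, ESTABLISHED or RELATED (as conntrack would classify it)
    in_iface: str

    def matches(self, rule: Rule) -> bool:
        if rule.proto is not None and rule.proto != self.proto:
            return False
        if rule.dports is not None and not rule.dports[0] <= self.dport <= rule.dports[1]:
            return False
        if rule.states is not None and self.state not in rule.states:
            return False
        if rule.in_iface is not None and rule.in_iface != self.in_iface:
            return False
        return True


def walk(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> Tuple[str, Optional[int]]:
    """Return (verdict, index of the terminating rule); policy applies if nothing matches."""
    for idx, rule in enumerate(chain):
        if pkt.matches(rule):
            return rule.target, idx
    return policy, None


def verdict(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    return walk(chain, pkt, policy)[0]


# Rules from the posted listing (interface scoping of the first two is assumed).
LO = Rule("ACCEPT", in_iface="lo")
LAN = Rule("ACCEPT", in_iface="lan0")
REJ_BOOTPS = Rule("REJECT", "udp", (67, 67))
REJ_DOMAIN = Rule("REJECT", "udp", (53, 53))
SSH = Rule("ACCEPT", "tcp", (22, 22))
DROP_LOW_TCP = Rule("DROP", "tcp", (0, 1023))
DROP_LOW_UDP = Rule("DROP", "udp", (0, 1023))
FTP = Rule("ACCEPT", "tcp", (21, 21))
FTP_DATA = Rule("ACCEPT", "tcp", (20, 20))
RELATED_EST = Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"}))
PASSIVE = Rule("ACCEPT", "tcp", (60000, 65535))

# Order as posted: the FTP ACCEPTs were appended after the broad DROP.
AS_POSTED = [LO, LAN, REJ_BOOTPS, REJ_DOMAIN, SSH,
             DROP_LOW_TCP, DROP_LOW_UDP, FTP, FTP_DATA, RELATED_EST, PASSIVE]

# Fixed order from the last post: FTP rules right after ssh, before the DROPs.
FIXED = [LO, LAN, REJ_BOOTPS, REJ_DOMAIN, SSH,
         FTP, FTP_DATA, DROP_LOW_TCP, DROP_LOW_UDP, RELATED_EST, PASSIVE]

# Constructed packets: a new FTP control connection from the WAN and from the LAN.
WAN_FTP_SYN = Packet("tcp", 21, "NEW", "wan0")
LAN_FTP_SYN = Packet("tcp", 21, "NEW", "lan0")
WAN_SSH_SYN = Packet("tcp", 22, "NEW", "wan0")
WAN_PASV_DATA = Packet("tcp", 60000, "NEW", "wan0")


if __name__ == "__main__":
    for name, chain in (("as posted", AS_POSTED), ("fixed", FIXED)):
        target, idx = walk(chain, WAN_FTP_SYN)
        print(f"{name:10s}: WAN -> tcp/21 NEW => {target} (rule #{idx}: {chain[idx]})")
```

Running the script shows the WAN control connection terminating at rule 5 (the 0:1023 DROP) in the posted order and at the ftp ACCEPT in the fixed order, while the LAN client and SSH succeed in both. The same first-match logic explains why checking with `iptables -L -v` (which shows interfaces and per-rule packet counters) is the quickest way to see which rule is actually eating the traffic.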