[Firehol-support] FTP NAT ?

Tsaousis, Costa costa at tsaousis.gr
Tue Jun 27 23:17:57 BST 2017


Hi,

When you NAT ftp you have to use cthelper (
https://firehol.org/firehol-manual/firehol-cthelper/).
These are kernel helpers that parse the application protocols (ftp in this
case) and properly setup connection tracking for them.

FireHOL enables these by default for the standard application ports (21 in
this case).
If you change the ftp port, you have to add a cthelper command at the top
of firehol.conf to match the traffic of your ftp server (port 2121 in this
case).

For the original problem you face (ftp on standard port not working),
please check your iptables logs.
FireHOL logs all traffic not matched by any of your rules. You can also use
tcpdump to trace the packets exchanged and find the offending party.

Costa


On Mon, Jun 26, 2017 at 11:43 PM, Whit Blauvelt <whit at transpect.com> wrote:

> Hi,
>
> FTP always uses two ports. If you look it up you'll find plenty of
> discussion. It's either ports 21 and 20, or 21 and an arbitrary high port,
> depending on the passive or active mode.
>
> Here's instructions for entirely iptables code:
> http://www.devops-blog.net/iptables/iptables-rules-for-
> nat-with-ftp-active-passive
>
> Those are opening more high ports than you need. Rules can be tighter than
> that. And you might want another firewall on the FTP server itself to make
> sure that traffic other than on port 21 is RELATED.
>
> I'm sure there's a simpler FireHOL way to handle this, but my habit is to
> keep FTP servers directly on public IPs rather than DNAT to them, partly
> because of these complications.
>
> Whit
>
> On Mon, Jun 26, 2017 at 10:24:06PM +0200, Nicolas Repentin wrote:
> > Hi all,
> >
> > I'm trying to create a simple NAT rule for FTP. I don't understand why,
> > but when I use ftp port, it doesn't work :
> >
> > my firehol server is 10.9.1.1. My ftp is 192.168.1.200 (reachable from
> > firehol server). My client is 10.9.1.14.
> >
> > If I do this :
> >
> > dnat4 192.168.1.200:21 proto tcp dport 21 inface vpnhome src 10.9.1.14
> >
> > router4 vpnhome2lan inface vpnhome outface eth0
> >     route "ftp" accept src 10.9.1.14
> >
> >
> > It doesn't work.
> >
> > If I replace 21 or ftp by 2121, and change the FTP server port to 2121
> > it works.
> >
> > I don't have firewall on FTP server, and the 21 port is not used on
> > firehol server.
> >
> > Any idea?
> >
> > Second problem, when using 2121, I can connect ftp server. But, fail
> > when trying to list folders. I got an error because 192.168.1.200 is not
> > reachable... Any idea?
> >
> > Is it a "best way" to create dnat for ftp ?
> >
> >
> > Thanks
> >
> > _______________________________________________
> > Firehol-support mailing list
> > Firehol-support at lists.firehol.org
> > http://lists.firehol.org/mailman/listinfo/firehol-support

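A worked firehol.conf for the non-standard-port case Costa describes, added here as an example and not something posted in the thread. It reuses the addresses and interface names from Nicolas's message and assumes the `cthelper helper action [rule-params]` form documented on the linked manual page and the `server custom` service syntax for the router; both are assumptions, check them against your FireHOL version.

```firehol
# Added example (not from the thread): DNAT an FTP server that listens on 2121.
# Assumes the cthelper syntax from
# https://firehol.org/firehol-manual/firehol-cthelper/ (helper, action, rule params).

version 6

# FireHOL turns the ftp conntrack helper on for port 21 only. Extend it to
# 2121 so the PORT/PASV exchange is parsed and the data connection is
# tracked (and NATed) as RELATED. This line goes before any interface/router.
cthelper ftp accept proto tcp dport "21 2121"

# Forward the control connection from the VPN client to the internal server.
dnat4 192.168.1.200:2121 proto tcp dport 2121 inface vpnhome src 10.9.1.14

# Let the control connection through the router. The helper marks the data
# connection RELATED, which FireHOL accepts along with the service.
# "server custom" is assumed here because the built-in "ftp" service is port 21.
router4 vpnhome2lan inface vpnhome outface eth0
    server custom ftp2121 "tcp/2121" default accept src 10.9.1.14
```

If the directory listing still fails after this, confirm the helper modules are actually present (`lsmod | grep nf_conntrack_ftp`, and `nf_nat_ftp` for the NAT side) and look at the FireHOL log lines for the dropped data connection, as Costa suggests; a data connection that is logged as unmatched rather than accepted as RELATED means the helper is not seeing the control channel on that port.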
