www.zeroshell.org Forum Index
Linux Distribution for server and embedded devices
How to configure FTP through Firewall/NAT?

 
www.zeroshell.org Forum Index -> Networking
Aileron
Joined: 16 Jul 2008
Posts: 13
Posted: Thu Aug 05, 2010 7:25 am    Post subject: How to configure FTP through Firewall/NAT?

Hi everybody,

I wonder how I should configure my Zeroshell firewall so that my clients can connect to foreign FTP servers (in PASV mode).

I have a single IP address, all clients are NATed and firewalled through a Zeroshell box.

The firewall is configured as a white list which means that outgoing connections to all ports are being dropped except those which are allowed (HTTP, POP3, SMTP, ...).

Active FTP connections obviously won't work as the server is unable to directly connect to a port opened by a NATed client. An option would be to assign a small port range to be forwarded directly to one client. The FTP client then can only use those ports for FTP data transfer which would be fine - but so far I haven't found a Windows FTP client that allows its active ports to be chosen.

Passive FTP connections do not work either - as I understand it, the server opens an arbitrary port to which the client is allowed to connect. As my firewall allows only a very limited number of selected ports to connect, the FTP client will fail to connect to the server's data port.

Is there any chance of configuring my firewall/NAT/port forwarding/(ftp client?) in a way that FTP connections are possible through ZeroShell?

Thanks in advance!
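Why the passive-mode data port cannot be put on a fixed whitelist, as an added example that is not part of the thread: the server announces the data endpoint inside its reply on the control channel, and the kernel's nf_conntrack_ftp helper has to parse exactly that reply before it can mark the client's data connection RELATED. The functions below do the same parsing for a classic PASV reply (RFC 959) and an EPSV reply (RFC 2428); the replies, the client address 192.168.10.5 and the server address 203.0.113.10 (a documentation range) are constructed sample input.

```shell
#!/bin/sh
# Added example (not from the thread): recover the data-channel endpoint
# from an FTP server's passive-mode reply, which is what the kernel's
# nf_conntrack_ftp helper does on the control channel before it can
# register an expectation for the client's data connection.
# Sample replies and addresses below are constructed.

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
# The data port is p1*256 + p2. Prints "host:port" on success.
pasv_endpoint() {
    reply=$1
    case $reply in
        227*"("*")"*) ;;
        *) echo "not a 227 PASV reply: $reply" >&2; return 1 ;;
    esac
    fields=${reply#*"("}      # drop everything up to and including '('
    fields=${fields%%")"*}    # drop ')' and whatever follows
    old_ifs=$IFS
    IFS=,
    set -- $fields            # $1..$6 = h1 h2 h3 h4 p1 p2
    IFS=$old_ifs
    if [ $# -ne 6 ]; then
        echo "malformed PASV fields: $fields" >&2
        return 1
    fi
    echo "$1.$2.$3.$4:$(( $5 * 256 + $6 ))"
}

# RFC 2428 EPSV reply: "229 Entering Extended Passive Mode (|||port|)".
# Only the port is announced; the host is the control connection's peer.
epsv_port() {
    reply=$1
    case $reply in
        229*"(|||"*"|)"*) ;;
        *) echo "not a 229 EPSV reply: $reply" >&2; return 1 ;;
    esac
    port=${reply#*"(|||"}
    port=${port%%"|"*}
    echo "$port"
}

# The flow a RELATED match must admit for a client at $1 once the server
# at $2 has sent reply $3: "tcp <client> -> <server data endpoint>".
# The destination port is whatever the server chose, so no static port
# whitelist can anticipate it.
expected_data_flow() {
    client=$1 server=$2 reply=$3
    case $reply in
        227*) endpoint=$(pasv_endpoint "$reply") || return 1 ;;
        229*) endpoint="$server:$(epsv_port "$reply")" || return 1 ;;
        *) echo "unsupported reply: $reply" >&2; return 1 ;;
    esac
    echo "tcp $client -> $endpoint"
}

# Constructed sample exchange: a NATed client talking to a public server.
expected_data_flow 192.168.10.5 203.0.113.10 "227 Entering Passive Mode (203,0,113,10,195,149)."
expected_data_flow 192.168.10.5 203.0.113.10 "229 Entering Extended Passive Mode (|||50069|)"
```

Both sample calls resolve to the same data flow, tcp 192.168.10.5 -> 203.0.113.10:50069; port 50069 exists only for that one transfer, which is why the firewall needs the conntrack helper's expectation rather than a port rule. The helper can only do this when it sees the control channel in clear text; with FTP over TLS (AUTH TLS) the 227/229 reply is encrypted and no expectation is created.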
ppalias
Joined: 17 Dec 2008
Posts: 1151
Location: Athens, Greece
Posted: Thu Aug 05, 2010 10:05 am

I suppose you have enabled nf_conntrack and nf_nat_ftp as a module. It is supposed to keep track of connections so that when you open an outgoing connection the reply is accepted. Check that packets are not dropped on the firewall by enabling logging. Try to use L7 protocol matching instead of plain ports. Use both ports 20 and 21 for ftp.
Aileron
Joined: 16 Jul 2008
Posts: 13
Posted: Fri Aug 06, 2010 6:34 am

Thanks for replying. I am using zeroshell 1.0.beta10 (which is quite old, I know, but updates for some reason failed). Connection tracking is active; I do not know anything about modules... even though the latter one you mentioned sounds interesting.

This is my current configuration for FTP:
Code:
BRIDGE00 * ACCEPT tcp opt -- in BRIDGE00 out * 192.168.10.0/24 -> 0.0.0.0/0 tcp dpt:21 no
BRIDGE00 * ACCEPT tcp opt -- in BRIDGE00 out * 192.168.10.0/24 -> 0.0.0.0/0 state RELATED no
BRIDGE00 * ACCEPT tcp opt -- in BRIDGE00 out * 192.168.10.0/24 -> 0.0.0.0/0 tcp dpt:20 no
BRIDGE00 * ACCEPT tcp opt -- in BRIDGE00 out * 192.168.10.0/24 -> 0.0.0.0/0 LAYER7 l7proto ftp no

Active FTP works just fine - but passive FTP does not for some reason. Some servers my clients would like to connect to only allow PASV connections so I wonder what I am doing wrong... Any more hints?
Thanks in advance!
ppalias
Joined: 17 Dec 2008
Posts: 1151
Location: Athens, Greece
Posted: Fri Aug 06, 2010 1:57 pm

In line 2 you also have to add
Code:
ESTABLISHED

Apart from that, you don't mention which is the WAN interface, which is the source IP and which is the destination IP of the FTP server.
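The fix above, written out as a complete ruleset; this is an added example and not Zeroshell's generated configuration. With the four rules quoted earlier, active transfers most likely work only by accident: the server opens the data channel from its port 20, so the client's replies carry dpt:20 and match rule 3. A passive data channel goes to a random server port; its first packet is RELATED (rule 2 admits it), but every later packet of that transfer is ESTABLISHED and matches nothing, which is why PASV stalls. The ruleset assumes the LAN 192.168.10.0/24 on BRIDGE00 from the thread, an Internet-facing interface called WAN0 (assumed name), and a kernel with nf_conntrack_ftp / nf_nat_ftp; the CT rule in the raw table is needed on kernels 4.7 and later, where helpers are no longer attached automatically.

```shell
#!/bin/sh
# Added example, not Zeroshell's generated configuration: a minimal
# iptables whitelist that lets NATed clients use both active and passive
# FTP. Assumed (not stated in the thread): LAN 192.168.10.0/24 on BRIDGE00,
# an Internet-facing interface named WAN0, and a kernel that ships
# nf_conntrack_ftp / nf_nat_ftp. Review the output before applying it.
LAN_IF=BRIDGE00
LAN_NET=192.168.10.0/24
WAN_IF=WAN0

# The ftp helper watches the control channel, reads PORT/PASV/EPSV
# exchanges and registers the announced data endpoint as an expectation;
# nf_nat_ftp additionally rewrites PORT commands from masqueraded clients.
load_ftp_helper() {
    modprobe nf_conntrack_ftp && modprobe nf_nat_ftp
}

# Rules in iptables-restore syntax. Apply (as root) with:
#   load_ftp_helper && ftp_whitelist_rules | iptables-restore --noflush
ftp_whitelist_rules() {
cat <<EOF
*raw
# Kernels 4.7 and later do not attach helpers automatically; bind the ftp
# helper to outbound control connections, otherwise no expectation exists.
-A PREROUTING -i $LAN_IF -p tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
# Control channel: clients may open port 21 outbound. Other whitelisted
# services (HTTP, SMTP, ...) get their own NEW rules next to this one.
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
# RELATED admits only the first packet of an expected data channel; every
# later packet of that transfer, in either direction, is ESTABLISHED.
# Accepting RELATED alone (rule 2 in the thread) is what breaks PASV.
# No port-20 rule is needed: an active data channel is RELATED as well.
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Whitelist: anything else from the LAN is logged (rate limited) and
# dropped, so a failing transfer shows up in the log instead of timing out.
-A FORWARD -i $LAN_IF -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
-A FORWARD -i $LAN_IF -j DROP
COMMIT
*nat
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}

# Running the script stand-alone prints the ruleset for inspection.
ftp_whitelist_rules
```

The helper opens exactly the endpoint announced on the control channel, for that one flow, and nothing else, so the whitelist stays a whitelist. It cannot help with FTP over TLS, where the PASV reply is encrypted; for such servers the remaining options are a client that pins its data ports (the port-range idea from the first post) or an explicit rule for that server's configured passive range.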