Multiple FTP server on Green

General questions.
hardwareRVR
Posts: 11
Joined: September 26th, 2017, 7:56 am

Multiple FTP server on Green

Post by hardwareRVR » May 30th, 2019, 7:19 am

Hello,
I'm trying to forward the FTP service from RED to multiple servers on GREEN.
I tried to forward various port numbers to port 21 of the servers, like 2121 to 21 on server1 and 2221 to 21 on server2; the login is OK, but after the LIST command it locks until timeout.
If I forward port 21, all is OK.
Why?
What do I need to add to enable these FTP servers with different ports from the WAN?
I can't change the port on the servers.

Regards
Andrea T.

ruhrik
Posts: 40
Joined: December 31st, 2014, 7:54 am

Re: Multiple FTP server on Green

Post by ruhrik » May 30th, 2019, 7:32 am

this is for one server - FileZilla

but as You can see - there is also a DATA rule created - perhaps this is the point where it gets stuck?

so do You also need a second rule for DATA? let Me know. I don't have time to create a second FZ server... :)

hardwareRVR
Posts: 11
Joined: September 26th, 2017, 7:56 am

Re: Multiple FTP server on Green

Post by hardwareRVR » May 30th, 2019, 8:06 am

Hello,
unfortunately I can't set any PASV port limit or other data on the server either; I haven't got "real servers", they are on Xport by Lantronix.
Maybe IPFire is not able to handle these services?
Why does it run without problems if I use port 21 to port 21?
Our client made this service to 2 servers from a single public IP; these 2 servers are also in 2 different little LAN segments in private 10.43.3.x/28, so I think also in VPN to the unique public IP used.
I don't know the client's network system.

Thanks
Andrea T.

ruhrik
Posts: 40
Joined: December 31st, 2014, 7:54 am

Re: Multiple FTP server on Green

Post by ruhrik » May 30th, 2019, 8:36 am

post the printscreen of the rule here pls.

and what about this?

hardwareRVR
Posts: 11
Joined: September 26th, 2017, 7:56 am

Re: Multiple FTP server on Green

Post by hardwareRVR » May 30th, 2019, 8:56 am

Hello,
fwrules
fwrules.jpg
FTP Layer is ON

Andreas T.

ruhrik
Posts: 40
Joined: December 31st, 2014, 7:54 am

Re: Multiple FTP server on Green

Post by ruhrik » May 30th, 2019, 10:14 am

try to send this version:


hardwareRVR
Posts: 11
Joined: September 26th, 2017, 7:56 am

Re: Multiple FTP server on Green

Post by hardwareRVR » May 30th, 2019, 10:59 am

Tried with source RED instead of source ANY, but the same result.
Connection OK, PASV OK, LIST: no more communication.
With port 21 to 21 OK as before.

Andrea T.

ruhrik
Posts: 40
Joined: December 31st, 2014, 7:54 am

Re: Multiple FTP server on Green

Post by ruhrik » May 30th, 2019, 12:07 pm

Andrea, I have created a second FTP server - FileZilla again, because of speed and versatility...

Like I wrote at the beginning - YOU MUST CREATE A DATA PORT RANGE !!!

I remember I also wondered the first time why only login is possible on a custom port - and all works when it runs on port 21.

Look in detail at the FTP definition later somewhere on the WIKI, but the solution is clear.

For any FTP server (except one running on port 21) You should create TWO rules:
1./ custom port for the FTP "handshake"
2./ port range for FTP data

also for example - for TWO servers:
- tested also without the DATA port range - NO LUCK - NO DIR LISTING !
- this is the working config at My site:

As You can see, server one is called at ftp://RED_IP:11119
and server two is called at ftp://RED_IP:11115

If You don't want to use default port 21 You MUST define DATA RANGE PORTS :) ;)

Here the second server without DATA RANGE PORTS:

And WITH DATA RANGE PORTS:

All clear now? :)

ruhrik
Posts: 40
Joined: December 31st, 2014, 7:54 am

Re: Multiple FTP server on Green

Post by ruhrik » May 30th, 2019, 12:37 pm

let's post what kind of device that "Xport by Lantronix" is, or describe more with some schematics like (in my example):

INET <-> [RED:11115 <IPFIRE> GREEN:FTP-IP:21] <-> FTP-IP:21

If You don't know anything about that, You can use the plugin iptraf-ng - try to set up the port 21 version working so it connects and can transfer data
- install iptraf-ng and run it
- create a filter for traffic monitoring from the known IP where the FTP client connects to RED
- play with it and add more filter rules to filter out unwanted traffic

at the end, during some FTP file transfer, You see data counters growing UP on some ports - these ports should be near each other and You can try to create a DATA RULE that covers for example 500 ports lower and upper from the most monitored port number...

it is only an idea, I really don't know if it works... it is possible that it does not, because of the unroutable FTP server address...

or use Wireshark and isolate the FTP server and look at what is going out/in there... (?)

hardwareRVR
Posts: 11
Joined: September 26th, 2017, 7:56 am

Re: Multiple FTP server on Green

Post by hardwareRVR » May 30th, 2019, 12:50 pm

OK, but as I wrote before I can't set the PASV port range (must I redirect from 1024 to 65535?) or change the FTP-CONTROL port in the device.
This is the response of the FTP server.
ftp2.jpg
Our client has 2 of our systems that use this ethernet module, placed at least 200 km air distance apart, connected in 2 different private subnets 10.x.x.x/28 with different gateways. I can connect in FTP to both sites using the same public IP and port 8021 for site 1 and 8121 for site 2, and FTP runs regularly, as do HTTP and SNMP; these 2 last services also run OK in our IPFire network.
I'm using one IPFire for our LAN in outgoing and another IPFire for the second network as incoming, connected to these FTP services; both IPFires are in our public subnet x.x.x.x/28, the first uses IP x.x.x.2 and the other x.x.x.14, and I'm calling x.x.x.14 port yyyy.
I don't know the infrastructure of our client, but at this point I suppose that IPFire hasn't got the right function to permit the FTP service in multi with ports different from 21.

I have also tried to set a redirection of a port range to the same server, and even if the server replies to the PASV cmd with a port in this range, no LIST appears.

Thank you very much for the help.
Now I must detach the systems from the firewall; I must try again later.

Regards
Andrea T.

ruhrik
Posts: 40
Joined: December 31st, 2014, 7:54 am

Re: Multiple FTP server on Green

Post by ruhrik » May 30th, 2019, 1:08 pm

until I write some guide on how to detect ports...

https://slacksite.com/other/ftp.html

ruhrik
Posts: 40
Joined: December 31st, 2014, 7:54 am

Re: Multiple FTP server on Green

Post by ruhrik » May 30th, 2019, 5:10 pm

I have iptraf-ng installed and created the first rule with "a" (add) pressed [it works like a=add and i=insert rules] on the keyboard
1./
aaa.bbb.ccc.ddd - IP from which we look for communication into the firewall's RED adapter
255.255.255.255 - only this one IP (=aaa.bbb.ccc.ddd)
0 - on port means all ports
Y - all IP - any protocol (?)
I - include to show it

2./ press I to insert before the rule with IP aaa.bbb.ccc.ddd
fill in what is needed - for example we DON'T need communication on port 444 (web GUI IPFire) or 8080 (web GUI router), so we should give E - for exclude
- you don't need to fill in zeros - they will be filled in automatically (edit the rule again to see it)
- you can define port ranges (444 - for example 555) - but we need to see on which ports it sends data, so exclude as little as possible (mostly one port for one app web GUI and so on)

create as many filter rules as needed

and when You start sending something through FTP You will see where the numbers (bytes, packets) increase most - so on these ports is the DATA flow - so You can think You should, as a second rule, create a DATA PORT RANGE near these port numbers - about 200+ and 200- (?)
- every new connection reuses after a while the same ports for data transfer - so look carefully at the numbers :)

good luck :)

hardwareRVR
Posts: 11
Joined: September 26th, 2017, 7:56 am

Re: Multiple FTP server on Green

Post by hardwareRVR » May 31st, 2019, 9:37 am

:)
Hi,
I have found the solution.
I don't know if there is an easier mode, like a GUI, to insert these iptables rules in the CONNTRACK chain than the one used by me, but the port used for alternative FTP ports redirected to port 21 of the server needs to be added.
In /etc/init.d/firewall there is a row like this for port 21 standard FTP:
iptables -t raw -A CONNTRACK -p tcp --dport 21 -j CT --helper ftp

A row must be added for each alternative port, i.e. port 8021 to 21:

iptables -t raw -A CONNTRACK -p tcp --dport 8021 -j CT --helper ftp

I have added this rule by hand from the prompt and the listing appears.
On the next multi FTP server system I need to install I will test with all.

Thanks for help

Regards
Andrea T.

ruhrik
Posts: 40
Joined: December 31st, 2014, 7:54 am

Re: Multiple FTP server on Green

Post by ruhrik » May 31st, 2019, 12:28 pm

that sounds good :)

will try to test sometime...

perhaps this is something other than the passive port range I wrote about...

it looks like the right solution!

thank You. :)

hardwareRVR
Posts: 11
Joined: September 26th, 2017, 7:56 am

Re: Multiple FTP server on Green

Post by hardwareRVR » May 31st, 2019, 1:30 pm

Yes,
these rules enable the forwarding of the range 1024:65535 also with the added port, not only for 21 as with the FTP option enabled in the Application Layer Gateway
ftp3.jpg
By adding the lines, the rule
iptables -A CONNTRACK -m conntrack --ctstate RELATED -m helper --helper ftp -p tcp --dport 1024: -j ACCEPT
is enabled also for the other ports; the "limitation" is that you must define a set of ports and use only these for these services.
I have added the line in the /etc/rc.d/firewall script and rebooted the firewall, and now I can use port 8021 for FTP, so I have added ports 8021, 8121, 8221, etc. for our devices with an FTP server on board.

Thank you for telling me about the Firewall Options page with the ALG setting.

I think if you need to use the other services in ALG with different ports on the public WAN you must add rule lines with the proper ports in the proper sections of the script.

Maybe it's a good idea to add an add-on to have a GUI for this purpose, or one already exists and I don't know its name.

Regards
Andrea T.
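The two iptables lines the thread arrives at (the raw-table CT helper assignment per control port in the May 31st 9:37 post, and the RELATED/helper ACCEPT rule in the 1:30 pm post) are what make a non-21 control port behave like port 21: without the ftp helper attached, conntrack never parses the PASV reply, so the data connection is not RELATED and the LIST hangs. The script below is an added example, not code from the thread or from IPFire. It generates (and optionally applies) those rules for a list of alternative control ports. The chain name CONNTRACK and the rule shapes are taken from the posts; the function names, the port validation, the DRY_RUN default and the sample ports 8021/8121 are this example's own assumptions, and the DNAT of each control port to the server's port 21 is assumed to already exist (the thread does that in the IPFire GUI).

```shell
#!/bin/sh
# Added example (not from the thread or IPFire): emit the iptables rules that
# attach the ftp conntrack helper to alternative FTP control ports, so PASV data
# connections become RELATED and are accepted. Chain/rule shapes come from the
# thread; function names and the DRY_RUN default are assumptions of this example.

# is_port N : true when N is an integer in 1..65535
is_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# ftp_helper_rule PORT : the raw-table rule that assigns the ftp helper to one control port
ftp_helper_rule() {
  printf 'iptables -t raw -A CONNTRACK -p tcp --dport %s -j CT --helper ftp\n' "$1"
}

# ftp_data_rule : the single rule accepting the RELATED data connections the helper expects
ftp_data_rule() {
  printf 'iptables -A CONNTRACK -m conntrack --ctstate RELATED -m helper --helper ftp -p tcp --dport 1024: -j ACCEPT\n'
}

# ftp_helper_rules PORT... : one helper line per valid port, then the data rule.
# Invalid ports are reported on stderr and skipped; return status 1 if any were skipped.
ftp_helper_rules() {
  rc=0
  for p in "$@"; do
    if is_port "$p"; then
      ftp_helper_rule "$p"
    else
      printf 'skipping invalid port: %s\n' "$p" >&2
      rc=1
    fi
  done
  ftp_data_rule
  return $rc
}

# apply_ftp_helper_rules PORT... : print the lines (DRY_RUN=1, the default) or run them
# (DRY_RUN=0, needs root). Printing first lets you review what will be added to the chain.
apply_ftp_helper_rules() {
  ftp_helper_rules "$@" | while IFS= read -r line; do
    if [ "${DRY_RUN:-1}" = 1 ]; then
      printf '%s\n' "$line"
    else
      eval "$line"
    fi
  done
}

# has_ftp_helper PORT : check a live ruleset for an existing helper assignment on PORT
# (reads the raw CONNTRACK chain; needs root, so it is not exercised offline)
has_ftp_helper() {
  iptables -t raw -S CONNTRACK 2>/dev/null | grep -q -- "--dport $1 .*--helper ftp"
}

# Constructed sample: the two site ports from the thread, printed, not applied.
apply_ftp_helper_rules 8021 8121
```

Run it as-is to review the lines, then `DRY_RUN=0 sh ftp-helper.sh 8021 8121` (or paste the printed lines into the firewall script, as the thread does) to apply them; `has_ftp_helper 8021` afterwards confirms the helper assignment is present in the raw table.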
