First thing I should say is about the FTP active/passive mode, or say PORT/PASV mode.
We can read the differences from wikipedia or Active FTP vs. Passive FTP, a Definitive Explanation.
The two mode indicates who initialise the data connection and the active/passive is used to describe server’s action.
Active mode: server create a connection to the port client gives.
Passive mode: server receive a connection from a client.
I saw a program implements its own ftp client, only active mode is supported, which means the server must have a *direct* access to any port client tells server to connect to, and the program is NOT patchable.
I need to make this program running behind a router and many many levels of VPN/PPPoE servers, if I want ftp client working, I have to set up lots of NAT and port forwarding, if I have more than one client, I may need dynamic port forwarding, that is a bad solution.
CLIENTS ======> VPN/PPPoE Server 1 =======> VPN/PPPoE Server 2 =======> VPN/PPPoE Server 3 =======> SERVER NETWORK
Good news is the FTP server supports passive mode, if I can set up a proxy/gateway in the same subnet clients locate, which can forward the active mode to a passive mode connection, clients may work.
CLIENTS =======FTP=ACTIVE=MODE======> PROXY/GATEWAY ======FTP=PASSIVE=MODE======> SERVER
I found a FTP proxy: jftpgw.
jftpgw is an FTP proxy/gateway that uses the FTP protocol (unlike those FTP proxies that fetch an FTP file but work as an http proxy). You can use it to make servers behind a firewall/NAT server (masquerading server) accessible or to allow users behind such solutions to transfer files to and from the outside of the LAN.
Remote FTP Server IP/Port: 10.200.3.3/21
FTP account/password: aaaaaa/bbbbbb
VPN/PPPoE Server: 172.16.10.1
VPN/PPPoE Subnet: 172.16.20.0/24
PPPoE device on Server: ppp2560 (by setting up unit in peers’ config)
# serverport - the port the client connects to if none is specified
# defaultmode - the transfermode between the proxy and the server
# active: use active FTP
# asclient: choose the one the client chooses
# passive: use passive FTP
# debuglevel ranging from 1 to 9
# 1: the most silent
# 9: the most verbose
# dropprivileges - when to drop root privileges if the proxy is started
# as root
# start: right after startup
# startsetup: after inital setup (bind, logfile, pid file)
# connect: as soon as a client connects (forking process stays with UID
# connectsetup: after connect and some setup
# never: never drop privileges completely but still change EUID
# runasuser - username to switch to
# runasgroup - groupname to switch to
# runasgroup nogroup
# loginstyle - specify how the client will tell the proxy where it
# wants to connect to
# 0: USER name will be passed on as is
# 1: USER without login
# 2: USER with login
# 3: SITE with login
# 4: SITE without login
# 5: OPEN with login
# 6: OPEN without login
# 7: CheckPoint FW1 - USER user@email@example.com
# 8: USER firstname.lastname@example.org
# 9: USER user@host FireID
# logintime - specify when the proxy will connect to the target host.
# Please note that there are some incompatibilities with the different
# connect: upon the connection of the client (for transparent proxying,
# or for a "forward *@188.8.131.52" setting)
# user: after the proxy has received the remote user name
# pass: after the proxy has received the remote password
# listen - List of IP adresses and port numbers on which the proxy will
# listen, separate by whitespace
# logstyle - how to log
# syslog: log to syslog
# files: log to a logfile
# logfile - specify the logfile (if logstyle = files)
# pidfile - where to store the file containing the PID of the master
# first we deny access from anywhere, following the rule: everything that is
# not allowed explicitly is forbidden
# forward by user
forward 10.200.3.3 * bbbbbb
This should be set up at VPN Server 1 to hijack connections and forward to local ftp proxy.
iptables -t nat -A PREROUTING -i ppp+ -p tcp -d 10.200.3.3 --dport 21 -j REDIRECT --to-destination 172.16.10.1:21
iptables -t nat -A POSTROUTING -s 172.16.20.0/24 -o ppp2560 -j MASQUERADE