The first thing to explain is FTP's active and passive modes, also called PORT and PASV mode after the commands that select them.
The differences are described on Wikipedia and in Active FTP vs. Passive FTP, a Definitive Explanation.
The mode decides who initiates the data connection, and "active" and "passive" describe the server's role:
Active mode (PORT): the client announces an address and port, and the server connects to it.
Passive mode (PASV): the server announces an address and port, and the client connects to it.
I came across a program that implements its own FTP client and supports only active mode. That means the server must be able to reach *directly* whatever address and port the client puts in its PORT command, and the program cannot be patched.
I need to run this program behind a router and several levels of VPN/PPPoE servers. To make its FTP client work as it is, I would have to set up NAT and port forwarding at every hop, and with more than one client I would need dynamic port forwarding. That is a bad solution.
CLIENTS ======> VPN/PPPoE Server 1 =======> VPN/PPPoE Server 2 =======> VPN/PPPoE Server 3 =======> SERVER NETWORK
The good news is that the FTP server supports passive mode. If I can put a proxy/gateway on the same subnet as the clients, one that accepts the clients' active-mode connections and speaks passive mode to the server, the clients can work unchanged.
CLIENTS =======FTP=ACTIVE=MODE======> PROXY/GATEWAY ======FTP=PASSIVE=MODE======> SERVER
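To make the translation in the diagram concrete, here is the control-channel logic such a gateway runs, written for this page as an added Python example; it is not jftpgw's code. The client address 172.16.20.5 and all port numbers are made up, the client subnet and the server address 10.200.3.3 are the ones used below. It also shows the check a gateway must make on the PORT address: a gateway that connects to whatever endpoint the client names is an FTP bounce relay into networks the client cannot reach itself.

```python
"""Control-channel logic of an active-to-passive FTP gateway.

Added example (not jftpgw's code): it models what the PROXY/GATEWAY box in
the diagram has to do.  The client, which only speaks active mode, sends
PORT with the endpoint it wants the server to connect to.  The gateway
swallows that, sends PASV to the server, learns the server's data endpoint
from the 227 reply and later opens both data connections itself.  The
client address 172.16.20.5 and every port number below are made up.
"""
import re

# RFC 959 writes an endpoint as h1,h2,h3,h4,p1,p2 with port = p1 * 256 + p2.
_HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_CMD = re.compile(r"^PORT\s+" + _HOSTPORT + r"\s*$", re.IGNORECASE)
PASV_REPLY = re.compile(r"^227\b.*?\(" + _HOSTPORT + r"\)")
TRANSFER_CMDS = {"RETR", "STOR", "APPE", "STOU", "LIST", "NLST", "MLSD"}


def decode_hostport(fields):
    """Turn the six captured decimal fields into ("a.b.c.d", port)."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("h1-h4,p1,p2 must each be 0..255: %r" % (fields,))
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


class ActiveToPassiveGateway:
    """Per-session state.  from_client() returns (line_for_server,
    reply_for_client); from_server() returns the line for the client."""

    def __init__(self, client_ip):
        self.client_ip = client_ip    # source address of the control connection
        self.client_data = None       # endpoint the client named in PORT
        self.server_data = None       # endpoint the server named in 227
        self.awaiting_pasv = False
        self.plan = None

    def from_client(self, line):
        m = PORT_CMD.match(line)
        if m:
            ip, port = decode_hostport(m.groups())
            # FTP bounce defence (RFC 2577, section 3): a gateway that connects
            # to any address the client names can be used to reach hosts the
            # client cannot, so accept only the client's own address and an
            # unprivileged port.
            if ip != self.client_ip or port < 1024:
                return None, "500 PORT address rejected.\r\n"
            self.client_data = (ip, port)
            self.awaiting_pasv = True
            return "PASV\r\n", None          # ask the server for passive mode instead
        verb = line.split(None, 1)[0].upper() if line.strip() else ""
        if verb in TRANSFER_CMDS:
            if not (self.client_data and self.server_data):
                return None, "425 Can't open data connection.\r\n"
            # The gateway connects to the server's PASV port before this
            # command goes out and to the client's PORT endpoint when the
            # server's 150 reply arrives, then copies bytes between the two.
            self.plan = (self.client_data, self.server_data)
        return line, None                   # everything else passes through

    def from_server(self, line):
        m = PASV_REPLY.match(line)
        if m and self.awaiting_pasv:
            self.awaiting_pasv = False
            # Servers behind NAT sometimes put a private address into 227; a
            # production gateway would fall back to the control-connection
            # peer address here.
            self.server_data = decode_hostport(m.groups())
            # The client is still waiting for the answer to its PORT; 200 is
            # the reply an FTP server gives to an accepted PORT (RFC 959).
            return "200 PORT command successful.\r\n"
        return line

    def data_plan(self):
        """(connect-to-client, connect-to-server) for the pending transfer."""
        return self.plan


if __name__ == "__main__":
    gw = ActiveToPassiveGateway("172.16.20.5")
    print(gw.from_client("PORT 172,16,20,5,4,1\r\n"))      # ('PASV\r\n', None)
    print(gw.from_server("227 Entering Passive Mode (10,200,3,3,195,80).\r\n"))
    print(gw.from_client("RETR report.txt\r\n"))
    print(gw.data_plan())   # (('172.16.20.5', 1025), ('10.200.3.3', 50000))
```

Only the control channel is modelled; data_plan() is what a real gateway would act on with two outgoing TCP connections and a copy loop. Note that towards the client the gateway still behaves like an active-mode server, so the clients and the gateway must be able to reach each other directly, which is exactly why the gateway has to sit on the clients' subnet.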
I found an FTP proxy that does this: jftpgw.
jftpgw is an FTP proxy/gateway that uses the FTP protocol (unlike those FTP proxies that fetch an FTP file but work as an http proxy). You can use it to make servers behind a firewall/NAT server (masquerading server) accessible or to allow users behind such solutions to transfer files to and from the outside of the LAN.
Environment
Remote FTP Server IP/Port: 10.200.3.3/21
FTP account/password: aaaaaa/bbbbbb
VPN/PPPoE Server: 172.16.10.1
VPN/PPPoE Subnet: 172.16.20.0/24
PPPoE device on the server: ppp2560 (pinned with the unit option in the peer's pppd configuration)
PPTP/L2TP: Notes: PPTP/L2TP Server on Ubuntu
PPPoE: Set up PPPoE Server on Ubuntu
Configuration
jftpgw
```
<global>
# serverport - the port the client connects to if none is specified
serverport 21
# defaultmode - the transfermode between the proxy and the server
# active: use active FTP
# asclient: choose the one the client chooses
# passive: use passive FTP
defaultmode asclient
#defaultmode active
# debuglevel ranging from 1 to 9
# 1: the most silent
# 9: the most verbose
debuglevel 6
# dropprivileges - when to drop root privileges if the proxy is started
# as root
# start: right after startup
# startsetup: after initial setup (bind, logfile, pid file)
# connect: as soon as a client connects (forking process stays with UID
# root)
# connectsetup: after connect and some setup
# never: never drop privileges completely but still change EUID
dropprivileges startsetup
# runasuser - username to switch to
runasuser nobody
# runasgroup - groupname to switch to
# runasgroup nogroup
# loginstyle - specify how the client will tell the proxy where it
# wants to connect to
#
# 0: USER name will be passed on as is
# 1: USER without login
# 2: USER with login
# 3: SITE with login
# 4: SITE without login
# 5: OPEN with login
# 6: OPEN without login
# 7: CheckPoint FW1 - USER user@fwuser@real.host.name
# 8: USER fwuser@real.host.name
# 9: USER user@host FireID
loginstyle 1
# logintime - specify when the proxy will connect to the target host.
# Please note that there are some incompatibilities with the different
# loginstyles.
# connect: upon the connection of the client (for transparent proxying,
# or for a "forward *@123.123.123.123" setting)
# user: after the proxy has received the remote user name
# pass: after the proxy has received the remote password
logintime user
# activeportrangeserver
</global>
<servertype standalone>
# listen - List of IP addresses and port numbers on which the proxy will
# listen, separated by whitespace
listen 0.0.0.0:21
# logstyle - how to log
# syslog: log to syslog
# files: log to a logfile
logstyle files
# logfile - specify the logfile (if logstyle = files)
logfile /opt/jftpgw/jftpgw.log
# pidfile - where to store the file containing the PID of the master
# process
pidfile /var/run/jftpgw.pid
</servertype>
<servertype inetd>
logstyle syslog
</servertype>
# access control: this block allows connections from any source address
# (the sample config's comment about denying everything by default no
# longer applies once the directive is "allow")
<from 0.0.0.0/0>
access allow
</from>
# forward by user
<user aaaaaa>
forward 10.200.3.3 * bbbbbb
</user>
```
Two things to check in this configuration before relying on it. First, defaultmode asclient makes the proxy use, towards the server, whatever mode the client used; since these clients only speak active mode, the proxy would send PORT to the server and the server would have to connect back to the proxy through the VPN chain, which is the problem we are trying to avoid. To get the active-to-passive conversion shown in the diagram, set defaultmode passive. Second, the proxy listens on 0.0.0.0:21 and the <from> block allows every source address, so reachability of the proxy, not the iptables rules, is what limits who can use the forward to 10.200.3.3 with the stored credentials. Narrow it to listen 172.16.10.1:21 and <from 172.16.20.0/24>, and keep the file readable by root only, since the password bbbbbb is stored in clear text.
iptables
These rules go on VPN/PPPoE Server 1. The first intercepts client connections to the FTP server and redirects them to the local proxy; the second masquerades the client subnet's traffic leaving through ppp2560.
```bash
# DNAT client connections for the FTP server to the local proxy (REDIRECT takes --to-ports, not --to-destination, so the original REDIRECT form is rejected by iptables)
iptables -t nat -A PREROUTING -i ppp+ -p tcp -d 10.200.3.3 --dport 21 -j DNAT --to-destination 172.16.10.1:21
# masquerade the client subnet's traffic leaving towards the next VPN hop
iptables -t nat -A POSTROUTING -s 172.16.20.0/24 -o ppp2560 -j MASQUERADE
```