Network Scheme - IP addresses are fictitious
Firewall SO: Centos 6
I recently enabled two-factor authentication, using Google Authenticator, and with that transfers via SCP for some users were impossible to carry out. So the solution I found was to transfer files via FTP (active), using VSFTP (Ubuntu 22.04 LTS). I am using active FTP due to strict network restrictions at my university (passive FTP is not allowed). I was able to successfully redirect the SSH access to the server. However, I am having difficulties with FTP. I've already tried several rules, and read a lot of documentation and tips on forums.
Firewall. Open ports:
- 22/TCP, 2222/TCP, 65020/TCP, 65021/TCP.
Internal server. Open ports:
- 20/TCP, 21/TCP, 22/TCP.
Requests received on port 22/TCP to access the firewall via SSH.
Requests received on port 2222/TCP on the firewall are redirected to port 22/TCP (SSH) on the internal server.
Requests received on port 65020/TCP on the firewall are redirected to port 20/TCP (FTP-DATA) on the internal server.
Requests received on port 65021/TCP on the firewall are redirected to port 21/TCP (FTP) on the internal server.
The following are the firewall IPTABLES rules:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT iptables -A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT iptables -A INPUT -p tcp -m tcp --dport 65020 -j ACCEPT iptables -A INPUT -p tcp -m tcp --dport 65021 -j ACCEPT iptables -t nat -A PREROUTING -p tcp -m tcp --dport 65020 -j DNAT --to-destination 192.168.0.2:20 iptables -t nat -A PREROUTING -p tcp -m tcp --dport 65021 -j DNAT --to-destination 192.168.0.2:21 iptables -t nat -A PREROUTING -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.0.2:22 iptables -t nat -A POSTROUTING -j MASQUERADE iptables -P INPUT DROP iptables -P FORWARD ACCEPT iptables -P OUTPUT ACCEPT Port 2222/TCP redirect works perfectly. I can access the internal server via SSH. Access via FTP is not working. I get the following message from Filezilla:
Status: Connecting to 172.17.1.212:65021... Status: Connection established, waiting for welcome message... Status: Insecure server, it does not support FTP over TLS. Status: Server does not support non-ASCII characters. Status: Logged in Status: Retrieving directory listing... Command: PWD Response: 257 "/" is the current directory Command: TYPE I Response: 200 Switching to Binary mode. Command: PORT 172,17,1,253,233,145 Response: 500 Illegal PORT command. Command: PASV Response: 227 Entering Passive Mode (192,168,0,2,56,33). Command: LIST Error: Connection timed out after 20 seconds of inactivity Error: Failed to retrieve directory listing
I've tried other rules, but I won't put them here because I don't want to clutter up the post with unnecessary information.
The "nf_conntrack_ftp" module is loaded.
# lsmod | grep ftp nf_conntrack_ftp 12081 0 nf_conntrack 79761 7 nf_conntrack_ftp,ipt_MASQUERADE,iptable_nat,nf_nat,nf_conntrack_ipv4,nf_conntrack_ipv6,xt_state The IPV4 forwarding is loaded too:
# sysctl -p | grep "net.ipv4.ip_forward" net.ipv4.ip_forward = 1 FTP access via the internal network works fine (I use Filezilla's active mode option).
Can anyone help me understand what I'm doing wrong?
My best regards.
