WAN to LAN proftpd redirect rule

Support for security such as Firewalls and securing linux
Post Reply
red-nosse
Posts: 5
Joined: 2015/02/08 20:49:09

WAN to LAN proftpd redirect rule

Post by red-nosse » 2019/08/31 15:51:45

Greetings.
Have a nice day.
I am currently studying and doing a virtualized lab on my entire CentOS-7 PC and I need some help with CentOS Firewalld I will describe my doubt.
The WAN network of my firewall is 192.168.10.0/24 and the LAN network is 10.10.10.0/24.
So my firewall share internet on LAN, and on this same LAN I have a WEB server, DNS, dhcp and a server "proftpd IP 10.10.10.7" where is causing me the only doubt. Proftp is a dedicated server for ftp and web only. So I would like to know which Firewall Redirect rule I have that I have to create to redirect and allow FTP server access coming from WAN IP addresses?
On my LAN I managed to get users to authenticate to FTP, I even added a rule to redirect WAN traffic to LAN to get ftp://10.10.10.7, but I was unsuccessful.
can you help me with this, please?

Code: Select all

firewall-cmd --permanent --zone=external --add-forward-port=port=21:proto=tcp:toport=21:toaddr=10.10.10.7 
I added this firewall redirect to the FTP server IP, but I can't log in from the WAN network.

Code: Select all

[root@firewall ~]# firewall-cmd --zone=external --list-all 
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources: 
  services: ssh openvpn
  ports: 
  protocols: 
  masquerade: yes
  forward-ports: port=80:proto=tcp:toport=80:toaddr=10.10.10.7
        port=2222:proto=tcp:toport=22:toaddr=10.10.10.7
        port=2220:proto=tcp:toport=22:toaddr=10.10.10.2
        port=2221:proto=tcp:toport=22:toaddr=10.10.10.3
        port=2223:proto=tcp:toport=22:toaddr=10.10.10.4
        port=2224:proto=tcp:toport=22:toaddr=10.10.10.5
        port=21:proto=tcp:toport=21:toaddr=10.10.10.7
  source-ports: 
  icmp-blocks: 
  rich rules: 
Below are the ftp / web server rules.

Code: Select all

[root@web ~]# firewall-cmd --zone=external --list-all 
external
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh
  ports: 
  protocols: 
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

[root@web ~]# firewall-cmd --zone=public --list-all 
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens32
  sources: 
  services: ftp http dhcpv6-client ssh https mysql
  ports: 22/tcp 21/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

[root@web ~]# 

User avatar
TrevorH
Forum Moderator
Posts: 27125
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: WAN to LAN proftpd redirect rule

Post by TrevorH » 2019/08/31 16:53:26

You'll have trouble forwarding ports for ftp. It's a dreadful protocol that allocates dynamic ports with random numbers and uses those for data connections. You can forward port 21 easily enough but it also wants port 20 and then it opens and uses ports on random numbers through a massive range.

I'd say pick some other file transfer protocol to use - sftp goes over ssh and uses a single port...
CentOS 6 will die in November 2020 - migrate sooner rather than later!
CentOS 5 has been EOL for nearly 3 years and should no longer be used for anything!
Full time Geek, part time moderator. Use the FAQ Luke

red-nosse
Posts: 5
Joined: 2015/02/08 20:49:09

Re: WAN to LAN proftpd redirect rule

Post by red-nosse » 2019/08/31 17:11:54

Ok, I got it.
Similarly for the sake of knowledge I would like to know what are the redirection rules in CentOS7 firewalld for LAN ftp service.

Currently the proftpd service logs are like this when I access from the external "network".

Code: Select all

[root@web ~]# tailf /var/log/proftpd/proftpd.log
2019-08-31 11:57:15,556 web proftpd[12354] 10.10.10.7 (192.168.10.8[192.168.10.8]): FTP session opened.
2019-08-31 11:57:15,565 web proftpd[12354] 10.10.10.7 (192.168.10.8[192.168.10.8]): USER anonymous: no such user found from 192.168.10.8 [192.168.10.8] to 10.10.10.7:21
2019-08-31 11:57:15,566 web proftpd[12354] 10.10.10.7 (192.168.10.8[192.168.10.8]): FTP session closed.
2019-08-31 11:57:15,569 web proftpd[12355] 10.10.10.7 (192.168.10.8[192.168.10.8]): FTP session opened.
2019-08-31 14:57:24,210 web proftpd[12355] 10.10.10.7 (192.168.10.8[192.168.10.8]): USER user: Login successful.
2019-08-31 15:02:24,415 web proftpd[12355] 10.10.10.7 (192.168.10.8[192.168.10.8]): Passive data transfer failed, possibly due to network issues
2019-08-31 15:02:24,415 web proftpd[12355] 10.10.10.7 (192.168.10.8[192.168.10.8]): Check your PassivePorts and MasqueradeAddress settings,
2019-08-31 15:02:24,415 web proftpd[12355] 10.10.10.7 (192.168.10.8[192.168.10.8]): and any router, NAT, and firewall rules in the network path.
2019-08-31 15:02:24,415 web proftpd[12355] 10.10.10.7 (192.168.10.8[192.168.10.8]): FTP no transfer timeout, disconnected
2019-08-31 15:02:24,416 web proftpd[12355] 10.10.10.7 (192.168.10.8[192.168.10.8]): FTP session closed.

User avatar
jlehtone
Posts: 2427
Joined: 2007/12/11 08:17:33
Location: Finland

Re: WAN to LAN proftpd redirect rule

Post by jlehtone » 2019/09/01 14:36:00

Your error message yields in websearch: http://www.proftpd.org/docs/howto/NAT.html

That might explain what should be done for passive ftp on NAT. Lets see: https://serverfault.com/questions/25242 ... h-iptables

There is also ip_conntrack_ftp kernel module, but perhaps that is not for the router?
https://major.io/2007/07/01/active-ftp- ... -iptables/
https://linuxconfig.org/how-to-setup-vs ... at-7-linux

red-nosse
Posts: 5
Joined: 2015/02/08 20:49:09

Re: WAN to LAN proftpd redirect rule

Post by red-nosse » 2019/09/03 18:04:25

I still can't solve it.

red-nosse
Posts: 5
Joined: 2015/02/08 20:49:09

Re: WAN to LAN proftpd redirect rule

Post by red-nosse » 2019/09/06 20:41:25

Good afternoon everyone.
So gentlemen, after a long time I managed to solve the problem of not being able to access intranet ftp service over WAN network.
I already had a redirect rule that was incomplete, so I've been studying and analyzing network packets and as you all know the ftp server uses ports 20 and 21, so studying how is the behavior of ftp and along firewalld saw that was missing one more rule in my edge firewall since the FTP service was running on the LAN.
The first rule I had ever created was correct and one more was missing.

Code: Select all

firewall-cmd --permanent --zone=external --add-forward-port=port=30000:proto=tcp:toport=40000:toaddr="Ftp server IP"
Still, thank you all for helping me.
https://www.deskshare.com/resources/art ... ow-to.aspx

red-nosse
Posts: 5
Joined: 2015/02/08 20:49:09

Re: WAN to LAN proftpd redirect rule

Post by red-nosse » 2019/09/17 15:06:12

Thank you all for your time and dedication. :geek:

Post Reply

Return to “CentOS 7 - Security Support”