Configuring FTP server behind a NAT

Clients often reach the Internet without a public IP address of their own (public addresses are expensive and not needed for clients) but through an intermediary: IP masquerading, a proxy server or NAT (Network Address Translation), which holds public IP addresses that are visible on the Internet. These mechanisms are similar in that they act on behalf of clients, translate the client's address into their own, and connect to the remote server as if they were making the request instead of the internal client.

NAT can also be applied to servers such as an FTP server, and multiple servers can sit behind one NAT and share a single public IP address (cheap). NAT also improves security: it hides the real servers behind it, and the translation is usually the task of a firewall. Incoming packets are forwarded to the internal server after “PREROUTING”. However, passive FTP data transfer does not work with NAT out of the box, because the server has to tell the client which address and port to connect to. Recent ProFTPD packages support this NAT setup.

Passive mode
Passive mode is widely used because it is safe and convenient for clients. This mode does not require the client's firewall to open a listening port in advance. Instead, the server opens a port and returns its address and port number; the server listens on that port and the client connects to it. When you download files from this site, you connect to the Omarine FTP server in passive mode.

Configuration
With the default configuration in Omarine you already have an FTP server with basic functionality. To use it with NAT, add the MasqueradeAddress directive to your proftpd.conf configuration file to indicate the domain name (or IP address) of the NAT, for example:

MasqueradeAddress ftp.omarine.org
#MasqueradeAddress 35.200.224.211

Now your server (proftpd) will hide its local address and instead advertise the public address of the NAT.
Next, add the PassivePorts directive to control which ports the server uses for passive data transfers:

PassivePorts 60000 65535

This is the actual configuration used on the Omarine FTP server. Of course, ports 60000 through 65535 must be allowed through the NAT's firewall rules so that incoming packets reach the server. But, I told you my address and port number, do not attack me :-).

All 5536 ports from 60000 to 65535 are safe to use because no other process on Omarine listens on them. You can verify this with the nmap command:

nmap -sT -p 60000-65535 localhost

Running the ftp command to access the FTP server in passive mode
You can access the Omarine FTP server by running the following ftp command:

ftp -p ftp.omarine.org

Notice the output:

227 Entering Passive Mode (35,200,224,211,237,70).

The numbers in parentheses represent the IP address and the passive port number, in the form (a1,a2,a3,a4,p1,p2), where the IP address is:

a1.a2.a3.a4

The actual value is

35.200.224.211

The port number is p1 * 256 + p2 = 237 * 256 + 70 = 60742

Clearly port 60742 is in the range of 60000-65535.
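The decoding of the 227 reply above is easy to automate, and automating it is also the quickest way to verify that MasqueradeAddress and PassivePorts took effect. The following Python script is an added example, not code from the Omarine site or from ProFTPD: it parses a PASV reply, computes the address and port exactly as shown above, and then flags the two misconfigurations this article guards against, a server that still advertises its private internal address (MasqueradeAddress missing) and a port outside the range opened on the firewall. The replies other than the one quoted above are constructed samples.

```python
import ipaddress
import re

# Range from the PassivePorts directive shown in the article.
PASSIVE_PORT_MIN = 60000
PASSIVE_PORT_MAX = 65535

# Matches the six comma-separated byte fields of a 227 "Entering Passive Mode" reply.
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply):
    """Decode a '227 Entering Passive Mode (a1,a2,a3,a4,p1,p2).' reply.

    Returns (ip_string, port) with port = p1 * 256 + p2.
    Raises ValueError on malformed input.
    """
    m = PASV_RE.search(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("byte field out of range in: %r" % reply)
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


def check_pasv(reply, expected_ip, port_min=PASSIVE_PORT_MIN, port_max=PASSIVE_PORT_MAX):
    """Validate a PASV reply against the NAT setup described in the article.

    Returns a list of problem strings; an empty list means the server advertised
    the masqueraded public address and a port inside the PassivePorts range.
    """
    problems = []
    ip, port = parse_pasv(reply)
    addr = ipaddress.ip_address(ip)
    # A private address here means MasqueradeAddress is missing or wrong: the server
    # leaked its internal address and the client would try to connect to that.
    if addr.is_private:
        problems.append(
            "server advertised private address %s (MasqueradeAddress not applied?)" % ip
        )
    if ip != expected_ip:
        problems.append("advertised %s but expected %s" % (ip, expected_ip))
    # A port outside PassivePorts is not opened on the NAT, so the data
    # connection would be dropped by the firewall.
    if not port_min <= port <= port_max:
        problems.append(
            "port %d outside PassivePorts %d-%d" % (port, port_min, port_max)
        )
    return problems


if __name__ == "__main__":
    # Constructed samples: the first is the reply quoted in the article, the other
    # two are invented to show the failure modes the checks are meant to catch.
    samples = [
        "227 Entering Passive Mode (35,200,224,211,237,70).",
        "227 Entering Passive Mode (192,168,1,10,237,70).",
        "227 Entering Passive Mode (35,200,224,211,10,21).",
    ]
    for s in samples:
        print(s, "->", parse_pasv(s), check_pasv(s, "35.200.224.211") or "OK")
```

Run it against the reply you see from ftp -p and pass the public address you configured in MasqueradeAddress; an empty problem list means both directives are in effect, while a private address in the reply is the classic symptom of a server behind NAT without MasqueradeAddress.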
