FTP access from outside

FTP access from outside

[Dimitri Yioulos]

Hello, colleagues.

I'm embarassed to ask for help on this (it should be trivial to set up), but 
I'm having no luck:

I'd like to enable FTP access to my web server, which is sitting in a DMZ, 
from outside.  I've add proftpd, and believe I've set it up properly.  I can 
access FTP from my LAN, but not from outside.  I've added the following rules 
to allow access:

-A FORWARD -p tcp -m tcp -d 192.168.1.3 -i eth0 -o eth2 --dport 21 -j ACCEPT
-A PREROUTING -p tcp -m tcp -d 67.x.x.x -i eth0 --dport 21 -j DNAT 
--to-destination 192.168.1.3
-A POSTROUTING -s 192.168.1.3 -o eth0 -j SNAT --to-source 67.x.x.x

where eth0 is public interface and eth2 is DMZ interface

What have I missed (or messed up)?

As always, thanks.

Dimitri

Re: FTP access from outside

[Dimitri Yioulos]

On Thursday May 5 2005 10:37 am, you wrote:
> > What have I missed (or messed up)?
>
> You have the ip_conntrack_ftp and ip_nat_ftp modules loaded?  And a rule to
> pass ESTABLISHED and RELATED?

George,

I beleive I have the rule to pass ESTABLISHED and RELATED, but an lsmod shows 
I don't have the ip_nat_ftp modules loaded.  Would load that by doing an 
"insmod /dirwhereitlives/ip_nat_ftp.o"?

Thanks.

Dimitri

Re: FTP access from outside

[Daniel Wittenberg]

On Thu, 2005-05-05 at 10:48 -0400, Dimitri Yioulos wrote:
> On Thursday May 5 2005 10:37 am, you wrote:
> > > What have I missed (or messed up)?
> >
> > You have the ip_conntrack_ftp and ip_nat_ftp modules loaded?  And a rule to
> > pass ESTABLISHED and RELATED?
> 
> George,
> 
> I beleive I have the rule to pass ESTABLISHED and RELATED, but an lsmod shows 
> I don't have the ip_nat_ftp modules loaded.  Would load that by doing an 
> "insmod /dirwhereitlives/ip_nat_ftp.o"?

Just use 'modprobe ip_nat_ftp' in cases like this.  You don't need to
specify the whole path to loading modules.  You'll also get errors using
insmod if there are dependencies not loaded.

Dan

Re: FTP access from outside

[Dimitri Yioulos]

On Thursday May 5 2005 11:06 am, you wrote:
> On Thu, 2005-05-05 at 10:48 -0400, Dimitri Yioulos wrote:
> > On Thursday May 5 2005 10:37 am, you wrote:
> > > > What have I missed (or messed up)?
> > >
> > > You have the ip_conntrack_ftp and ip_nat_ftp modules loaded?  And a
> > > rule to pass ESTABLISHED and RELATED?
> >
> > George,
> >
> > I beleive I have the rule to pass ESTABLISHED and RELATED, but an lsmod
> > shows I don't have the ip_nat_ftp modules loaded.  Would load that by
> > doing an "insmod /dirwhereitlives/ip_nat_ftp.o"?
>
> Just use 'modprobe ip_nat_ftp' in cases like this.  You don't need to
> specify the whole path to loading modules.  You'll also get errors using
> insmod if there are dependencies not loaded.
>
> Dan

Thank you both for the info.  I'm waiting for my outside tester to report 
back; hopefully he can now connect.

Let me really show the depths of my ignorance and ask, how do I install the 
modules permanently?

as always, thanks.

Dimitri

Re: FTP access from outside

[Jörg Harmuth]

Dimitri Yioulos schrieb:
[snip]

> ... how do I install the 
> modules permanently?
> 

Compile it into the kernel, meaning: make shure during kernel
configuration that there is "[*]" or "<*>" and not "<M>" in front of the
respective option (assuming "make menuconfig").

If you don't like this, you can configure your runlevel(s) to execute a
script, that loads the module(s).

Have a nice time,

Joerg

Re: FTP access from outside

[Dimitri Yioulos]

On Friday May 6 2005 7:37 am, Vinay Amarnath wrote:
> >  I have added these modules to load during booting process by adding
> > the following lines to /etc/ec.local
>
> Sorry for the mistake. Its /etc/rc.local
>
> Thanks
> Vinay.K.A ,  RHCE
>
> System Administrator
> Intila Systems, Bangalore

Thank you all so much for your help.  Based on everyone's input, I've got ftp 
working from the outside ... sorta.  Yesterday, I tried accessing the ftp 
server using another company in our building's system, and it worked 
beautifully.  However, a user in the Phillipines who I'm trying to give 
access to says he can't connect.  I've tried his uname and password and they 
work fine.  Might it be a source port issue?  I realize this isn't an 
ftp-related list, but may I ask, can he specify a source port on his end to 
ftp into my site, rather than me having to tinker with anything on my end?

Once again, thanks.

Dimitri