Results 1 to 2 of 2

Thread: FTP NAT problem

  1. #1
    Join Date
    Sep 2012

    FTP NAT problem

    Have PC on LAN configured as FTP (Windows 10, Firewall OFF) -
    Between pc's on LAN work ok but where connecting behind SERVER got logs:

    10/04/2019 18:24:08 (not login<-- "220 Xlight FTP Server 3.9 ready..."
    10/04/2019 18:24:08 (not login> "USER backupall"
    10/04/2019 18:24:08 (not login<-- "331 Password required for backupall"
    And thats all. After that connection is closed.

    masquerade is on

    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    On server got rule on firewall
    iptables -I FORWARD -p tcp -d --dport 21 -j ACCEPT
    iptables -t nat -A PREROUTING -p tcp -i enp4s0 --dport 2000 -j DNAT --to
    iptables -I FORWARD -p tcp -d --dport 50000:50100 -j ACCEPT
    iptables -t nat -A PREROUTING -p tcp -i enp4s0 --dport 50000:50100 -j DNAT --to
    Please help...

  2. #2
    Join Date
    Mar 2010
    Ubuntu Mate 16.04 Xenial Xerus

    Re: FTP NAT problem

    Don't use plain FTP. Use sftp, which uses the same port that ssh uses. ssh needs 1 firewall rule. Port/tcp. If it is on the internet, not using port 22 will really help your attack logs be smaller. I pick some high port, like 63590/tcp, setup that port in my ~/.ssh/config file and never worry about it again. All ssh-based tools from that client, using that userid, will pick up the non-standard port automatically. That includes sftp, scp, rsync, rdiff-backup, sshfs, and any other backup tool using libssh.

    Or better, use a better backup tool which handles incremental, versioned, backups, through an encrypted channel.

    Plain FTP should have died in 1999. If you need more reasons search this phrase "stop using plain ftp"


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts