FORWARD FTP FROM ONE SERVER TO ANOTHER
In short:
CLIENT ==> Debian SERVER A ==> Debian SERVER B with ProFTPD
Passive FTP uses two ports: 21, which carries the commands, and any port from about 30000 to 65000 to transfer data.
When the client reaches the final FTP server (server B), it has the IP of server A (as the client IP was NATed by server A). Server B answers with the port number to use for data transfer; this answer goes through server A and then to the client. At this moment the client knows what port to use for data transfer and tries to connect to this port.
The problem is that the client, instead of connecting to server A (which would forward to server B), goes directly to server B, which of course does not know what it wants, as the IP is different from that of server A (which NATed the client IP) and to which it answered earlier.
How is it possible to have the client connect to the data port through the same path (Client ==> Server A ==> Server B)?
Does anybody have a solution for that problem?
For your info, the server is a Debian Lenny.
nf_conntrack and nf_conntrack_ftp are enabled.
IP forwarding is enabled too.
The iptables rules are (the firewall is open when testing):
# nat table on Server A; SERVER-A-IP / SERVER-B-IP stand for the two public addresses
# control connection: DNAT port 21 to Server B, masquerade so Server B answers back through Server A
iptables -t nat -A PREROUTING -p tcp -m tcp -d SERVER-A-IP -i eth0 --dport 21 -j DNAT --to-destination SERVER-B-IP
iptables -t nat -A POSTROUTING -p tcp -m tcp -o eth0 --dport 21 -j MASQUERADE
# passive data connections: connections the ftp conntrack helper marks RELATED get the same treatment
iptables -t nat -A PREROUTING -p tcp -m tcp -m state --dport 30000:65534 --state RELATED -j DNAT --to-destination SERVER-B-IP:30000-65534
iptables -t nat -A POSTROUTING -p tcp -m tcp -m state -o eth0 --dport 30000:65534 --state RELATED -j MASQUERADE
Also for your information: with this configuration I could make it work perfectly on 2 servers (I have 3 servers on 3 different public networks), but one of the servers (the one I want it to work on!) is not working properly. For example, if I browse the FTP with Firefox it works perfectly. If I use FileZilla it does not browse folders and files. If I use my iPhone FTP application over my Wi-Fi connection it works; if I use the same one over the 3G (telephone) connection it does not.
Since this server is in a data center, I thought that maybe the data center does not have a transparent connection, so I asked them to verify. But they are sure it does not go through a firewall; my server is connected directly to the Internet.
I have tried every solution and spent several days; this is why I need help, and I thank you from the bottom of my heart in advance.
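The mechanism the post describes, worked through in code. This is an added example, not part of the thread: it parses the two passive-mode replies a ProFTPD server can send, shows which address a client will dial after each, and applies the address rewrite that the kernel FTP NAT helper (nf_nat_ftp) performs on a forwarding box and that ProFTPD's MasqueradeAddress directive performs on the server itself. The addresses, the port range and the sample replies are constructed for the example (TEST-NET ranges), not taken from the poster's setup.

```python
"""Passive-mode FTP behind a forwarding box: where does the client connect?"""
import re

# Example addresses (TEST-NET), stand-ins for the thread's Server A / Server B.
SERVER_A = "198.51.100.10"   # public box that DNATs port 21 to Server B
SERVER_B = "203.0.113.20"    # ProFTPD host that actually answers PASV
PASV_RANGE = (30000, 65534)  # port range the RELATED iptables rules forward

_PASV_TUPLE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
_EPSV_PORT = re.compile(r"\(\|\|\|(\d+)\|\)")


def parse_pasv(reply):
    """(ip, port) advertised by a '227 Entering Passive Mode' reply, else None."""
    if not reply.startswith("227"):
        return None
    m = _PASV_TUPLE.search(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return ("%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2)


def parse_epsv(reply):
    """Port from a '229 Entering Extended Passive Mode (|||port|)' reply, else None.

    RFC 2428 EPSV replies carry no address: the client reuses the peer address
    of the control connection, which is why EPSV sidesteps the NAT problem.
    """
    if not reply.startswith("229"):
        return None
    m = _EPSV_PORT.search(reply)
    return int(m.group(1)) if m else None


def client_data_target(reply, control_peer_ip):
    """Where a client will open the data connection after this reply."""
    pasv = parse_pasv(reply)
    if pasv:
        return pasv
    port = parse_epsv(reply)
    if port is not None:
        return (control_peer_ip, port)
    return None


def rewrite_pasv(reply, public_ip):
    """Rewrite the address in a 227 reply to public_ip, keeping the port.

    This is the transformation nf_nat_ftp applies on a NAT/forwarding box and
    that ProFTPD's MasqueradeAddress directive applies on the server itself.
    """
    if parse_pasv(reply) is None:
        return reply

    def repl(m):
        return "(%s,%s,%s)" % (public_ip.replace(".", ","), m.group(5), m.group(6))

    return _PASV_TUPLE.sub(repl, reply, count=1)


def goes_through_gateway(reply, control_peer_ip, gateway_ip, port_range):
    """True if the data connection will hit gateway_ip on a forwarded port."""
    target = client_data_target(reply, control_peer_ip)
    if target is None:
        return False
    ip, port = target
    return ip == gateway_ip and port_range[0] <= port <= port_range[1]


# Constructed replies as Server B would send them (not captured from the poster's servers).
RAW_PASV = "227 Entering Passive Mode (203,0,113,20,156,80).\r\n"   # port 156*256+80 = 40016
RAW_EPSV = "229 Entering Extended Passive Mode (|||40016|)\r\n"

if __name__ == "__main__":
    for label, reply in (("unrewritten 227", RAW_PASV),
                         ("rewritten 227", rewrite_pasv(RAW_PASV, SERVER_A)),
                         ("EPSV 229", RAW_EPSV)):
        print("%-16s -> %s via gateway: %s" % (
            label, client_data_target(reply, SERVER_A),
            goes_through_gateway(reply, SERVER_A, SERVER_A, PASV_RANGE)))
```

The unrewritten 227 reply sends the client straight to Server B, which is the symptom in the post; after the rewrite, or with EPSV, the data connection lands on Server A inside the forwarded range. Which of the two replies a given client asks for, and whether it trusts the address in a 227 reply at all, differs between clients, which is one reason the same setup can behave differently from one FTP client to another.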
9 Replies
Server A (don't run an FTP server; let ssh start listeners on the FTP ports):
# run on Server A; each -L makes ssh listen on the local port and tunnel it to Server B
# bound to 127.0.0.1 as written, these listeners only accept clients on Server A itself;
# bind to Server A's public address instead to accept external FTP clients
ssh -N -L 127.0.0.1:20:127.0.0.1:20 Server-B-IP-Address
ssh -N -L 127.0.0.1:21:127.0.0.1:21 Server-B-IP-Address
This might not work for passive ftp if it requires a large range of ports.
If it works, then there are better ways; stunnel, for example, lets you define that configuration in a script.
@PatriceVigier:
Thank you very much for your help, but my server is a public server; I must use a standard connection.
SSH is a standard connection… It's server A making an SSH connection to server B. None of the clients ever touch SSH.
Basically, the SSH daemon on server A listens on ports 20 and 21, and all incoming data on those ports is transparently tunneled to server B's ports 20 and 21 over the SSH tunnel. It's a strictly internal thing (the outside world has no way of knowing SSH is involved), but the problem is that I'm not sure it will actually work.
For one thing, all FTP connections on server B will appear to be from localhost. For another thing, FTP is a really dumb protocol, and I'm not sure if active or passive mode will work. In active mode, the client tells the server where to connect (and I'm not sure if the client will be happy that it asks server A to connect to it, but server B does instead), and in passive mode, the server tells the client where to connect (and I'm not sure the client will be happy to be told to connect to a different IP). I don't know, maybe it would work just fine. I hate FTP and haven't used it in many years for these reasons.
echo 1 >/proc/sys/net/ipv4/ip_forward   # enable IP forwarding on Server A
# nat table: send ports 21 and 20 to Server B, masquerade so replies come back through Server A
iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 21 --to-destination SERVER-B-IP
iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 20 --to-destination SERVER-B-IP
iptables -t nat -A POSTROUTING -p tcp --dport 21 -j MASQUERADE
iptables -t nat -A POSTROUTING -p tcp --dport 20 -j MASQUERADE
Here's a link that helps explain it in more detail.
The above article uses a product named JSCAPE MFT Server.
@PatriceVigier:
What I want to do is to connect to a server A (connected to a public IP) and forward the FTP connection to server B (connected to another public IP).
That's bad design. Sure you could do it or fake it by remote mounting the files from B onto A, or syncing them with rsync or unison but it's still bad design.
If you can get the clients to use the right FTP server instead that would be far better.
@sednet:
@PatriceVigier: What I want to do is to connect to a server A (connected to a public IP) and forward the FTP connection to server B (connected to another public IP).
That's bad design. Sure you could do it or fake it by remote mounting the files from B onto A, or syncing them with rsync or unison but it's still bad design.
If you can get the clients to use the right FTP server instead that would be far better.
I agree, but I have no choice: there are 60 GB of images on the last server and I have no room on the server where the URL goes.