FTP issue | No connection could be made

feerdispzoo

We use one primary IPv4 from a dedicated server, with free IPv4 addresses for the created VPSs, with different ports.


Everything works correctly; the only problem is with FTP.
I added port 21 in domain forwarding and I can log in to FTP, but it is not possible to get the directories.

Below is the issue:

ftp.png
 
You're using a home ip range, so that is NAT.
In this case, only forwarding port 21 is not enough because you need passive FTP to get a connection.

Directadmin uses portrange 35000:35999 for passive FTP. You need to forward that range too.
 
Hello @Richard G

Thanks for the clarification! Please see what I did:

First I allowed this port range:
HAProxy Allowed Ports for HTTP(S) and TCP 35000-35999

But the problem is, I cannot add portrange 35000:35999 or 35000-35999 in domain forwarding.

I can use one port per forwarding. Example:

14 (vmi50rr.rxxxxxx.net) localhost TCP 65.xx.xx.xxx 35000 10.0.0.12 35000
15 (vmi50rr.xxxxxx.net) localhost TCP 65.xx.xx.xxx 35001 10.0.0.12 35001


and the range is very high, and I'm not sure how to resolve this now?
 
But the problem is, I cannot add portrange 35000:35999 or 35000-35999 in domain forwarding.
I have never worked with HAProxy.

But I'm sorry, I made a mistake. I was thinking from Directadmin, but that 10.0.0.12 ip is not using Directadmin right?

In that case, you have to configure 2 things. The FTP server running on 10.0.0.12 must be configured to accept PASV (passive) FTP connections.
You have to set up a port range for that too, but it does not need to be 1000 ports.
Try setting up your FTP server with pasv port range and for example use the port range 35000-3510. That's easier to forward.

If that's not enough, add to 20 ports.

If you -are- using DA at home, then you should open the correct portrange 35000-35999 with CSF/LFD. I have no clue on how that works in HAProxy.
However, it can be done. I found this for you on the internet.
 
@Richard G
Thank you for your tip. Based on your hint, I also found this:

What I did:
I changed the port range in:
/etc/proftpd.conf

PassivePorts 49152 49171

Then I restarted proftpd.

Then I added this port range, 49152 49171, step by step in domain forwarding.

Now I try to connect from the FTP client, but it is still the same.


Here I see one more thing:
On ipchains, we add these lines to /etc/sysconfig/ipchains:

# hole in firewall to allow passive ftp
-A input -s 0/0 -d 0/0 49152 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49153 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49154 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49155 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49156 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49157 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49158 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49159 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49160 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49161 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49162 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49163 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49164 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49165 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49166 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49167 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49168 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49169 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49170 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49171 -p tcp -y -j ACCEPT

and then restart ipchains.


But I'm not sure where I should put this:
[root@vmi50rr ~]# cd /etc/sysconfig
[root@vmi50rr sysconfig]# ls
anaconda ebtables-config kdump network-scripts run-parts
authconfig garb kernel rdisc saslauthd
cbq grub man-db readonly-root selinux
chronyd init modules rpcbind sshd
console ip6tables-config named rpc-rquotad wpa_supplicant
cpupower iptables-config netconsole rsyncd
crond irqbalance network rsyslog
 
and then restart ipchains.
You mean restart iptables?

Check also this: iptables-config
this can contain certain default lines when rebooting the vps.

Also be sure port 20 can be opened outgoing at least.

You might need to configure your proftpd to listen to all ports and to the external ip too. Because now it says it tries to connect to an unroutable address 10.0.0.12, so there is still something wrong in the FTP setup.
 
@Richard G

Please see, I have currently allowed the port range 49152:49171 in the firewall:
allow.png



Now the next:
You might need to configure your proftpd to listen to all ports and to the external ip too. Because now it says it tries to connect to an unroutable address 10.0.0.12, so there is still something wrong in the FTP setup.

I found something like this:

Edit to show conf options (requested in comments)

External (/etc/vsftpd.conf):

listen_port=2121
pasv_address=x.x.x.x # External IP - port forwarded from FW to this machine


So I checked for something similar, and in our case edited:
/etc/proftpd.conf

But I'm not sure this is the correct way. Can you please give me any tip on how to use 10.0.0.12?
 
@Richard G
I really thank you for your time.
I thought it would be easier. But unfortunately it looks terrible.

PassivePorts 49152 49171 # These ports should be safe... done


incoming / outgoing 49152:49171
restart firewall done


Now in:
/etc/proftpd.conf I added my internet IP address
MasqueradeAddress 123.45.67.89 # using an IP address

Then I restarted proftpd.

I see these changes were applied because the operating mode changed while trying to connect.

But it prints that the connection is correct etc., and in the end returns: port failed, and no directories are displayed.

I don't know what's wrong with it anymore.
 
As for my time, you're welcome, I like a nice challenge once in a while. :)

Normally it shouldn't be that difficult.

Let's take it from the beginning and see what we might have missed.
What exactly are you running on that 10.0.0.12 ip address? Is that also a DA server or vps?
 
OK, let me explain.

I have a dedicated server. I'm using https://www.virtualizor.com/
I created a bridge with free IPv4 / KVM virtualization
- all working

Now I create a VPS, then I assign free IPv4 10.0.0.12
- nothing works yet.

I add hostname: vmi50rr.myserver1.net

(myserver1.net) is a registered domain which points to the primary dedicated server IPv4

Now I point vim263cc.myserver1.net to 10.0.0.12 with TCP port 5023 to destination port 22

Now I can log in to the VPS SSH with:
primary ipv4 with port 5023


Then I install directadmin and build all d with custom build 2.0

directadmin, phpmyadmin, roundcube not working yet.

I need to point to:
14 (vmi50rr.myserver1.net) localhost HTTP vmi50rr.myserver1.net 2222 10.0.0.12 2222

Directadmin working

14 (vmi50rr.myserver1.net) localhost HTTP vmi50rr.myserver1.net 80 10.0.0.12 80


Now phpmyadmin, roundcube etc. are working.

Then I point the domain to the primary ipv4 and add domain forwarding:
14 (vmi50rr.myserver1.net) localhost HTTPS mywebdomain.com 443 10.0.0.12 443
Domain pointing is working correctly


This port I add for working inbox email:
14 (vmi50rr.myserver1.net) localhost TCP PRIMARY IPV4 25 10.0.0.12 25
- working

Now I try to resolve the FTP connection:
First I open/forward this main port 21:
14 (vmi50rr.myserver1.net) localhost TCP PRIMARY IPV4 21 10.0.0.12 21

then I add the rest, these passive connection ports:
22 14 (vmi50rr.flexlyserver.net) localhost TCP 65.21.78.149 49152 10.0.0.12 49152

23 14 (vmi50rr.myserver1.net) localhost TCP PRIMARY IPV4 49153 10.0.0.12 49153

24 14 (vmi50rr.myserver1.net) localhost TCP PRIMARY IPV4 49154 10.0.0.12 49154

25 14 (vmi50rr.myserver1.net) localhost TCP PRIMARY IPV4 49155 10.0.0.12 49155

26 14 (vmi50rr.myserver1.net) localhost TCP PRIMARY IPV4 49156 10.0.0.12 49156

27 14 (vmi50rr.myserver1.net) localhost TCP PRIMARY IPV4 49157 10.0.0.12 49157

28 14 (vmi50rr.myserver1.net) localhost TCP PRIMARY IPV4 49158 10.0.0.12 49158

29 14 (vmi50rr.myserver1.net) localhost TCP PRIMARY IPV4 49159 10.0.0.12 49159

30 14 (vmi50rr.myserver1.net) localhost TCP PRIMARY IPV4 49160 10.0.0.12 49160

31 14 (vmi50rr.myserver1.net) localhost TCP PRIMARY IPV4 49161 10.0.0.12 49161

32 14 (vmi50rr.myserver1.net) localhost TCP PRIMARY IPV4 49162 10.0.0.12 49162

33 14 (vmi50rr.myserver1.net) localhost TCP PRIMARY IPV4 49163 10.0.0.12 49163

34 14 (vmi50rr.myserver1.net) localhost TCP PRIMARY IPV4 49164 10.0.0.12 49164

35 14 (vmi50rr.myserver1.net) localhost TCP PRIMARY IPV4 49165 10.0.0.12 49165

36 14 (vmi50rr.myserver1.net) localhost TCP PRIMARY IPV4 49166 10.0.0.12 49166

37 14 (vmi50rr.myserver1.net) localhost TCP PRIMARY IPV4 49167 10.0.0.12 49167

38 14 (vmi50rr.myserver1.net) localhost TCP PRIMARY IPV4 49168 10.0.0.12 49168

39 14 (vmi50rr.myserver1.net) localhost TCP PRIMARY IPV4 49169 10.0.0.12 49169

40 14 (vmi50rr.myserver1.net) localhost TCP PRIMARY IPV4 49170 10.0.0.12 49170

41 14 (vmi50rr.myserver1.net) localhost TCP PRIMARY IPV4 49171 10.0.0.12 49171




Then I edited: /etc/proftpd.conf
then changed to: PassivePorts 49152 49171
and also added to this file:
MasqueradeAddress 123.45.67.89 # using an IP address
... and here I am a little stuck. I tried 3 methods but I'm not sure here.
Which address should I add here?
I try my internet local IP :D, also this 10.0.0.12, and also try this ftp.vmi50rr.myserver1.net or vmi50rr.myserver1.net

In the end:
incoming / outgoing added port in firewall 49152:49171
restart firewall done
restart proftpd done
 
I try my internet local IP :D, also this 10.0.0.12,
No, you have to make a difference here. An internet local ip does not exist. It's either an internet ip (so WAN) or a local ip (LAN).
Your 10.0.0.12 is your local ip so your LAN ip.
You have to fill in your internet IP which you get from your provider, so your WAN ip at that MasqueradeAddress line.

You can't use the vmi50rr.myserver1.net or ftp.vmi50rr.myserver1.net because unless this is a masked domain, that can not be resolved from the internet so there is no A record for either.
If I do an nslookup on vmi50rr.myserver1.net then I don't get any result.

So you installed Directadmin on your 10.0.0.12. You might need to remove the 35000:35999 from your firewall.

If port 22 works like you did it, then in fact there is no reason why FTP shouldn't work when you use the correct ip address in that Masquerade line.

To be sure, also create a port 20 incoming and outgoing via tcp.

If it still goes wrong, which error exactly does it say now? Or can anything be seen from the proftpd logfile?
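
The check discussed in this thread, as an added example that is not part of any post and not ProFTPD or DirectAdmin code: it parses the server's 227 passive-mode reply (visible in the FTP client log) and reports why a client outside the NAT cannot open the data connection. The helper names `parse_pasv` and `diagnose` are hypothetical, and the sample replies are constructed from the thread's values (10.0.0.12, the placeholder 123.45.67.89, and the 49152-49171 range).

```python
import ipaddress
import re

# Added example; parse_pasv and diagnose are hypothetical helper names.
# RFC 1918 ranges plus loopback: not reachable for a client on the internet.
UNROUTABLE = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply (h1,h2,h3,h4,p1,p2); port = p1*256 + p2."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % reply)
    ip = ipaddress.ip_address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]


def diagnose(reply, wan_ip, passive_ports, forwarded_ports):
    """List the reasons a client outside the NAT cannot open the data connection."""
    ip, port = parse_pasv(reply)
    low, high = passive_ports
    problems = []
    if any(ip in net for net in UNROUTABLE):
        problems.append("server advertises LAN address %s; set MasqueradeAddress to the WAN IP" % ip)
    elif ip != ipaddress.ip_address(wan_ip):
        problems.append("advertised %s is not the WAN IP %s" % (ip, wan_ip))
    if not low <= port <= high:
        problems.append("port %d outside PassivePorts %d-%d; was the server restarted?" % (port, low, high))
    if port not in forwarded_ports:
        problems.append("port %d is not forwarded to the FTP server" % port)
    return problems


# Constructed sample replies, not captured from the poster's server.
SAMPLES = [
    "227 Entering Passive Mode (10,0,0,12,192,5)",       # LAN address advertised
    "227 Entering Passive Mode (123,45,67,89,192,5)",    # WAN address, port 49157
    "227 Entering Passive Mode (123,45,67,89,136,184)",  # port 35000, old range
]

if __name__ == "__main__":
    forwarded = set(range(49152, 49172))
    for s in SAMPLES:
        print(s, "->", diagnose(s, "123.45.67.89", (49152, 49171), forwarded) or "ok")
```

An empty result means the advertised address and port match the MasqueradeAddress, PassivePorts and forwarding configuration; anything else names the setting to revisit.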
 