FreeBSD 8.1
ipfw+kernel nat
Proftpd
Proftpd config:
# For more informations about Proftpd configuration
# look at : http://www.proftpd.org/
#
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use. It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.
ServerName "PROGRESS FTP"
ServerType standalone
DefaultServer on
#ScoreboardFile /var/run/proftpd/proftpd.scoreboard
# Port 21 is the standard FTP port.
Port 21
# Use IPv6 support by default.
UseIPv6 off
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances 30
CommandBufferSize 512
# Set the user and group under which the server will run.
User nobody
Group nogroup
# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
DefaultRoot ~
# Normally, we want files to be overwriteable.
AllowOverwrite on
# Bar use of SITE CHMOD by default
<Limit SITE_CHMOD>
DenyAll
</Limit>
# A basic anonymous configuration, no upload directories. If you do not
# want anonymous users, simply delete this entire <Anonymous> section.
#########################################################################
# #
# Uncomment lines with only one # to allow basic anonymous access #
# #
#########################################################################
<Anonymous ~ftp>
User anon_ftp
Group anon_ftp
### We want clients to be able to login with "anonymous" as well as "ftp"
UserAlias anonymous anon_ftp
### Limit the maximum number of anonymous logins
MaxClients 10
### We want 'welcome.msg' displayed at login, and '.message' displayed
### in each newly chdired directory.
# DisplayLogin welcome.msg
# DisplayFirstChdir .message
### Limit WRITE everywhere in the anonymous chroot
# <Limit WRITE>
# DenyAll
# </Limit>
</Anonymous>
ServerIdent off
When I try to reach the FTP server from outside (from the internet), I see the following:

#!/usr/local/bin/bash
Progress_service=\
"redirect_port tcp 10.44.44.215:22 13579 \
redirect_port tcp 10.44.44.215:51413 51413 \
redirect_port tcp 10.44.44.215:21 21 \
redirect_port tcp 10.44.44.215:20 20 \
redirect_port tcp 10.44.44.215:9091 24680"
#ssh
#transmission incoming
#ftp COMMAND
#ftp DATA
#transmission web
add="ipfw add"
allow="ipfw add allow"
deny="ipfw add deny"
wan="rl0"
lan="rl1"
tun="ng0"
ks="keep-state"
cs="ipfw add check-state"
deny_host=`cat /var/ipfw/host.deny`
ipfw -f flush
#$allow all from any to any
##################Bad boys:########################
for i in $deny_host
do
$deny ip from $i to any
$deny ip from any to $i
done
###################################################
$allow ip from any to any via lo0
$allow ip from any to any via $lan
$deny ip from 127.0.0.0/8 to any
$deny ip from any to 127.0.0.0/8
#$deny ip from any to 192.168.0.0/16 in recv $wan
#$deny ip from 192.168.0.0/16 to any in recv $wan
$deny ip from any to 172.16.0.0/12 in recv $wan
$deny ip from 172.16.0.0/12 to any in recv $wan
#$deny ip from any to 10.0.0.0/8 in recv $wan
#$deny ip from 10.0.0.0/8 to any in recv $wan
$deny ip from any to 169.254.0.0/16 in recv $wan
$deny ip from 169.254.0.0/16 to any in recv $wan
$deny ip from any to 192.168.0.0/16 in recv $tun
$deny ip from 192.168.0.0/16 to any in recv $tun
$deny ip from any to 172.16.0.0/12 in recv $tun
$deny ip from 172.16.0.0/12 to any in recv $tun
$deny ip from any to 10.0.0.0/8 in recv $tun
$deny ip from 10.0.0.0/8 to any in recv $tun
$deny ip from any to 169.254.0.0/16 in recv $tun
$deny ip from 169.254.0.0/16 to any in recv $tun
ipfw nat 1 config log if $wan deny_in
ipfw nat 2 config log if $tun deny_in $Progress_service
$add nat 1 all from any to any via $wan
$add nat 2 all from any to any via $tun
I also forwarded port 21 and the range 49152-65534. Then I see this output:

ftp nazarovd.dlinkddns.com
Connected to nazarovd.dlinkddns.com (93.157.236.36).
220 10.44.44.215 FTP server ready
Name (nazarovd.dlinkddns.com:nazarovd): progress_ftp
331 Password required for progress_ftp
Password:
230 User progress_ftp logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode off.
ftp> dir
500 Illegal PORT command
ftp: bind: Адрес уже используется
ftp>
Connected to nazarovd.dlinkddns.com (93.157.236.36).
220 10.44.44.215 FTP server ready
Name (nazarovd.dlinkddns.com:nazarovd): progress_ftp
331 Password required for progress_ftp
Password:
230 User progress_ftp logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
227 Entering Passive Mode (10,44,44,215,153,20).
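The two transcripts show two different failures of FTP through NAT: in passive mode the server answers the PASV request with its private address (10,44,44,215) and a data port that lies outside the forwarded 49152-65534 range, so an Internet client connects to the wrong place; in active mode the server rejects the client's PORT command with "500 Illegal PORT command", which ProFTPD sends (with AllowForeignAddress off) when the address in PORT does not match the control connection's peer or the port is privileged. The following checker is an added example written for this thread; it is not code from the original post or from ProFTPD. It decodes the h1,h2,h3,h4,p1,p2 tuple the same way a client or server does and reports which of those conditions applies. The 227 reply, the public address 93.157.236.36 and the forwarded range are taken from the post; the PORT command and the peer address 198.51.100.7 are constructed sample values.

```python
import ipaddress
import re

# Six comma-separated decimal fields: h1,h2,h3,h4,p1,p2 (RFC 959 PORT / 227 syntax).
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 tuple carried by a PORT command or a 227 reply.

    Returns (dotted_ip, port); the port is p1 * 256 + p2.
    """
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in %r" % text)
    h1, h2, h3, h4, p1, p2 = fields
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def check_pasv_reply(reply, public_ip, forwarded_range):
    """Problems an Internet client would hit using the address in a 227 reply.

    forwarded_range is the inclusive (low, high) TCP range the NAT redirects
    to the FTP server. Returns an empty list when the reply is usable.
    """
    ip, port = parse_hostport(reply)
    problems = []
    if ipaddress.ip_address(ip).is_private:
        problems.append(
            "227 advertises private address %s; the client will try that "
            "instead of %s (ProFTPD: MasqueradeAddress)" % (ip, public_ip))
    elif ip != public_ip:
        problems.append("227 advertises %s, not the public address %s" % (ip, public_ip))
    low, high = forwarded_range
    if not low <= port <= high:
        problems.append(
            "data port %d is outside the forwarded range %d-%d "
            "(ProFTPD: PassivePorts %d %d)" % (port, low, high, low, high))
    return problems


def check_port_command(command, peer_ip):
    """Apply the server-side sanity check to an active-mode PORT command.

    ProFTPD, with AllowForeignAddress off, answers "500 Illegal PORT command"
    when the advertised address differs from the control connection's peer
    or when the data port is privileged (< 1024). Returns [] when accepted.
    """
    ip, port = parse_hostport(command)
    problems = []
    if ip != peer_ip:
        problems.append("PORT address %s does not match control peer %s" % (ip, peer_ip))
    if port < 1024:
        problems.append("PORT data port %d is privileged" % port)
    return problems


# Values copied from the post above.
PASV_REPLY = "227 Entering Passive Mode (10,44,44,215,153,20)."
PUBLIC_IP = "93.157.236.36"
FORWARDED = (49152, 65534)

# Constructed sample: a client behind its own NAT advertising its LAN address.
PORT_FROM_NATTED_CLIENT = "PORT 192,168,1,10,4,1"
CLIENT_PEER_IP = "198.51.100.7"  # constructed; RFC 5737 documentation range


if __name__ == "__main__":
    for line in check_pasv_reply(PASV_REPLY, PUBLIC_IP, FORWARDED):
        print("PASV:", line)
    for line in check_port_command(PORT_FROM_NATTED_CLIENT, CLIENT_PEER_IP):
        print("PORT:", line)
```

Run against the post's own 227 reply, the checker reports both the private address and the out-of-range port (39188); the two ProFTPD directives named in the messages, MasqueradeAddress and PassivePorts, are the server-side settings that control exactly those two values, and the port range given to PassivePorts has to be the same one the ipfw redirect_port rules forward. The PORT check explains the "500 Illegal PORT command" line: a client that is itself behind NAT advertises an address the server never sees on the control connection.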