Так как прокинуть порт для FTP?

[uscr_]

Здравствуйте.
FreeBSD 8.1
ipfw+kernel nat
Proftpd

Конфиг Proftpd:

Код: Выделить всё

# For more informations about Proftpd configuration
# look at : http://www.proftpd.org/
#
# This is a basic ProFTPD configuration file (rename it to 
# 'proftpd.conf' for actual use.  It establishes a single server
# and a single anonymous login.  It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName                      "PROGRESS FTP"
ServerType                      standalone
DefaultServer                   on
#ScoreboardFile         /var/run/proftpd/proftpd.scoreboard

# Port 21 is the standard FTP port.
Port                            21

# Use IPv6 support by default.
UseIPv6                         off

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask                           022

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances                    30

CommandBufferSize               512

# Set the user and group under which the server will run.
User                            nobody
Group                           nogroup

# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
DefaultRoot ~

# Normally, we want files to be overwriteable.
AllowOverwrite          on

# Bar use of SITE CHMOD by default
<Limit SITE_CHMOD>
  DenyAll
</Limit>

# A basic anonymous configuration, no upload directories.  If you do not
# want anonymous users, simply delete this entire <Anonymous> section.

#########################################################################
#                                                                       #
# Uncomment lines with only one # to allow basic anonymous access       #
#                                                                       #
#########################################################################

<Anonymous ~ftp>
   User                         anon_ftp
   Group                        anon_ftp

  ### We want clients to be able to login with "anonymous" as well as "ftp"
  UserAlias                     anonymous anon_ftp

  ### Limit the maximum number of anonymous logins
  MaxClients                    10

  ### We want 'welcome.msg' displayed at login, and '.message' displayed
  ### in each newly chdired directory.
  # DisplayLogin                        welcome.msg
  # DisplayFirstChdir           .message

  ### Limit WRITE everywhere in the anonymous chroot
  # <Limit WRITE>
  #   DenyAll
  # </Limit>
</Anonymous>

ServerIdent off
ServerIdent off

Конфиг ipfw:

#!/usr/local/bin/bash

Progress_service=\
"redirect_port tcp 10.44.44.215:22 13579 \
redirect_port tcp 10.44.44.215:51413 51413 \
redirect_port tcp 10.44.44.215:21 21 \
redirect_port tcp 10.44.44.215:20 20 \
redirect_port tcp 10.44.44.215:9091 24680"
#ssh
#transmission incoming
#ftp COMMAND
#ftp DATA
#transmission web

add="ipfw add"
allow="ipfw add allow"
deny="ipfw add deny"
wan="rl0"
lan="rl1"
tun="ng0"

ks="keep-state"
cs="ipfw add check-state"

deny_host=`cat /var/ipfw/host.deny`

ipfw -f flush
#$allow all from any to any

##################Bad boys:########################
for i in $deny_host
do
$deny ip from $i to any
$deny ip from any to $i
done
###################################################

$allow ip from any to any via lo0
$allow ip from any to any via $lan

$deny ip from 127.0.0.0/8 to any
$deny ip from any to 127.0.0.0/8

#$deny ip from any to 192.168.0.0/16 in recv $wan
#$deny ip from 192.168.0.0/16 to any in recv $wan
$deny ip from any to 172.16.0.0/12 in recv $wan
$deny ip from 172.16.0.0/12 to any in recv $wan
#$deny ip from any to 10.0.0.0/8 in recv $wan
#$deny ip from 10.0.0.0/8 to any in recv $wan
$deny ip from any to 169.254.0.0/16 in recv $wan
$deny ip from 169.254.0.0/16 to any in recv $wan

$deny ip from any to 192.168.0.0/16 in recv $tun
$deny ip from 192.168.0.0/16 to any in recv $tun
$deny ip from any to 172.16.0.0/12 in recv $tun
$deny ip from 172.16.0.0/12 to any in recv $tun
$deny ip from any to 10.0.0.0/8 in recv $tun
$deny ip from 10.0.0.0/8 to any in recv $tun
$deny ip from any to 169.254.0.0/16 in recv $tun
$deny ip from 169.254.0.0/16 to any in recv $tun

ipfw nat 1 config log if $wan deny_in
ipfw nat 2 config log if $tun deny_in $Progress_service
$add nat 1 all from any to any via $wan
$add nat 2 all from any to any via $tun

При попытке зайти на FTP снаружи (из интернета) вижу вот что:

ftp nazarovd.dlinkddns.com
Connected to nazarovd.dlinkddns.com (93.157.236.36).
220 10.44.44.215 FTP server ready
Name (nazarovd.dlinkddns.com:nazarovd): progress_ftp
331 Password required for progress_ftp
Password:
230 User progress_ftp logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode off.
ftp> dir
500 Illegal PORT command
ftp: bind: Адрес уже используется
ftp>

Ещё пробрасывал 21 порт и диапазон 49152-65534. Тогда вижу такой вывод:

Код: Выделить всё

Connected to nazarovd.dlinkddns.com (93.157.236.36).
220 10.44.44.215 FTP server ready
Name (nazarovd.dlinkddns.com:nazarovd): progress_ftp
331 Password required for progress_ftp
Password:
230 User progress_ftp logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
227 Entering Passive Mode (10,44,44,215,153,20).

Как быть?

[Хостинг HostFood.ru]

Тарифы на хостинг в России, от 12 рублей: https://www.host-food.ru/tariffs/hosting/
Тарифы на виртуальные сервера (VPS/VDS/KVM) в РФ, от 189 руб.: https://www.host-food.ru/tariffs/virtualny-server-vps/
Выделенные сервера, Россия, Москва, от 2000 рублей (HP Proliant G5, Intel Xeon E5430 (2.66GHz, Quad-Core, 12Mb), 8Gb RAM, 2x300Gb SAS HDD, P400i, 512Mb, BBU):
https://www.host-food.ru/tariffs/vydelennyi-server-ds/
Недорогие домены в популярных зонах: https://www.host-food.ru/domains/

[FreeBSP]

quote и code это разные вещи

покажи

Код: Выделить всё

ipfw  show
ipfw nat show

и попробуй в однй строчку

Код: Выделить всё

Progress_service="redirect_port tcp 10.44.44.215:22 13579 redirect_port tcp 10.44.44.215:51413 51413 redirect_port tcp 10.44.44.215:21 21 redirect_port tcp 10.44.44.215:20 20 redirect_port tcp 10.44.44.215:9091 24680"

[UsCr]

quote и code это разные вещи

В code нельзя выделять цветом. Второй раз - промах, да.

покажи

Код: Выделить всё

ipfw  show
ipfw nat show

и попробуй в однй строчку

Код: Выделить всё

Progress_service="redirect_port tcp 10.44.44.215:22 13579 redirect_port tcp 10.44.44.215:51413 51413 redirect_port tcp 10.44.44.215:21 21 redirect_port tcp 10.44.44.215:20 20 redirect_port tcp 10.44.44.215:9091 24680"

ipfw show

Код: Выделить всё

00100        0          0 deny ip from 10.44.44.64 to any
00200        0          0 deny ip from any to 10.44.44.64
00300        1         64 deny ip from 10.44.44.59 to any
00400        0          0 deny ip from any to 10.44.44.59
00500        0          0 deny ip from 10.44.46.206 to any
00600        0          0 deny ip from any to 10.44.46.206
00700    33538    3100484 allow ip from any to any via lo0
00800    38792   24426399 allow ip from any to any via rl1
00900        0          0 deny ip from 127.0.0.0/8 to any
01000        0          0 deny ip from any to 127.0.0.0/8
01100        0          0 deny ip from any to 172.16.0.0/12 in recv rl0
01200        0          0 deny ip from 172.16.0.0/12 to any in recv rl0
01300        0          0 deny ip from any to 169.254.0.0/16 in recv rl0
01400        0          0 deny ip from 169.254.0.0/16 to any in recv rl0
01500        0          0 deny ip from any to 192.168.0.0/16 in recv ng0
01600        0          0 deny ip from 192.168.0.0/16 to any in recv ng0
01700        0          0 deny ip from any to 172.16.0.0/12 in recv ng0
01800       18       1008 deny ip from 172.16.0.0/12 to any in recv ng0
01900        0          0 deny ip from any to 10.0.0.0/8 in recv ng0
02000        0          0 deny ip from 10.0.0.0/8 to any in recv ng0
02100        0          0 deny ip from any to 169.254.0.0/16 in recv ng0
02200        0          0 deny ip from 169.254.0.0/16 to any in recv ng0
02300 12145772 7671987014 nat 1 ip from any to any via rl0
02400 11225795 7207756906 nat 2 ip from any to any via ng0
65535       17       1055 deny ip from any to any

ipfw nat show

Код: Выделить всё

nat 2: icmp=0, udp=41, tcp=1063, sctp=0, pptp=0, proto=0, frag_id=0 frag_ptr=0 / tot=1104
nat 1: icmp=0, udp=0, tcp=3, sctp=0, pptp=0, proto=1, frag_id=467 frag_ptr=0 / tot=471

[terminus]

Код: Выделить всё

kldload alias_ftp.ko

[FreeBSP]

Код: Выделить всё

ipfw nat show config

какой то странный у вас конфиг файера...
после того как все redirect_port собрались в одну строчку не полегчало?

[schizoid]

Код: Выделить всё

        # portforward for ftp
        ${fwcmd} nat 700 config if ${sif} redirect_port tcp 192.168.0.101:20 20
        ${fwcmd} add nat 700 tcp from any to ${sip} 20 via ${sif}
        ${fwcmd} add allow tcp from any to 192.168.0.101 20 via ${sif}
        ${fwcmd} nat 750 config if ${sif} redirect_port tcp 192.168.0.101:21 21
        ${fwcmd} add nat 750 tcp from any to ${sip} 21 via ${sif}
        ${fwcmd} add allow tcp from any to 192.168.0.101 21 via ${sif}
        ${fwcmd} nat 760 config if ${sif} redirect_port tcp 192.168.0.101:45500-45510 45500-45510
        ${fwcmd} add nat 760 tcp from any to ${sip} 45500-45510 via ${sif}
        ${fwcmd} add allow log tcp from any to 192.168.0.101 45500-45510 via ${sif}

на 192.168.0.101 - proftp с такими настройками:

Код: Выделить всё

PassivePorts 45500 45510

работает как в активном, так и в пассивном режиме клиента
${sif} - внешний интерфейс