sy_geoffrey
asked on
How to forward ftp ports in untangle and external aliasing?
Hi,
I have already set up Untangle as the gateway, but my FTP server does not work when traffic passes through the gateway. I also cannot access port 80 of my 2nd public IP. My scenario is below.
I have 2 public IPs, 203.x.x.146, 203.x.x.147
My external IPs are: 203.x.x.146/29 set as primary IP and 203.x.x.147 as alias
My primary internal IP is 192.x.x.1 and NAT Policies 192.x.x.1/32 set to auto and 0.0.0.0 set to auto
My Web Server is 192.x.x.6 using port 80
My FTP Server is 192.x.x.6 using port 21
My Mail Server is 192.x.x.2 using port 80
My port forwards are:
203.x.x.146 -> 192.x.x.6 port 80
- Destined Local
- Destination port - 80
- Source interface - external
- Protocol - TCP
- New Destination - 192.x.x.6
- New Port - empty
203.x.x.146 -> 192.x.x.6 port 21
- Destined Local
- Destination port - 21
- Source interface - external
- Protocol - TCP
- New Destination - 192.x.x.6
- New Port - empty
203.x.x.147 -> 192.x.x.2 port 80
- Destination Address - 203.x.x.147
- Destination port - 80
- Source interface - external
- Protocol - TCP
- New Destination - 192.x.x.2
- New Port - empty
My problems are:
1. Cannot access the FTP (note: I can access FTP locally)
2. Cannot access Mail Server 203.x.x.147
How to solve this?
Please advise.
Thank you very much
Just a note about FTP:
There are two types of data transfers using FTP, active and passive.
When using active, the FTP server initiates a connection using port 20 as the SOURCE port to the FTP client using a high port as the destination. The client tells the server what port it will listen on using the PORT command.
When using passive, the FTP client initiates a connection using a high port to the server using a high port as the destination. The server tells the client what high port it is going to be listening on via the response to the client's PASV command.
So once you get the FTP port 21 fixed, you may have a nightmare attempting to get the data transfers done. Most firewalls are "ftp" aware and monitor the traffic on port 21 for PASV and PORT commands and then dynamically set up the necessary NATs and allows to allow the data connections through.
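The PORT/PASV exchange described in the answer above, as an added example that is not part of the original thread: it parses the `h1,h2,h3,h4,p1,p2` argument from a control-channel line, derives the data connection a gateway has to let through, and rewrites a 227 reply the way an FTP-aware NAT does. The addresses are constructed documentation-range values standing in for the masked ones in the question, and the function names are hypothetical.

```python
import re

# RFC 959 host-port argument: h1,h2,h3,h4,p1,p2 (six decimal octets).
_HOSTPORT = re.compile(r"(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(?!\d)")

# Constructed sample control-channel lines (not captured traffic).
PASV_REPLY = "227 Entering Passive Mode (192,0,2,6,195,80)"  # server -> client
PORT_CMD = "PORT 198,51,100,7,19,137"                        # client -> server


def parse_hostport(line):
    """Return (ip, port) from a PORT command or a 227 reply, else None."""
    if not (line.upper().startswith("PORT ") or line.startswith("227 ")):
        return None
    m = _HOSTPORT.search(line)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def rewrite_pasv(reply, public_ip):
    """Swap the server's private address in a 227 reply for the gateway's
    public address, keeping the port, as an FTP-aware NAT helper does."""
    parsed = parse_hostport(reply)
    if parsed is None or not reply.startswith("227 "):
        return reply
    port = parsed[1]
    new = "%s,%d,%d" % (public_ip.replace(".", ","), port >> 8, port & 0xFF)
    return _HOSTPORT.sub(new, reply, count=1)


def data_pinhole(line, peer_ip):
    """Describe the data connection implied by one control line.
    peer_ip is the other end of the control channel: the client for a
    227 reply, the server for a PORT command."""
    parsed = parse_hostport(line)
    if parsed is None:
        return None
    ip, port = parsed
    if line.startswith("227 "):
        # Passive: client connects from a high port to the server's high port.
        return {"mode": "passive", "src": peer_ip, "dst": ip, "dst_port": port}
    # Active: server connects from source port 20 to the client's high port.
    return {"mode": "active", "src": peer_ip, "src_port": 20,
            "dst": ip, "dst_port": port}
```

Without the rewrite step, an outside client receives the server's private address in the 227 reply and has nothing routable to connect to, which is why a port 21 forward alone is not enough.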
ASKER
Hi,
But my FTP server was working fine until we decided to use Untangle as our gateway. Is there any configuration needed on my FTP server, or is the configuration only on the Untangle server?
ASKER CERTIFIED SOLUTION
First of all, you need to confirm that your external router packets destined for 203.x.x.147 are routed to your Untangle external interface. Once you've confirmed that, you need to check if you've done the Untangle IP aliasing properly.
Then check if you're allowing traffic from outside to 203.x.x.147 port 80.
It is a different story for FTP though. Once a connection is made to your FTP port (port 21), FTP opens a second connection to the client's FTP port 20. Check if port 20 traffic is allowed as well. Also, the kernel must know that you're using FTP and the iptables module ftp_conntrack must be loaded. I am not sure how to check if the module is loaded on Untangle. Please consult your manual.
Cheers,
K.