 From:  sylikc <sylikc at gmail dot com>
 To:  Zoban <zoban at web4all dot cz>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] NAT > FTP
 Date:  Fri, 15 Oct 2004 15:42:12 -0700

>   But I have problem with NAT to FTP from external to internal IP
>   segments.
>   I have two FTP server no.1 and no.2
>   I use NAT for FTP no.1 from port 21 to port 21 - active OK, passive
>   wrong
>   When I use NAT for FTP no.2 from port 2121 to port 21 - active,
>   passive wrong
> [2] Connecting to Vortex
> [2] Connecting to 80.188.xx.xx:2121
> [2] 220 ProFTPD 1.2.10 Server (Starless FTP server) []
> [2] USER trus
> [2] 331 Password required for xxxx.
> [2] PASS (hidden)
> [2] 230-Welcome, archive user trus at 194 dot 213 dot xx dot xx, time: Fri Oct 15 20:21:17 2004
> [2]  this is Starless FTP server...
> [2] 230 User trus logged in.
> [2] SYST
> [2] 215 UNIX Type: L8
> [2] REST 1
> [2] 350 Restarting at 1. Send STORE or RETRIEVE to initiate transfer
> [2] REST 0
> [2] 350 Restarting at 0. Send STORE or RETRIEVE to initiate transfer
> [2] TYPE A
> [2] 200 Type set to A
> [2] PWD
> [2] 257 "/" is current directory.
> [2] Listening at IP: 194.213.xx.xx PORT: 3937 for data connecting
> [2] PORT 194,213,xx,xx,15,97
> [2] 200 PORT command successful
> [2] LIST -al
> [2] 425 Unable to build data connection: Connection refused
> [2] Vortex disconnected
> Please help me with this problem. THX
> I use m0n0Wall 1.2b1.

First of all, to understand why this is failing, you have to
understand how PASV FTP works.  But, just from the output above, it
even looks like your active connection isn't working.

For active connections, your client has to be directly connected to
the internet (no NAT on client side), and your m0n0 must forward both
port 2121 and 2120 to the FTP server.  Your client has to allow the
connection (make sure the client firewall doesn't block it, just like
XP SP2 default) from the FTP server back to the client (the active

On the other hand, for passive connections, depending on your FTP
software, you may be able to set a range of high number ports 1024+ on
the server software.  Those you have to forward to the FTP server as
well.  The client connects to those ports and they must map 1:1 to the
ports on the server.  This means, if your passive port range on the
FTP server is 3000-3010, your m0n0 MUST forward ports 3000-3010 to the
FTP server.  This setting is server dependent as it differs from
software to software.

Doing one FTP server through NAT is always a challenge, much less
trying to do more than one.  Give that a shot, and if you have more
problems, post your internal configuration along with server software
+ IP addresses of your internal servers and maybe the situation could
be clearer (it's quite abstract to me right now).
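The reply above explains the two ways FTP announces its data connection: in active mode the client sends PORT with its own address and a listening port, in passive mode the server answers 227 with the address and port it is listening on, and in both cases the port is encoded as two bytes (p1*256 + p2, so the `15,97` in the log above is port 3937). The following is an added example, not part of the original thread or of m0n0wall: a small Python checker that parses either announcement and reports the NAT problems the reply describes (a client behind NAT in active mode, or a passive port outside the range forwarded to the server). The addresses in the sample lines are constructed stand-ins for the `xx` octets in the log; the `forwarded_ranges` argument is an assumption standing in for whatever inbound NAT rules are configured on the firewall.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The two control-channel lines that carry a data-connection endpoint:
#   client -> server:  PORT h1,h2,h3,h4,p1,p2         (active mode, client listens)
#   server -> client:  227 ... (h1,h2,h3,h4,p1,p2)    (passive mode, server listens)
# The data port is p1 * 256 + p2, e.g. 15,97 -> 15 * 256 + 97 = 3937.
OCTETS = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT\s+" + OCTETS + r"\s*$")
PASV_RE = re.compile(r"^227\b.*?\(" + OCTETS + r"\)")


@dataclass
class DataEndpoint:
    mode: str   # "active" or "passive"
    host: str   # dotted-quad address announced on the control channel
    port: int   # decoded data port


def parse_endpoint(line: str) -> Optional[DataEndpoint]:
    """Decode the endpoint announced by a PORT command or a 227 reply; None if neither."""
    line = line.strip()
    m = PORT_RE.match(line)
    mode = "active"
    if m is None:
        m = PASV_RE.match(line)
        mode = "passive"
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None  # malformed: every field must fit in one byte
    return DataEndpoint(mode, f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)


def diagnose(line: str, forwarded_ranges: List[Tuple[int, int]]) -> List[str]:
    """List the NAT problems that would make the announced data connection fail.

    forwarded_ranges: inclusive (low, high) port ranges the firewall forwards to
    the FTP server (assumed input; read it from your own NAT configuration).
    """
    ep = parse_endpoint(line)
    if ep is None:
        return ["no PORT command or 227 reply found on this line"]
    problems: List[str] = []
    addr = ipaddress.ip_address(ep.host)
    if ep.mode == "active":
        # The server connects back to the client, so the client must be
        # directly reachable: a private client address cannot be reached
        # through the client's own NAT.
        if addr.is_private:
            problems.append(
                f"active mode: client announced private address {ep.host}:{ep.port}; "
                "server cannot connect back through the client's NAT")
    else:
        # The client connects to the server's announced address and port,
        # so the address must be the public one and the port must be
        # forwarded 1:1 to the server.
        if addr.is_private:
            problems.append(
                f"passive mode: server announced private address {ep.host}; "
                "external clients cannot reach it")
        if not any(lo <= ep.port <= hi for lo, hi in forwarded_ranges):
            problems.append(
                f"passive mode: data port {ep.port} is outside the forwarded "
                f"ranges {forwarded_ranges}; add it to the passive range and the NAT rules")
    return problems


if __name__ == "__main__":
    # Constructed sample lines (addresses are placeholders, not from the thread).
    for sample in ("PORT 194,213,10,20,15,97",
                   "PORT 10,0,0,5,15,97",
                   "227 Entering Passive Mode (192,168,1,10,11,184).",
                   "227 Entering Passive Mode (80,188,1,2,11,190)."):
        print(sample, "->", diagnose(sample, [(3000, 3010)]) or "ok")
```

Run it against the client log from the thread (with the real octets filled in) to see which of the two failure modes applies; the empty list for a public PORT address matches the reply's point that active mode needs a client with no NAT in front of it, while the passive checks mirror the "forward the server's passive range 1:1" advice.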