Dynamically monitor FTP connections and change IP.

I want to know if FTP connections can be dynamically monitored and then dynamically replace the IP address specification for packets containing the PASV response. I want to do this because I have an FTP server on my local LAN and none of my users can establish PASSIVE FTP connections.

I see in the Filter Rules there is an option to specify FTP as the connection type but if I enable this the FTP traffic does not reach the internal FTP server. The Router OS manual for V3.0 is not finished yet so I have no idea how this FTP connection type option actually works.

Can anyone help?

Thanks
Simon

Did you enable ‘ftp’ under ip-firewall-service-ports?

Hi

It is enabled.

My rules look like this:

Filter:
17 chain=customer action=accept in-interface=ether3 dst-port=21 protocol=tcp
connection-type=ftp
NAT:
13 ;;; FTP Forward to HSTB-SME
chain=dstnat action=dst-nat to-addresses=192.168.201.10 to-ports=21
in-interface=ether3 dst-address=196.212.XXX.XXX dst-port=21 protocol=tcp
connection-type=ftp

If I disable the connection-type specification it allows me to connect but cannot establish the passive connection. The above configuration says the following:

[root@spike ~]# ftp 196.212.XXX.XXX
Connected to 196.212.XXX.XXX.
421 Service not available, remote server has closed connection
ftp> quit

Any other ideas?
Thanks

You do not need a dst-nat rule; Service Port does it for you.

How does the traffic get to the FTP server on the local LAN then? Remembering that I am running a separate ftp server, not a server on the MT firewall.

Filter:
17 chain=customer action=accept in-interface=ether3 dst-port=21 protocol=tcp
connection-type=ftp

You need to accept related and established connections.

Ok! I disabled connection-type=ftp, accepted related and established connections, and it is now working.

Thank you for your assistance.

Here's a virtual beer

:smiley:

Simon,

Can you help me with the rule for passive FTP? I'm not able to get it to function.

Thanks in advance

I have an FTP server on a DMZ and NAT ports 20-21; active FTP works OK but passive does not.

Try to enable the FTP NAT helper (Firewall -> Services) and add an ‘accept related connections’ rule to the firewall filter.

Hi Simon,

Can you post your definitive rule set?