running ftp service on non standard ports

arpadffy · April 19, 2011, 8:44am

Hello,

I am trying top run ftp services on non standard ports.
I wonder is there any limit in ROS? And what is the correct approach?

Example:
I want to run ftp service in the following ports
port 711 → to host 1
port 721 → to host 2
port 731 → to host 3
port 741 → to host 4
port 751 → to host 5

NAT rules are defined with

12   chain=dstnat action=dst-nat to-addresses=192.168.10.2 to-ports=21
     protocol=tcp in-interface=ether1-gateway dst-port=711
     connection-type=ftp

service-ports are:

> ip firewall service-port print
Flags: X - disabled, I - invalid
 #   NAME                                                                                                             PORTS
 0   ftp                                                                                                              21
 1   tftp                                                                                                             69
 2   irc                                                                                                              6667
 3   h323
 4   sip                                                                                                              5060
                                                                                                                      5061
 5   pptp

I have a feeling that I need to define ports 711,721,731,741,751 as a service port or it is enough for correct NAT-ing that I define connection-type=ftp?

Earlier, using iptables the correct module load took care of it:

modprobe nf_conntrack_ftp ports=21,711,721,731,741,751

What would be the equivalent in ROS language?

Any help would be appreciated.

Thank you in advance.

Regards,
Z

Sob · April 21, 2011, 2:46am

You can add your custom ports to service ports under FTP and it should work. But only for non-encrypted connections. For encrypted ones (SSL) you have to manually forward fixed port range for each server and make them aware of that. And I don’t think you need connection-type=ftp in your rules.

arpadffy · April 21, 2011, 12:22pm

Hello,

do I need to set custom ports at all?

What I’m missing here that ROS should be aware that the dst-nat-ed connection is ftp type and to automatically handle it as an ftp specific connection whatever it means in NAT rules (like allow and forward related etc. use port 20 etc)

Maybe it is more complicated to set up in ROS… but if ftp works perfect on port 21 the same rules should be applied to some other non standard ports.

Does anybody know that rules?

Thank you.

Regards,
Z

Sob · April 21, 2011, 2:42pm

Yes, if you want the NAT helper to handle things automatically (recognize related data connections and rewrite addresses), because it only looks for FTP protocol on specified ports. Not needed with manual setup (static port ranges for data connections).

Your problem is “connection-type=ftp”. It matches related connections, not the main one.

Try this:

/ip firewall service-port> set ftp ports=21,711,721,731,741,751
/ip firewall nat chain=dstnat action=dst-nat to-addresses=192.168.10.2 to-ports=21 protocol=tcp in-interface=ether1-gateway dst-port=711
...

arpadffy · April 21, 2011, 8:43pm

Thank you very much.
It helps, indeed.

I just wonder is there any special reason why port has limit 8?

[admin@MikroTik] /ip firewall service-port> set ftp ports=21,701,711,721,731,741,751,761
value of ports should have no more than 8 elements

Is there any work-a-round if I would need more than 8?
In fact, I do need 16 to be honest

Thank you.

Regards,
Z

Sob · April 21, 2011, 9:25pm

I have no idea about the limit, if it’s simply because inspecting traffic on many ports means more work and is therefore not good for performance (so kind of “8 ports must be enough for everyone” :), or if it’s something else.

There’s always possibility to stop relying on NAT helper and doing it the manual way. So for server one you’d forward port 701 for control connection and e.g. 10000-10099(*1) for data connections. For server two it would be 711 for control connection and 10100-10199 for data ones. And so on. Then you’d have to configure backend servers to be aware of that, so they would return correct address (your public one) and ports from their assigned ranges to clients. All modern FTP servers can do this.

Advantages:

router does not have to inspect contents of FTP packets and do any address rewriting
it works with SSL

Disadvantages:

additional configuration on servers, but it’s one-time only
whole data port range is always forwarded, you can’t do any filtering based on ‘related’ match

(*1) - The number of needed ports depends mainly on server load, e.g. small home server can happily work with less than ten, large server may need thousands.