
Re: FTP Blocking

Posted: Tue May 11, 2010 11:43 am
by nadym67
Hi,

I have FTP running on my LAN. I need to give access to mobile users via the Internet. I have assigned an IP to the WAN interface & did dst-nat. While testing, when I try to connect, the log shows:

FDROP forward: input: WAN output: LAN proto TCP (SYN)

Regards,

Nadeem

Re: FTP Blocking

Posted: Tue May 11, 2010 1:52 pm
by sergejs
Please, post /ip firewall nat rule used for the FTP server redirection.

Re: FTP Blocking

Posted: Tue May 11, 2010 2:14 pm
by nadym67
chain=srcnat action=src-nat to-addresses=142.24.210.58 to-ports=0-65535 out-interface=WAN
src-address=192.168.0.0/24

Re: FTP Blocking

Posted: Tue May 11, 2010 2:17 pm
by nadym67
Sorry that was wrong

chain=dstnat action=dst-nat to-addresses=192.168.0.6 to-ports=20-21 in-interface=WAN dst-address=142.24.210.68
dst-port=20-21 protocol=tcp

Re: FTP Blocking

Posted: Tue May 11, 2010 4:09 pm
by Chupaka
when I try to connect in log is shows.

FDROP forward: input: WAN output: LAN proto TCP (SYN)
so, disable that firewall filter rule that drops the packet

Re: FTP Blocking

Posted: Tue May 11, 2010 4:35 pm
by nadym67
I disabled all the drop rules, still not working.

Re: FTP Blocking

Posted: Wed May 12, 2010 8:54 am
by sergejs
Do you have active or passive FTP?

Re: FTP Blocking

Posted: Wed May 12, 2010 1:29 pm
by nadym67
I have an active FTP running on Linux OS.

Re: FTP Blocking

Posted: Wed May 12, 2010 2:08 pm
by sergejs
Then NAT should work. Try to forward other ports (SSH/Telnet) to your server, to make sure that the public IP address given by the ISP works.

Re: FTP Blocking

Posted: Wed May 12, 2010 2:21 pm
by nadym67
I'm able to ping this IP after NATting.

Re: FTP Blocking

Posted: Wed May 12, 2010 2:27 pm
by ditonet
How did you test FTP server?
Active FTP will not function when the client side is firewalled or the client is behind a NAT device which is not smart enough to alter the IP addresses inside FTP packets.
Passive FTP is a better choice for mobile users, especially when they connect from different places.

Regards, Grzegorz.

Re: FTP Blocking

Posted: Wed May 12, 2010 3:09 pm
by nadym67
My server is working fine, MikroTik is dropping: FDROP forward: in WAN out: lan TCP (SYN)

Re: FTP Blocking

Posted: Wed May 12, 2010 3:24 pm
by ditonet
I'm sure that your FTP server is working fine; I wrote about FTP clients.
I don't know what FDROP in your log is, but the rest, forward: in WAN out: lan TCP (SYN), says that the packet is forwarded through the router.
Look at this: http://wiki.mikrotik.com/wiki/Manual:Packet_Flow
Post your full firewall RouterOS logs.

Regards, Grzegorz.

Re: FTP Blocking

Posted: Wed May 12, 2010 3:25 pm
by sergejs
How are these joined together?

#1
Wed May 12, 2010 1:09 pm
My server is working fine, Mikrotik is dropping, FDROP forward:in WAN out :lan TCP (SYN)
#2
Posted: Tue May 11, 2010 2:35 pm
I disabled all the drop rules still not working

Re: FTP Blocking

Posted: Wed May 12, 2010 3:53 pm
by nadym67
#1
Is my error message from my MikroTik log.

#2

Reply to Chupaka, as he asked to disable all drop rules in the firewall.

Re: FTP Blocking

Posted: Wed May 12, 2010 3:57 pm
by sergejs
Firstly you said that you disabled the drop rules, but you still see them in your log?

Re: FTP Blocking

Posted: Wed May 12, 2010 4:20 pm
by nadym67
Yes, that's correct, even I'm confused.

Re: FTP Blocking

Posted: Wed May 12, 2010 4:57 pm
by ditonet
Set two logging rules, one for 'input' on WAN side, second for 'forward'.
You will clearly see what is dropped and what is forwarded.

Regards, Grzegorz.

Re: FTP Blocking

Posted: Wed May 12, 2010 6:02 pm
by Chupaka
do you have ftp nat helper enabled (under IP - Firewall - Service Ports)?

Re: FTP Blocking

Posted: Wed May 12, 2010 8:23 pm
by nadym67
I set 2 rules for logging; it's the same: FDROP forward: in WAN out: lan, src-mac <MAC ADDRESS>, proto TCP (SYN), <Public IP of Source PC> and <FTP LAN IP>:21, len 48

Re: FTP Blocking

Posted: Wed May 12, 2010 11:57 pm
by ditonet
Post your firewall/mangle rules and log results.

Regards, Grzegorz.

Re: FTP Blocking

Posted: Thu May 13, 2010 1:07 pm
by nadym67
No rules in mangle. The log I have mentioned in the previous post.

Re: FTP Blocking

Posted: Thu May 13, 2010 1:17 pm
by ditonet
OK, so let us know how you log firewall activity.

Regards, Grzegorz.

Re: FTP Blocking

Posted: Thu May 13, 2010 1:27 pm
by nadym67
I have 4 log rules: input, forward, tcp services & udp services.

Re: FTP Blocking

Posted: Thu May 13, 2010 2:10 pm
by ditonet
No rules in mangle log I have mentioned in previous post
If not in 'mangle', so where are they? In 'filter rules'?

Regards, Grzegorz.

Re: FTP Blocking

Posted: Thu May 13, 2010 2:13 pm
by nadym67
Yes, in filter rules, src-nat and routing.

Re: FTP Blocking

Posted: Thu May 13, 2010 10:55 pm
by ditonet
Connect your linux box/ftp server directly to WAN and make test.
Install Wireshark to get as much details as possible.

Regards, Grzegorz.

Re: FTP Blocking

Posted: Tue May 18, 2010 5:25 pm
by nadym67
I could not connect my FTP server directly to MikroTik as it has other applications running.

Can you tell me step by step how to configure MikroTik to serve the FTP server through it, so I can compare it with my config in case of any mistake by me? After all, I'm a human being.

Re: FTP Blocking

Posted: Tue May 18, 2010 10:39 pm
by ditonet
I suggested that you should connect your Linux box directly to WAN, without MikroTik or any other NATing device.
This will clearly show what is wrongly configured: your FTP server or MikroTik.
According to your earlier post:
My server is working fine, MikroTik is dropping: FDROP forward: in WAN out: lan TCP (SYN)
In my opinion MikroTik forwards packets correctly.
I asked you about your firewall/mangle/nat rules and logs, but it looks like that is 'Top Secret' data :D
And last but not least: Active FTP is not a good choice.

Regards, Grzegorz.

Re: FTP Blocking

Posted: Wed May 19, 2010 8:16 am
by sergejs
nadym67, I agree with Grzegorz.

We are not able to help you without full output from /ip firewall export from the problematic router.

Re: FTP Blocking

Posted: Wed May 19, 2010 9:59 am
by nadym67
Kindly find the attached file from the firewall export.

Re: FTP Blocking

Posted: Wed May 19, 2010 1:12 pm
by nadym67
We have 2 ISPs. I did a port scan on the NATted IP using packet trap; it's showing ports 20 and 21 not responding (that ISP is not terminated on MikroTik). I started the FTP service on the MikroTik WAN address and it shows the port open.

Re: FTP Blocking

Posted: Wed May 19, 2010 3:05 pm
by martini
Oooo ))) how many rules are on your router??
Move the dst-nat rule to the top of the firewall NAT list in WinBox, and disable the drop forward rule and the jump rule; then, if all works, enable the rules one by one and test )

Re: FTP Blocking

Posted: Wed May 19, 2010 4:12 pm
by nadym67
Still not working. What I observed is that no dst-nat is accepted, not even on port 80.

Re: FTP Blocking

Posted: Wed May 19, 2010 4:51 pm
by fewi
Nearly everything in that NAT rule set you posted is disabled. Once you take out the disabled lines, only the below is left:
/ ip firewall nat 
add chain=dstnat action=dst-nat to-addresses=192.168.0.6 to-ports=20-21 \
    dst-address=124.247.210.186 dst-port=20-21 protocol=tcp \
    comment="esoftconnect" disabled=no 
add chain=srcnat action=src-nat to-addresses=124.247.210.185 to-ports=0-65535 \
    out-interface=voip src-address=192.168.0.0/24 comment="LAN via MCI via IP \
    Address 202.80.63.82. Do not change. Used for VPN Traffic" disabled=no 
That's correct (though the comment on the srcnat chain is wildly inaccurate), but you're filtering the port. You are accepting ports 20/21 in the input chain (though the comment is incorrect, you're not just accepting from trusted sources, you're accepting from everywhere):
add chain=input action=accept dst-port=20-21 protocol=tcp comment="ftp access \
    to router from trusted sources" disabled=no 
But the traffic won't be in the input chain. dstnat happens before input/output/forward, and because the destination IP address after dstnat is no longer local the packets will be in the forward chain. The only reference to ports 20/21 in the forward chain are in the chain 'tcp-services':
add chain=tcp-services action=accept src-port=0-65535 dst-port=20-21 \
    protocol=tcp comment="ftp" disabled=no 
and while they are accepted there (though it doesn't make sense to check for a source port if you're going to permit every possible source port; that's just eating resources for a check that will always succeed), you're only jumping to 'tcp-services' with a condition of 'in-interface=lan', which isn't true for the Internet accessing the FTP server.
add chain=forward action=jump jump-target=tcp-services in-interface=lan \
    protocol=tcp comment="allow all outgoing from LAN tcp services" \
    disabled=no 
Since you do have a default drop in the forward chain FTP traffic to the FTP server will be dropped since it isn't accepted first:
add chain=forward action=log log-prefix="FDROP" comment="log drop everything \
    else" disabled=no 
add chain=forward action=drop comment="drop everything else" disabled=yes 
And that log message before the drop matches what you've been posting.

Caveat on all of the above: that's one hell of a ruleset, most of it isn't even in use as it's marked disabled, and it could be summarized quite a lot (why do you have 20 rules for NAT exemption for VPN when you could just build address lists and refer to them in one quick rule?). At a quick glance it's rather confusing and I don't want to spend an hour going through it, so I'm not 100% sure that the above is correct. You should really look at simplifying your configuration.

Re: FTP Blocking

Posted: Wed May 19, 2010 5:06 pm
by nadym67
Thanks for your valuable reply. This router was configured by the ex-engineer; I just started working on it. I did not remove any config because they used to use it as a backup router for the Cisco to connect VPN. I'm playing it safe to avoid a major issue. As per your advice I'll remove all disabled rules, but after taking a backup.

Re: FTP Blocking

Posted: Wed May 19, 2010 5:09 pm
by fewi
To make this work quickly, find the log rule with a log-prefix of "FDROP" and add the following rule just above it:
/ip firewall filter
add chain=forward action=accept protocol=tcp dst-port=20-21
By the looks of it you're already permitting FTP traffic initiated from everywhere but the WAN, so the rule won't do anything more than permit traffic to the FTP server.

Good luck cleaning up the configuration.
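
fewi's two posts above walk the SYN through the router by hand: dst-nat rewrites the destination to 192.168.0.6 before any filter chain runs, so the packet lands in forward rather than input, the jump to tcp-services is gated on in-interface=lan, and the next thing that matches is the FDROP log rule. The following is an added example, not from the thread and not RouterOS code: a small first-match evaluator in Python loaded with the live rules fewi extracted from the export, run against a constructed SYN from an Internet client (203.0.113.9 is made up), once as exported, once with the "drop everything else" rule enabled, and once with fewi's accept rule placed above the log rule. The router's own addresses and the two-interface routing table are assumptions.

```python
"""Toy model of the RouterOS path fewi describes: dstnat runs first, then the
packet goes to 'input' if its (post-NAT) destination is one of the router's own
addresses, otherwise to 'forward'. Filter chains are first-match: accept/drop
terminate, 'log' matches and falls through, 'jump' runs another chain and falls
through if that chain gives no verdict, and a chain that ends without a verdict
accepts (RouterOS default policy). Added example; addresses below are assumed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ROUTER_ADDRESSES = {"124.247.210.186", "192.168.0.1"}   # assumed WAN and LAN addresses


def route(dst: str) -> str:
    """Assumed routing table: the LAN prefix goes out 'lan', everything else 'WAN'."""
    return "lan" if ipaddress.ip_address(dst) in ipaddress.ip_network("192.168.0.0/24") else "WAN"


@dataclass
class Rule:
    chain: str
    action: str                                  # accept | drop | log | jump | dst-nat
    protocol: Optional[str] = None
    in_interface: Optional[str] = None
    dst_address: Optional[str] = None
    dst_port: Optional[Tuple[int, int]] = None   # inclusive range, like dst-port=20-21
    jump_target: Optional[str] = None
    to_address: Optional[str] = None
    log_prefix: str = ""
    comment: str = ""
    disabled: bool = False

    def matches(self, pkt: dict) -> bool:
        if self.disabled:
            return False
        if self.protocol and pkt["protocol"] != self.protocol:
            return False
        if self.in_interface and pkt["in_interface"] != self.in_interface:
            return False
        if self.dst_address and pkt["dst"] != self.dst_address:
            return False
        if self.dst_port and not (self.dst_port[0] <= pkt["dst_port"] <= self.dst_port[1]):
            return False
        return True


def run_chain(rules: List[Rule], chain: str, pkt: dict, trace: list) -> Optional[str]:
    """Walk one filter chain in order; return 'accept'/'drop', or None for no verdict."""
    for r in rules:
        if r.chain != chain or not r.matches(pkt):
            continue
        if r.action == "log":
            trace.append("%s %s: in:%s out:%s, proto TCP (SYN), %s:%d->%s:%d" % (
                r.log_prefix, chain, pkt["in_interface"], pkt["out_interface"],
                pkt["src"], pkt["src_port"], pkt["dst"], pkt["dst_port"]))
            continue
        if r.action == "jump":
            verdict = run_chain(rules, r.jump_target, pkt, trace)
            if verdict:
                return verdict
            continue
        trace.append("%s by rule '%s' in chain %s" % (r.action, r.comment, chain))
        return r.action
    return None


def process(nat_rules: List[Rule], filter_rules: List[Rule], pkt: dict):
    """Return (filter chain used, verdict, trace) for a new-connection SYN."""
    pkt = dict(pkt)
    trace = []
    for r in nat_rules:
        if r.chain == "dstnat" and r.matches(pkt):
            pkt["dst"] = r.to_address            # to-ports=20-21 keeps the port unchanged
            trace.append("dst-nat: new destination %s:%d" % (pkt["dst"], pkt["dst_port"]))
            break
    chain = "input" if pkt["dst"] in ROUTER_ADDRESSES else "forward"
    pkt["out_interface"] = "" if chain == "input" else route(pkt["dst"])
    verdict = run_chain(filter_rules, chain, pkt, trace) or "accept"
    return chain, verdict, trace


# The live NAT rule fewi extracted from the export (disabled rules omitted).
NAT = [Rule(chain="dstnat", action="dst-nat", protocol="tcp", dst_address="124.247.210.186",
            dst_port=(20, 21), to_address="192.168.0.6", comment="esoftconnect")]


def filter_rules(ftp_fix: bool = False, drop_enabled: bool = False) -> List[Rule]:
    """The input/forward/tcp-services rules from the export. ftp_fix inserts fewi's
    accept rule just above the FDROP log rule; drop_enabled flips the
    'drop everything else' rule, which the export shows as disabled=yes."""
    rules = [
        Rule(chain="input", action="accept", protocol="tcp", dst_port=(20, 21),
             comment="ftp access to router from trusted sources"),
        Rule(chain="forward", action="jump", protocol="tcp", in_interface="lan",
             jump_target="tcp-services", comment="allow all outgoing from LAN tcp services"),
        Rule(chain="tcp-services", action="accept", protocol="tcp", dst_port=(20, 21), comment="ftp"),
    ]
    if ftp_fix:
        rules.append(Rule(chain="forward", action="accept", protocol="tcp", dst_port=(20, 21),
                          comment="accept FTP to server (proposed fix)"))
    rules += [
        Rule(chain="forward", action="log", log_prefix="FDROP", comment="log drop everything else"),
        Rule(chain="forward", action="drop", comment="drop everything else", disabled=not drop_enabled),
    ]
    return rules


# Constructed sample: SYN from an Internet client to the published FTP address.
WAN_SYN = {"src": "203.0.113.9", "src_port": 50000, "dst": "124.247.210.186",
           "dst_port": 21, "protocol": "tcp", "in_interface": "WAN"}

if __name__ == "__main__":
    for label, rules in (("as exported", filter_rules()),
                         ("drop enabled", filter_rules(drop_enabled=True)),
                         ("with fix", filter_rules(ftp_fix=True, drop_enabled=True))):
        chain, verdict, trace = process(NAT, rules, WAN_SYN)
        print("%-13s chain=%s verdict=%s" % (label, chain, verdict))
        for line in trace:
            print("   ", line)
```

Two things fall out of the trace. The input-chain accept for 20-21 never sees the packet, because after dst-nat the destination is 192.168.0.6 and the packet is classified as forward. And with the drop rule in the state the export shows (disabled=yes), the packet is still logged with the FDROP prefix but then falls off the end of the chain and is accepted by default policy, which is consistent with nadym67 seeing FDROP lines after disabling every drop rule; the log rule itself drops nothing. Enabling the drop rule turns the same walk into a drop, and fewi's accept placed above the log rule short-circuits both.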

Re: FTP Blocking

Posted: Thu May 20, 2010 11:27 pm
by ditonet
Hi,

I agree with fewi's every word, problem is located probably here:
add chain=forward action=log log-prefix="FDROP" comment="log drop everything \
    else" disabled=no 
add chain=forward action=drop comment="drop everything else" disabled=yes 
add chain=input action=accept src-port=20-21 protocol=tcp comment="ftp" \
    disabled=yes 
And I'm really impressed by your firewall ruleset :D, but seriously, you should simplify and summarize your rules.

Regards, Grzegorz.

Re: FTP Blocking

Posted: Fri May 21, 2010 10:48 am
by sergejs
These rules are only logging. Drop rules are disabled, but an accept for 20-21 TCP at the top, for any port, should do the trick.

Re: FTP Blocking

Posted: Fri May 21, 2010 12:22 pm
by ditonet
OK, I tried to analyze these rules and found:
add chain=forward action=accept src-address=192.168.0.6 src-port=21 \
    dst-port=0-65535 protocol=tcp comment="allow from FTP server" disabled=yes 
and
add chain=feedsRSS action=accept out-interface=lan src-address=124.247.210.186 \
    dst-address=192.168.0.6 src-port=21 dst-port=21 protocol=tcp \
    comment="Esoftconnect" disabled=no 
In my opinion it should be 20-21, not only 21, because the connection from/to the FTP data port (20) is not allowed.
This is active FTP, so the data port is important.

Hope this helps.

Regards, Grzegorz.