arpadffy
Frequent Visitor
Topic Author
Posts: 50
Joined: Mon Jan 17, 2011 1:52 am
Location: Stockholm, Sweden

running ftp service on non standard ports

Tue Apr 19, 2011 11:44 am

Hello,

I am trying to run FTP services on non-standard ports.
I wonder whether there is any limit in ROS, and what the correct approach is?

Example:
I want to run ftp service in the following ports
port 711 -> to host 1
port 721 -> to host 2
port 731 -> to host 3
port 741 -> to host 4
port 751 -> to host 5

NAT rules are defined with
12   chain=dstnat action=dst-nat to-addresses=192.168.10.2 to-ports=21
     protocol=tcp in-interface=ether1-gateway dst-port=711
     connection-type=ftp
service-ports are:
> ip firewall service-port print
Flags: X - disabled, I - invalid
 #   NAME    PORTS
 0   ftp     21
 1   tftp    69
 2   irc     6667
 3   h323
 4   sip     5060
             5061
 5   pptp
I have a feeling that I need to define ports 711,721,731,741,751 as service ports, or is it enough for correct NAT-ing that I define connection-type=ftp?

Earlier, using iptables the correct module load took care of it:
modprobe nf_conntrack_ftp ports=21,711,721,731,741,751
What would be the equivalent in ROS language?

Any help would be appreciated.

Thank you in advance.

Regards,
Z
 
Sob
Forum Guru
Posts: 4887
Joined: Mon Apr 20, 2009 9:11 pm

Re: running ftp service on non standard ports

Thu Apr 21, 2011 5:46 am

You can add your custom ports to service ports under FTP and it should work. But only for non-encrypted connections. For encrypted ones (SSL) you have to manually forward a fixed port range for each server and make them aware of that. And I don't think you need connection-type=ftp in your rules.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
arpadffy
Frequent Visitor
Topic Author
Posts: 50
Joined: Mon Jan 17, 2011 1:52 am
Location: Stockholm, Sweden

Re: running ftp service on non standard ports

Thu Apr 21, 2011 3:22 pm

Hello,

do I need to set custom ports at all?

What I'm missing here is that ROS should be aware that the dst-nat-ed connection is of FTP type and automatically handle it as an FTP-specific connection, whatever that means in NAT rules (like allowing and forwarding related connections, using port 20, etc.)

Maybe it is more complicated to set up in ROS... but if FTP works perfectly on port 21, the same rules should be applied to some other non-standard ports.

Does anybody know those rules?

Thank you.

Regards,
Z
 
Sob
Forum Guru
Posts: 4887
Joined: Mon Apr 20, 2009 9:11 pm

Re: running ftp service on non standard ports

Thu Apr 21, 2011 5:42 pm

"do I need to set custom ports at all?"
Yes, if you want the NAT helper to handle things automatically (recognize related data connections and rewrite addresses), because it only looks for the FTP protocol on the specified ports. Not needed with a manual setup (static port ranges for data connections).

Your problem is "connection-type=ftp". It matches related connections, not the main one.

Try this:
/ip firewall service-port> set ftp ports=21,711,721,731,741,751
/ip firewall nat add chain=dstnat action=dst-nat to-addresses=192.168.10.2 to-ports=21 protocol=tcp in-interface=ether1-gateway dst-port=711
...
 
arpadffy
Frequent Visitor
Topic Author
Posts: 50
Joined: Mon Jan 17, 2011 1:52 am
Location: Stockholm, Sweden

Re: running ftp service on non standard ports

Thu Apr 21, 2011 11:43 pm

Thank you very much.
It helps, indeed.

I just wonder whether there is any special reason why ports have a limit of 8?
[admin@MikroTik] /ip firewall service-port> set ftp ports=21,701,711,721,731,741,751,761
value of ports should have no more than 8 elements
Is there any workaround if I would need more than 8?
In fact, I do need 16 to be honest :(

Thank you.

Regards,
Z
 
Sob
Forum Guru
Posts: 4887
Joined: Mon Apr 20, 2009 9:11 pm

Re: running ftp service on non standard ports

Fri Apr 22, 2011 12:25 am

I have no idea about the limit, whether it's simply because inspecting traffic on many ports means more work and is therefore not good for performance (so a kind of "8 ports must be enough for everyone" :), or whether it's something else.

There's always the possibility to stop relying on the NAT helper and do it the manual way. So for server one you'd forward port 701 for the control connection and e.g. 10000-10099(*1) for data connections. For server two it would be 711 for the control connection and 10100-10199 for data ones. And so on. Then you'd have to configure the backend servers to be aware of that, so they would return the correct address (your public one) and ports from their assigned ranges to clients. All modern FTP servers can do this.

Advantages:
- the router does not have to inspect the contents of FTP packets or do any address rewriting
- it works with SSL

Disadvantages:
- additional configuration on the servers, but it's one-time only
- the whole data port range is always forwarded; you can't do any filtering based on the 'related' match

(*1) The number of ports needed depends mainly on server load, e.g. a small home server can happily work with fewer than ten, a large server may need thousands.
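The manual layout Sob describes, written out as RouterOS configuration for the first two servers. This is an added example, not configuration posted in the thread: the 10000-10099 and 10100-10199 data ranges and the 701/711 control ports come from Sob's post, 192.168.10.2 and ether1-gateway from the original question, while 192.168.10.3 for the second server is assumed.

```routeros
# Added example (not from the thread): static-range FTP forwarding that
# does not depend on the FTP NAT helper, so it also works for FTPS and
# is not limited to the 8 service-port entries.
# Assumed: server 2 is 192.168.10.3; each server is configured to
# advertise the router's public address and its own passive range.

/ip firewall nat

# Control connections: one public port per server, rewritten to port 21.
add chain=dstnat action=dst-nat protocol=tcp in-interface=ether1-gateway \
    dst-port=701 to-addresses=192.168.10.2 to-ports=21 \
    comment="FTP control, server 1"
add chain=dstnat action=dst-nat protocol=tcp in-interface=ether1-gateway \
    dst-port=711 to-addresses=192.168.10.3 to-ports=21 \
    comment="FTP control, server 2"

# Passive data ranges: forwarded 1:1. No to-ports, so the destination
# port is kept and must match the range the server hands out in PASV.
add chain=dstnat action=dst-nat protocol=tcp in-interface=ether1-gateway \
    dst-port=10000-10099 to-addresses=192.168.10.2 \
    comment="FTP passive data, server 1"
add chain=dstnat action=dst-nat protocol=tcp in-interface=ether1-gateway \
    dst-port=10100-10199 to-addresses=192.168.10.3 \
    comment="FTP passive data, server 2"

# No service-port entry is needed for 701/711: nothing on the router
# inspects or rewrites these control streams. The cost is the one Sob
# names: each data range is reachable from outside at all times, so keep
# the ranges as small as the server's load allows and make sure nothing
# but the FTP daemon listens on them on the backend hosts.
```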
