- ProFTPD-NAT-mini-HOWTO -
(v0.3, March 2001)

Information on placing ProFTPD behind a NAT.

---------------------------------------------------------------------

By Tobias Ekbom (tobias@vallcom.com)

HOWTO content:

  1. Basic NAT info
  2. Configuring ProFTPD behind a NAT
  3. Configuring a Linux NAT (example)
  4. NAT security
  5. Thanks to

---------------------------------------------------------------------

1. Basic NAT info

A NAT is a system that acts like a proxy, but at the packet level. When a
computer on your local network connects to a computer on the Internet, the
NAT replaces the source address of the packets with its own, so that your
local network is invisible to the Internet.

For server systems, NAT can improve security and lets several servers be
reached through a single public IP address. This is done by forwarding
selected ports "inwards" from the NAT to hosts on the local network.

However, the part of the FTP protocol known as "passive" mode is not by
default compatible with NAT. In passive mode the server tells the client,
in the text of its PASV reply, which address and port to connect to for the
data transfer; an unmodified server behind a NAT announces its private
address and a port the NAT does not forward, so the data connection never
arrives. ProFTPD can deal with this from version 1.2rc2 on, and this
document shows you how.

For details on NAT configuration, read the Linux IP-masq HOWTO
(http://www.linuxdoc.org/HOWTO/IP-Masquerade-HOWTO.html) or search for
information concerning your OS of choice.

---------------------------------------------------------------------

2. Configuring ProFTPD behind a NAT

First configure your ProFTPD install so that it works from inside the NAT.
There are example configuration files included with the source.

Then add the directive "MasqueradeAddress" to your etc/proftpd.conf file
to define the public name or IP address of the NAT:

  MasqueradeAddress ftp.mydomain.com
  -or-
  MasqueradeAddress 123.45.67.89

Now ProFTPD will hide its local address in PASV replies and announce the
public address of your NAT instead. A host name is resolved once, when the
daemon starts, so if the NAT's public address changes you must restart
ProFTPD.

However, one BIG problem remains. Passive FTP data connections use ports
from 1024 upwards, which would mean forwarding all ports 1024-65535 from
the NAT to the FTP server, and allowing lots of (possibly) dangerous ports
through your firewalling rules! Have no fear, simply use the PassivePorts
directive in your etc/proftpd.conf to control which ports ProFTPD uses:

  PassivePorts 60000 65535    # These ports should be safe...

Now start the FTP daemon and you should see something like

  123.45.67.89 - Masquerading as '123.45.67.89' (123.45.67.89)

in the log.

---------------------------------------------------------------------

3. Configuring a Linux NAT (example)

This example is for Linux kernel version 2.2.x with ipchains and ipmasqadm.
The examples below assume that your FTP server has the local address
192.168.1.2.

First we need to enable forwarding and masquerading for our FTP server. As
root:

  echo "1" > /proc/sys/net/ipv4/ip_forward
  ipchains -P forward DENY
  ipchains -I forward -s 192.168.1.2 -j MASQ

(With the default policy DENY, only the hosts you explicitly list, here just
192.168.1.2, are forwarded through the NAT at all.)

Now we load the autofw kernel module and forward ports 20 and 21 to the FTP
server:

  insmod ip_masq_autofw
  ipmasqadm autofw -A -r tcp 20 21 -h 192.168.1.2

Then we forward the ports for passive FTP. In our etc/proftpd.conf file we
restricted the passive ports to 60000-65535, so that is what we use here:

  ipmasqadm autofw -A -r tcp 60000 65535 -h 192.168.1.2

Keep in mind that the 2.2 masquerading code itself uses ports 61000-65095
on the NAT box for outgoing masqueraded connections, so the range forwarded
here overlaps with them; a PassivePorts range below 61000 avoids sharing
port numbers with masqueraded traffic.

Now you can try to log in to your FTP server from a computer on the
Internet!

---------------------------------------------------------------------

4. NAT security

Setting up a ProFTPD install that allows PASV mode connections requires
that a range of ports is forwarded from the NAT to the local network. This
could be a security hazard, but since you can specify which port range to
use, you are still able to set up relatively tight firewalling rules.

To be sure that no other process is listening on the ports you have
specified for passive FTP, use a port scanner such as nmap:

  nmap -sT -I -p 60000-65535 localhost

If the result says something like

  All 5536 scanned ports on localhost (127.0.0.1) are: closed

then nothing else is using them. Note that a scan of localhost only finds
listeners bound to 127.0.0.1 or to all addresses; a daemon bound only to
the server's LAN address (192.168.1.2 in the example above) does not answer
on 127.0.0.1, so scan that address as well, or list the listening sockets
directly with "netstat -ltn". Also, a scan only shows what is listening at
that moment; ProFTPD itself opens ports in this range while passive
transfers are in progress.

---------------------------------------------------------------------

5. Thanks to

Of course, thanks to TJ Saunders (tj@digisle.net) who implemented both the
PASV port restrictions and IPMASQ (NAT) support.

Cheers! =)

---------------------------------------------------------------------
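The following script is an added example for sections 2 and 4 of this HOWTO; it is not part of the original document or of ProFTPD. It verifies the two things the configuration above is meant to achieve: that the server's PASV reply advertises the NAT's public address (not 192.168.1.2) and a port inside the forwarded PassivePorts range, and that no other listener already sits inside that range, whatever address it is bound to. The public address 123.45.67.89 and the range 60000-65535 are assumed from the examples above; the live probe additionally assumes that anonymous login is allowed and needs bash for /dev/tcp. The netstat output it parses in the demo is constructed, not captured from a real host.

```shell
#!/bin/sh
# ftp-nat-check.sh: added example for sections 2 and 4 of the ProFTPD NAT
# mini-HOWTO, not part of the original document or of ProFTPD.
# Assumed values (from the HOWTO's examples, not from a real site):
PUBLIC_IP=123.45.67.89
PASV_LOW=60000
PASV_HIGH=65535

set -u

# pasv_parse REPLY
# Turns "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)." into "h1.h2.h3.h4 PORT"
# with PORT = p1*256 + p2, the encoding RFC 959 prescribes for PASV.
# Returns 1 for anything that is not a well-formed 227 reply.
pasv_parse() {
    local nums n
    nums=$(printf '%s\n' "$1" | sed -n 's/^227 .*(\([0-9,]*\)).*$/\1/p')
    [ -n "$nums" ] || return 1
    local IFS=,
    set -- $nums
    [ $# -eq 6 ] || return 1
    for n in "$@"; do                      # every field must be an octet/byte
        case $n in ''|*[!0-9]*) return 1 ;; esac
        [ "$n" -le 255 ] || return 1
    done
    printf '%s.%s.%s.%s %d\n' "$1" "$2" "$3" "$4" "$(( $5 * 256 + $6 ))"
}

# pasv_check REPLY [PUBLIC_IP LOW HIGH]
# Succeeds only if REPLY advertises the public address and a port inside the
# forwarded range; otherwise says which proftpd.conf directive is probably
# missing.
pasv_check() {
    local reply="$1" want="${2:-$PUBLIC_IP}" low="${3:-$PASV_LOW}" high="${4:-$PASV_HIGH}"
    local parsed ip port
    parsed=$(pasv_parse "$reply") || { echo "unparseable PASV reply: $reply" >&2; return 1; }
    set -- $parsed
    ip=$1 port=$2
    if [ "$ip" != "$want" ]; then
        echo "PASV advertises $ip, not $want: MasqueradeAddress missing?" >&2
        return 1
    fi
    if [ "$port" -lt "$low" ] || [ "$port" -gt "$high" ]; then
        echo "PASV port $port outside $low-$high: PassivePorts missing?" >&2
        return 1
    fi
    echo "PASV ok: $ip port $port"
}

# pasv_probe HOST
# Logs in anonymously on the control connection and prints the 227 reply.
# Needs bash (/dev/tcp); typing the same four commands into "nc HOST 21"
# shows the same reply.
pasv_probe() {
    local line cr
    cr=$(printf '\r')
    exec 3<>"/dev/tcp/$1/21" || return 1
    printf 'USER anonymous\r\nPASS nat-check@\r\nPASV\r\nQUIT\r\n' >&3
    while IFS= read -r line <&3; do
        line=${line%"$cr"}
        case $line in 227*) printf '%s\n' "$line"; break ;; esac
    done
    exec 3<&-
}

# listeners_in_range [LOW HIGH] < netstat-output
# Reads "netstat -ltn" output on stdin and prints every listening TCP socket
# whose port lies in the PassivePorts range, regardless of the address it is
# bound to. Unlike "nmap ... localhost", this also catches a daemon bound
# only to 192.168.1.2, which a scan of 127.0.0.1 reports as closed.
listeners_in_range() {
    local low="${1:-$PASV_LOW}" high="${2:-$PASV_HIGH}" proto recvq sendq laddr rest port
    while read -r proto recvq sendq laddr rest; do
        case $proto in tcp|tcp6) ;; *) continue ;; esac   # skip header lines
        port=${laddr##*:}
        case $port in ''|*[!0-9]*) continue ;; esac
        if [ "$port" -ge "$low" ] && [ "$port" -le "$high" ]; then
            printf '%s %s\n' "$proto" "$laddr"
        fi
    done
}

# Constructed "netstat -ltn" output for the demo (not a real capture): the
# FTP control port, a stray listener on the LAN address inside the PASV
# range, and the local mailer.
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.2:60123       0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN'

# Demo: a correct reply, a reply that leaks the private address, and the
# listener audit. Against a live server use "$(pasv_probe ftp.mydomain.com)"
# in place of the literal reply and pipe real "netstat -ltn" output in.
pasv_check '227 Entering Passive Mode (123,45,67,89,234,96).'
pasv_check '227 Entering Passive Mode (192,168,1,2,234,96).' || true
printf '%s\n' "$NETSTAT_SAMPLE" | listeners_in_range
```

Run it on the FTP server itself after editing proftpd.conf and again from outside the NAT with pasv_probe pointed at the public name; the first run proves the directives are in place, the second proves the NAT actually forwards what ProFTPD announces. A reply of the form "227 ... (192,168,1,2,...)" from outside is the classic symptom of a missing MasqueradeAddress.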