FTP with TLS/SSL on Ubuntu with ProFTP behind NAT router

If you are using ProFTP on Ubuntu and have set up TLS encryption based on Falko's tutorial on HowtoForge, you may run into problems when connecting to an FTP server that sits behind a router doing NAT.

The connection is established and the user name and password are accepted, but when the client requests a directory listing you may get messages like this:

Status:    Server sent passive reply with unroutable address. Using server address instead.
Command:    MLSD
Error:    GnuTLS error -53: Error in the push function.

This happens because in FTP passive mode the server needs extra port(s) forwarded to it.
Passive mode means that the client initiates both connections to the server: the command connection and the data connection.
Port 21 is used for commands and authentication, and a separate port is used for the actual data transfer.
In active mode the server opens the data connection to a port on the client; since that connection is initiated from the outside, the client's firewall usually drops it.
This is why active mode is not used.
You can read more about active and passive connections here.

Now back to MLSD: the server does not know that it is behind a router, so it is most likely telling the client to connect to a port on its private IP.

To solve this, we need to tell ProFTP that it is behind a router so that it sends the client the public IP address instead. ProFTP must also have a known range of passive ports defined, and those ports must be forwarded by the router.

In the following example I'll use:

192.168.1.150 - private IP for the box that's running ProFTP
89.33.34.35 - public IP (external router IP)
52500 - 52510 - range of forwarded ports

1. Edit /etc/proftpd/proftpd.conf and add or modify the following lines:

PassivePorts                  52500 52510
MasqueradeAddress               89.33.34.35

Restart ProFTPd after that.

/etc/init.d/proftpd restart

2. Forward 52500-52510 range (TCP) to 192.168.1.150 on your router.

Remember to replace the port range, private IP and public IP with your own data.
Check the ProFTP TLS log in case of problems: /var/log/proftpd/tls.log.

Update 07.03.2018: When you are using Dynamic DNS you will need to create a script that restarts proftpd so it can pick up the new dynamic IP. Otherwise it will respond to FTP clients with the old IP when a transfer should start.
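As an added example (not part of the original post), here is a small POSIX sh helper for the Dynamic DNS case: it resolves the DDNS hostname, compares the result with the MasqueradeAddress currently in proftpd.conf, rewrites that directive only when the address changed, and restarts proftpd in that case, so it can run from cron without restarting the server needlessly. The DDNS_HOST name, the PROFTPD_CONF override and the --sync flag are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the original post: keep MasqueradeAddress in
# /etc/proftpd/proftpd.conf in step with a Dynamic DNS name and restart
# proftpd only when the public IP actually changed (e.g. from cron).
CONF="${PROFTPD_CONF:-/etc/proftpd/proftpd.conf}"
DDNS_HOST="${DDNS_HOST:-ftp.example.invalid}"   # assumed DDNS hostname
# Basic IPv4 shape check so that an odd DNS answer is never written into the config.
is_ipv4() {
    case "$1" in *[!0-9.]*|''|.*|*.|*..*) return 1 ;; esac
    [ "$(printf '%s' "$1" | tr -cd '.' | wc -c)" -eq 3 ]
}
# Address currently configured as MasqueradeAddress (empty if the directive is absent).
current_masquerade() {
    awk '$1 == "MasqueradeAddress" { print $2; exit }' "$1"
}
# Resolve the DDNS name through the system resolver; prints the first address found.
public_ip_of() {
    getent hosts "$1" | awk '{ print $1; exit }'
}
# Rewrite the MasqueradeAddress line (via a temp file, so no GNU-only sed -i).
# Fails if the address is malformed or the directive is missing from the file.
set_masquerade() {
    conf="$1"; ip="$2"
    is_ipv4 "$ip" || return 1
    grep -q '^[[:space:]]*MasqueradeAddress' "$conf" || return 1
    tmp=$(mktemp) || return 1
    sed "s/^\([[:space:]]*MasqueradeAddress[[:space:]]*\).*/\1$ip/" "$conf" > "$tmp" \
        && cat "$tmp" > "$conf"
    rc=$?; rm -f "$tmp"; return $rc
}
# Returns 0 when the config was changed (restart needed), 1 when nothing had to be done.
sync_masquerade() {
    if [ "$(current_masquerade "$1")" = "$2" ]; then return 1; fi
    set_masquerade "$1" "$2"
}
main() {
    ip=$(public_ip_of "$DDNS_HOST")
    is_ipv4 "$ip" || { echo "could not resolve $DDNS_HOST to an IPv4 address" >&2; exit 2; }
    if sync_masquerade "$CONF" "$ip"; then
        echo "MasqueradeAddress -> $ip, restarting proftpd"
        /etc/init.d/proftpd restart
    fi
}
# Only act when explicitly asked, so the functions can be sourced or tested.
if [ "${1:-}" = "--sync" ]; then main; fi
```

Run it as `sh ddns-masquerade.sh --sync` from a cron entry; the PassivePorts line and the router forwarding rule from the steps above stay unchanged, since only the public address moves with Dynamic DNS.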

Tested on Ubuntu 10.04, running ProFTPD 1.3.2e Server, FireFTP 2.0 (Firefox), and FileZilla 3.5.2

2 comments

    • Douglas Giovani Oechsler on May 6, 2015 at 11:15 pm

    Hello,
    How are You?

    I have proftp in passive mode behind the Pfsense firewall. Everything is configured to work in passive mode. In
    Pfsense – Nat – rule to work with passive ports, ok. In filezilla I can connect normally with the Public IP. But if I need to connect with a browser (firefox – chrome) it does not make a connection with the Public IP. I need to fix this, because our network is based on MPLS. The Pfsense has routes to other locations that are part of our MPLS network. I need the other locations to be able to access the ftp by browser. For example, in firefox: ftp://200.x.x.x.

    Is there a way to fix this?

    I read many many blogs and forums to find a solution.

    Sorry for my English.

    Thanks for your attention

    Douglas

    1. I need more details. OS version, FTP server name, FTP server config, firewall config for FTP ports. In case you have Ubuntu and ProFTP you need to make sure that you have a range of forwarded ports on your firewall. The same ports must be defined in /etc/proftpd/proftpd.conf. See my example above.
