Answer the question
In order to leave comments, you need to log in
Z
Z
Zohei2017-12-03 23:07:34
Zohei, 2017-12-03 23:07:34
What blocks FTP behind NAT through OpenVpn?
Good afternoon.
I have the following connection scheme:
1. openvpn server (VDS freebsd) ip 10.8.0.1
2. openvpn client 1 (windows XP)
3. openvpn client 2 (ubuntu linux) 10.8.0.2
I need to go via FTP from client 1 (XP) to the client 2 (ubuntu).
From FTP server to client 2 works in both passive and active modes. 
.
.
But client 1 fails to execute the LIST command to get a list of client 2 directories:
Статус: Соединяюсь с 10.8.0.2:21...
Статус: Соединение установлено, ожидание приглашения...
Ответ: 220 Welcome to Raspberry Pi.
Команда: USER pi
Ответ: 331 Please specify the password.
Команда: PASS ******
Ответ: 230 Login successful.
Статус: Сервер не поддерживает символы не ASCII.
Статус: Соединение установлено
Статус: Получение списка каталогов...
Команда: CWD /home/pi/rpi
Ответ: 250 Directory successfully changed.
Команда: PWD
Ответ: 257 "/home/pi/rpi" is the current directory
Команда: TYPE I
Ответ: 200 Switching to Binary mode.
Команда: PASV
Ответ: 227 Entering Passive Mode (10,8,0,2,235,68).
Команда: LIST
Ответ: 150 Here comes the directory listing.
Ошибка: Превышено время ожидания соединения
Ошибка: Не удалось получить список каталоговopenvpn server conf
port 1194
proto tcp
dev tun
askpass /usr/local/etc/openvpn/pass
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/openvpn-server.crt
key /usr/local/etc/openvpn/keys/openvpn-server.key
dh /usr/local/etc/openvpn/keys/dh.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir /usr/local/etc/openvpn/ccd
client-config-dir ccd
route 10.8.0.0 255.255.255.0
push "dhcp-option DNS 10.8.0.1"
client-to-client
keepalive 10 120
tls-auth /usr/local/etc/openvpn/keys/ta.key 0
cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
max-clients 10
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 0
port 1194
proto tcp
dev tun
askpass /usr/local/etc/openvpn/pass
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/openvpn-server.crt
key /usr/local/etc/openvpn/keys/openvpn-server.key
dh /usr/local/etc/openvpn/keys/dh.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir /usr/local/etc/openvpn/ccd
client-config-dir ccd
route 10.8.0.0 255.255.255.0
push "dhcp-option DNS 10.8.0.1"
client-to-client
keepalive 10 120
tls-auth /usr/local/etc/openvpn/keys/ta.key 0
cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
max-clients 10
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 0
openvpn client conf
client
dev tun
proto tcp
remote x.x.x.x 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca keys\\ca.crt
cert keys\\client_win.crt
key keys\\client_win.key
tls-auth keys\\ta.key 1
cipher AES-256-CBC
verb 3
mute 20
auth-user-pass keys\\pass.conf
;auth-retry nointeract
auth-nocache
client
dev tun
proto tcp
remote x.x.x.x 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca keys\\ca.crt
cert keys\\client_win.crt
key keys\\client_win.key
tls-auth keys\\ta.key 1
cipher AES-256-CBC
verb 3
mute 20
auth-user-pass keys\\pass.conf
;auth-retry nointeract
auth-nocache
Sinful, I confess I haven’t mastered iptables yet, thoughtlessly copied configs from the network, tried different ones, forwarded ports:
iptables
# general rules for forwarding traffic between external interface tap0 and internal interface eth0
iptables -t nat -A POSTROUTING -o tap0 -j MASQUERADE
iptables -A FORWARD -i tap0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tap0 -j ACCEPT
# NAT for active/passive FTP. 192.168.178.21 would be your internal ftp server
iptables -t nat -A PREROUTING -p tcp --dport 20 -j DNAT --to 192.168.178.21:20
iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to 192.168.178.21:21
iptables -t nat -A PREROUTING -p tcp --dport 1024:65535 -j DNAT --to 192.168.178.21:1024-65535
iptables -A FORWARD -s 192.168.178.21 -p tcp --sport 20 -j ACCEPT
iptables -A FORWARD -s 192.168.178.21 -p tcp --sport 21 -j ACCEPT
iptables -A FORWARD -s 192.168.178.21 -p tcp --sport 1024:65535 -j ACCEPT
# allowing active/passive FTP
iptables -A OUTPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
# should return 1
cat /proc/sys/net/ipv4/ip_forward
# otherwise
sysctl -w net.ipv4.ip_forward=1
modprobe ip_nat_ftp
lsmod | grep ip_nat_ftp
lsmod | grep ip_conntrack_ftp
# if no result then load them until next reboot, google for making it permanent depending on your OS
modprobe ip_nat_ftp
lsmod | grep ip_nat_ftp
lsmod | grep ip_conntrack_ftp
# if no result then load them until next reboot, google for making it permanent depending on your OS
modprobe ip_nat_ftp
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# general rules for forwarding traffic between external interface tap0 and internal interface eth0
iptables -t nat -A POSTROUTING -o tap0 -j MASQUERADE
iptables -A FORWARD -i tap0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tap0 -j ACCEPT
# NAT for active/passive FTP. 192.168.178.21 would be your internal ftp server
iptables -t nat -A PREROUTING -p tcp --dport 20 -j DNAT --to 192.168.178.21:20
iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to 192.168.178.21:21
iptables -t nat -A PREROUTING -p tcp --dport 1024:65535 -j DNAT --to 192.168.178.21:1024-65535
iptables -A FORWARD -s 192.168.178.21 -p tcp --sport 20 -j ACCEPT
iptables -A FORWARD -s 192.168.178.21 -p tcp --sport 21 -j ACCEPT
iptables -A FORWARD -s 192.168.178.21 -p tcp --sport 1024:65535 -j ACCEPT
# allowing active/passive FTP
iptables -A OUTPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
# should return 1
cat /proc/sys/net/ipv4/ip_forward
# otherwise
sysctl -w net.ipv4.ip_forward=1
modprobe ip_nat_ftp
lsmod | grep ip_nat_ftp
lsmod | grep ip_conntrack_ftp
# if no result then load them until next reboot, google for making it permanent depending on your OS
modprobe ip_nat_ftp
lsmod | grep ip_nat_ftp
lsmod | grep ip_conntrack_ftp
# if no result then load them until next reboot, google for making it permanent depending on your OS
modprobe ip_nat_ftp
modprobe ip_conntrack
modprobe ip_conntrack_ftp
Give up nerves) help out)
Similar questions
R
D
D
A
A
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question