passive ftp - remove masquerade address option

  • Hello there,


    I have the following setup:
    Server in DMZ. Firewall passes public ip, port 80 to the internal ip. (Also ftp and so on)


    If the imscp installer runs, it creates the proftpd config file.
    In this file is the option "MasqueradeAddress <Public IP>"


    If this option is set, I get a timeout on the FTP connection when "entering passive mode".
    The passive ports are also open to the server.


    If I remove this option and restart the ProFTPD daemon it works like a charm.


    Currently, after every update, I comment out this line and restart it.
    Is there a way to do that automatically, or to prevent the installer from setting this option?

  • Server in DMZ. Firewall passes public ip, port 80 to the internal ip. (Also ftp and so on)

    You're connecting from where exactly? From your LAN or from the WAN? In other words, is the computer from which you connect also in your LAN (behind the firewall) or outside (WAN)? We need more info about your setup. Your setup looks like an i-MSCP server that is hosted at home, behind a router that also acts as a firewall.


  • There is no bug here.


    Your setup (as I understood it): i-MSCP server inside LAN, behind a router in which the i-MSCP server is configured as DMZ.


    Thus: People that connect to your FTP server from the WAN shouldn't have any problem. When they connect to your FTP server (passive mode), their FTP client sends the PASV command to your FTP server and your FTP server responds with your public IP (router WAN IP). Without the MasqueradeAddress parameter, people would be unable to connect to your FTP server because the FTP server would respond with a private IP (LAN IP) that, of course, is not reachable from outside your LAN. That is the setup that we retained because naturally, i-MSCP is not intended for personal use. i-MSCP is for shared hosting management where customers connect from the WAN.


    To conclude: If you remove the MasqueradeAddress parameter, customers that are located outside your LAN will be unable to connect to your FTP server using passive mode.


    However, from the ProFTP doc: http://www.proftpd.org/docs/howto/NAT.html


    Question: How can I make proftpd use a different MasqueradeAddress based on the address of the connecting client?


    Answer: This question usually arises in the case where FTP clients connecting from inside the LAN see the same MasqueradeAddress as external clients, which causes problems. That MasqueradeAddress may be necessary in order to allow external FTP clients to do passive data transfers. The internal clients do not need it. To handle this, create a <VirtualHost> section in your proftpd.conf to handle the LAN address of the FTP server, the address that the internal clients are contacting. In this <VirtualHost> section, make sure there is no MasqueradeAddress directive. This way, the external FTP clients "see" the configuration with the MasqueradeAddress they need, and the internal FTP clients "see" a different configuration, one with no MasqueradeAddress.


    ...




    About your question:

    If I remove this option and restart the ProFTPD daemon it works like a charm.


    Currently, after every update, I comment out this line and restart it.
    Is there a way to do that automatically, or to prevent the installer from setting this option?

    The answer here is simple:

    • Configure ProFTPD as you want it (I really recommend that you follow the advice in the ProFTPD documentation linked above).
    • Once you're sure that all is working as you want it, make a copy of the /etc/proftpd/proftpd.conf file.
    • Add an i-MSCP event listener which will simply load the content of your own ProFTPd static configuration file in place of the one that is provided by i-MSCP.

    As an example (not tested), for steps 2 & 3, you could do:


    Then, on i-MSCP update/reconfiguration, your static file should be used.


    You can download the listener file below.


  • Thank you for your answer Nuxwin!


    I will try to configure the NAT / passive mode correctly.
    If this won't work I will use your listener file.


    Expect this thread as solved.


    Thank you :)


    btw: I didn't expect a bug, but a misconfiguration by myself

  • @Levitas


    Small question: What occurs when from a computer that is inside your LAN (behind your router), you type your WAN (public) IP in your browser?

    • You see your router configuration page?
    • You see a page of one site hosted by i-MSCP server?

    The answer to this question is important. Many routers apply a NAT Loopback constraint, meaning that you cannot use your WAN IP from inside your LAN.


    This is well explained here: https://help.screenconnect.com…ernal_IP_address_from_LAN


    Depending on your answer you must:


    If you see your router configuration page


    To connect to your FTP server from an FTP client (a computer) that is inside your LAN, you must use the FTP server LAN IP. Also, in the proftpd configuration file, you need to add the FTP server LAN IP to the virtualhost that is located at the bottom. For instance, the following virtualhost:


    Code
      # VirtualHost for access from loopback (No IP masquerading)
      <VirtualHost 127.0.0.1 ::1>
      ServerName "stretch.bbox.nuxwin.com.local"
      </VirtualHost>

    should be


    Code
      # VirtualHost for access from loopback (No IP masquerading)
      <VirtualHost 127.0.0.1 ::1 <LAN_IP>>
      ServerName "stretch.bbox.nuxwin.com.local"
      </VirtualHost>

    where <LAN_IP> must be replaced by your i-MSCP server LAN IP.


    Once done, restart ProFTPd and try again to connect using the FTP server LAN IP.


    If you see a page of one site hosted by i-MSCP server


    In such a case, you should be able to connect using either the WAN IP or the LAN IP. However, in the case of the LAN IP, you must also add it to the virtualhost as shown above and restart ProFTPD.


    In i-MSCP version 1.4.0, the LAN IP will be automatically added to the ProFTPd virtualhost. What does the virtualhost do exactly? It makes ProFTPD not apply the MasqueradeAddress parameter for the listed IPs (when connecting to the FTP server using these IPs).

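The two explanations in this thread (the PASV reply with and without MasqueradeAddress, and the NAT loopback problem for LAN clients) as a runnable diagnostic; this is an added example, not code from the thread, from i-MSCP or from ProFTPD. It parses the 227 reply, compares the advertised data address with the address the client actually reached port 21 on, and probe() repeats the check live against a server you name with credentials you supply; the IP addresses and the verdict strings are constructed placeholders.

```python
import ipaddress
import re
import socket
# Added example (not i-MSCP or ProFTPD code): read the address a server advertises in
# its PASV reply and judge, from the client's vantage point, whether it can be reached.
PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(reply):
    """Return (ip, port) from a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' line."""
    m = PASV_RE.search(reply) if reply.startswith("227") else None
    if not m or max(map(int, m.groups())) > 255:
        raise ValueError("not a usable PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2

def classify(control_ip, advertised_ip):
    """Verdict for a client that reached port 21 at control_ip and was told to use advertised_ip."""
    adv, ctl = ipaddress.ip_address(advertised_ip), ipaddress.ip_address(control_ip)
    if adv == ctl:
        return "ok"                    # same address the client already reaches
    if adv.is_private and not ctl.is_private:
        return "lan-ip-to-wan-client"  # no MasqueradeAddress: WAN clients time out
    if not adv.is_private and ctl.is_private:
        return "wan-ip-to-lan-client"  # masqueraded WAN IP given to a LAN client: needs NAT loopback
    return "mismatch"

def _reply(f):
    """Read one FTP reply, skipping continuation lines ('220-...') of a multi-line reply."""
    line = f.readline()
    while line and not re.match(r"\d{3} ", line):
        line = f.readline()
    return line.rstrip("\r\n")

def probe(host, user, password, port=21, timeout=5.0):
    """Live check against your own server; returns (advertised_ip, advertised_port, verdict, data_ok)."""
    with socket.create_connection((host, port), timeout=timeout) as ctl:
        f = ctl.makefile("r", encoding="latin-1")
        _reply(f)                                   # 220 banner
        for cmd in ("USER " + user, "PASS " + password, "PASV"):
            ctl.sendall((cmd + "\r\n").encode("latin-1"))
            reply = _reply(f)
        ip, dport = parse_pasv(reply)               # ProFTPD answers PASV only after login
        verdict = classify(ctl.getpeername()[0], ip)
        try:                                        # test while the passive listener is still open
            socket.create_connection((ip, dport), timeout=timeout).close()
            data_ok = True
        except OSError:
            data_ok = False
        ctl.sendall(b"QUIT\r\n")
    return ip, dport, verdict, data_ok
```

Run probe() once from a LAN machine against the LAN IP and once from outside against the WAN IP; a "wan-ip-to-lan-client" verdict with data_ok False is exactly the timeout described in the first post, and the per-address VirtualHost shown above is the fix.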