pure-ftpd on openWRT and passive mode
Posted on 25/10/2006
In the tutorial below I will show how to install pure-ftpd to work behind a NAT box in passive mode.
I use this server on my Asus WL-500gP router at home. This tutorial can also be used to install this server on another machine behind the main router.
Below is my /etc/init.d/S70pure-ftpd

```sh
#!/bin/sh
# -Z --customerproof
# -Y 1
# -Y 0 (default) disables SSL/TLS security mechanisms.
# -Y 1 Accept both normal sessions and SSL/TLS ones.
# -Y 2 refuses connections that aren't using SSL/TLS security mechanisms, including
# -w
# Enable support for the FXP protocol, for non-anonymous users only.
# -B
# Start the standalone server in background (daemonize).
# -A
# Chroot() everyone, but root.
# -c 3
# -c clients Allow a maximum of clients to be connected
# -C 2
# -C max connections per IP
# -E
# Only allow authenticated login. Anonymous users are prohibited.
# -I 1
# -I timeout The timeout is in minutes, and defaults to 15.
# -j
# If the home directory of a user doesn't exist, automatically create it.
# -O stats:/opt/var/log/pure-ftpd/pure-ftpd.log
# Record all file transfers into a specific log file
# -O clf:/var/log/pureftpd.log
# -O stats:/var/log/pureftpd.log
# -O w3c:/var/log/pureftpd.log
# -p 65100:65150
# first:last Use only ports in the range first to last inclusive for passive-mode downloads
# -P 209.85.129.147
# Force the specified IP address in reply to a PASV/EPSV/SPSV command
# -T 12:32
# -T upload bandwidth:download bandwidth Enable process priority lowering and bandwidth throttling for *ALL* users
# -l unix
# -l authentication:file
# -S 10.0.0.1,21
# -S [{ip address|hostname}] [,{port|service name}] This option is only effective when the server is launched as a standalone server. Connections are accepted on the specified IP and port.
BIN=/opt/usr/sbin/pure-ftpd
OPTIONS="-Z -Y 1 -w -B -A -c 3 -C 2 -E -I 1 -j -O stats:/opt/var/log/pure-ftpd/pure-ftpd.log -p 65100:65150 -P 209.85.129.147 -T 12:32 -l unix -S 10.0.0.1,21"

case $1 in
    start)
        $BIN $OPTIONS
        ;;
    stop)
        killall pure-ftpd
        ;;
    restart)
        killall pure-ftpd
        sleep 1
        $BIN $OPTIONS
        ;;
    *)
        echo "usage: $0 (start|stop|restart)"
        exit 1
esac
exit $?
```
Here are my iptables rules for pure-ftpd to work in both active and passive mode behind NAT.
In the example below, 10.0.0.1 is the router. So, if you have the FTP server on another internal computer you need to use forwarding_rule instead of input_rule.
I will also change the default port 21 to 30021 on the WAN side, for security reasons. This is done from iptables only for the WAN. Inside the network, port 21 will be used.
Below are the rules for iptables

```sh
#!/bin/sh
# LAN address the FTP server listens on (the router itself in this example)
LANIP=10.0.0.1
# WAN interface; /etc/firewall.user on OpenWrt White Russian sets this from
# nvram before these rules run, so only set it here if it is not already set
WAN=${WAN:-$(nvram get wan_ifname)}

# redirect incoming FTP control connections from port 30021 to 21
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 30021 -j DNAT --to $LANIP:21
iptables -t filter -A input_rule -i $WAN -p tcp --dport 21 -d $LANIP -j ACCEPT
# accept traffic for active FTP data connections (server data port 20)
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 20 -j DNAT --to $LANIP:20
iptables -t filter -A input_rule -i $WAN -p tcp --dport 20 -d $LANIP -j ACCEPT
# accept FTP passive data connections; the range must match the -p option of pure-ftpd
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 65100:65150 -j DNAT --to $LANIP
iptables -t filter -A input_rule -i $WAN -p tcp --dport 65100:65150 -d $LANIP -j ACCEPT
```
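The -p and -P options in the init script and the passive DNAT rules above only work together when the address and port range agree on both sides. As an added example (not part of the original post), here is a small POSIX shell check that reads the -p range and -P address out of the OPTIONS string and verifies that a PASV reply a client receives points at that public address and at a port inside the forwarded range. The PASV reply strings are constructed for the example; the option values are the ones used in the post.

```sh
#!/bin/sh
# Added example: check that what pure-ftpd announces in a PASV reply matches
# the address and port range the NAT rules forward. OPTIONS is the string from
# the init script above; the 227 replies further down are constructed inputs.

OPTIONS="-Z -Y 1 -w -B -A -c 3 -C 2 -E -I 1 -j -O stats:/opt/var/log/pure-ftpd/pure-ftpd.log -p 65100:65150 -P 209.85.129.147 -T 12:32 -l unix -S 10.0.0.1,21"

# Pull the value that follows a single option (e.g. -p) out of an OPTIONS string.
opt_value() {
    printf '%s\n' "$1" | tr ' ' '\n' | awk -v flag="$2" '$0 == flag { getline; print; exit }'
}

# Passive range and public address exactly as handed to pure-ftpd.
PASV_RANGE=$(opt_value "$OPTIONS" -p)
PASV_FIRST=${PASV_RANGE%:*}
PASV_LAST=${PASV_RANGE#*:}
PUBLIC_IP=$(opt_value "$OPTIONS" -P)

# Decode "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" into "ip port".
# The data port is p1*256+p2; this is the port the client will connect to.
pasv_decode() {
    tuple=$(printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p')
    [ -n "$tuple" ] || return 1
    set -- $(printf '%s\n' "$tuple" | tr ',' ' ')
    [ $# -eq 6 ] || return 1
    printf '%s.%s.%s.%s %d\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

# Succeed only when the reply names the public address (-P) and a port that
# the firewall actually forwards (-p range). A private address or a port
# outside the range means the client cannot open the data connection.
pasv_check() {
    decoded=$(pasv_decode "$1") || return 1
    ip=${decoded% *}
    port=${decoded#* }
    [ "$ip" = "$PUBLIC_IP" ] || return 1
    [ "$port" -ge "$PASV_FIRST" ] && [ "$port" -le "$PASV_LAST" ]
}

# Constructed sample replies: the first is what a correctly configured server
# sends, the second shows what happens when -P is omitted behind NAT.
GOOD_REPLY='227 Entering Passive Mode (209,85,129,147,254,76)'
BAD_REPLY='227 Entering Passive Mode (10,0,0,1,254,76)'

if pasv_check "$GOOD_REPLY"; then echo "ok:   $GOOD_REPLY"; else echo "FAIL: $GOOD_REPLY"; fi
if pasv_check "$BAD_REPLY"; then echo "ok:   $BAD_REPLY"; else echo "FAIL: $BAD_REPLY"; fi
```

The same check can be run against a live server by feeding it the 227 line from an FTP client's verbose output; a reply that fails it is the usual cause of "passive mode works on the LAN but hangs from outside".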