On 14/04/16 22:34, good2go971 wrote:

> I have a major issue when I use an FTP service on a non-standard port.
>
> My FTP service is a proprietary solution, but it doesn't matter. I just
> run it as a non-root user and make it listen on a port higher than
> 1024.
>
> To accomplish this, I run iptables rules locally on my server to forward
> traffic:
>  - to TCP 21 -> to TCP 2121, for instance
>  - from TCP 2020 (active-mode port set on my FTP server) -> to TCP 20
>
> This is a sample of the iptables rules:
>
> iptables -t nat -A PREROUTING -p tcp -d 192.168.0.5 -m tcp --dport 21 -j DNAT --to 192.168.0.5:2121
> iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.5 -m tcp --sport 2020 -j SNAT --to 192.168.0.5:20
>
> The problem is that when I use these rules, for an unknown reason, iptables
> randomly drops the client's FTP passive connection (I get disconnected from
> the FileZilla FTP client) while the connection is still maintained on the
> server side.
>
> This causes trouble because when FileZilla tries to resume the connection,
> errors are experienced on the server side, which still has a related
> connection in use.
>
> Once I disable these NAT rules and configure my FTP server to listen on
> TCP port 21 and use TCP source port 20 (which requires root permission),
> this issue disappears.
>
> Moreover, regardless of whether iptables is active, FTPS transfers always
> work fine, as if iptables was not able to inspect encrypted traffic.
>
> Have you ever come across this issue? Or does someone have an idea about
> what's wrong?
>
> Thank you very much for your support.


Perhaps it would help get a response if you could explain "My FTP
service is a proprietary solution". Are you using vsftpd as included
with SLES12 or some other (custom) FTP server?

HTH.
--
Simon
SUSE Knowledge Partner
