FTP server (proftpd) behind LEDE firewall

Hello, I have an FTP server (proftpd) behind my LEDE router's firewall. The main use of this server is for anonymous users to occasionally download smallish files from "outside". These are unsophisticated users, and mostly use chrome/firefox with an ftp:// address.

The system used to work with LEDE r4357. Now I updated several times, and I'm running bleeding edge r6185. However, I noticed the server isn't reachable anymore from outside. Or, to be more precise, it is reachable in active mode only - but not in passive mode.

I have researched a bit, and it seems I need kmod_nf_conntrack_helper, which I believe always was and still built-in in my image - by the way, how to make sure it actually is included? lsmod doesn't list kernel modules as far as I could tell, but the conntrack_helper module is in the manifest file produced by make.

I haven't touched the firewall configuration (basically, forwarding port 21 to the appropriate LAN host). Has anything changed in the firewall workings? Can I do something to make my server reachable again?

Thanks for any help!

EDIT: From inside the LAN, any client connects and downloads succesfully - passive or active mode.

You need to open the ports for passive mode.
You need to check on the ftp server which ports are used in passive mode.

Hello gabrielflach, thanks for your answer.

Something doesn't check out, though. The server was visible with an older version of LEDE, and I haven't changed anything about the server configuration! The way I understand it, I thought the nat helper module has exactly the function of figuring out the ports negotiated in the initial FTP dialogue and opening them.

The FTP server (proftpd) is set to the default - min/max port = 0/0, which means full range (in the >1024 range, I suppose). If I got the proftpd documentation right, the ports are chosen randomly each time.

Try to set a range of ports to be used by passive mode.
I had a similar problem before, and i solved when i set a port range.

I happen to work on addressing this particular problem atm. Your problem is very likely caused by the deprecation of automatic conntrack helper assignment in recent Linux kernels, meaning that TCP traffic to port 21 is not handled by the nf_conntrack_ftp helper by default anymore.

OpenWrt/LEDE's firewall3 utility is not yet updated to deal with the new helper requirements so you need to introduce a custom rule in the meanwhile.

In /etc/firewall.user, add a new iptables rule to tie TCP/21 traffic to the FTP helper:
iptables -t raw -I PREROUTING -p tcp --dport 21 -j CT --helper ftp

That sounds like it - thank you, jow!

When I try to do that, I get an iptables error.

iptables v1.6.1: unknown option "--helper"
Try `iptables -h' or 'iptables --help' for more information.
   ! Failed with exit code 2

Am I missing some module perhaps?

As of today (r6664-e39847e) I still get that error from iptables. I say

iptables -t raw -I PREROUTING -p tcp --dport 21 -j CT --helper ftp

and I get

iptables v1.6.2: unknown option "--helper"
Try `iptables -h' or 'iptables --help' for more information.

Is that an issue with this version of iptables?

An update for other visitors.
The --helper option still doesn't work as of r6953, but I solved the problem anyway, sticking to r6664. How?

On the FTP server,

  • I forced a small range of ports for passive FTP. The range is in the "high" numbers (>=49152).
  • I disabled the "masquerade IP address as gateway", otherwise passive FTP wouldn't work from within the LAN. Your mileage may vary, as presence/effectiveness of these options depends on the specific server you use.

On the OpenWrt router,

  • I explicitly forwarded that range of ports to the FTP server, as well as the standard FTP port 21.

As a result, it seems I am able to do both active and passive transfers, both from within the LAN and from the WAN.

Tested with these clients: browser ftp://, windows commandline ftp, FileZilla (forced to passive in order to test), Android ES File Explorer integrated FTP client.

I hope this helps. If things change, I will update this thread.

@jow
How to add this iptables rule in /etc/config/firewall? so that it can be enabled and disabled as traffic rule from firewall web page.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.