
I am trying to set up an FTP server using ProFTPD on Xubuntu 15.10. Users will connect to this server in two ways:

  • internally (using an internal IPv4 address)
  • externally (using domain name pointed to NATed IPv4 and global IPv6)

On top of that, I need to chroot all users to /share directory except one user group and to use different SSL (TLS) certificates for internal and external use.

I have actually set up the server to the phase where everything is masqueraded to the public IPv4 address. However, this blocks users from connecting from an internal address.

My original idea was to do it via virtual hosts, but I was not able to do it this way.

From Google I got nothing helpful on this topic. So, is there a good way to do this?

Vilican
  • How many network interfaces do you have? Is your firewall in the same server you have the FTP service? – Mauricio López Nov 10 '15 at 16:39
  • Just one - it is connected via LAN. And yes, there is a firewall. However, not the only one, the second is in the router (where the NAT is). – Vilican Nov 10 '15 at 16:50

1 Answer


VirtualHosts is the answer, but you must assign another IP address to the FTP server. Let's say that the NAT IP is 172.16.1.10 and you add 172.16.1.11. Then you use:

<VirtualHost 172.16.1.10>
...external config here...
</VirtualHost>

<VirtualHost 172.16.1.11>
...internal config here...
</VirtualHost>

Then configure your internal DNS so that internal users resolve your FTP server to 172.16.1.11. If you want tighter security, configure iptables to only allow connections to FTP from the router to 172.16.1.10 and from the internal IPs to 172.16.1.11.

Mauricio López
  • Is there any way to do it with just one internal IPv4 address and one external (1st VHost if you come to the external address 1.2.3.4 and 2nd VHost if you come to the internal address 192.168.1.2)? You also missed that I mentioned IPv6. – Vilican Nov 10 '15 at 17:56
  • It would be the same procedure for IPv4, IPv6, internal or external. The idea is that you serve different configurations depending on which IP address you receive the request on. I used 2 internal IP addresses because I guessed that your router was making a DNAT and sending the requests from the Internet with its own address. – Mauricio López Nov 10 '15 at 18:07
  • And when I go through NAT (external address 1.2.3.4), what does the FTP server see? The external address or the address of the NAT (= router)? – Vilican Nov 10 '15 at 18:39
  • Usually the internal address of your router, unless configured otherwise (which is very rare). If you are in doubt, run this on your FTP server: sudo tcpdump -i eth0 -vvn tcp port ftp (assuming that your network interface is eth0). You'll see the whole conversation between the hosts. – Mauricio López Nov 10 '15 at 18:46
  • I see that it comes from address of my router. Is there a way to send user to specific virtual host based on the address of the connecting user? – Vilican Nov 10 '15 at 20:25
  • The only way I see you can do that is by setting up the router to send the traffic to the virtual host IP you want if it comes from some internet IP. I warn you that this is NOT SECURE, anyone might forge the external IP address and will have access to the internal FTP. – Mauricio López Nov 10 '15 at 20:30
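A proftpd.conf that puts the answer's two per-address VirtualHost blocks together with the chroot exception and the separate certificates the question asks for, as an added example (not the answer's own config nor anything from the ProFTPD project). The addresses 172.16.1.10, 172.16.1.11 and the public 1.2.3.4 come from this thread; the IPv6 address 2001:db8::10, the group name ftpadmins and the certificate paths are assumed placeholders.

```apache
# Added example; 2001:db8::10, ftpadmins and the cert paths are placeholders.
# ProFTPD's parser does not take inline comments, so all comments sit on their own lines.

ServerName "default"
# Port 0 disables the default server, so only the vhosts below listen.
Port 0

<Global>
    # Everyone is jailed to /share except members of the ftpadmins group.
    DefaultRoot /share !ftpadmins
    RequireValidShell off
    # Forward this range on the router so passive mode works through the NAT.
    PassivePorts 49152 49999
    <IfModule mod_tls.c>
        TLSEngine on
        # Refuse plaintext logins on every vhost.
        TLSRequired on
        TLSProtocol TLSv1.2
    </IfModule>
</Global>

# After DNAT, Internet traffic arrives with the router-facing address as its
# destination and lands here. Passive replies must advertise the public
# address, which is exactly what broke internal clients in the question.
<VirtualHost 172.16.1.10>
    ServerName "external IPv4"
    MasqueradeAddress 1.2.3.4
    TLSRSACertificateFile    /etc/ssl/private/ftp-external.crt
    TLSRSACertificateKeyFile /etc/ssl/private/ftp-external.key
</VirtualHost>

# Global IPv6 is not NATed, so no MasqueradeAddress; same external certificate.
<VirtualHost 2001:db8::10>
    ServerName "external IPv6"
    TLSRSACertificateFile    /etc/ssl/private/ftp-external.crt
    TLSRSACertificateKeyFile /etc/ssl/private/ftp-external.key
</VirtualHost>

# Internal clients resolve the name to this address via the internal DNS and
# reach the server directly, so they must not see the masqueraded address.
<VirtualHost 172.16.1.11>
    ServerName "internal"
    TLSRSACertificateFile    /etc/ssl/private/ftp-internal.crt
    TLSRSACertificateKeyFile /etc/ssl/private/ftp-internal.key
</VirtualHost>
```

Pair this with the iptables rules the answer suggests so that 172.16.1.10 accepts FTP only from the router and 172.16.1.11 only from internal ranges; as the last comment notes, selecting a vhost by source address alone is not a trust boundary.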