ProFTPd server behind firewall returns internal IP address for WAN and LAN connections
I'm using ProFTPD on a Debian server behind another Debian firewall. I can connect to the ftp server from the outside. However, the virtual host that gets chosen is always 192.168.0.4 regardless of WAN or LAN connections. This causes an issue when entering PASV
mode when the ftp server responds with the internal IP address to WAN connections.
I know there is a MasqueradeAddress
directive for WAN connectoins but my WAN connections are connecting to my internal virtual host.
Since there is only 1 IP address on the FTP server, do I need to use the mod_ifsession
module as described here: http://www.proftpd.org/docs/howto/NAT.html?
In the original question, I asked if I have to use the mod_ifsession
module. So far, that is the only way I can get it to work. Maybe that's expected but I was hoping to use a <VirtualHost>
block to get it working.
Here is what I did:
<IfModule mod_ifsession.c>
<Class internal>
From 192.168.0.0/24
</Class>
<IfClass !internal>
MasqueradeAddress 1.2.3.4
</IfClass>
</IfModule>
Using that, incoming LAN connections get the internal IP (192.168.0.4
) and WAN connections get the external IP (1.2.3.4
). I don't know if it's ideal, but it does work.
Edit: I was also able to get it working using a different port, as suggested. You may or may not wish to run ftp on a non-standard port so maybe this method is not for you. If you forward port 21 on the firewall to the ftp server using, say, 2121 and listen on port 2121 in one of your <virtualHost>
blocks, you then know it's an external connection. Here is the block I used for that:
<VirtualHost 192.168.0.4>
ServerName "External"
Port 2121
MasqueradeAddress 1.2.3.4
</VirtualHost>
Note: If you do it this way, the "server config" (anything not in a <virtualHost>
or <Global>
block) directives will not be applied. You may have to repeat some directives or use a <Global>
block.