We have a Java process which contains an embedded FTP server which I'd like to run on a RHEL5 machine. I don't want to run the process as root and I don't want clients to have to specify a port when making a connection. It seems like I should be able to configure vsftpd to listen on an alternative port (e.g. 20000) and then configure ipchains to forward all traffic on port 21 to 20000. I think specifically I need to:
- Configure vsftpd to listen on port 20000
- Configure ip_conntrack_ftp to forward traffic from port 21 to 20000
So my initial question is does this seem like a reasonable approach?
To accomplish step 1 I've modified my vsftpd.conf to have the following line:
listen_port=20000
I can then restart vsftpd and verify it is listening on 20000 by doing the following:
> ftp tstweb1 20000
Connected to tstweb1.pulseenergy.com.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (tstweb1:cclark):
And I proceed to login without issue. Step 1 complete.
As for step 2, I don't see the module loaded:
> /sbin/lsmod | grep ftp
>
So I try to load it with the proper port forwarding information:
> /sbin/modprobe ip_conntrack_ftp ports=21,20000
And I verify it has loaded:
> /sbin/lsmod | grep ftp
ip_conntrack_ftp 41489 0
ip_conntrack 91109 3 ip_conntrack_ftp,iptable_nat,ip_nat
But I get a connection refused when I try to use it:
> ftp tstweb1
ftp: connect: Connection refused
I know FTP is a complex protocol with active and passive modes and communication on multiple ports, but I was under the impression the ip_conntrack_ftp module would hide a lot of that for me. Do I need to write some specific iptables rules in addition?
I think what you are looking for is REDIRECT:
And you need to use passive-ftp.
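One way to wire this up, as an added example that is not from the question or the answer: the iptables REDIRECT rules the answer points at, the passive-mode vsftpd settings to go with them, and a check that a vsftpd.conf contains them. The 50000-50050 passive range and the function names are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example (not from the question or answer): publish vsftpd on port 21
# without running it as root. Assumes vsftpd listens on 20000 (from the question)
# and a passive data range of 50000-50050 (constructed for this example).

INTERNAL_PORT=20000
PASV_MIN=50000
PASV_MAX=50050

# Print the iptables commands that redirect port 21 to the unprivileged port.
# Nothing is executed here: review the output, then run it as root.
redirect_rules() {
  # Connections from other hosts pass through nat/PREROUTING ...
  echo "iptables -t nat -A PREROUTING -p tcp --dport 21 -j REDIRECT --to-ports $INTERNAL_PORT"
  # ... but a test from the server itself only traverses nat/OUTPUT, so without
  # this rule 'ftp tstweb1' run on the box keeps getting connection refused.
  echo "iptables -t nat -A OUTPUT -o lo -p tcp --dport 21 -j REDIRECT --to-ports $INTERNAL_PORT"
  # ip_conntrack_ftp only tracks the control channel (that is what ports=21,20000
  # means); the passive data ports still have to be reachable, so open exactly
  # the range vsftpd is configured to use and nothing more.
  echo "iptables -A INPUT -p tcp --dport $PASV_MIN:$PASV_MAX -m state --state NEW,ESTABLISHED -j ACCEPT"
}

# vsftpd.conf lines for passive mode with a fixed, firewall-friendly port range.
vsftpd_fragment() {
  printf 'listen_port=%s\npasv_enable=YES\npasv_min_port=%s\npasv_max_port=%s\n' \
    "$INTERNAL_PORT" "$PASV_MIN" "$PASV_MAX"
}

# Verify that a vsftpd.conf sets every required key to the expected value.
# Returns 0 when all match, 1 otherwise. Usage: check_conf /etc/vsftpd/vsftpd.conf
check_conf() {
  conf=$1; rc=0
  for want in "listen_port=$INTERNAL_PORT" "pasv_enable=YES" \
              "pasv_min_port=$PASV_MIN" "pasv_max_port=$PASV_MAX"; do
    key=${want%%=*}
    # Take the last uncommented assignment of the key in the file.
    have=$(grep "^$key=" "$conf" | tail -n 1)
    if [ "$have" != "$want" ]; then
      echo "expected '$want', found '${have:-nothing}'" >&2
      rc=1
    fi
  done
  return $rc
}
```

Run `check_conf` against the live config before restarting vsftpd; it reports each missing or mismatched setting on stderr.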