Resolved
0 votes
Hello,

After a few months I’m still stuck with issues on FTP, even if previous issues have been partially solved.

Context: I have a third-party application that needs to be able to send files to a ClearOS7 server for a specific user; they use port 21.

At "/etc/proftpd.d/flex-21.conf", by default port 21 goes to "/var/flexshare/shares/", where they can’t write.
To fix this I have to edit this file, change this to "/var/flexshare/shares/groupnameftp" and restart ftpd (service proftpd restart).

It works for a few months/weeks, then it is overwritten.

How can I make it permanent?

1/ Nick (hi ;-) ) mentioned prerouting but I need more specific instructions.

2/ Create a script that overwrites changes on system reboot... (how?)

Thanks for any help about this,
Bernard
Sunday, August 30 2020, 09:19 AM

Accepted Answer

Sunday, August 30 2020, 02:18 PM - #Permalink
Resolved
0 votes
Your third party app is a bit selfish as it is effectively insisting on you running an FTP server exclusively for them. They should at least allow you to specify a landing folder that they switch to after login. Even my old, cheap Chinese security camera allows me to do that.

I have done a brief experiment on my LAN with the following rule:
iptables -I PREROUTING -t nat -p tcp --dport 21 -j DNAT --to-destination 172.17.2.1:2121
This redirects port 21 to 2121 (the user's home folder) and works with WinSCP. You'd need to check if it works with other FTP clients such as your 3rd party's.

Change the IP address to your WAN IP address. If you have a dynamic IP, use your external FQDN as the firewall will restart when your IP changes, re-reading the poweredbyclear.com FQDN.
If your third party is coming in from a single IP address or even multiple ones, the rule can be modified by adding "-s third_party_IP address" to the rule. Multiple source IPs can be specified, comma separated (I believe), and a subnet mask can also be specified for a block of IPs. If you do this then only that source IP's FTP will be redirected to the user's home. Everyone else can use flexshares as normal.
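An added example (not part of the original posts): a dry-run generator for the source-restricted redirect described in the answer above. It prints one idempotent rule per source instead of relying on comma-separated `-s` values; the function names `valid_source` and `gen_ftp_redirect` and all addresses (documentation ranges) are assumptions made for illustration.

```shell
#!/bin/bash
# Added example: print (never apply) source-restricted FTP redirect rules.
# Every address used here is a constructed sample from a documentation range.

# Succeed only for a dotted-quad IPv4 address with an optional /0-32 mask.
valid_source() {
    local addr="${1%%/*}" mask octet count=0
    if [ "$addr" != "$1" ]; then              # a "/mask" suffix is present
        mask="${1#*/}"
        case $mask in ''|*[!0-9]*) return 1 ;; esac
        [ "${#mask}" -le 2 ] && [ "$mask" -le 32 ] || return 1
    fi
    case $addr in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    local IFS=.
    for octet in $addr; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
        count=$((count + 1))
    done
    [ "$count" -eq 4 ]
}

# $1 = address the clients connect to, $2 = redirect port, rest = sources.
# Validates everything first, so bad input produces no rules at all.
gen_ftp_redirect() {
    local dest="$1" port="$2" src spec
    [ "$#" -ge 3 ] || { echo "need at least one source address" >&2; return 1; }
    shift 2
    case $dest in */*) echo "destination must be a single host" >&2; return 1 ;; esac
    valid_source "$dest" || { echo "bad destination: $dest" >&2; return 1; }
    case $port in ''|*[!0-9]*|??????*) echo "bad port: $port" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
    for src in "$@"; do
        valid_source "$src" || { echo "bad source: $src" >&2; return 1; }
    done
    for src in "$@"; do
        spec="PREROUTING -p tcp -s $src --dport 21 -j DNAT --to-destination $dest:$port"
        # -C tests whether the rule already exists, so re-running adds no duplicate.
        echo "iptables -t nat -C $spec 2>/dev/null || iptables -t nat -I $spec"
    done
}

# Dry run: one host and one /26 block belonging to the (hypothetical) third party.
gen_ftp_redirect 203.0.113.10 2121 198.51.100.7 198.51.100.64/26
```

Review the printed lines before adding them to wherever your firewall rules are kept; a call with no source addresses is refused, so an unrestricted redirect is never emitted by accident.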
Responses (4)
  • Accepted Answer

    Wednesday, September 09 2020, 06:08 AM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:

    Your third party app is a bit selfish as it is effectively insisting on you running an FTP server exclusively for them. They should at least allow you to specify a landing folder that they switch to after login. Even my old, cheap Chinese security camera allows me to do that.

    I have done a brief experiment on my LAN with the following rule:
    iptables -I PREROUTING -t nat -p tcp --dport 21 -j DNAT --to-destination 172.17.2.1:2121
    This redirects port 21 to 2121 (the user's home folder) and works with WinSCP. You'd need to check if it works with other FTP clients such as your 3rd party's.

    Change the IP address to your WAN IP address. If you have a dynamic IP, use your external FQDN as the firewall will restart when your IP changes, re-reading the poweredbyclear.com FQDN.
    If your third party is coming in from a single IP address or even multiple ones, the rule can be modified by adding "-s third_party_IP address" to the rule. Multiple source IPs can be specified, comma separated (I believe), and a subnet mask can also be specified for a block of IPs. If you do this then only that source IP's FTP will be redirected to the user's home. Everyone else can use flexshares as normal.


    Totally agree about the third party support... but that’s what it is.
    I followed your suggestion and gave it a few days to run and so far no more troubles with that.

    A big thanks again, Nick
    Bernard
  • Accepted Answer

    Sunday, August 30 2020, 01:37 PM - #Permalink
    Resolved
    0 votes
    Hi Nick thanks for always being here ;-)

    Nick Howitt wrote:
    Alternatively can your app ftp into port 2121 and go straight into a user's home folder?


    You mean the third party app?
    No... for 2 or 3 months I tried to have them change the port, but they are not interested in making any change for one person.

    Every time flexshare is updated I understand.
    Does that mean there is a template file somewhere used for this?
    Can’t I change the value in the template? (yes, a bit hacky, but this thing is killing me right now)

    Bernard
  • Accepted Answer

    Sunday, August 30 2020, 11:47 AM - #Permalink
    Resolved
    0 votes
    Every time you change a flexshare the file will get overwritten. You can set the immutable bit to stop the file being changed but that may just shoot you in the foot as it will block all changes to the file.

    Alternatively can your app ftp into port 2121 and go straight into a user's home folder?