FTP Upload to NAT OpenVZ Container fails

Lateral, New Member, Sep 10, 2014
Hello everyone,

I just set up a new installation of Proxmox and created an OpenVZ container using Minimal Debian 7.0 and installed proftpd. However, when uploading files to the FTP server the upload fails after some random time. Sometimes it works, sometimes it fails after half a second, sometimes after x seconds. FileZilla throws the following error:
Error: Could not write to transfer socket: ECONNRESET - Connection reset by peer
I don't know what the source of this could be. I was able to reproduce the same error on another machine. I also tried a different FTP setup with pure-ftpd, which had the exact same behaviour. I never noticed until now, because I never had to give out FTP access; I was always using SFTP, which works just fine.

If I install proftpd on the host, it works fine, just not in the containers. I've tried this on a CentOS 6 and a Debian 7 container, by the way. No difference. So I believe it should be some network setup issue with Proxmox on the host. However, I didn't modify anything except for adding the interfaces in /etc/network/interfaces.

There's one public IP for each container, so I route all traffic to the private venet address (10.0.0.112) using the following interface/NAT setup:
Code:
auto vmbr0:0
iface vmbr0:0 inet static
        address MY_IP
        netmask 255.255.255.255
        broadcast MY_IP
        post-up iptables -t nat -A POSTROUTING -s 10.0.0.112 -o vmbr0 -j SNAT --to MY_IP
        post-down iptables -t nat -D POSTROUTING -s 10.0.0.112 -o vmbr0 -j SNAT --to MY_IP
        post-up iptables -t nat -A PREROUTING -i vmbr0 -d MY_IP -j DNAT --to 10.0.0.112
        post-down iptables -t nat -D PREROUTING -i vmbr0 -d MY_IP -j DNAT --to 10.0.0.112

IP forwarding is enabled on the host, also:
Code:
cat /proc/sys/net/ipv4/ip_forward
1

Could someone please help me to track the issue down? I have no idea how to solve this.
Thank you!

Greetings
Felix
 
Hello Felix
There's one public IP for each container, so I route all traffic to the private venet address (10.0.0.112) using the following interface/NAT setup:

As far as I understood, each container has its own public IP, so you don't need NAT; assign this IP to venet0 of the container (you can keep 10.0.0.112 too) and that's it!

The explanation for your error is probably as follows: the FTP protocol also exchanges address and port values (I don't know the details) in the data fields, which are not treated by iptables' NAT. Physical NAT routers usually have a specially built-in mechanism for that.

Kind regards
Mr.Holmes
 
Thanks Mr.Holmes, I just realized this yesterday evening and simply assigned the public IP to venet0, and it's working as expected! :)

That sounds plausible, even though I don't know that much about network protocols.

However, you can configure which IP should be sent in proftpd, and it actually shows it when connecting, including the ports to use for data connections when entering FTP's passive mode:
FTP Log said:
Command: PASV
Response: 227 Entering Passive Mode (A,B,C,D,147,131).
Having the IP "A.B.C.D" which I configured to be sent.

But that should be fine for now.
I just thought NAT would be nice to use if I'm running out of IPs, so I could forward some ports to a different container.
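The 227 reply quoted above is exactly the payload the replies in this thread are talking about: the six numbers are the four octets of the address the client is expected to open the data connection to, followed by the data port split into a high and a low byte (147,131 is port 147*256+131 = 37763). A plain SNAT/DNAT rule set like the one in the first post rewrites the IP headers of the control connection but never touches this text, so a server that sits on 10.0.0.112 advertises 10.0.0.112 unless it is configured to advertise the public address. (Linux does have an FTP connection-tracking helper, nf_conntrack_ftp with nf_nat_ftp, that rewrites the reply, but it does nothing unless those modules are loaded.) The following is an added example written for this page, not code from the thread or from proftpd: it parses a 227 reply, computes the port, and flags the case where the advertised address is an RFC 1918 address while the control connection went to a public one. The function names and 203.0.113.10 (a documentation address standing in for the thread's A.B.C.D) are constructed for the example.

```python
import ipaddress
import re

# RFC 959 reply format: "227 <text> (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

# RFC 1918 ranges; a server behind NAT advertising one of these to a public
# client is the failure mode discussed in the thread.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def parse_pasv(reply):
    """Return (address, port) advertised in a 227 'Entering Passive Mode' reply.

    The first four fields are the IPv4 octets, the last two are the data port
    split into high and low bytes: port = p1 * 256 + p2.
    """
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("PASV field out of byte range: %r" % reply)
    address = ".".join(str(o) for o in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("PASV reply advertises port 0")
    return address, port


def check_data_endpoint(reply, control_peer):
    """Compare the PASV endpoint with the address the client actually used
    for the control connection. Returns (address, port, problems).

    NAT rewrites the IP headers of the control connection but not the address
    embedded in the reply text, so a mismatch here means the client will open
    its data connection to an address the server did not intend.
    """
    address, port = parse_pasv(reply)
    advertised = ipaddress.ip_address(address)
    peer = ipaddress.ip_address(control_peer)
    problems = []
    if is_rfc1918(advertised) and not is_rfc1918(peer):
        problems.append(
            "server advertised private address %s to a public client; "
            "the 227 payload was not rewritten by NAT" % address
        )
    elif advertised != peer:
        problems.append(
            "advertised address %s differs from control peer %s"
            % (address, control_peer)
        )
    if port < 1024:
        problems.append("data port %d is in the privileged range" % port)
    return address, port, problems


# Constructed sample replies: the port pair 147,131 is the one from the thread.
GOOD_REPLY = "227 Entering Passive Mode (203,0,113,10,147,131)."
LEAKED_REPLY = "227 Entering Passive Mode (10,0,0,112,147,131)."

if __name__ == "__main__":
    for reply in (GOOD_REPLY, LEAKED_REPLY):
        addr, port, problems = check_data_endpoint(reply, "203.0.113.10")
        print("%s -> data connection to %s:%d" % (reply, addr, port))
        for p in problems:
            print("  warning: " + p)
```

Running the block prints the data endpoint for both replies and a warning only for the second, which is what a client would see from a container on 10.0.0.112 that had not been told to advertise its public IP.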