AWS VPC私有子网后NAT实例的FTP访问

@JohnRotenstein 绝对正确，如果可以的话，你应该使用被动 FTP。但是如果像我一样，你被客户卡住，他们坚持要求你使用主动式FTP，因为他们想要你连接到的FTP站点自1990年以来一直在运行，现在更改它是完全不合理的，那么请继续阅读。

AWS的NAT服务器不支持处于私有子网中的机器使用主动式FTP进行连接。结束语。如果你问我，这是个漏洞，但如果你问AWS支持团队，他们会说这是一个不支持的功能。

我们最终想出的解决方案（并且有效）是：

• Add an Elastic Network Interface (ENI) in a public subnet on to your EC2 instance in the private subnet
  • So now your EC2 instance has 2 network adapters, 2 internal IPs, etc.
  • Let's call this new ENI your "public ENI"
• Attach a dedicated elastic IP to your new public ENI
  • Let's assume you get 54.54.54.54 and the new public ENI's internal IP address is 10.1.1.10

• Add a route in your operating system's networking configuration to only use the new public ENI

  • In windows, the command will look like this, assuming the evil active ftp server you're trying to connect to is at 8.1.1.1:

    route add 8.1.1.1 mask 255.255.255.254 10.1.1.1 metric 2
    

  • This adds a route for all traffic to the FTP server at 8.1.1.1 using subnet mask 255.255.255.254 (ie. this IP and only this IP) should go to the internet gateway 10.1.1.1 using ethernet adapter 2 (your second NIC)

• Fed up yet? Yeah, me too, but now comes the hard part. The OS doesn't know it's public IP address for the public EIN. So you need to teach your FTP client to send the PORT command with the public IP. For example if using CURL, use the --ftp-port command like so:

  curl -v --ftp-port 54.54.54.54 ftp://8.1.1.1 --user myusername:mypass
  

完成！现在您可以从几乎完全位于私有子网中的EC2机器连接到恶梦般的活动FTP站点。