[SATLUG] FTP behind router
sean at txid.com
Sun Aug 25 11:45:03 CDT 2002
Thanks for the detailed reply. Here's where I'm at now:
* Got SSH working, thanks, I just had to forward port 22 and it works
* I've got ports 21 and 20 forwarding to the linux box that's running
I have a web server running rh 7.2 that I use to test the FTP, so I open
ftp from the command line (from the internet server) and it asks for
username and password. That works fine, right up until I try to 'ls' or
'send' a file to the ftp server. At that point it says 'entering
passive mode' and eventually just times out.
Could I not have the proftpd set up properly? I have forwarded both
ports 20 and 21 as you suggested, but still having trouble with it.
Thanks for all the help
From: "Chuck" <Chuck at Tetlow.Net>
To: <satlug at satlug.org>
Subject: RE: [SATLUG] FTP server behind linksys router
Date: Sat, 24 Aug 2002 17:41:57 -0500
Reply-To: satlug at satlug.org
Actually, the 'port mode' (actually known as active mode) is the
standard. Passive mode is the alternate method. And I can explain why
one works while the other doesn't.
FTP is one of those odd-ball protocols. It uses two TCP ports, TCP20
and TCP21. TCP21 is the control port and it is the port that you
establish the first connection to. So, when the client connects - it
sends out a connection to the server at server port TCP21.
Then when you request a file in standard active mode, the server
establishes a connection BACK to your client on the data port TCP20.
This two-way connection establishment can be a real headache when
dealing with firewalls. For example, if a firewall is not intelligent
enough to know about inbound TCP20 connections -- it won't know how to
deal with one when it comes in from the outside and it just drops the
connection. But if a firewall knows what's going on (FTP module loaded
in Linux), it knows to send the connection inwards to the same inside
computer that has an outbound TCP21 connection to that Internet
Passive mode was developed to deal with unintelligent firewalls. When
you request a file in passive mode, YOUR client establishes the TCP20
data port connection outwards to the server. Now, a server has to be
configured to accept passive mode connections -- but most are these
days. With this method, all connections start on the inside and go
outwards which solves any problems with a firewall or proxy. Oh, yea --
this is the normal method for most browsers -- passive mode.
Now, in your case -- you are trying to send an FTP connection from the
Internet inwards to an internal machine. You set the Linksys (or
similar low-end NAT router) to support inbound FTP connections. And
when a TCP21 control port connection comes in from the Internet, it
sends it inwards to your FTP server. But apparently, it isn't
intelligent enough to recognize an inbound TCP20 data port connection.
So, passive mode fails. But when you are in active mode, the server on
the inside originates the TCP20 data port connection outwards and it
works just fine.
To correct this problem, you will have to set the Linksys to forward
inbound TCP20 data port connections inwards to the FTP
server. Or, if you can't configure it to do that -- just use only
active mode (which may be a problem with browsers doing FTP).
As for the ssh, just make sure the Linksys is forwarding in TCP22
connections to the ssh server. As long as you have that port forwarded
inwards, it should work.
Need anything else or just didn't understand that long explanation --
feel free to shoot back.
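The control-channel exchange behind Sean's symptom ('entering passive mode', then a timeout), as an added example that is not code from the SATLUG thread: it decodes the address/port pair that the server's 227 reply and the client's PORT command carry (the h1,h2,h3,h4,p1,p2 encoding from RFC 959) and reports which side opens the data connection and whether it can reach a server whose router forwards only the listed ports. The function and parameter names (data_channel_verdict, control_peer) and all sample lines and addresses are constructed for this example.

```python
import re
# Added example, not code from the SATLUG thread. Decodes the host/port that FTP
# carries inside its control channel and decides whether a NAT router that only
# forwards the listed ports lets the data connection reach the server.
# All sample lines and addresses are constructed.
HOSTPORT = r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)"
PASV_REPLY = re.compile(r"^227 .*?\(" + HOSTPORT + r"\)")  # server -> client
PORT_CMD = re.compile(r"^PORT " + HOSTPORT + r"\s*$")      # client -> server


def decode_hostport(groups):
    """FTP encodes h1,h2,h3,h4,p1,p2; the port is p1*256 + p2 (RFC 959)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_channel_verdict(line, forwarded_ports, control_peer):
    """Classify one control-channel line for an FTP server behind NAT.

    forwarded_ports: TCP ports the router forwards inbound to the server.
    control_peer: the public address the client dialled for the TCP21 session.
    """
    if m := PASV_REPLY.match(line):
        host, port = decode_hostport(m.groups())
        # Passive: the CLIENT connects inbound to the advertised endpoint, so the
        # router needs a forward for that port, and the advertised address must be
        # the public one rather than the server's LAN address.
        problems = []
        if port not in forwarded_ports:
            problems.append(f"TCP{port} is not forwarded inbound")
        if host != control_peer:
            problems.append(f"server advertised {host}, client dialled {control_peer}")
        return dict(mode="passive", initiator="client", host=host, port=port,
                    reachable=not problems,
                    reason="; ".join(problems) or "forwarded and address matches")
    if m := PORT_CMD.match(line):
        host, port = decode_hostport(m.groups())
        # Active: the SERVER opens the data connection outbound (from TCP20) to the
        # client's announced port; outbound traffic needs no forward rule at all.
        return dict(mode="active", initiator="server", host=host, port=port,
                    reachable=True, reason="server connects outbound")
    raise ValueError(f"not a PASV reply or PORT command: {line!r}")


if __name__ == "__main__":
    forwarded = {20, 21}  # what the Linksys in the thread forwards
    for s in ("227 Entering Passive Mode (192,168,1,10,195,172).",
              "PORT 203,0,113,9,4,1"):
        print(s, "->", data_channel_verdict(s, forwarded, "203.0.113.5"))
```

A firewall's FTP connection-tracking helper (the "FTP module loaded in Linux" Chuck mentions) performs this same parsing in-line on the control channel so it can open the announced data port on the fly; a plain port-forward table cannot.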