LinuxQuestions.org


deweirdt 11-04-2003 02:33 AM

FTP ports
 
Hello,

I have set up an FTP server on my Linux machine (RH 7.3), but now I have a problem.

I have a router before entering my domain, so it is easy for me to change the routing of the ports. Because my ISP is blocking every port from 1 -> 1024, I needed to change the router port for the ISP to 2121 and then route it to 21 internally.

This is probably no problem. I'm able to connect internally and externally to my FTP server (ext. port 2121, int. port 21). I only have a problem when coming from external. The FTP program is prompting for a password (so that means I'm connected), but then I cannot do a list.

My question is now: do I need to configure something on my router, ... to make sure I'm able to do a list? Is this list sent on another port?

Regards peter-Jan

zaphodiv 11-04-2003 05:12 AM

Read the old threads in this forum about ftp problems.

The FTP protocol was designed in the 1970s, before anyone used firewalls or NAT connection sharing.

By default, to transfer a directory listing or a file, the FTP server opens a connection back to the computer running the FTP client. This doesn't work when the client is firewalled or behind a connection sharing system. A few of the better hardware NAT routers, such as ZyXEL, will sniff FTP connections and automatically forward incoming data connections.

The alternative is to set the FTP client to use passive mode. In this case the client opens another connection to get the listing/data. Passive mode to your server won't work because it will use a different port number (not port 21).

Forwarding port 20 sometimes allows FTP servers behind NAT to support passive mode. It depends on the exact behaviour of the FTP server.

In your case, since your ISP will block a connection to port 20, you will have to figure out how to get your FTP server to accept data connections on a high port number and forward that port as well.

This reminds me. Using a Linux box as a connection sharing machine, an old ipchains based distro could let FTP clients use active mode with a module.
How can you make that work when doing NAT with iptables?
Slackware 8.1 in my case.

Edit: As Hw-tph says, the ftp data port is usually port 20.

hw-tph 11-04-2003 07:58 AM

tcp/22 is used by SSH, not FTP. The port for ftp-data (classic, non-PASV mode) is 20 while the FTP command channel is on 21.

Set a range of ports to be used for passive mode transfers in your FTP server configuration. If you would like to use a range of 100 ports between 34201 and 34300 with ProFTPd you would use the PassivePorts directive in the global config:
Code:

PassivePorts 34201 34300

Every time a passive mode transfer - be it a directory listing (which is a data transfer, not a command) or a regular file transfer - is executed, one of the ports in that range will be randomly selected as the server-side port. You will have to forward these ports to the computer on which the FTP server runs in the router configuration. If you have a Linksys router you will probably find what you want in Advanced >> Port Forwarding >> View Port Range Forwarding in the web administration thingy.

If you don't set up the port range to be forwarded in the router you will suffer a timeout whenever you try to retrieve a directory listing or a file from the FTP server.

Håkan

