LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 01-11-2006, 04:10 AM   #1
Sir_Limpalot
ftp from msdos


Hello all.
I'm having a problem with ftp from a custom system at a client that uses ftp to get some files from suppliers.
The new firewall is obviously stopping it as it wasn't a problem before.
I've tried ftp-connections with firefox, msie, smartftp and lftp and they all work, the only place I can replicate the problem is with the ftp-client in dos (or windows cmd).
I've also tried purging all rules and setting the policy to accept on all chains; still the same problem...
Anyone have any good ideas?

If you do: Thanx a lot, I'm stuck...

Sturla

ps. ip_conntrack_ftp is loaded, although I don't think it should matter when defaulting to ACCEPT
 
Old 01-11-2006, 05:03 AM   #2
nx5000
Ftp.exe is not a real ftp client, it only does a subset of the ftp protocol: it uses Active mode, while IE uses PASSIVE mode.
It can't switch to passive mode.

If your side is well configured (Firewall+NAT+Ftp_conntrack) then Passive will work.

If they HAVE to use active ftp then they need a clean configuration like you. I guess they are using NAT and/or a FW and that they are not Active-FTP-aware.

What is happening could be:
-> They send you their internal IP address (192.168.... for example.. security leak) and obviously you can't connect to it.
-> They send you their real IP ( their internal is internet-global or they have a NAT that understands FTP) BUT they don't open the port.

Can they make a dir on ftp.oreilly.com for example, using ftp.exe? I guess not, so it's not your fault, it's theirs.

They have to correct their configuration OR use a command line FTP client that does PASSIVE mode.

Last edited by nx5000; 01-11-2006 at 05:10 AM.
 
Old 01-11-2006, 05:05 AM   #3
live_dont_exist
So..if it's working in all other places why do you want to ftp through DOS??
I mean surely if the FTP server's accepting connections through browsers the port is open; so it's not a firewall problem at all, either on the client or the server or the firewall. It's something to do with CMD.

What I fail to understand is if you can connect through an FTP client which already has a GUI inbuilt you can get/put files through it ..can't you?...why do you need CMD at all?

Maybe I'm missing something...can you please clarify?

Cheers
Arvind
p.s...I know there's a graphical frontend for ssh which allows you to get and put files..you might want to try googling on those lines if that's what you mean

Wait ..here it is : http://winscp.net/eng/download.php

Last edited by live_dont_exist; 01-11-2006 at 05:10 AM.
 
Old 01-11-2006, 05:09 AM   #4
nx5000
Quote:
Originally Posted by live_dont_exist
So..if it's working in all other places why do you want to ftp through DOS??
"The client (customer) is the king" but you're right, they should use a REAL ftp program.
 
Old 01-11-2006, 05:40 AM   #5
live_dont_exist
Quote:
Originally Posted by nx5000
What is happening could be:
-> They send you their internal IP address (192.168.... for example.. security leak) and obviously you can't connect to it.
-> They send you their real IP ( their internal is internet-global or they have a NAT that understands FTP) BUT they don't open the port.
So firstly ..Is there any way to force FTP to happen in Passive mode??...

Secondly are you saying that if A is sitting on Client 192.168.0.1 and wants to FTP to 202.x.x.x he will do something like ftp>open 202.x.x.x, the firewall NAT rules take over and the 202.x.x.x IP will now be Xlated to a 192.x.x.x ...thus allowing the connection to proceed...so since Client A and the remote machine are on the same 192.x.x.x network shouldn't it work??

And since the browser is able to connect through ftp doesn't it mean ftp (21) is open on the Firewall or is it that FTP(Active) and FTP(Passive) are assigned 20 and 21 ..I remember 2 ports assigned for FTP in that list.

Can you clarify my doubts?
Cheers
Arvind
 
Old 01-11-2006, 06:37 AM   #6
nx5000
Quote:
Originally Posted by live_dont_exist
So firstly ..Is there any way to force FTP to happen in Passive mode??...
Should be
Code:
quote pasv
to put the server in passive mode (and the client, which interprets the "Entering PASV", should know that it has to switch to passive)
But it does not work... ftp.exe for me is a toy, it uses active only while passive is the most common.

Quote:
Secondly are you saying that if A is sitting on Client 192.168.0.1 and wants to FTP to 202.x.x.x he will do something like ftp>open 202.x.x.x, the firewall NAT rules take over and the 202.x.x.x IP will now be Xlated to a 192.x.x.x ...thus allowing the connection to proceed...so since Client A and the remote machine are on the same 192.x.x.x network shouldn't it work??
I think here you are mixing things: there are two different things
-> The IP header of a packet . Source IP and Destination IP.
-> The Data part of a packet . In active mode, the client will send PORT 192,168,0,1,4,1. Which means, hey you, connect on me (192.168.0.1) on port 4*256+1=1025.
So the Network packet will be:
Code:
Source IP:192.168.0.1
Destination IP:202.1.1.1
Source port: we don't care say 2000
Destination port:21
Data : Port 192,168,0,1,4,1
When the NAT device on the client side sees an FTP packet (it recognizes it because the destination port is 21), it looks in THE DATA of the packet, it sees 192,168,0,1,4,1 and translates it to the REAL (accessible from Internet) IP address.
becomes:

Code:
Source IP:IP of the NAT device , ex : 201.1.1.1
Destination IP:202.1.1.1
Source port: 2000
Destination port:21
Data : Port 201,1,1,1,4,1
The server will acknowledge the packet to 201.1.1.1:2000 and then open a connection to 201.1.1.1 :1025

I'm very bad at explaining things
Have a look here (this guy should give me some money, I've given his link hundreds of times)
http://slacksite.com/other/ftp.html

Now you may wonder why we put in the DATA part the IP of the client.
This is because FTP can be used to do FXP (and nasty stealth scanning or Denial of Service also): client A asks server B to send the data to client C.
www.faqs.org/rfcs/rfc959.html

Maybe begin by understanding how NAT works, then how FTP works and then how both work.

Happy
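As an added illustration of the packet walk-through above and of the "internal address leak" case from post #2 (example code written for this page, not code from the thread or from netfilter): it decodes a PORT argument, performs the rewrite that ip_nat_ftp does on the data part, and runs a defender-side check on what a client is advertising. The function names and the sample addresses 192.168.0.1 / 201.1.1.1 are taken from or modelled on the post and are assumptions, not a real API.

```python
import ipaddress
import re

# RFC 959 PORT argument: h1,h2,h3,h4,p1,p2 (all decimal 0..255)
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def parse_port(line):
    """Decode 'PORT 192,168,0,1,4,1' into ('192.168.0.1', 1025): port = p1*256 + p2."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    fields = [int(x) for x in m.group(1).split(",")]
    if any(f > 255 for f in fields):
        raise ValueError("octet out of range in %r" % line)
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


def build_port(ip, port):
    """Encode (ip, port) back into the PORT wire form."""
    octets = ",".join(str(int(o)) for o in ip.split("."))
    return "PORT %s,%d,%d" % (octets, port // 256, port % 256)


def nat_rewrite(line, external_ip):
    """What the FTP NAT helper does to the DATA part on the way out:
    the private client address is swapped for the NAT box's public one,
    the data port (1025 here) is left alone."""
    _ip, port = parse_port(line)
    return build_port(external_ip, port)


def check_port(line, src_ip):
    """Perimeter sanity checks on an outbound PORT command (hypothetical helper).
    Returns a list of findings; empty means the command looks consistent."""
    ip, _port = parse_port(line)
    findings = []
    if ipaddress.ip_address(ip).is_private:
        # RFC 1918 address on its way to an Internet server: the leak from
        # post #2, i.e. no ip_nat_ftp (or equivalent) rewriting the payload
        findings.append("private address advertised (NAT helper missing?)")
    if ip != src_ip:
        # Data connection requested to a third host: the FXP / bounce
        # pattern the post warns about; worth alerting on at a gateway
        findings.append("advertised address differs from packet source IP")
    return findings
```

Running check_port on the pre-NAT packet from the post (source 192.168.0.1, PORT 192,168,0,1,4,1) reports the private-address finding, while the post-NAT packet (source 201.1.1.1, PORT 201,1,1,1,4,1) reports nothing.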
 
Old 01-11-2006, 08:21 AM   #7
Sir_Limpalot
Hi folks and thanks for all suggestions...
Just to clarify: I don't use ftp.exe, neither would I ever make a system that does, but the client has a server-app that does, closed source... So there's nothing I can do about that....
I'll try to google a little more for active ftp...
 
Old 01-11-2006, 08:27 AM   #8
Sir_Limpalot
Hmmmm, I feel kinda stupid right now, I just needed to

modprobe ip_nat_ftp

Thought I just needed ip_conntrack_ftp, oh well, we live and learn don't we?

Thanx again for all suggestions and solutions
 
Old 01-11-2006, 09:19 AM   #9
nx5000
Quote:
Originally Posted by Sir_Limpalot
Hmmmm, I feel kinda stupid right now, I just needed to

No problem, I'm also here to learn. Anyway it also helped someone else.
 
Old 01-13-2006, 12:54 AM   #10
Capt_Caveman
Sir_Limpalot
Please do not post your question more than once in the forums. As a new LQer, I suggest you check the site rules:
http://www.linuxquestions.org/linux/rules.html
 
Old 01-13-2006, 05:37 AM   #11
business_kid
It just might be you can grab a copy of arachne (the dos browser - don't laugh) and that
might get your customer in with an interface he can manage.

Those were the days... nobody knew what multitasking was, '640k was enough memory for anyone- ever'
according to Bill Gates ...etc.
 
Old 01-13-2006, 07:47 AM   #12
Sir_Limpalot
About cross-posting: Sorry, won't happen again
 