Posted to ftpserver-users@mina.apache.org by Aidan Diffey <ai...@googlemail.com> on 2010/03/12 11:53:27 UTC

Fwd: Binding FTP data port

Hello All.

I am trying to run Apache FTP server on a Linux box and I am having problems
with the port binding.
I have set up iptables on the Linux machine to redirect ports 20 and 21 to
10120 and 10121 respectively.
In my application code, I set the port number on the ListenerFactory to
10121 which appears to work (as I can see the port binding using a netstat
-a).

How do I set the port binding for the FTP data connection (20) in my code?
I have tried the following:

    import org.apache.ftpserver.FtpServer;
    import org.apache.ftpserver.FtpServerFactory;
    import org.apache.ftpserver.DataConnectionConfigurationFactory;
    import org.apache.ftpserver.listener.ListenerFactory;

    FtpServerFactory serverFactory = new FtpServerFactory();

    // control connection listener (iptables maps 21 -> 10121)
    ListenerFactory ftpfactory = new ListenerFactory();
    ftpfactory.setPort(10121);

    // setActiveLocalPort sets the local port used for active-mode
    // (server-initiated) data connections only
    DataConnectionConfigurationFactory dataConnFactory = new DataConnectionConfigurationFactory();
    dataConnFactory.setActiveLocalPort(10120);
    ftpfactory.setDataConnectionConfiguration(dataConnFactory.createDataConnectionConfiguration());

    serverFactory.addListener("default", ftpfactory.createListener());
    FtpServer ftpServer = serverFactory.createServer();

Using the code above does not yield the result that I was expecting (a
binding to 10120), as I cannot see it using netstat -a and the connection
does not appear to work.

Can anyone advise me on how to configure the port binding for the FTP data
port?

Regards

Re: Binding FTP data port

Posted by Sai Pullabhotla <sa...@jmethods.com>.
You do not really need any entries in iptables for passive data
connections. Passive data ports are picked randomly by the FTP
server and are always above port 1024. This means that the
application does not require root access. You could also define a
range of ports, for example 30000 through 30200, in which case the FTP
server ensures it is using a passive port in the specified range.
If your devices connect through a firewall, the firewall has to allow
incoming connections for the passive data connections. Depending on if
you defined a range of ports or not, you may have to open some ports
on the firewall. If the devices are all internal you need not do
anything.

Hope this helps.

Regards,
Sai Pullabhotla
On Fri, Mar 12, 2010 at 7:22 AM, Aidan Diffey
<ai...@googlemail.com> wrote:
> Thank you for the information. This means that I have to re-think as I
> require, for example, 100 devices to send information to my server at the
> same time.
>
> Back to the original question.  Why does the connection not work when I am
> not running as root?
>
> I believe that the device(s) are using a passive connection as I get the
> following trace (when running as root)
>
> 13:14:27,390 INFO  [FtpLoggingFilter] CREATED
> 13:14:27,398 INFO  [FtpLoggingFilter] OPENED
> 13:14:27,422 INFO  [FtpLoggingFilter] SENT: 220 Service ready for new user.
>
> 13:14:27,472 INFO  [FtpLoggingFilter] RECEIVED: USER <USERNAME>
> 13:14:27,475 INFO  [FtpLoggingFilter] SENT: 331 User name okay, need
> password for <USERNAME>.
>
> 13:14:27,525 INFO  [FtpLoggingFilter] RECEIVED: PASS *****
> 13:14:27,535 INFO  [PASS] Login success - FTPROOT
> 13:14:27,536 INFO  [FtpLoggingFilter] SENT: 230 User logged in, proceed.
>
> 13:14:27,584 INFO  [FtpLoggingFilter] RECEIVED: PWD
> 13:14:27,585 INFO  [FtpLoggingFilter] SENT: 257 "/" is current directory.
>
> 13:14:27,634 INFO  [FtpLoggingFilter] RECEIVED: CWD <DIRECTORY>
> 13:14:27,635 INFO  [FtpLoggingFilter] SENT: 250 Ok
>
> 13:14:27,684 INFO  [FtpLoggingFilter] RECEIVED: CWD TestConn
> 13:14:27,685 INFO  [FtpLoggingFilter] SENT: 250 Ok
>
> 13:14:27,734 INFO  [FtpLoggingFilter] RECEIVED: EPSV
> 13:14:27,737 INFO  [FtpLoggingFilter] SENT: 229 Entering Passive Mode
> (|||10120|)
>
> 13:14:27,844 INFO  [FtpLoggingFilter] RECEIVED: TYPE I
> 13:14:27,846 INFO  [FtpLoggingFilter] SENT: 200 Command TYPE okay.
>
> 13:14:27,893 INFO  [FtpLoggingFilter] RECEIVED: STOR TestConn.xml
> 13:14:27,948 INFO  [FtpLoggingFilter] SENT: 150 Ok
>
> 13:14:27,948 INFO  [FtpLoggingFilter] SENT: 226 Ok
>
> 13:14:28,031 INFO  [FtpLoggingFilter] RECEIVED: QUIT
> 13:14:28,033 INFO  [FtpLoggingFilter] SENT: 221 Goodbye.
>
> 13:14:28,033 INFO  [FtpLoggingFilter] CLOSED
>
>
> When I am not running as root, I get the following trace:
>
> 13:17:27,578 INFO  [FtpLoggingFilter] CREATED
> 13:17:27,587 INFO  [FtpLoggingFilter] OPENED
> 13:17:27,615 INFO  [FtpLoggingFilter] SENT: 220 Service ready for new user.
>
> 13:17:27,666 INFO  [FtpLoggingFilter] RECEIVED: USER <USERNAME>
> 13:17:27,669 INFO  [FtpLoggingFilter] SENT: 331 User name okay, need
> password for <USERNAME>.
>
> 13:17:28,213 INFO  [FtpLoggingFilter] RECEIVED: PASS *****
> 13:17:28,222 INFO  [PASS] Login success - FTPROOT
> 13:17:28,223 INFO  [FtpLoggingFilter] SENT: 230 User logged in, proceed.
>
> 13:17:28,271 INFO  [FtpLoggingFilter] RECEIVED: PWD
> 13:17:28,272 INFO  [FtpLoggingFilter] SENT: 257 "/" is current directory.
>
> 13:17:28,320 INFO  [FtpLoggingFilter] RECEIVED: CWD <DIRECTORY>
> 13:17:28,320 INFO  [FtpLoggingFilter] SENT: 250 Ok
>
> 13:17:28,367 INFO  [FtpLoggingFilter] RECEIVED: CWD TestConn
> 13:17:28,367 INFO  [FtpLoggingFilter] SENT: 250 Ok
>
> 13:17:28,414 INFO  [FtpLoggingFilter] RECEIVED: EPSV
> 13:17:28,417 INFO  [FtpLoggingFilter] SENT: 229 Entering Passive Mode
> (|||10120|)
>
> 13:17:28,512 INFO  [FtpLoggingFilter] RECEIVED: PASV
> 13:17:28,514 INFO  [FtpLoggingFilter] SENT: 227 Entering Passive Mode
> (10,101,64,144,39,136)
>
> 13:17:28,817 WARN  [FtpLoggingFilter] EXCEPTION :
> java.io.IOException: Connection reset by peer
>        at sun.nio.ch.FileDispatcher.read0(Native Method)
>        at sun.nio.ch.SocketDispatcher.read(SocketDispatcher.java:21)
>        at sun.nio.ch.IOUtil.readIntoNativeBuffer(IOUtil.java:233)
>        at sun.nio.ch.IOUtil.read(IOUtil.java:206)
>        at sun.nio.ch.SocketChannelImpl.read(SocketChannelImpl.java:207)
>        at
> org.apache.mina.transport.socket.nio.NioProcessor.read(NioProcessor.java:179)
>        at
> org.apache.mina.transport.socket.nio.NioProcessor.read(NioProcessor.java:41)
>        at
> org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:585)
>        at
> org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:563)
>        at
> org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:552)
>        at
> org.apache.mina.core.polling.AbstractPollingIoProcessor.access$400(AbstractPollingIoProcessor.java:56)
>        at
> org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:891)
>        at
> org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
>        at
> java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:651)
>        at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:676)
>        at java.lang.Thread.run(Thread.java:595)
> 13:17:28,819 ERROR [DefaultFtpHandler] Exception caught, closing session
> java.io.IOException: Connection reset by peer
>        at sun.nio.ch.FileDispatcher.read0(Native Method)
>        at sun.nio.ch.SocketDispatcher.read(SocketDispatcher.java:21)
>        at sun.nio.ch.IOUtil.readIntoNativeBuffer(IOUtil.java:233)
>        at sun.nio.ch.IOUtil.read(IOUtil.java:206)
>        at sun.nio.ch.SocketChannelImpl.read(SocketChannelImpl.java:207)
>        at
> org.apache.mina.transport.socket.nio.NioProcessor.read(NioProcessor.java:179)
>        at
> org.apache.mina.transport.socket.nio.NioProcessor.read(NioProcessor.java:41)
>        at
> org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:585)
>        at
> org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:563)
>        at
> org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:552)
>        at
> org.apache.mina.core.polling.AbstractPollingIoProcessor.access$400(AbstractPollingIoProcessor.java:56)
>        at
> org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:891)
>        at
> org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
>        at
> java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:651)
>        at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:676)
>        at java.lang.Thread.run(Thread.java:595)
> 13:17:28,819 INFO  [FtpLoggingFilter] CLOSED
>
> This suggests that something couldn't bind correctly.
>
> I have the following setup in IPTABLES:
>
> DNAT       tcp  --  anywhere             anywhere            tcp
> dpt:ftp-data to:<ipaddress>:10120
> DNAT       tcp  --  anywhere             anywhere            tcp dpt:ftp to:
> <ipaddress>:10121
>
> Which maps port 20 to 10120 and 21 to 10121, and the following in my server
> code:
>
>
> DataConnectionConfigurationFactory dataConnFactory = new DataConnectionConfigurationFactory();
> dataConnFactory.setPassivePorts("10120");
>
>
> Thank you for the continued help.
>
>
> On Fri, Mar 12, 2010 at 12:59 PM, Niklas Gustavsson <ni...@protocol7.com>wrote:
>
>> On Fri, Mar 12, 2010 at 12:57 PM, Aidan Diffey
>> <ai...@googlemail.com> wrote:
>> > Further information on the port binding:
>> > If I run my application as root, all is well.  If I run as another user,
>> I
>> > get the "Connection reset by peer" message when the device attempts to
>> > connect and send a file to the server.
>> >
>> > Let me check that I understand you.
>> >
>> > The device / devices that are attaching to my FTPServer use ports 20 and
>> 21.
>>
>> The devices must be configured to use passive connections (the default
>> is usually active connections).
>>
>> > If I map using IPTables port 20 to 10120 and port 21 to 10121 then I need
>> to
>> > bind my server to ports 10120 and 10121.
>> > As I stated in the previous post, I cannot bind the server to 10120 and
>> see
>> > it appear on a netstat -a command.
>>
>> You will only see the port after the client sends the PASV command and
>> it will only live for as long as the transfer over the data connection
>> is in progress.
>>
>> > As for your second point, If I have 10 devices trying to communicate with
>> my
>> > FTPServer on ports 10120 and 10121, will they be able to connect
>> > simultaneously, or will they have to connect sequentially?
>>
>> They will be able to connect to the control socket simultaneously, but
>> only do data transfers sequentially.
>>
>> /niklas
>>
>

Re: Binding FTP data port

Posted by Niklas Gustavsson <ni...@protocol7.com>.
On Fri, Mar 12, 2010 at 4:43 PM, Aidan Diffey
<ai...@googlemail.com> wrote:
> I have fixed it using another iptables command:
>
> iptables -A PREROUTING -t nat -p tcp -m tcp --dport 21 -j REDIRECT --to-ports 10121
>
> This appears to fix the connection problem.

It seems like we should have pointed you to this page in our
documentation, sorry for not remembering it earlier.
http://mina.apache.org/ftpserver/ftpserver-and-port-21-on-linux.html

/niklas

Re: Binding FTP data port

Posted by Aidan Diffey <ai...@googlemail.com>.
All.

I have fixed it using another iptables command:

iptables -A PREROUTING -t nat -p tcp -m tcp --dport 21 -j REDIRECT --to-ports 10121

This appears to fix the connection problem.

Thank you for all your help.

On Fri, Mar 12, 2010 at 3:19 PM, Aidan Diffey
<ai...@googlemail.com>wrote:

> It looks like when not running as root it is failing the EPSV command and
> falling back to normal PASV mode.
>
> One of my friends has just pointed out that there may be an issue using FTP
> with iptables and NAT.
>
>
> On Fri, Mar 12, 2010 at 3:09 PM, Niklas Gustavsson <ni...@protocol7.com>wrote:
>
>> On Fri, Mar 12, 2010 at 3:54 PM, Aidan Diffey
>> <ai...@googlemail.com> wrote:
>> > --ROOT---
>> > EPSV
>> > 229 Entering Passive Mode (|||40112|)
>> >
>> > --NO ROOT USER--
>>
>> > EPSV
>> > 229 Entering Passive Mode (|||46726|)
>> > PASV
>> > 227 Entering Passive Mode (10,101,64,144,172,26)
>> > 227 Entering Passive Mode (10,101,64,144,172,26)
>>
>> How come the client sends different commands depending on whether you
>> run the server as root or not? Seems odd.
>>
>> /niklas
>>
>
>

Re: Binding FTP data port

Posted by Aidan Diffey <ai...@googlemail.com>.
It looks like when not running as root it is failing the EPSV command and
falling back to normal PASV mode.

One of my friends has just pointed out that there may be an issue using FTP
with iptables and NAT.

On Fri, Mar 12, 2010 at 3:09 PM, Niklas Gustavsson <ni...@protocol7.com>wrote:

> On Fri, Mar 12, 2010 at 3:54 PM, Aidan Diffey
> <ai...@googlemail.com> wrote:
> > --ROOT---
> > EPSV
> > 229 Entering Passive Mode (|||40112|)
> >
> > --NO ROOT USER--
>
> > EPSV
> > 229 Entering Passive Mode (|||46726|)
> > PASV
> > 227 Entering Passive Mode (10,101,64,144,172,26)
> > 227 Entering Passive Mode (10,101,64,144,172,26)
>
> How come the client sends different commands depending on whether you
> run the server as root or not? Seems odd.
>
> /niklas
>

Re: Binding FTP data port

Posted by Niklas Gustavsson <ni...@protocol7.com>.
On Fri, Mar 12, 2010 at 3:54 PM, Aidan Diffey
<ai...@googlemail.com> wrote:
> --ROOT---
> EPSV
> 229 Entering Passive Mode (|||40112|)
>
> --NO ROOT USER--

> EPSV
> 229 Entering Passive Mode (|||46726|)
> PASV
> 227 Entering Passive Mode (10,101,64,144,172,26)
> 227 Entering Passive Mode (10,101,64,144,172,26)

How come the client sends different commands depending on whether you
run the server as root or not? Seems odd.

/niklas

Re: Binding FTP data port

Posted by Aidan Diffey <ai...@googlemail.com>.
Okay, another update (and hopefully the last).

I have used wireshark to get some information about the problem running as
both root and the other user, and the results are as follows:

--ROOT---
220 Service ready for new user.
USER FTPROOT
331 User name okay, need password for FTPROOT.
PASS ********
230 User logged in, proceed.
PWD
257 "/" is current directory.
CWD S501
250 Ok
CWD TestConn
250 Ok
EPSV
229 Entering Passive Mode (|||40112|)
TYPE I
200 Command TYPE okay.
STOR TestConn.xml
150 Ok
226 Ok
QUIT
221 Goodbye.


--NO ROOT USER--
220 Service ready for new user.
USER FTPROOT
331 User name okay, need password for FTPROOT.
PASS ********
230 User logged in, proceed.
PWD
257 "/" is current directory.
CWD S501
250 Ok
CWD TestConn
250 Ok
EPSV
229 Entering Passive Mode (|||46726|)
PASV
227 Entering Passive Mode (10,101,64,144,172,26)
227 Entering Passive Mode (10,101,64,144,172,26)
>> FAIL <<


Does this help at all?



On Fri, Mar 12, 2010 at 2:38 PM, Aidan Diffey
<ai...@googlemail.com>wrote:

> These numbers are below the 1024 port number. Does that mean that only root
> can bind these ports?
>
>
> On Fri, Mar 12, 2010 at 2:28 PM, Sai Pullabhotla <
> sai.pullabhotla@jmethods.com> wrote:
>
>> The last two numbers give the port information to the client so the
>> client can connect back to the server for sending/receiving data. The
>> actual port number is calculated using (256*n1) + n2. Of course, this
>> is the standard syntax defined in the FTP protocol.
>>
>> Regards,
>> Sai Pullabhotla
>>
>>
>>
>>
>>
>> On Fri, Mar 12, 2010 at 8:21 AM, Aidan Diffey
>> <ai...@googlemail.com> wrote:
>> > Just out of interest, what do the numbers mean in the line:
>> >
>> > 227 Entering Passive Mode (10,101,64,144,173,138)
>> >
>> > I can see the 10 101 64 144 is the IP address of the server, but what
>> about
>> > the 173, 138 numbers?
>> >
>> > On Fri, Mar 12, 2010 at 2:07 PM, Aidan Diffey
>> > <ai...@googlemail.com>wrote:
>> >
>> >> Sorry, that IP tables entry should have been:
>> >>
>> >>
>> >> DNAT       tcp  --  anywhere             anywhere            tcp
>> dpt:ftp
>> >> to:10.101.64.144:10121
>> >>
>> >>
>> >>
>> >>
>> >> On Fri, Mar 12, 2010 at 1:56 PM, Niklas Gustavsson <
>> niklas@protocol7.com>wrote:
>> >>
>> >>> On Fri, Mar 12, 2010 at 2:46 PM, Niklas Gustavsson <
>> niklas@protocol7.com>
>> >>> wrote:
>> >>> > In this case, are you really running behind iptables? Because, it
>> >>> > struck me that since you map the ports, the client will try to
>> connect
>> >>> > to the server on 10120 since that's what the server told him to do
>> in
>> >>> > the response to the PASV command. He will not know to connect on
>> port
>> >>> > 20.
>> >>>
>> >>> That being said, we currently support providing an "external" IP
>> >>> address for passive connection, for use when we're behind a NAT. But,
>> >>> we do not support providing an "external" port, for this kind of use.
>> >>> We surely could, if people are really interested in port mapping
>> >>> passive connections. I doubt it is that useful, but who knows :-)
>> >>>
>> >>> /niklas
>> >>>
>> >>
>> >>
>> >
>>
>
>

Re: Binding FTP data port

Posted by Aidan Diffey <ai...@googlemail.com>.
These numbers are below the 1024 port number. Does that mean that only root
can bind these ports?

On Fri, Mar 12, 2010 at 2:28 PM, Sai Pullabhotla <
sai.pullabhotla@jmethods.com> wrote:

> The last two numbers give the port information to the client so the
> client can connect back to the server for sending/receiving data. The
> actual port number is calculated using (256*n1) + n2. Of course, this
> is the standard syntax defined in the FTP protocol.
>
> Regards,
> Sai Pullabhotla
>
>
>
>
>
> On Fri, Mar 12, 2010 at 8:21 AM, Aidan Diffey
> <ai...@googlemail.com> wrote:
> > Just out of interest, what do the numbers mean in the line:
> >
> > 227 Entering Passive Mode (10,101,64,144,173,138)
> >
> > I can see the 10 101 64 144 is the IP address of the server, but what
> about
> > the 173, 138 numbers?
> >
> > On Fri, Mar 12, 2010 at 2:07 PM, Aidan Diffey
> > <ai...@googlemail.com>wrote:
> >
> >> Sorry, that IP tables entry should have been:
> >>
> >>
> >> DNAT       tcp  --  anywhere             anywhere            tcp
> dpt:ftp
> >> to:10.101.64.144:10121
> >>
> >>
> >>
> >>
> >> On Fri, Mar 12, 2010 at 1:56 PM, Niklas Gustavsson <
> niklas@protocol7.com>wrote:
> >>
> >>> On Fri, Mar 12, 2010 at 2:46 PM, Niklas Gustavsson <
> niklas@protocol7.com>
> >>> wrote:
> >>> > In this case, are you really running behind iptables? Because, it
> >>> > struck me that since you map the ports, the client will try to
> connect
> >>> > to the server on 10120 since that's what the server told him to do in
> >>> > the response to the PASV command. He will not know to connect on port
> >>> > 20.
> >>>
> >>> That being said, we currently support providing an "external" IP
> >>> address for passive connection, for use when we're behind a NAT. But,
> >>> we do not support providing an "external" port, for this kind of use.
> >>> We surely could, if people are really interested in port mapping
> >>> passive connections. I doubt it is that useful, but who knows :-)
> >>>
> >>> /niklas
> >>>
> >>
> >>
> >
>

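Sai's point earlier in this thread that passive data ports are chosen above 1024 from a configurable range, and Aidan's question just above about which ports only root can bind, as an added Python example that is not part of this thread or of Apache FtpServer. parse_passive_ports accepts the same "30000 - 30200" shape used with setPassivePorts in this thread; open_passive_listener binds the first free port of the range in order, which is a simplification of the server's own (random) selection; the 1024 boundary is the Linux default (net.ipv4.ip_unprivileged_port_start, overridable by that sysctl or by CAP_NET_BIND_SERVICE) and is stated here as an assumption about the target system.

```python
import socket
from typing import List, Optional, Set, Tuple

# Assumption: default Linux value of net.ipv4.ip_unprivileged_port_start.
PRIVILEGED_PORT_LIMIT = 1024


def parse_passive_ports(spec: str) -> List[int]:
    """Expand a passive-port spec such as "10120", "30000 - 30200" or
    "30000-30002, 40000" into a sorted list of candidate ports."""
    ports: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo_s, hi_s = (p.strip() for p in part.split("-", 1))
            lo, hi = int(lo_s), int(hi_s)
            if lo > hi:
                raise ValueError(f"inverted range in passive port spec: {part!r}")
        else:
            lo = hi = int(part)
        if not (1 <= lo <= 65535 and 1 <= hi <= 65535):
            raise ValueError(f"port out of range in passive port spec: {part!r}")
        ports.update(range(lo, hi + 1))
    if not ports:
        raise ValueError("empty passive port spec")
    return sorted(ports)


def needs_privilege(port: int) -> bool:
    """True for ports an unprivileged process cannot bind on a default Linux
    system (below 1024 without CAP_NET_BIND_SERVICE or a lowered sysctl)."""
    return port < PRIVILEGED_PORT_LIMIT


def open_passive_listener(spec: str, host: str = "127.0.0.1") -> Tuple[socket.socket, int]:
    """Bind a listening socket on the first free port of the spec, the way a
    server reserves a passive data port for one transfer. Returns (socket, port);
    the caller closes the socket once the transfer is done, which is why the port
    is only visible in netstat while a transfer is in progress. Raises OSError when
    every port in the range is already taken."""
    last_err: Optional[OSError] = None
    for port in parse_passive_ports(spec):
        # Ports below 1024 would fail with EACCES for a non-root process; skip them
        # instead of spending a bind() attempt on each.
        if needs_privilege(port):
            continue
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            # No SO_REUSEADDR on purpose: a port another listener holds must fail.
            s.bind((host, port))
            s.listen(1)
            return s, port
        except OSError as e:
            s.close()
            last_err = e
    raise OSError(f"no free unprivileged port in passive range {spec!r}") from last_err


if __name__ == "__main__":
    # Constructed walk-through: reserve two data ports from the range used in this thread.
    a, pa = open_passive_listener("30000 - 30200")
    b, pb = open_passive_listener("30000 - 30200")
    print("reserved passive ports:", pa, pb)
    a.close()
    b.close()
```

Each call holds its port only as long as the returned socket stays open, so two concurrent transfers get two distinct ports and the range size is the ceiling on simultaneous data connections, which is what makes a single-port range such as "10120" serialise transfers.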
Re: Binding FTP data port

Posted by Sai Pullabhotla <sa...@jmethods.com>.
The last two numbers give the port information to the client so the
client can connect back to the server for sending/receiving data. The
actual port number is calculated using (256*n1) + n2. Of course, this
is the standard syntax defined in the FTP protocol.

Regards,
Sai Pullabhotla
On Fri, Mar 12, 2010 at 8:21 AM, Aidan Diffey
<ai...@googlemail.com> wrote:
> Just out of interest, what do the numbers mean in the line:
>
> 227 Entering Passive Mode (10,101,64,144,173,138)
>
> I can see the 10 101 64 144 is the IP address of the server, but what about
> the 173, 138 numbers?
>
> On Fri, Mar 12, 2010 at 2:07 PM, Aidan Diffey
> <ai...@googlemail.com>wrote:
>
>> Sorry, that IP tables entry should have been:
>>
>>
>> DNAT       tcp  --  anywhere             anywhere            tcp dpt:ftp
>> to:10.101.64.144:10121
>>
>>
>>
>>
>> On Fri, Mar 12, 2010 at 1:56 PM, Niklas Gustavsson <ni...@protocol7.com>wrote:
>>
>>> On Fri, Mar 12, 2010 at 2:46 PM, Niklas Gustavsson <ni...@protocol7.com>
>>> wrote:
>>> > In this case, are you really running behind iptables? Because, it
>>> > struck me that since you map the ports, the client will try to connect
>>> > to the server on 10120 since that's what the server told him to do in
>>> > the response to the PASV command. He will not know to connect on port
>>> > 20.
>>>
>>> That being said, we currently support providing an "external" IP
>>> address for passive connection, for use when we're behind a NAT. But,
>>> we do not support providing an "external" port, for this kind of use.
>>> We surely could, if people are really interested in port mapping
>>> passive connections. I doubt it is that useful, but who knows :-)
>>>
>>> /niklas
>>>
>>
>>
>

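The port arithmetic Sai explains above ((256*n1) + n2), together with the NAT caveat Niklas raises in this thread (an "external" address can be substituted in the 227 reply, but the port cannot be remapped, so a DNAT of port 20 is never hit), as an added Python example that is not part of this thread or of Apache FtpServer. The sample replies are of the same shape as the ones in the posted traces; build_pasv_reply, data_endpoint and the nat_mismatch flag are this example's own names, and the external address 203.0.113.7 is a documentation-range placeholder, not an address from the thread.

```python
import ipaddress
import re
from typing import Dict, Optional, Tuple, Union

# RFC 959: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)", port = p1*256 + p2.
_PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)
# RFC 2428: "229 Entering Extended Passive Mode (|||port|)", address is implied.
_EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d{1,5})\|\)")


def _check_port(port: int) -> int:
    if not 0 < port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def parse_pasv_reply(line: str) -> Tuple[str, int]:
    """Decode a 227 reply into (host, port); every field must fit one octet."""
    m = _PASV_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a 227 reply: {line!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field exceeds one octet: {line!r}")
    host = ".".join(str(f) for f in fields[:4])
    return host, _check_port(fields[4] * 256 + fields[5])


def parse_epsv_reply(line: str) -> int:
    """Decode a 229 reply into a port. EPSV carries no address: the client reuses
    the address of the control connection, which is why EPSV works through NAT
    where PASV can advertise an unreachable private address."""
    m = _EPSV_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a 229 reply: {line!r}")
    return _check_port(int(m.group(1)))


def build_pasv_reply(bind_addr: str, port: int, external_addr: Optional[str] = None) -> str:
    """Build the 227 reply a server sends. external_addr, if given, is advertised
    instead of the bind address (what a passive 'external address' setting does
    for a server behind NAT). The port is advertised as-is: the client connects to
    exactly this port, so a DNAT rule for port 20 on the server is never used."""
    addr = ipaddress.IPv4Address(external_addr or bind_addr)
    _check_port(port)
    h = str(addr).split(".")
    return "227 Entering Passive Mode (%s,%s,%s,%s,%d,%d)" % (
        h[0], h[1], h[2], h[3], port // 256, port % 256
    )


def data_endpoint(reply: str, control_peer: str) -> Dict[str, Union[str, int, bool]]:
    """Where a client will open the data connection after this reply, given the
    server address it used for the control connection. nat_mismatch is set when a
    227 reply advertises an address other than the one the client is already
    talking to (typically a private address leaking through NAT)."""
    if reply.startswith("229"):
        return {"host": control_peer, "port": parse_epsv_reply(reply), "nat_mismatch": False}
    host, port = parse_pasv_reply(reply)
    return {"host": host, "port": port, "nat_mismatch": host != control_peer}


if __name__ == "__main__":
    # Constructed walk-through using replies of the same shape as the posted traces.
    for line in ("227 Entering Passive Mode (10,101,64,144,39,136)",
                 "229 Entering Passive Mode (|||30000|)"):
        print(line, "->", data_endpoint(line, "10.101.64.144"))
    print(build_pasv_reply("10.101.64.144", 30000, external_addr="203.0.113.7"))
```

Decoding the 227 replies from the traces in this thread shows the server advertising exactly the configured passive port (39,136 is 10120; 117,48 is 30000): the client then connects to that port directly, which is why only the control port needs an iptables rule.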
Re: Binding FTP data port

Posted by Aidan Diffey <ai...@googlemail.com>.
Just out of interest, what do the numbers mean in the line:

227 Entering Passive Mode (10,101,64,144,173,138)

I can see the 10 101 64 144 is the IP address of the server, but what about
the 173, 138 numbers?

On Fri, Mar 12, 2010 at 2:07 PM, Aidan Diffey
<ai...@googlemail.com>wrote:

> Sorry, that IP tables entry should have been:
>
>
> DNAT       tcp  --  anywhere             anywhere            tcp dpt:ftp
> to:10.101.64.144:10121
>
>
>
>
> On Fri, Mar 12, 2010 at 1:56 PM, Niklas Gustavsson <ni...@protocol7.com>wrote:
>
>> On Fri, Mar 12, 2010 at 2:46 PM, Niklas Gustavsson <ni...@protocol7.com>
>> wrote:
>> > In this case, are you really running behind iptables? Because, it
>> > struck me that since you map the ports, the client will try to connect
>> > to the server on 10120 since that's what the server told him to do in
>> > the response to the PASV command. He will not know to connect on port
>> > 20.
>>
>> That being said, we currently support providing an "external" IP
>> address for passive connection, for use when we're behind a NAT. But,
>> we do not support providing an "external" port, for this kind of use.
>> We surely could, if people are really interested in port mapping
>> passive connections. I doubt it is that useful, but who knows :-)
>>
>> /niklas
>>
>
>

Re: Binding FTP data port

Posted by Aidan Diffey <ai...@googlemail.com>.
Sorry, that IP tables entry should have been:


DNAT       tcp  --  anywhere             anywhere            tcp dpt:ftp
to:10.101.64.144:10121


On Fri, Mar 12, 2010 at 1:56 PM, Niklas Gustavsson <ni...@protocol7.com>wrote:

> On Fri, Mar 12, 2010 at 2:46 PM, Niklas Gustavsson <ni...@protocol7.com>
> wrote:
> > In this case, are you really running behind iptables? Because, it
> > struck me that since you map the ports, the client will try to connect
> > to the server on 10120 since that's what the server told him to do in
> > the response to the PASV command. He will not know to connect on port
> > 20.
>
> That being said, we currently support providing an "external" IP
> address for passive connection, for use when we're behind a NAT. But,
> we do not support providing an "external" port, for this kind of use.
> We surely could, if people are really interested in port mapping
> passive connections. I doubt it is that useful, but who knows :-)
>
> /niklas
>

Re: Binding FTP data port

Posted by Aidan Diffey <ai...@googlemail.com>.
Hello All.

I have changed the iptables to only do port 21:

DNAT       udp  --  anywhere             anywhere            udp
dpt:snmptrap to:10.101.64.144:10162

and I added the line dataConnFactory.setPassivePorts("30000 - 30200"); to
my server code, and I am still getting the same connection problem:

14:05:31,261 INFO  [FtpLoggingFilter] OPENED
14:05:31,261 INFO  [FtpLoggingFilter] SENT: 220 Service ready for new user.

14:05:31,311 INFO  [FtpLoggingFilter] RECEIVED: USER FTPROOT
14:05:31,311 INFO  [FtpLoggingFilter] SENT: 331 User name okay, need
password for FTPROOT.

14:05:31,363 INFO  [FtpLoggingFilter] RECEIVED: PASS *****
14:05:31,364 INFO  [PASS] Login success - FTPROOT
14:05:31,364 INFO  [FtpLoggingFilter] SENT: 230 User logged in, proceed.

14:05:31,410 INFO  [FtpLoggingFilter] RECEIVED: PWD
14:05:31,411 INFO  [FtpLoggingFilter] SENT: 257 "/" is current directory.

14:05:31,458 INFO  [FtpLoggingFilter] RECEIVED: CWD ANPR_S501
14:05:31,459 INFO  [FtpLoggingFilter] SENT: 250 Ok

14:05:31,502 INFO  [FtpLoggingFilter] RECEIVED: CWD TestConn
14:05:31,503 INFO  [FtpLoggingFilter] SENT: 250 Ok

14:05:31,549 INFO  [FtpLoggingFilter] RECEIVED: EPSV
14:05:31,550 INFO  [FtpLoggingFilter] SENT: 229 Entering Passive Mode
(|||30000|)

14:05:31,655 INFO  [FtpLoggingFilter] RECEIVED: PASV
14:05:31,656 INFO  [FtpLoggingFilter] SENT: 227 Entering Passive Mode
(10,101,64,144,117,48)

14:05:31,909 WARN  [FtpLoggingFilter] EXCEPTION :
java.io.IOException: Connection reset by peer
        at sun.nio.ch.FileDispatcher.read0(Native Method)
        at sun.nio.ch.SocketDispatcher.read(SocketDispatcher.java:21)
        at sun.nio.ch.IOUtil.readIntoNativeBuffer(IOUtil.java:233)
        at sun.nio.ch.IOUtil.read(IOUtil.java:206)
        at sun.nio.ch.SocketChannelImpl.read(SocketChannelImpl.java:207)
        at
org.apache.mina.transport.socket.nio.NioProcessor.read(NioProcessor.java:179)
        at
org.apache.mina.transport.socket.nio.NioProcessor.read(NioProcessor.java:41)
        at
org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:585)
        at
org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:563)
        at
org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:552)
        at
org.apache.mina.core.polling.AbstractPollingIoProcessor.access$400(AbstractPollingIoProcessor.java:56)
        at
org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:891)
        at
org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
        at
java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:651)
        at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:676)
        at java.lang.Thread.run(Thread.java:595)
14:05:31,909 ERROR [DefaultFtpHandler] Exception caught, closing session
java.io.IOException: Connection reset by peer
        at sun.nio.ch.FileDispatcher.read0(Native Method)
        at sun.nio.ch.SocketDispatcher.read(SocketDispatcher.java:21)
        at sun.nio.ch.IOUtil.readIntoNativeBuffer(IOUtil.java:233)
        at sun.nio.ch.IOUtil.read(IOUtil.java:206)
        at sun.nio.ch.SocketChannelImpl.read(SocketChannelImpl.java:207)
        at
org.apache.mina.transport.socket.nio.NioProcessor.read(NioProcessor.java:179)
        at
org.apache.mina.transport.socket.nio.NioProcessor.read(NioProcessor.java:41)
        at
org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:585)
        at
org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:563)
        at
org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:552)
        at
org.apache.mina.core.polling.AbstractPollingIoProcessor.access$400(AbstractPollingIoProcessor.java:56)
        at
org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:891)
        at
org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
        at
java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:651)
        at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:676)
        at java.lang.Thread.run(Thread.java:595)
14:05:31,909 INFO  [FtpLoggingFilter] CLOSED


I can see the change in port on the 14:05:31,550 INFO  [FtpLoggingFilter]
SENT: 229 Entering Passive Mode (|||30000|) line (the 30000).

Still not working :-(

On Fri, Mar 12, 2010 at 1:56 PM, Niklas Gustavsson <ni...@protocol7.com>wrote:

> On Fri, Mar 12, 2010 at 2:46 PM, Niklas Gustavsson <ni...@protocol7.com>
> wrote:
> > In this case, are you really running behind iptables? Because, it
> > struck me that since you map the ports, the client will try to connect
> > to the server on 10120 since that's what the server told him to do in
> > the response to the PASV command. He will not know to connect on port
> > 20.
>
> That being said, we currently support providing an "external" IP
> address for passive connection, for use when we're behind a NAT. But,
> we do not support providing an "external" port, for this kind of use.
> We surely could, if people are really interested in port mapping
> passive connections. I doubt it is that useful, but who knows :-)
>
> /niklas
>

Re: Binding FTP data port

Posted by Niklas Gustavsson <ni...@protocol7.com>.
On Fri, Mar 12, 2010 at 2:46 PM, Niklas Gustavsson <ni...@protocol7.com> wrote:
> In this case, are you really running behind iptables? Because, it
> struck me that since you map the ports, the client will try to connect
> to the server on 10120 since that's what the server told him to do in
> the response to the PASV command. He will not know to connect on port
> 20.

That being said, we currently support providing an "external" IP
address for passive connection, for use when we're behind a NAT. But,
we do not support providing an "external" port, for this kind of use.
We surely could, if people are really interested in port mapping
passive connections. I doubt it is that useful, but who knows :-)

/niklas

Re: Binding FTP data port

Posted by Niklas Gustavsson <ni...@protocol7.com>.
On Fri, Mar 12, 2010 at 2:22 PM, Aidan Diffey
<ai...@googlemail.com> wrote:
> Thank you for the information. This means that I have to re-think as I
> require, for example, 100 devices to send information to my server at the
> same time.

You could map more ports I guess, but read more below :-)

> Back to the original question.  Why does the connection not work when I am
> not running as root?

In this case, are you really running behind iptables? Because, it
struck me that since you map the ports, the client will try to connect
to the server on 10120 since that's what the server told him to do in
the response to the PASV command. He will not know to connect on port
20.

Why do you need to port map the data connection? Instead, could you
not only port map the control socket (port 21) and then let the server
pick a passive port >1024 (and if needed configure this in your
firewall).

/niklas

Re: Binding FTP data port

Posted by Aidan Diffey <ai...@googlemail.com>.
Thank you for the information. This means that I have to re-think as I
require, for example, 100 devices to send information to my server at the
same time.

Back to the original question.  Why does the connection not work when I am
not running as root?

I believe that the device(s) are using a passive connection as I get the
following trace (when running as root)

13:14:27,390 INFO  [FtpLoggingFilter] CREATED
13:14:27,398 INFO  [FtpLoggingFilter] OPENED
13:14:27,422 INFO  [FtpLoggingFilter] SENT: 220 Service ready for new user.

13:14:27,472 INFO  [FtpLoggingFilter] RECEIVED: USER <USERNAME>
13:14:27,475 INFO  [FtpLoggingFilter] SENT: 331 User name okay, need
password for <USERNAME>.

13:14:27,525 INFO  [FtpLoggingFilter] RECEIVED: PASS *****
13:14:27,535 INFO  [PASS] Login success - FTPROOT
13:14:27,536 INFO  [FtpLoggingFilter] SENT: 230 User logged in, proceed.

13:14:27,584 INFO  [FtpLoggingFilter] RECEIVED: PWD
13:14:27,585 INFO  [FtpLoggingFilter] SENT: 257 "/" is current directory.

13:14:27,634 INFO  [FtpLoggingFilter] RECEIVED: CWD <DIRECTORY>
13:14:27,635 INFO  [FtpLoggingFilter] SENT: 250 Ok

13:14:27,684 INFO  [FtpLoggingFilter] RECEIVED: CWD TestConn
13:14:27,685 INFO  [FtpLoggingFilter] SENT: 250 Ok

13:14:27,734 INFO  [FtpLoggingFilter] RECEIVED: EPSV
13:14:27,737 INFO  [FtpLoggingFilter] SENT: 229 Entering Passive Mode
(|||10120|)

13:14:27,844 INFO  [FtpLoggingFilter] RECEIVED: TYPE I
13:14:27,846 INFO  [FtpLoggingFilter] SENT: 200 Command TYPE okay.

13:14:27,893 INFO  [FtpLoggingFilter] RECEIVED: STOR TestConn.xml
13:14:27,948 INFO  [FtpLoggingFilter] SENT: 150 Ok

13:14:27,948 INFO  [FtpLoggingFilter] SENT: 226 Ok

13:14:28,031 INFO  [FtpLoggingFilter] RECEIVED: QUIT
13:14:28,033 INFO  [FtpLoggingFilter] SENT: 221 Goodbye.

13:14:28,033 INFO  [FtpLoggingFilter] CLOSED


When I am not running as root, I get the following trace:

13:17:27,578 INFO  [FtpLoggingFilter] CREATED
13:17:27,587 INFO  [FtpLoggingFilter] OPENED
13:17:27,615 INFO  [FtpLoggingFilter] SENT: 220 Service ready for new user.

13:17:27,666 INFO  [FtpLoggingFilter] RECEIVED: USER <USERNAME>
13:17:27,669 INFO  [FtpLoggingFilter] SENT: 331 User name okay, need
password for <USERNAME>.

13:17:28,213 INFO  [FtpLoggingFilter] RECEIVED: PASS *****
13:17:28,222 INFO  [PASS] Login success - FTPROOT
13:17:28,223 INFO  [FtpLoggingFilter] SENT: 230 User logged in, proceed.

13:17:28,271 INFO  [FtpLoggingFilter] RECEIVED: PWD
13:17:28,272 INFO  [FtpLoggingFilter] SENT: 257 "/" is current directory.

13:17:28,320 INFO  [FtpLoggingFilter] RECEIVED: CWD <DIRECTORY>
13:17:28,320 INFO  [FtpLoggingFilter] SENT: 250 Ok

13:17:28,367 INFO  [FtpLoggingFilter] RECEIVED: CWD TestConn
13:17:28,367 INFO  [FtpLoggingFilter] SENT: 250 Ok

13:17:28,414 INFO  [FtpLoggingFilter] RECEIVED: EPSV
13:17:28,417 INFO  [FtpLoggingFilter] SENT: 229 Entering Passive Mode
(|||10120|)

13:17:28,512 INFO  [FtpLoggingFilter] RECEIVED: PASV
13:17:28,514 INFO  [FtpLoggingFilter] SENT: 227 Entering Passive Mode
(10,101,64,144,39,136)

13:17:28,817 WARN  [FtpLoggingFilter] EXCEPTION :
java.io.IOException: Connection reset by peer
        at sun.nio.ch.FileDispatcher.read0(Native Method)
        at sun.nio.ch.SocketDispatcher.read(SocketDispatcher.java:21)
        at sun.nio.ch.IOUtil.readIntoNativeBuffer(IOUtil.java:233)
        at sun.nio.ch.IOUtil.read(IOUtil.java:206)
        at sun.nio.ch.SocketChannelImpl.read(SocketChannelImpl.java:207)
        at
org.apache.mina.transport.socket.nio.NioProcessor.read(NioProcessor.java:179)
        at
org.apache.mina.transport.socket.nio.NioProcessor.read(NioProcessor.java:41)
        at
org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:585)
        at
org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:563)
        at
org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:552)
        at
org.apache.mina.core.polling.AbstractPollingIoProcessor.access$400(AbstractPollingIoProcessor.java:56)
        at
org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:891)
        at
org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
        at
java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:651)
        at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:676)
        at java.lang.Thread.run(Thread.java:595)
13:17:28,819 ERROR [DefaultFtpHandler] Exception caught, closing session
java.io.IOException: Connection reset by peer
        at sun.nio.ch.FileDispatcher.read0(Native Method)
        at sun.nio.ch.SocketDispatcher.read(SocketDispatcher.java:21)
        at sun.nio.ch.IOUtil.readIntoNativeBuffer(IOUtil.java:233)
        at sun.nio.ch.IOUtil.read(IOUtil.java:206)
        at sun.nio.ch.SocketChannelImpl.read(SocketChannelImpl.java:207)
        at
org.apache.mina.transport.socket.nio.NioProcessor.read(NioProcessor.java:179)
        at
org.apache.mina.transport.socket.nio.NioProcessor.read(NioProcessor.java:41)
        at
org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:585)
        at
org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:563)
        at
org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:552)
        at
org.apache.mina.core.polling.AbstractPollingIoProcessor.access$400(AbstractPollingIoProcessor.java:56)
        at
org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:891)
        at
org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
        at
java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:651)
        at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:676)
        at java.lang.Thread.run(Thread.java:595)
13:17:28,819 INFO  [FtpLoggingFilter] CLOSED

This suggests that something couldn't bind correctly.

I have the following setup in IPTABLES:

DNAT       tcp  --  anywhere             anywhere            tcp
dpt:ftp-data to:<ipaddress>:10120
DNAT       tcp  --  anywhere             anywhere            tcp dpt:ftp to:
<ipaddress>:10121

Which maps port 20 to 10120 and 21 to 10121, and the following in my server
code:


                DataConnectionConfigurationFactory dataConnFactory =
                        new DataConnectionConfigurationFactory();
                dataConnFactory.setPassivePorts("10120");

Thank you for the continued help.


On Fri, Mar 12, 2010 at 12:59 PM, Niklas Gustavsson <ni...@protocol7.com> wrote:

> On Fri, Mar 12, 2010 at 12:57 PM, Aidan Diffey
> <ai...@googlemail.com> wrote:
> > Further information on the port binding:
> > If I run my application as root, all is well.  If I run as another user,
> I
> > get the "Connection reset by peer" message when the device attempts to
> > connect and send a file to the server.
> >
> > Let me check that I understand you.
> >
> > The device / devices that are attaching to my FTPServer use ports 20 and
> 21.
>
> The devices must be configured to use passive connections (the default
> is usually active connections).
>
> > If I map using IPTables port 20 to 10120 and port 21 to 10121 then I need
> to
> > bind my server to ports 10120 and 10121.
> > As I stated in the previous post, I cannot bind the server to 10120 and
> see
> > it appear on a netstat -a command.
>
> You will only see the port after the client sends the PASV command and
> it will only live for as long as the transfer over the data connection
> is in progress.
>
> > As for your second point, if I have 10 devices trying to communicate with
> my
> > FTPServer on ports 10120 and 10121, will they be able to connect
> > simultaneously, or will they have to connect sequentially?
>
> They will be able to connect to the control socket simultaneously, but
> only do data transfers sequentially.
>
> /niklas
>
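The configuration the thread is converging on, written out as an added example (it is not code from the thread or from the Apache FtpServer project): a listener bound only to unprivileged ports, so the process does not need root, with passive data ports drawn from an explicit range that the firewall can be opened for. The class name, the passive range 30000-30200, the externalAddress parameter and the small pasvPort() decoder are my own constructions; the ListenerFactory, DataConnectionConfigurationFactory and FtpServerFactory calls are the 1.0.x API names used in the thread. User manager setup is omitted.

```java
import org.apache.ftpserver.DataConnectionConfigurationFactory;
import org.apache.ftpserver.FtpServer;
import org.apache.ftpserver.FtpServerFactory;
import org.apache.ftpserver.ftplet.FtpException;
import org.apache.ftpserver.listener.ListenerFactory;

/**
 * Added example, not code from the thread: an Apache FtpServer listener that
 * binds only ports above 1024, so the JVM does not need root to start it.
 */
public class PassiveFtpServerExample {

    // Constructed values: the thread's control port, and a passive range wide
    // enough for many simultaneous transfers (the 1.0.x releases allow one
    // transfer per passive port at a time, as noted in the thread).
    static final int CONTROL_PORT = 10121;
    static final String PASSIVE_PORTS = "30000-30200";

    /**
     * Build the server. externalAddress (hypothetical parameter) is the
     * address to advertise in PASV replies when a NAT sits in front of the
     * server; pass null to advertise the local address.
     */
    public static FtpServer build(int controlPort, String passivePorts,
                                  String externalAddress) {
        DataConnectionConfigurationFactory dataConnFactory =
                new DataConnectionConfigurationFactory();
        // Passive mode: the server picks a listening port from this range and
        // advertises it in the 227/229 reply; the client then connects there.
        // The port only exists for the duration of one transfer, which is why
        // it does not show up in netstat -a before a PASV/EPSV is received.
        dataConnFactory.setPassivePorts(passivePorts);
        if (externalAddress != null) {
            dataConnFactory.setPassiveExternalAddress(externalAddress);
        }
        // Active mode makes the server connect out to a client-chosen port;
        // setActiveLocalPort() only affects that outbound socket. Offer
        // passive mode only.
        dataConnFactory.setActiveEnabled(false);

        ListenerFactory listenerFactory = new ListenerFactory();
        listenerFactory.setPort(controlPort);
        listenerFactory.setDataConnectionConfiguration(
                dataConnFactory.createDataConnectionConfiguration());

        FtpServerFactory serverFactory = new FtpServerFactory();
        serverFactory.addListener("default", listenerFactory.createListener());
        return serverFactory.createServer();
    }

    /**
     * Decode the data port from a "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
     * reply: port = p1 * 256 + p2. Helper written for this example.
     */
    static int pasvPort(String reply) {
        String inner = reply.substring(reply.indexOf('(') + 1, reply.indexOf(')'));
        String[] f = inner.split(",");
        return Integer.parseInt(f[4].trim()) * 256 + Integer.parseInt(f[5].trim());
    }

    public static void main(String[] args) throws FtpException {
        // The reply captured in the thread, (10,101,64,144,39,136), encodes
        // 39 * 256 + 136 = 10120: the client is told to connect to 10120
        // directly, so a port-20 redirect in iptables is never involved.
        System.out.println("advertised passive port: "
                + pasvPort("227 Entering Passive Mode (10,101,64,144,39,136)"));

        FtpServer server = build(CONTROL_PORT, PASSIVE_PORTS, null);
        server.start();
    }
}
```

With this layout the only firewall rules needed are an allow for the control port and an allow for the passive range; no DNAT of port 20 is required, since the client never connects to port 20 in passive mode.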

Re: Binding FTP data port

Posted by Niklas Gustavsson <ni...@protocol7.com>.
On Fri, Mar 12, 2010 at 12:57 PM, Aidan Diffey
<ai...@googlemail.com> wrote:
> Further information on the port binding:
> If I run my application as root, all is well.  If I run as another user, I
> get the "Connection reset by peer" message when the device attempts to
> connect and send a file to the server.
>
> Let me check that I understand you.
>
> The device / devices that are attaching to my FTPServer use ports 20 and 21.

The devices must be configured to use passive connections (the default
is usually active connections).

> If I map using IPTables port 20 to 10120 and port 21 to 10121 then I need to
> bind my server to ports 10120 and 10121.
> As I stated in the previous post, I cannot bind the server to 10120 and see
> it appear on a netstat -a command.

You will only see the port after the client sends the PASV command and
it will only live for as long as the transfer over the data connection
is in progress.

> As for your second point, if I have 10 devices trying to communicate with my
> FTPServer on ports 10120 and 10121, will they be able to connect
> simultaneously, or will they have to connect sequentially?

They will be able to connect to the control socket simultaneously, but
only do data transfers sequentially.

/niklas

Re: Binding FTP data port

Posted by Aidan Diffey <ai...@googlemail.com>.
Further information on the port binding:
If I run my application as root, all is well.  If I run as another user, I
get the "Connection reset by peer" message when the device attempts to
connect and send a file to the server.

Let me check that I understand you.

The device / devices that are attaching to my FTPServer use ports 20 and 21.

If I map using IPTables port 20 to 10120 and port 21 to 10121 then I need to
bind my server to ports 10120 and 10121.
As I stated in the previous post, I cannot bind the server to 10120 and see
it appear on a netstat -a command.


As for your second point, if I have 10 devices trying to communicate with my
FTPServer on ports 10120 and 10121, will they be able to connect
simultaneously, or will they have to connect sequentially?

Regards

On Fri, Mar 12, 2010 at 11:15 AM, Niklas Gustavsson <ni...@protocol7.com> wrote:

> On Fri, Mar 12, 2010 at 11:53 AM, Aidan Diffey
> <ai...@googlemail.com> wrote:
> >                dataConnFactory.setActiveLocalPort(10120);
>
> This setting only affects the local port on which the server will bind
> when connecting to the user's port. Note that in active connections,
> the client listens on a port to which the server will connect. So,
> this setting is of no use in your case.
>
> Instead, you should look into setting the allowed passive port. And,
> note that in the current releases, we only support one active user per
> passive port. So, if you only expose one passive port, only one user
> will be able to use a data connection at any given time.
>
> For 1.1.0, we plan to support multiple users per passive port.
>
> /niklas
>

Re: Binding FTP data port

Posted by Niklas Gustavsson <ni...@protocol7.com>.
On Fri, Mar 12, 2010 at 11:53 AM, Aidan Diffey
<ai...@googlemail.com> wrote:
>                dataConnFactory.setActiveLocalPort(10120);

This setting only affects the local port on which the server will bind
when connecting to the user's port. Note that in active connections,
the client listens on a port to which the server will connect. So,
this setting is of no use in your case.

Instead, you should look into setting the allowed passive port. And,
note that in the current releases, we only support one active user per
passive port. So, if you only expose one passive port, only one user
will be able to use a data connection at any given time.

For 1.1.0, we plan to support multiple users per passive port.

/niklas