Switching to port 22...can't get past LIST command

Tyree
User
Posts: 15
Joined: Tue Nov 17, 2009 3:18 pm

Post by Tyree » Mon Jan 04, 2010 8:49 am

I've been using Cerberus to connect to my home computer for a long time. I've been using port 21 all that time.

My friend and I are playing around with setting up a web server and so I need port 21 to be directed to that machine now. So, my desktop computer needs to start using a different port.

So, I changed the port forwarding in my router, the listening port in cerberus and made sure that port 22 was open in my PC firewall.

I updated the connection settings in my ftp client to port 22 and clicked connect. The initial connection happens, but then it stops at the LIST command, then my client gives the error:
Server can't open data connection.

The Cerberus log says:



[2010-01-04 08:38:37]:CONNECT [     9] - Incoming connection request on interface xxx.xxx.xxx.xxx
[2010-01-04 08:38:37]:CONNECT [ 9] - Connection request accepted from xxx.xxx.xxx.xxx
[2010-01-04 08:38:37]:COMMAND [ 9] - USER username
[2010-01-04 08:38:37]: REPLY [ 9] - 331 User username, password please

[2010-01-04 08:38:37]:COMMAND [ 9] - PASS ***********
[2010-01-04 08:38:37]: REPLY [ 9] - 230 Password Ok, User logged in

[2010-01-04 08:38:37]:COMMAND [ 9] - PWD
[2010-01-04 08:38:37]: REPLY [ 9] - 257 "/" is the current directory

[2010-01-04 08:38:37]:COMMAND [ 9] - FEAT
[2010-01-04 08:38:37]: REPLY [ 9] - 211- Additional features supported include:
MDTM
MFCT
MFMT
SIZE
REST STREAM
AUTH TLS
AUTH SSL
PBSZ
EPRT
EPSV
XCRC
XSHA1
XSHA256
XSHA512
XMD5
PROT
LANG EN*
SITE CHMOD
SITE PSWD
SITE ZONE
MLST Type*;Size*;Modify*;Create*;
CLNT
CSID
RMDA
UTF8
211 End

[2010-01-04 08:38:37]:COMMAND [ 9] - REST 0
[2010-01-04 08:38:37]: REPLY [ 9] - 350 Restarting at byte offset 0. Send STOR or RETR to initiate transfer

[2010-01-04 08:38:37]:COMMAND [ 9] - PORT 10,0,0,18,206,23
[2010-01-04 08:38:37]: REPLY [ 9] - 200 Port command received

[2010-01-04 08:38:37]:COMMAND [ 9] - LIST
[2010-01-04 08:38:58]: ERROR [ 9] - Unable to connect : The operation completed successfully.

[2010-01-04 08:38:58]:SUGGEST [ 9] - For help see http://www.cerberusftp.com/faq/initialsetup.htm#Q3
[2010-01-04 08:38:58]: REPLY [ 9] - 425 Unable to open the data connection

[2010-01-04 08:40:19]:CONNECT [ 9] - Connection timed out. Shutting down connection...
[2010-01-04 08:40:19]:CONNECT [ 9] - Connection Terminated
??? What was successful?

Can anyone shed some light on what may be going on here?

mdj
Moderator
Posts: 656
Joined: Mon Aug 18, 2003 4:00 am
Location: Denmark

Re: Switching to port 22...can't get past LIST command

Post by mdj » Mon Jan 04, 2010 1:09 pm

[2010-01-04 08:38:37]:COMMAND [ 9] - PORT 10,0,0,18,206,23

This means that the client wants the server to connect to it on 10.0.0.18:52759 (active FTP), but that ip is perhaps a LAN ip on the client side that doesn't make any sense for the server? I guess the client and the server are not located at the same place.
Morten Due Jørgensen
http://www.mdjnet.dk

Tyree
User
Posts: 15
Joined: Tue Nov 17, 2009 3:18 pm

Re: Switching to port 22...can't get past LIST command

Post by Tyree » Mon Jan 04, 2010 2:24 pm

mdj wrote: This means that the client wants the server to connect to it on 10.0.0.18:52759 (active FTP), but that ip is perhaps a LAN ip on the client side that doesn't make any sense for the server? I guess the client and the server are not located at the same place.
I don't know. I can switch the server back to 21 and the client to 21 and change nothing else and it works fine. Not sure why the client IP 10.0.0.18 would have any effect. It works fine on port 21, why not 22? Doesn't make sense to me. Is there some place I need to change to 22 that I'm missing?

It's connecting...so I know the router portion is forwarding correctly. Wouldn't think it's the firewall either since, I would think, the firewall would block the connection altogether. Seems to come down to cerberus itself.

Any ideas?

mdj
Moderator
Posts: 656
Joined: Mon Aug 18, 2003 4:00 am
Location: Denmark

Re: Switching to port 22...can't get past LIST command

Post by mdj » Tue Jan 05, 2010 2:47 am

It could perhaps be an "intelligent" router somewhere? Some routers/firewalls know FTP, and when they see it, they automatically allow the ports selected for active ftp (at the client's end) or passive ftp (at the server's end) to be forwarded, but when it is carried by port 22, the router doesn't recognize it.

I still don't quite understand the ip addresses of your setup, and the routers involved. Have you manually configured port forwarding for the router/firewall at the client's end?
Morten Due Jørgensen
http://www.mdjnet.dk

Tyree
User
Posts: 15
Joined: Tue Nov 17, 2009 3:18 pm

Re: Switching to port 22...can't get past LIST command

Post by Tyree » Tue Jan 05, 2010 7:37 am

Okay, here's the explanation of the environments:
The server is at my home behind a basic Linksys router/firewall. The server has a static IP of 192.168.1.100. The router is forwarding port 22 to that IP address.
The client is at my office and is behind a Windows 2003 server. The client also has a static IP assigned to it, 10.0.0.18. The only port forwarding I have done on the Windows Server is port 21 to an office ftp server. There are no outgoing restrictions on ftp that I know of.

If it were a router problem, would it not just block the connection altogether? Why am I able to connect to the ftp server, but not do the LIST command? That's what confuses me. If I could just not get a connection at all, that would make more sense. But, this half-connection is harder to troubleshoot.

mdj
Moderator
Posts: 656
Joined: Mon Aug 18, 2003 4:00 am
Location: Denmark

Re: Switching to port 22...can't get past LIST command

Post by mdj » Tue Jan 05, 2010 8:47 am

The reason for this "half-connect" is quite simple. Several connections are used in FTP, and not just port 21 needs to be open/forwarded. (See http://www.mdjnet.dk/ftp.html.) The LIST requires a separate data connection.

If this is the setup, then I don't understand that it works at all for port 21! According to the log, the FTP server is asked to connect to 10.0.0.18, but that ip does NOT make sense in your client's 192.168-environment. Could you post a log that shows that it is working?
Morten Due Jørgensen
http://www.mdjnet.dk

Tyree
User
Posts: 15
Joined: Tue Nov 17, 2009 3:18 pm

Re: Switching to port 22...can't get past LIST command

Post by Tyree » Tue Jan 05, 2010 9:15 am

I think you may be on to something there...Here's a log from a connection on port 21 from the SAME client:


[2010-01-04 08:31:19]:CONNECT [     7] - Incoming connection request on interface 192.168.1.100
[2010-01-04 08:31:19]:CONNECT [ 7] - Connection request accepted from 206.248.235.186
[2010-01-04 08:31:19]:COMMAND [ 7] - USER username
[2010-01-04 08:31:19]: REPLY [ 7] - 331 User username, password please

[2010-01-04 08:31:19]:COMMAND [ 7] - PASS ***********
[2010-01-04 08:31:19]: REPLY [ 7] - 230 Password Ok, User logged in

[2010-01-04 08:31:19]:COMMAND [ 7] - PWD
[2010-01-04 08:31:19]: REPLY [ 7] - 257 "/" is the current directory

[2010-01-04 08:31:20]:COMMAND [ 7] - REST 0
[2010-01-04 08:31:20]: REPLY [ 7] - 350 Restarting at byte offset 0. Send STOR or RETR to initiate transfer

[2010-01-04 08:31:20]:COMMAND [ 7] - PORT 206,248,235,186,32,167
[2010-01-04 08:31:20]: REPLY [ 7] - 200 Port command received

[2010-01-04 08:31:20]:COMMAND [ 7] - LIST
[2010-01-04 08:31:20]: REPLY [ 7] - 150 Opening data connection

[2010-01-04 08:31:20]: REPLY [ 7] - 226 Transfer complete

[2010-01-04 08:31:53]:COMMAND [ 7] - TYPE A
[2010-01-04 08:31:53]: REPLY [ 7] - 200 Type ASCII

[2010-01-04 08:32:07]: SYSTEM [ 7] - The client closed the connection
[2010-01-04 08:32:07]:CONNECT [ 7] - Connection Terminated
And here's one trying to connect on port 22:


[2010-01-05 07:41:21]:CONNECT [    21] - Incoming connection request on interface 192.168.1.100
[2010-01-05 07:41:21]:CONNECT [ 21] - Connection request accepted from 206.248.235.186
[2010-01-05 07:41:21]:COMMAND [ 21] - USER username
[2010-01-05 07:41:21]: REPLY [ 21] - 331 User username, password please

[2010-01-05 07:41:22]:COMMAND [ 21] - PASS ***********
[2010-01-05 07:41:22]: REPLY [ 21] - 230 Password Ok, User logged in

[2010-01-05 07:41:22]:COMMAND [ 21] - PWD
[2010-01-05 07:41:22]: REPLY [ 21] - 257 "/" is the current directory

[2010-01-05 07:41:22]:COMMAND [ 21] - REST 0
[2010-01-05 07:41:22]: REPLY [ 21] - 350 Restarting at byte offset 0. Send STOR or RETR to initiate transfer

[2010-01-05 07:41:22]:COMMAND [ 21] - PORT 10,0,0,18,213,144
[2010-01-05 07:41:22]: REPLY [ 21] - 200 Port command received

[2010-01-05 07:41:22]:COMMAND [ 21] - LIST
[2010-01-05 07:41:43]: ERROR [ 21] - Unable to connect : The operation completed successfully.

[2010-01-05 07:41:43]:SUGGEST [ 21] - For help see http://www.cerberusftp.com/faq/initialsetup.htm#Q3
[2010-01-05 07:41:43]: REPLY [ 21] - 425 Unable to open the data connection

[2010-01-05 07:41:55]: SYSTEM [ 21] - The client closed the connection
[2010-01-05 07:41:55]:CONNECT [ 21] - Connection Terminated
For some reason the port command changes from the external IP (206.248.235.186) in the port 21 connection to the client's internal IP (10.0.0.18) in the port 22.
Does that help to make any more sense of the problem?

More data to work with...
Here's connection logs from the same computer that is running the server connection on port 22 and then 21.

Port 22:


[2010-01-05 09:07:15]:CONNECT [    30] - Incoming connection request on interface 192.168.1.100
[2010-01-05 09:07:15]:CONNECT [ 30] - Connection request accepted from 192.168.1.1
[2010-01-05 09:07:15]:COMMAND [ 30] - USER username
[2010-01-05 09:07:15]: REPLY [ 30] - 331 User username, password please

[2010-01-05 09:07:15]:COMMAND [ 30] - PASS ***********
[2010-01-05 09:07:15]: REPLY [ 30] - 230 Password Ok, User logged in

[2010-01-05 09:07:16]:COMMAND [ 30] - PWD
[2010-01-05 09:07:16]: REPLY [ 30] - 257 "/" is the current directory

[2010-01-05 09:07:16]:COMMAND [ 30] - REST 0
[2010-01-05 09:07:16]: REPLY [ 30] - 350 Restarting at byte offset 0. Send STOR or RETR to initiate transfer

[2010-01-05 09:07:16]:COMMAND [ 30] - PORT 192,168,1,100,246,250
[2010-01-05 09:07:16]: REPLY [ 30] - 200 Port command received

[2010-01-05 09:07:16]:COMMAND [ 30] - LIST
[2010-01-05 09:07:16]: REPLY [ 30] - 150 Opening data connection

[2010-01-05 09:07:16]: REPLY [ 30] - 226 Transfer complete
And 21:


[2010-01-05 09:08:34]:CONNECT [    31] - Incoming connection request on interface 192.168.1.100
[2010-01-05 09:08:34]:CONNECT [ 31] - Connection request accepted from 192.168.1.1
[2010-01-05 09:08:34]:COMMAND [ 31] - USER username
[2010-01-05 09:08:34]: REPLY [ 31] - 331 User username, password please

[2010-01-05 09:08:34]:COMMAND [ 31] - PASS ***********
[2010-01-05 09:08:34]: REPLY [ 31] - 230 Password Ok, User logged in

[2010-01-05 09:08:34]:COMMAND [ 31] - PWD
[2010-01-05 09:08:34]: REPLY [ 31] - 257 "/" is the current directory

[2010-01-05 09:08:34]:COMMAND [ 31] - REST 0
[2010-01-05 09:08:34]: REPLY [ 31] - 350 Restarting at byte offset 0. Send STOR or RETR to initiate transfer

[2010-01-05 09:08:34]:COMMAND [ 31] - PORT 192,168,1,1,248,120
[2010-01-05 09:08:34]: REPLY [ 31] - 200 Port command received

[2010-01-05 09:08:34]:COMMAND [ 31] - LIST
[2010-01-05 09:08:34]: REPLY [ 31] - 150 Opening data connection

[2010-01-05 09:08:34]: REPLY [ 31] - 226 Transfer complete

[2010-01-05 09:09:05]:COMMAND [ 31] - PORT 192,168,1,1,248,236
[2010-01-05 09:09:05]: REPLY [ 31] - 200 Port command received

[2010-01-05 09:09:05]:COMMAND [ 31] - LIST
[2010-01-05 09:09:05]: REPLY [ 31] - 150 Opening data connection

[2010-01-05 09:09:05]: REPLY [ 31] - 226 Transfer complete
While from the same computer it does connect successfully, I am getting the same sort of change in the port commands. Port 22 uses the internal local IP (192.168.1.100), while port 21 uses the gateway's IP (192.168.1.1).

Any idea why this change happens?

Thanks for your help!!!

mdj
Moderator
Posts: 656
Joined: Mon Aug 18, 2003 4:00 am
Location: Denmark

Re: Switching to port 22...can't get past LIST command

Post by mdj » Tue Jan 05, 2010 11:54 am

Now I am pretty sure that this is due to the router at the client's end. If connecting to FTP on port 21, the router is intelligent and knows that it must replace the internal ip 10.0.0.18 with the external ip of the router within the PORT command. If port 22 is used, it doesn't recognize it as FTP traffic, and then it doesn't do the replacement.

Instead, you should use passive ftp from the client - if it is capable of doing so, but most clients are. What client are you using? This will of course require the passive port range to be forwarded on the server's router - and it will require the server to be configured accordingly. The FAQ has info on this: http://www.cerberusftp.com/faq/initialsetup.htm#Q2.
Morten Due Jørgensen
http://www.mdjnet.dk
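
Added example, not part of the original thread and not Cerberus code: a Python check that decodes each PORT argument in logs of this format and compares it with the control connection's peer address, which is how the missing NAT rewrite shows up on the server side. The sample lines are copied (abridged) from the logs posted in this thread; the function names and verdict labels are assumptions made for the illustration.

```python
import ipaddress
import re

# Log line shape used in this thread: "[timestamp]:KIND [ session] - text"
LINE = re.compile(r"^\[[^\]]+\]:\s*(\w+)\s*\[\s*(\d+)\]\s-\s(.*)$")
ACCEPT = re.compile(r"Connection request accepted from (\S+)")
PORT = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")

SAMPLE = """\
[2010-01-04 08:31:19]:CONNECT [ 7] - Connection request accepted from 206.248.235.186
[2010-01-04 08:31:20]:COMMAND [ 7] - PORT 206,248,235,186,32,167
[2010-01-05 07:41:21]:CONNECT [ 21] - Connection request accepted from 206.248.235.186
[2010-01-05 07:41:22]:COMMAND [ 21] - PORT 10,0,0,18,213,144
[2010-01-05 09:07:15]:CONNECT [ 30] - Connection request accepted from 192.168.1.1
[2010-01-05 09:07:16]:COMMAND [ 30] - PORT 192,168,1,100,246,250
"""

def decode_port(fields):
    """h1,h2,h3,h4,p1,p2 -> (IPv4Address, port) with port = p1*256 + p2."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("PORT field out of range")
    return ipaddress.IPv4Address(".".join(map(str, nums[:4]))), nums[4] * 256 + nums[5]

def verdict(peer, data_ip):
    if peer is None:
        return "no-peer"                 # peer address redacted or not logged
    if data_ip == peer:
        return "match"                   # server can reach the address it was given
    if data_ip.is_private and not peer.is_private:
        return "private-behind-nat"      # LAN address leaked through NAT unrewritten
    return "mismatch"                    # differs from peer; may still be reachable

def audit(log_text):
    """Return (session, data_ip, data_port, verdict) for every PORT command."""
    peers, findings = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                     # continuation lines such as the FEAT list
        kind, session, text = m.groups()
        try:
            if kind == "CONNECT" and (a := ACCEPT.search(text)):
                peers[session] = ipaddress.IPv4Address(a.group(1))
            elif kind == "COMMAND" and (p := PORT.match(text.strip())):
                ip, port = decode_port(p.groups())
                findings.append((session, str(ip), port, verdict(peers.get(session), ip)))
        except ValueError:
            continue                     # masked (xxx.xxx...) or malformed address
    return findings
```

Session 21 is the failing port 22 connection: the server is told to dial 10.0.0.18 while the control connection arrives from 206.248.235.186.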

Tyree
User
Posts: 15
Joined: Tue Nov 17, 2009 3:18 pm

Re: Switching to port 22...can't get past LIST command

Post by Tyree » Tue Jan 05, 2010 6:45 pm

Hmmmm...sounds like two ftp servers in one location is quite a trick to pull off. I had no idea it was that much trouble to switch a port. Is it impossible to disable this intelligent forwarding?

Would this also explain the similar behavior when the server PC attempts to connect to itself? I'm dealing with a Windows server at one location and a linksys router at the other. Do both of them have the intelligent forwarding?

I typically use cuteFTP as my client....but I also have some backup programs that use the ftp. Not sure if I can set those to passive or not. I also sometimes use Internet Explorer if I'm on a computer with no ftp client. Is that capable of doing passive?

Thanks!

mdj
Moderator
Posts: 656
Joined: Mon Aug 18, 2003 4:00 am
Location: Denmark

Re: Switching to port 22...can't get past LIST command

Post by mdj » Wed Jan 06, 2010 2:52 am

Whether it is possible to tweak intelligence in the router must depend on the router - but I doubt it very much. Somehow, low-end routers never have all the knobs and tweaks an advanced user needs...

Windows server probably does not do anything intelligent (ever! :-) ). So it is the linksys router at the client's site that is messing things up - actually, it is intelligent, yes, but not intelligent enough. You don't want to disable intelligence, rather activate it for a different port as well. That is why passive FTP was invented, to overcome all the non-intelligent routers.

I am pretty sure cuteFTP can do passive and also IE (Tools / Internet Options / Advanced / half way through the list of options), don't know about the backup programs, and command line ftp in Windows can't for sure.
Morten Due Jørgensen
http://www.mdjnet.dk

Tyree
User
Posts: 15
Joined: Tue Nov 17, 2009 3:18 pm

Re: Switching to port 22...can't get past LIST command

Post by Tyree » Wed Jan 06, 2010 8:59 am

Yeah, it's all those "can't" situations that bother me. I hate having to jump through a bunch of hoops and change default settings. Just makes it hard when trying to connect from clients that I don't have control over. For example, at a library or something.

All this time I thought the port was optional! :-D
I knew there was a default port for ftp, but I didn't know it was so hard-wired!

Actually, in this situation, it seems to be no matter if it's the client with Windows Server, or a client within the same network under the Linksys router. Both give a different port command with a different IP depending on if I use port 21 or 22. So, both the Windows Server and the Linksys router do the same thing. Intelligence...meh! :-D

Thanks again!

Tyree
User
Posts: 15
Joined: Tue Nov 17, 2009 3:18 pm

Re: Switching to port 22...can't get past LIST command

Post by Tyree » Thu Jan 07, 2010 8:03 am

I set up PASV ftp on the server and client, forwarded the PASV port range, etc. Everything works great on port 22 now. THANKS!

Even my backup software works! WOO!
