FTP active mode on LAN

j7n
Member
Posts: 170
Joined: 2005-08-07, 21:56 UTC

FTP active mode on LAN

Post by *j7n »

Both of my computers are in (different) Local Area Networks. I am using FTP to transfer data between them. However, I cannot use active mode, because Total Commander v6.53 sends my local address in PORT command to the server. I have access to both routers and forward the ports.
hostname=159.***.***.***:****
username=j7n
startdir=
220 Studio Comp
USER j7n
331 Password required for j7n.
PASS ***********
230 User j7n logged in.
SYST
215 UNIX Type: L8
FEAT
211-Extensions supported:
CLNT
MDTM
PASV
REST STREAM
SIZE
211 End.
Connect ok!
PWD
257 "/" is current directory.
Get directory
TYPE A
200 Type set to A.
PORT 192,168,1,16,19,138
200 Port command successful.
LIST
150 Opening data connection for directory list.
Download
<hangs there of course>
How do I tell Total Commander the correct external IP address to send in PORT command?
ghisler(Author)
Site Admin
Posts: 48093
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) »

To make server to server transfers, one must use port mode and one passive mode, otherwise the two couldn't make contact! If this is possible, you can switch sides (left+right panels) if the connection doesn't work, because TC always sends PORT to one panel and PASV to the other in server to server mode.
Author of Total Commander
https://www.ghisler.com
Hacker
Moderator
Posts: 13068
Joined: 2003-02-06, 14:56 UTC
Location: Bratislava, Slovakia

Post by *Hacker »

j7n,
That's the task of the local router - it should translate your private IP address to your external IP address. There is no way to set your IP to something else in TC AFAIK.

Christian,
This is not about FXP. ;)

HTH
Roman
Suppose you press Ctrl+F, select the FTP connection (with saved password), but instead of clicking Connect, you drop dead.
j7n
Member
Posts: 170
Joined: 2005-08-07, 21:56 UTC

Post by *j7n »

Yes, this is not about FXP. I have BulletProof server and TC as client on both machines. To clear the confusion, let's say I want to connect to an FTP outside my LAN using active mode.

Do you mean that the router should intercept the data flowing through it and look for FTP-specific content? In other applications like peer-2-peer one must tell the external address to the client and the router then routes any reply to one of the local computers.
Sheepdog
Power Member
Posts: 5150
Joined: 2003-12-18, 21:44 UTC
Location: Berlin, Germany

Post by *Sheepdog »

If you are in a local network (with private IP addresses like 192.168.1.1) and want to connect to an IP outside of this local net, the router has to support NAT (network address translation).

That means that the router saves for each connection the private address of the computer and the remote IP address. When a packet is sent from your local PC, the router changes the address to its own address before forwarding the packet to the remote server. When a packet is sent back, it has the router's address as its target address. Now the router has to look up which connection the packet belongs to and then replace the target address with the private IP address used in the LAN.

sheepdog
"A common mistake that people make when trying to design something
completely foolproof is to underestimate the ingenuity of complete fools."
Douglas Adams
Hacker
Moderator
Posts: 13068
Joined: 2003-02-06, 14:56 UTC
Location: Bratislava, Slovakia

Post by *Hacker »

j7n,
> Do you mean that the router should intercept the data flowing through it and look for FTP-specific content?

Exactly.

> In other applications like peer-2-peer one must tell the external address to the client

Yes, routers are not aware of P2P protocols (mostly).

Why do you not use passive mode?

Sheepdog,
NAT obviously works in this case, as j7n could connect to the remote server. However, NAT is responsible for translations of the IP addresses in the IP packet header, so it is not relevant here. At least I think the function to translate the content of the packet isn't called NAT (I think Christian mentioned "stateful packet inspection" a few times).

[EDIT: OK, I just googled a bit, and it looks like some NAT devices are smart and translate the address required for FTP, and some do not.]

Roman
Suppose you press Ctrl+F, select the FTP connection (with saved password), but instead of clicking Connect, you drop dead.
j7n
Member
Posts: 170
Joined: 2005-08-07, 21:56 UTC

Post by *j7n »

Thank you Hacker for the tip about passive mode. For some reason I incorrectly assumed that if the client can't accept connections, the server won't either. :oops: It's working now in passive mode. :D

I have Linksys BEFSR41 routers and they apparently know nothing about FTP or perhaps look only at port 21 traffic.
Hacker
Moderator
Posts: 13068
Joined: 2003-02-06, 14:56 UTC
Location: Bratislava, Slovakia

Post by *Hacker »

j7n,
You're welcome. :)

Roman
Suppose you press Ctrl+F, select the FTP connection (with saved password), but instead of clicking Connect, you drop dead.
tmcdos
Junior Member
Posts: 30
Joined: 2006-05-22, 18:29 UTC
Location: Sofia, Bulgaria

If using IPTABLES

Post by *tmcdos »

If you are using IPTABLES on your router, then you can change the following in your /etc/rc.d/init.d/iptables file:

# Default firewall configuration
IPTABLES_MODULES=""

change the above to be

IPTABLES_MODULES="ip_conntrack_ftp ip_nat_ftp"

and everything should be OK.

This works on Fedora Core 2 and IPTABLES 1.2.9 just fine.
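
An added example, not code from this thread or from Total Commander: Python that decodes the PORT line from the session log in the first post, flags it as advertising an address the remote server cannot reach, and shows the rewrite an FTP-aware NAT helper (such as the ip_nat_ftp module named above) applies to the control channel. The external address and port are constructed placeholders.

```python
import ipaddress
import re

# PORT h1,h2,h3,h4,p1,p2 (RFC 959): four address octets, then port = p1*256 + p2
PORT_RE = re.compile(r"^PORT (\d{1,3}(?:,\d{1,3}){5})\s*$")

def parse_port(line):
    """Return (ip, port) advertised by a PORT command, or None for other lines."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    nums = [int(n) for n in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        return None
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]

def unreachable_ports(log_lines):
    """List PORT commands that advertise an address a remote server cannot reach."""
    findings = []
    for line in log_lines:
        parsed = parse_port(line)
        if parsed and not parsed[0].is_global:
            findings.append((line.strip(), str(parsed[0]), parsed[1]))
    return findings

def rewrite_port(line, external_ip, external_port):
    """Rewrite a PORT line the way an FTP-aware NAT helper would."""
    if parse_port(line) is None:
        return line
    octets = str(ipaddress.IPv4Address(external_ip)).split(".")
    return "PORT " + ",".join(octets + [str(external_port >> 8), str(external_port & 0xFF)])

# Excerpt of the session log from the first post
SESSION = ["TYPE A", "200 Type set to A.", "PORT 192,168,1,16,19,138",
           "200 Port command successful.", "LIST"]

# Constructed values: 203.0.113.7 is a documentation address (RFC 5737)
EXTERNAL_IP, EXTERNAL_PORT = "203.0.113.7", 5002

if __name__ == "__main__":
    for raw, ip, port in unreachable_ports(SESSION):
        print(f"{raw!r} advertises {ip}:{port}, not routable from the server")
        print("after helper rewrite:", rewrite_port(raw, EXTERNAL_IP, EXTERNAL_PORT))
```

A router without such a helper forwards the PORT line unchanged, so the server tries to open the data connection to 192.168.1.16 and the LIST hangs as in the log.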