Tomato FTP change WAN port and allowing all IP addresses

Discussion in 'Tomato Firmware' started by Solace50, Jan 8, 2018.

  1. Solace50

    Solace50 Connected Client Member

    Two things trying to be achieved,

    Firstly, WAN FTP access on a different port than 21: it appears that if the port is changed to something other than 21, the directories are not listed even though a login is attempted. Port 21 seems to work fine; I guess I could edit the iptables for this?

    Second is allowing any IP. I've tried 0.0.0.0/0, which removes the /0. I'm fully aware of what this does; I will be having multiple dynamic IPs for a short duration, and nothing crucial is on the device/network. Is the syntax different for allowing any with vsftpd? I checked the iptables for this as well and tried to manually apply the change and reload the firewall, but it just corrects the entry and appears not to work.
     
  2. Sean B.

    Sean B. LI Guru Member

    Unable to reproduce your port issue. In the web interface under USB and NAS->FTP Server, setting "Enable FTP Server" to "Yes, WAN and LAN", and "FTP Port" to 2222 I was able to connect via remote client ( cell phone ) to my WAN IP on port 2222 and list the directory of the user. Note that there are directory options depending on what form of authentication is used. As for allowing any remote IP, simply leave the "Allowed remote address(es)" box empty.
     
  3. Solace50

    Solace50 Connected Client Member

    Hmm, never knew that unless an address is defined Tomato allows all; I could have sworn I left it empty initially and was unable to connect. At the moment I just use a DNS to allow access. I guess it could be an NVRAM-specific issue, despite it being cleared, or a conflicting configuration/port in use, though the router showed nothing else bound to the port. Could I just ask what build you are currently on yourself? I'll try with a fresh install and see if something specific is causing it.

    Mine would be this, for the EA6900:
    1.28.0000 -2017.3b13-kille72- K26ARM USB AIO-64K
     
  4. Solace50

    Solace50 Connected Client Member

    Clearing the IP addresses appears to have worked for the access, will fiddle with the port setting and see if it continues as well.
     
  5. Solace50

    Solace50 Connected Client Member

    It appears I can establish a connection on other ports, though when reading the directory of the FTP a timeout still occurs.

    Timeout detected. (control connection)
    Could not retrieve directory listing
    Error listing directory '/'.

    The path being retrieved should be /tmp/mnt/media/ for the specified user path, though; default paths should be the same as well regardless of auth type.
     
  6. Solace50

    Solace50 Connected Client Member

    Ah, nvm, it has to do with the client using different ports/Windows Defender Firewall; I just realized there was a rule in place blocking the request on the affected machines. Thanks though.

    Edit: I lied, it still occurs. I tried from my Android device with AndFTP, which can also connect. In active mode I get a 500 illegal port error; in passive mode it connects but fails to list the directory. The last output message in AndFTP is: Replacing 192.168.1.1 with the WAN IP address of the FTP.

    Seems fairly accurate to the situation,
    https://support.microsoft.com/en-us/help/281193/ftp-error-500-invalid-port-command
     
    Last edited: Jan 9, 2018
  7. Sean B.

    Sean B. LI Guru Member

  8. Sean B.

    Sean B. LI Guru Member

    Are you trying to access ftp via your WAN IP with a device that is connected to your LAN?
     
  9. Solace50

    Solace50 Connected Client Member

    All tests were done externally, either through cell or VPN on another laptop, or even RDP. I confused myself thinking it was working, since I did the connection once without the VPN being active. The hostname will resolve to the LAN IP since I'm using a DNS name and not the direct IP (which was used afterwards to avoid the confusion). I'll play around with it come the next update, as I can't think of anything else to check myself at the moment.
     
    Last edited: Jan 16, 2018
  10. Solace50

    Solace50 Connected Client Member

    If anyone else tries the same thing: the bug with using an external port other than 21 is exclusive to 1.28.0000 -2017.3b13-kille72- K26ARM USB AIO-64K; any other build of Tomato seems unaffected, and there are no newer builds to test to see if the issue was remediated.
    2017.2 is unaffected from my testing. I can't seem to find a changelog between the two builds, else I would try to poke around a bit more.
     
  11. Sean B.

    Sean B. LI Guru Member

  12. kille72

    kille72 LI Guru Member

    Not something I knew about, but that's right! It works on port 21 but not on another port from outside.
     
    Sean B. likes this.
  13. PetervdM

    PetervdM Network Guru Member

    I can't confirm the issue.
    I'm on kille72 2017.3 with an FTP server I configured a long time ago. Using AndFTP on my phone I can connect both locally with a private IP address and remotely by a public address, in both cases using an FQDN and port 21021.
    I can also connect over OpenVPN, either using an FQDN or the private IP address.
     
  14. Solace50

    Solace50 Connected Client Member

    An FQDN is a domain being resolved; that would likely resolve to the private address unless tunneling to a VPN.
     
  15. PetervdM

    PetervdM Network Guru Member

    Yes, the FTP server address is resolved by dnsmasq to a private local address when using the LAN, and the FTP server is resolved globally to a public address by any DNS server when resolved from the WAN. The VPN is configured to use the dnsmasq DNS server when the tunnel is up.
    So I can always use the FQDN when using the FTP server. I checked the vsftpd log files and they are using the right IP addresses.
     
  16. kille72

    kille72 LI Guru Member

    Changelog:
    https://bitbucket.org/kille72/tomato-arm-kille72/commits/tag/v2017.3

    I have the same problem with 2017.3, are you 100% sure that it works with version 2017.2?
     
  17. Solace50

    Solace50 Connected Client Member

    It's working 100%, tested vanilla and with an imported config.
     
  18. Sean B.

    Sean B. LI Guru Member

    Are you still running the affected version? If so, with FTP enabled on a port other than 21, could you run these commands separately:

    Code:
    cat /etc/vsftpd.conf
    iptables -t filter --list-rules
    iptables -t nat --list-rules
    netstat -an
    and post the output please? Feel free to X out parts of your public IP if you don't want it showing.
     
  19. kille72

    kille72 LI Guru Member

    Version 2018.1.016

    Code:
    # cat /etc/vsftpd.conf
    anonymous_enable=no
    dirmessage_enable=yes
    download_enable=no
    dirlist_enable=no
    hide_ids=yes
    syslog_enable=yes
    local_enable=yes
    local_umask=022
    chmod_enable=no
    chroot_local_user=yes
    check_shell=no
    log_ftp_protocol=no
    user_config_dir=/etc/vsftpd.users
    passwd_file=/etc/vsftpd.passwd
    listen=yes
    listen_ipv6=no
    listen_port=2121
    background=yes
    isolate=no
    max_clients=0
    max_per_ip=0
    max_login_fails=1
    idle_session_timeout=300
    use_sendfile=no
    anon_max_rate=0
    local_max_rate=0
    Code:
    # iptables -t filter --list-rules
    -P INPUT DROP
    -P FORWARD DROP
    -P OUTPUT ACCEPT
    -N shlimit
    -N wanin
    -N wanout
    -A INPUT -i tap21 -j ACCEPT
    -A INPUT -p udp -m udp --dport 1194 -j ACCEPT
    -A INPUT -m state --state INVALID -j DROP
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j shlimit
    -A INPUT -p tcp -m tcp --dport 23 -m state --state NEW -j shlimit
    -A INPUT -i lo -j ACCEPT
    -A INPUT -i br0 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 2121 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 51515 -j ACCEPT
    -A FORWARD -i tap21 -j ACCEPT
    -A FORWARD -m account--aaddr 192.168.1.0/255.255.255.0 --aname lan
    -A FORWARD -i br0 -o br0 -j ACCEPT
    -A FORWARD -m state --state INVALID -j DROP
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i vlan2 -j wanin
    -A FORWARD -o vlan2 -j wanout
    -A FORWARD -i br0 -j ACCEPT
    -A shlimit -m recent --set --name shlimit --rsource
    -A shlimit -m recent --update --seconds 60 --hitcount 3 --name shlimit --rsource -j DROP
    -A wanin -d 192.168.1.101/32 -p tcp -m tcp --dport 50101 -j ACCEPT
    -A wanin -d 192.168.1.101/32 -p udp -m udp --dport 50101 -j ACCEPT
    Code:
    # iptables -t nat --list-rules
    -P PREROUTING ACCEPT
    -P INPUT ACCEPT
    -P OUTPUT ACCEPT
    -P POSTROUTING ACCEPT
    -N WANPREROUTING
    -A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
    -A PREROUTING -d xx.217.9.xx/32 -j WANPREROUTING
    -A POSTROUTING -o vlan2 -j MASQUERADE
    -A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.0/24 -o br0 -j SNAT --to-source 192.168.1.1
    -A WANPREROUTING -p icmp -j DNAT --to-destination 192.168.1.1
    -A WANPREROUTING -p tcp -m tcp --dport 50101 -j DNAT --to-destination 192.168.1.101
    -A WANPREROUTING -p udp -m udp --dport 50101 -j DNAT --to-destination 192.168.1.101
    -A WANPREROUTING -p tcp -m tcp --dport 2121 -j DNAT --to-destination 192.168.1.1
    Code:
    # netstat -an
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0 0.0.0.0:9091            0.0.0.0:*               LISTEN
    tcp        0      0 127.0.0.1:40            0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:2121            0.0.0.0:*               LISTEN
    tcp        0      0 192.168.1.1:139         0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:51515           0.0.0.0:*               LISTEN
    tcp        0      0 192.168.1.1:443         0.0.0.0:*               LISTEN
    tcp        0      0 192.168.1.1:445         0.0.0.0:*               LISTEN
    tcp        0     64 192.168.1.1:22          192.168.1.101:63665     ESTABLISHED
    tcp        0      0 192.168.1.1:445         192.168.1.101:59270     ESTABLISHED
    tcp        0      0 :::53                   :::*                    LISTEN
    tcp        0      0 :::22                   :::*                    LISTEN
    tcp        0      0 :::23                   :::*                    LISTEN
    tcp        0      0 :::51515                :::*                    LISTEN
    udp        0      0 xx.217.9.xx:6153        xx.217.9.xx:5351         ESTABLISHED
    udp        0      0 0.0.0.0:42000           0.0.0.0:*
    udp        0      0 127.0.0.1:40            0.0.0.0:*
    udp        0      0 xx.217.9.xx:52266       xx.217.9.xx:5351         ESTABLISHED
    udp        0      0 0.0.0.0:53              0.0.0.0:*
    udp        0      0 0.0.0.0:51515           0.0.0.0:*
    udp        0      0 0.0.0.0:67              0.0.0.0:*
    udp        0      0 0.0.0.0:38000           0.0.0.0:*
    udp        0      0 192.168.1.255:137       0.0.0.0:*
    udp        0      0 192.168.1.1:137         0.0.0.0:*
    udp        0      0 0.0.0.0:137             0.0.0.0:*
    udp        0      0 192.168.1.255:138       0.0.0.0:*
    udp        0      0 192.168.1.1:138         0.0.0.0:*
    udp        0      0 0.0.0.0:138             0.0.0.0:*
    udp        0      0 127.0.0.1:38032         0.0.0.0:*
    udp        0      0 0.0.0.0:36078           0.0.0.0:*
    udp        0      0 0.0.0.0:43000           0.0.0.0:*
    udp        0      0 :::53                   :::*
    udp        0      0 :::1194                 :::*
    raw        0      0 0.0.0.0:255             0.0.0.0:*               7
    Active UNIX domain sockets (servers and established)
    Proto RefCnt Flags       Type       State         I-Node Path
    unix  10     [ ]         DGRAM                    293    /dev/log
    unix  2      [ ACC ]     STREAM     LISTENING     1148   /var/nmbd/unexpected
    unix  3      [ ]         STREAM     CONNECTED     4241
    unix  3      [ ]         STREAM     CONNECTED     4240
    unix  3      [ ]         STREAM     CONNECTED     4238
    unix  3      [ ]         STREAM     CONNECTED     4237
    unix  3      [ ]         STREAM     CONNECTED     3879
    unix  3      [ ]         STREAM     CONNECTED     3878
    unix  3      [ ]         STREAM     CONNECTED     3876
    unix  3      [ ]         STREAM     CONNECTED     3875
    unix  2      [ ]         DGRAM                    3653
    unix  3      [ ]         STREAM     CONNECTED     3312
    unix  3      [ ]         STREAM     CONNECTED     3311
    unix  2      [ ]         DGRAM                    3310
    unix  2      [ ]         DGRAM                    3295
    unix  2      [ ]         DGRAM                    3018
    unix  2      [ ]         DGRAM                    2194
    unix  2      [ ]         DGRAM                    971
    unix  2      [ ]         DGRAM                    765
    unix  2      [ ]         DGRAM                    295
     
  20. Sean B.

    Sean B. LI Guru Member

    Did you add a user? If not, add one, login as that user and try listing the directory.

    Default config:

    This appears to be the case even when " Directory listings " is enabled in the GUI.

    When user " test " is added, it creates an entry in /etc/vsftpd.users

    Code:
    root@Storage:/tmp/etc/vsftpd.users# ls
    test
    root@Storage:/tmp/etc/vsftpd.users# cat test
    dirlist_enable=yes
    download_enable=yes
    write_enable=yes
    root@Storage:/tmp/etc/vsftpd.users#
    
    Note the:
    dirlist_enable=yes
     
  21. kille72

    kille72 LI Guru Member

    I do not understand it, why does it work on port 21?

    Code:
    # cat /etc/vsftpd.conf
    anonymous_enable=no
    dirmessage_enable=yes
    download_enable=no
    dirlist_enable=no
    hide_ids=yes
    syslog_enable=yes
    local_enable=yes
    local_umask=022
    chmod_enable=no
    chroot_local_user=yes
    check_shell=no
    log_ftp_protocol=no
    user_config_dir=/etc/vsftpd.users
    passwd_file=/etc/vsftpd.passwd
    listen=yes
    listen_ipv6=no
    listen_port=21
    background=yes
    isolate=no
    max_clients=0
    max_per_ip=0
    max_login_fails=1
    idle_session_timeout=300
    use_sendfile=no
    anon_max_rate=0
    local_max_rate=0
     
    Last edited: Feb 3, 2018
  22. Sean B.

    Sean B. LI Guru Member

    What are you using for a login?
     
  23. Sean B.

    Sean B. LI Guru Member

    Nevermind, that idea is only valid when port forwarded.
     
  24. kille72

    kille72 LI Guru Member

    It does not work with version 2017.2 and port 2121 either, port 21 works!

    Code:
    root@Asus:/tmp/etc/vsftpd.users# ls
    test
    root@Asus:/tmp/etc/vsftpd.users# cat test
    dirlist_enable=yes
    download_enable=yes
    write_enable=yes
     
  25. kille72

    kille72 LI Guru Member

    Same problem with:
    iptables -t filter -I INPUT 1 -s WAN.IP.OF.CLIENT -j ACCEPT
     
  26. kille72

    kille72 LI Guru Member

    Port 2121:
    Code:
    Feb  3 18:11:39 Asus ftp.info vsftpd[3080]: [test] OK LOGIN: Client "xx.185.85.xx"
    Feb  3 18:11:39 Asus ftp.info vsftpd[3082]: [test] FTP response: Client "xx.185.85.xx", "230 Login successful."
    Feb  3 18:11:39 Asus ftp.info vsftpd[3082]: [test] FTP command: Client "xx.185.85.xx", "OPTS UTF8 ON"
    Feb  3 18:11:39 Asus ftp.info vsftpd[3082]: [test] FTP response: Client "xx.185.85.xx", "200 Always in UTF8 mode."
    Feb  3 18:11:39 Asus ftp.info vsftpd[3082]: [test] FTP command: Client "xx.185.85.xx", "TYPE I"
    Feb  3 18:11:39 Asus ftp.info vsftpd[3082]: [test] FTP response: Client "xx.185.85.xx", "200 Switching to Binary mode."
    Feb  3 18:11:41 Asus ftp.info vsftpd[3105]: [test] OK LOGIN: Client "xx.185.85.xx"
    Feb  3 18:11:41 Asus ftp.info vsftpd[3107]: [test] FTP response: Client "xx.185.85.xx", "230 Login successful."
    Feb  3 18:11:41 Asus ftp.info vsftpd[3107]: [test] FTP command: Client "xx.185.85.xx", "OPTS UTF8 ON"
    Feb  3 18:11:41 Asus ftp.info vsftpd[3107]: [test] FTP response: Client "xx.185.85.xx", "200 Always in UTF8 mode."
    Feb  3 18:11:41 Asus ftp.info vsftpd[3107]: [test] FTP command: Client "xx.185.85.xx", "TYPE I"
    Feb  3 18:11:41 Asus ftp.info vsftpd[3107]: [test] FTP response: Client "xx.185.85.xx", "200 Switching to Binary mode."
    Feb  3 18:11:41 Asus ftp.info vsftpd[3107]: [test] FTP command: Client "xx.185.85.xx", "PWD"
    Feb  3 18:11:41 Asus ftp.info vsftpd[3107]: [test] FTP response: Client "xx.185.85.xx", "257 "/" is the current directory"
    Feb  3 18:11:41 Asus ftp.info vsftpd[3107]: [test] FTP command: Client "xx.185.85.xx", "NOOP"
    Feb  3 18:11:41 Asus ftp.info vsftpd[3107]: [test] FTP response: Client "xx.185.85.xx", "200 NOOP ok."
    Feb  3 18:11:41 Asus ftp.info vsftpd[3107]: [test] FTP command: Client "xx.185.85.xx", "NOOP"
    Feb  3 18:11:41 Asus ftp.info vsftpd[3107]: [test] FTP response: Client "xx.185.85.xx", "200 NOOP ok."
    Feb  3 18:11:41 Asus ftp.info vsftpd[3107]: [test] FTP command: Client "xx.185.85.xx", "CWD /"
    Feb  3 18:11:41 Asus ftp.info vsftpd[3107]: [test] FTP response: Client "xx.185.85.xx", "250 Directory successfully changed."
    Feb  3 18:11:41 Asus ftp.info vsftpd[3107]: [test] FTP command: Client "xx.185.85.xx", "SYST"
    Feb  3 18:11:41 Asus ftp.info vsftpd[3107]: [test] FTP response: Client "xx.185.85.xx", "215 UNIX Type: L8"
    Feb  3 18:11:41 Asus ftp.info vsftpd[3107]: [test] FTP command: Client "xx.185.85.xx", "PASV"
    Feb  3 18:11:41 Asus ftp.info vsftpd[3107]: [test] FTP response: Client "xx.185.85.xx", "227 Entering Passive Mode (192,168,1,1,122,5)."
    Feb  3 18:11:54 Asus ftp.info vsftpd[3107]: [test] FTP command: Client "xx.185.85.xx", "NOOP"
    Feb  3 18:11:54 Asus ftp.info vsftpd[3107]: [test] FTP response: Client "xx.185.85.xx", "200 NOOP ok."
    Feb  3 18:11:54 Asus ftp.info vsftpd[3107]: [test] FTP command: Client "xx.185.85.xx", "CWD /"
    Feb  3 18:11:54 Asus ftp.info vsftpd[3107]: [test] FTP response: Client "xx.185.85.xx", "250 Directory successfully changed."
    Feb  3 18:11:54 Asus ftp.info vsftpd[3107]: [test] FTP command: Client "xx.185.85.xx", "PASV"
    Feb  3 18:11:54 Asus ftp.info vsftpd[3107]: [test] FTP response: Client "xx.185.85.xx", "227 Entering Passive Mode (192,168,1,1,248,78)."
    [screenshot: ftp.png]

    Port 21:
    Code:
    Feb  3 18:20:12 Asus ftp.info vsftpd[3429]: [test] OK LOGIN: Client "xx.185.85.xx"
    Feb  3 18:20:12 Asus ftp.info vsftpd[3431]: [test] FTP response: Client "xx.185.85.xx", "230 Login successful."
    Feb  3 18:20:13 Asus ftp.info vsftpd[3431]: [test] FTP command: Client "xx.185.85.xx", "SYST"
    Feb  3 18:20:13 Asus ftp.info vsftpd[3431]: [test] FTP response: Client "xx.185.85.xx", "215 UNIX Type: L8"
    Feb  3 18:20:13 Asus ftp.info vsftpd[3431]: [test] FTP command: Client "xx.185.85.xx", "PWD"
    Feb  3 18:20:13 Asus ftp.info vsftpd[3431]: [test] FTP response: Client "xx.185.85.xx", "257 "/" is the current directory"
    Feb  3 18:20:13 Asus ftp.info vsftpd[3431]: [test] FTP command: Client "xx.185.85.xx", "TYPE I"
    Feb  3 18:20:13 Asus ftp.info vsftpd[3431]: [test] FTP response: Client "xx.185.85.xx", "200 Switching to Binary mode."
    Feb  3 18:20:13 Asus ftp.info vsftpd[3431]: [test] FTP command: Client "xx.185.85.xx", "SIZE /"
    Feb  3 18:20:13 Asus ftp.info vsftpd[3431]: [test] FTP response: Client "xx.185.85.xx", "550 Could not get file size."
    Feb  3 18:20:13 Asus ftp.info vsftpd[3431]: [test] FTP command: Client "xx.185.85.xx", "CWD /"
    Feb  3 18:20:13 Asus ftp.info vsftpd[3431]: [test] FTP response: Client "xx.185.85.xx", "250 Directory successfully changed."
    Feb  3 18:20:13 Asus ftp.info vsftpd[3431]: [test] FTP command: Client "xx.185.85.xx", "PASV"
    Feb  3 18:20:13 Asus ftp.info vsftpd[3431]: [test] FTP response: Client "xx.185.85.xx", "227 Entering Passive Mode (192,168,1,1,32,35)."
    Feb  3 18:20:13 Asus ftp.info vsftpd[3431]: [test] FTP command: Client "xx.185.85.xx", "LIST -l"
    Feb  3 18:20:13 Asus ftp.info vsftpd[3431]: [test] FTP response: Client "xx.185.85.xx", "150 Here comes the directory listing."
    Feb  3 18:20:13 Asus ftp.info vsftpd[3431]: [test] FTP response: Client "xx.185.85.xx", "226 Directory send OK."
    Feb  3 18:20:13 Asus ftp.info vsftpd[3431]: [test] FTP command: Client "xx.185.85.xx", "QUIT"
    Feb  3 18:20:13 Asus ftp.info vsftpd[3431]: [test] FTP response: Client "xx.185.85.xx", "221 Goodbye."
    [screenshot: ftp2.png]

    Can anyone try Shibby's or Toastman's Tomato with port 2121?
     
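As an added example (not code from the thread or from Tomato), the script below parses vsftpd protocol-log lines like the two captures above, groups them by vsftpd PID, and reports sessions where a 227 reply advertised a private passive address and no 150 reply followed, which is the port 2121 pattern here and matches Sean B.'s conntrack guess later in the thread (the Linux FTP conntrack helper only watches the control ports it is configured for, 21 by default). The sample lines are copied from kille72's port 2121 and port 21 logs; the verdict strings are mine.

```python
import re
from dataclasses import dataclass, field
from ipaddress import ip_address

# Sample input: lines copied from kille72's captures above (PID 3107 = port 2121
# session that stalled, PID 3431 = port 21 session that listed the directory).
SAMPLE_LOG = """\
Feb  3 18:11:41 Asus ftp.info vsftpd[3105]: [test] OK LOGIN: Client "xx.185.85.xx"
Feb  3 18:11:41 Asus ftp.info vsftpd[3107]: [test] FTP response: Client "xx.185.85.xx", "230 Login successful."
Feb  3 18:11:41 Asus ftp.info vsftpd[3107]: [test] FTP command: Client "xx.185.85.xx", "PWD"
Feb  3 18:11:41 Asus ftp.info vsftpd[3107]: [test] FTP response: Client "xx.185.85.xx", "257 "/" is the current directory"
Feb  3 18:11:41 Asus ftp.info vsftpd[3107]: [test] FTP command: Client "xx.185.85.xx", "PASV"
Feb  3 18:11:41 Asus ftp.info vsftpd[3107]: [test] FTP response: Client "xx.185.85.xx", "227 Entering Passive Mode (192,168,1,1,122,5)."
Feb  3 18:11:54 Asus ftp.info vsftpd[3107]: [test] FTP command: Client "xx.185.85.xx", "PASV"
Feb  3 18:11:54 Asus ftp.info vsftpd[3107]: [test] FTP response: Client "xx.185.85.xx", "227 Entering Passive Mode (192,168,1,1,248,78)."
Feb  3 18:20:12 Asus ftp.info vsftpd[3431]: [test] FTP response: Client "xx.185.85.xx", "230 Login successful."
Feb  3 18:20:13 Asus ftp.info vsftpd[3431]: [test] FTP command: Client "xx.185.85.xx", "PASV"
Feb  3 18:20:13 Asus ftp.info vsftpd[3431]: [test] FTP response: Client "xx.185.85.xx", "227 Entering Passive Mode (192,168,1,1,32,35)."
Feb  3 18:20:13 Asus ftp.info vsftpd[3431]: [test] FTP command: Client "xx.185.85.xx", "LIST -l"
Feb  3 18:20:13 Asus ftp.info vsftpd[3431]: [test] FTP response: Client "xx.185.85.xx", "150 Here comes the directory listing."
Feb  3 18:20:13 Asus ftp.info vsftpd[3431]: [test] FTP response: Client "xx.185.85.xx", "226 Directory send OK."
Feb  3 18:20:13 Asus ftp.info vsftpd[3431]: [test] FTP command: Client "xx.185.85.xx", "QUIT"
"""

# One vsftpd "FTP command"/"FTP response" line (log_ftp_protocol=yes format).
# The "OK LOGIN" line comes from the parent process and carries no command, so it is skipped.
LINE_RE = re.compile(
    r'vsftpd\[(?P<pid>\d+)\]: \[(?P<user>[^\]]*)\] FTP (?P<kind>command|response): '
    r'Client "(?P<client>[^"]*)", "(?P<text>.*)"$')
# RFC 959 PASV reply: h1,h2,h3,h4 is the address, port = p1 * 256 + p2.
PASV_RE = re.compile(r'^227 Entering Passive Mode \((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)')


@dataclass
class Session:
    pid: str
    user: str
    client: str
    pasv: list = field(default_factory=list)  # (host, port) advertised in each 227 reply
    data_opened: bool = False                  # a 150 reply means the data connection came up


def parse_pasv(text):
    """Decode a 227 reply into (host, port); None for any other response text."""
    m = PASV_RE.match(text)
    if not m:
        return None
    h = [int(x) for x in m.groups()]
    return f'{h[0]}.{h[1]}.{h[2]}.{h[3]}', h[4] * 256 + h[5]


def parse_sessions(lines):
    """Group protocol-log lines by the per-connection vsftpd PID."""
    sessions = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        s = sessions.setdefault(m['pid'], Session(m['pid'], m['user'], m['client']))
        if m['kind'] == 'response':
            p = parse_pasv(m['text'])
            if p:
                s.pasv.append(p)
            elif m['text'].startswith('150 '):
                s.data_opened = True
    return sessions


def diagnose(s):
    """Classify one control session as (status, detail)."""
    if not s.pasv:
        return 'no-pasv', 'client never requested passive mode'
    host, port = s.pasv[-1]
    where = f'{host}:{port}'
    if s.data_opened:
        return 'ok', f'data connection after PASV to {where} completed'
    if ip_address(host).is_private:
        return 'stalled', (f'{len(s.pasv)} PASV reply/replies advertised private {where}; '
                           'no 150 followed (passive address not rewritten for the WAN client?)')
    return 'stalled', f'no 150 after PASV to {where}'


def report(lines):
    """Verdict per PID for a whole log excerpt."""
    return {pid: diagnose(s) for pid, s in parse_sessions(lines).items()}


if __name__ == '__main__':
    for pid, (status, detail) in report(SAMPLE_LOG.splitlines()).items():
        print(f'vsftpd[{pid}] {status}: {detail}')
```

On the sample above the port 21 session is reported ok and the port 2121 session stalled, which is exactly the difference kille72's two screenshots showed.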
  27. PetervdM

    PetervdM Network Guru Member

    2017.3 connection from wan with andftp on android using port 21021:

    Code:
    Feb  3 11:55:27 nl5212bw23 ftp.info vsftpd[20026]: [abcdefg] OK LOGIN: Client "xxx.140.132.yyy"
    Feb  3 11:55:27 nl5212bw23 ftp.info vsftpd[20028]: [abcdefg] FTP response: Client "xxx.140.132.yyy", "230 Login successful."
    Feb  3 11:55:27 nl5212bw23 ftp.info vsftpd[20028]: [abcdefg] FTP command: Client "xxx.140.132.yyy", "FEAT"
    Feb  3 11:55:27 nl5212bw23 ftp.info vsftpd[20028]: [abcdefg] FTP response: Client "xxx.140.132.yyy", "211-Features:"
    Feb  3 11:55:27 nl5212bw23 ftp.info vsftpd[20028]: [abcdefg] FTP response: Client "xxx.140.132.yyy", " EPRT^M "
    Feb  3 11:55:27 nl5212bw23 ftp.info vsftpd[20028]: [abcdefg] FTP response: Client "xxx.140.132.yyy", " EPSV^M "
    Feb  3 11:55:27 nl5212bw23 ftp.info vsftpd[20028]: [abcdefg] FTP response: Client "xxx.140.132.yyy", " MDTM^M "
    Feb  3 11:55:27 nl5212bw23 ftp.info vsftpd[20028]: [abcdefg] FTP response: Client "xxx.140.132.yyy", " PASV^M "
    Feb  3 11:55:27 nl5212bw23 ftp.info vsftpd[20028]: [abcdefg] FTP response: Client "xxx.140.132.yyy", " REST STREAM^M "
    Feb  3 11:55:27 nl5212bw23 ftp.info vsftpd[20028]: [abcdefg] FTP response: Client "xxx.140.132.yyy", " SIZE^M "
    Feb  3 11:55:27 nl5212bw23 ftp.info vsftpd[20028]: [abcdefg] FTP response: Client "xxx.140.132.yyy", " TVFS^M "
    Feb  3 11:55:27 nl5212bw23 ftp.info vsftpd[20028]: [abcdefg] FTP response: Client "xxx.140.132.yyy", " UTF8^M "
    Feb  3 11:55:27 nl5212bw23 ftp.info vsftpd[20028]: [abcdefg] FTP response: Client "xxx.140.132.yyy", "211 End"
    Feb  3 11:55:28 nl5212bw23 ftp.info vsftpd[20028]: [abcdefg] FTP command: Client "xxx.140.132.yyy", "PWD"
    Feb  3 11:55:28 nl5212bw23 ftp.info vsftpd[20028]: [abcdefg] FTP response: Client "xxx.140.132.yyy", "257 "/" is the current directory"
    Feb  3 11:55:28 nl5212bw23 ftp.info vsftpd[20028]: [abcdefg] FTP command: Client "xxx.140.132.yyy", "NOOP"
    Feb  3 11:55:28 nl5212bw23 ftp.info vsftpd[20028]: [abcdefg] FTP response: Client "xxx.140.132.yyy", "200 NOOP ok."
    Feb  3 11:55:28 nl5212bw23 ftp.info vsftpd[20028]: [abcdefg] FTP command: Client "xxx.140.132.yyy", "CWD /"
    Feb  3 11:55:28 nl5212bw23 ftp.info vsftpd[20028]: [abcdefg] FTP response: Client "xxx.140.132.yyy", "250 Directory successfully changed."
    Feb  3 11:55:28 nl5212bw23 ftp.info vsftpd[20028]: [abcdefg] FTP command: Client "xxx.140.132.yyy", "FEAT"
    Feb  3 11:55:28 nl5212bw23 ftp.info vsftpd[20028]: [abcdefg] FTP response: Client "xxx.140.132.yyy", "211-Features:"
    Feb  3 11:55:28 nl5212bw23 ftp.info vsftpd[20028]: [abcdefg] FTP response: Client "xxx.140.132.yyy", " EPRT^M "
    Feb  3 11:55:28 nl5212bw23 ftp.info vsftpd[20028]: [abcdefg] FTP response: Client "xxx.140.132.yyy", " EPSV^M "
    Feb  3 11:55:28 nl5212bw23 ftp.info vsftpd[20028]: [abcdefg] FTP response: Client "xxx.140.132.yyy", " MDTM^M "
    Feb  3 11:55:28 nl5212bw23 ftp.info vsftpd[20028]: [abcdefg] FTP response: Client "xxx.140.132.yyy", " PASV^M "
    Feb  3 11:55:28 nl5212bw23 ftp.info vsftpd[20028]: [abcdefg] FTP response: Client "xxx.140.132.yyy", " REST STREAM^M "
    Feb  3 11:55:28 nl5212bw23 ftp.info vsftpd[20028]: [abcdefg] FTP response: Client "xxx.140.132.yyy", " SIZE^M "
    Feb  3 11:55:28 nl5212bw23 ftp.info vsftpd[20028]: [abcdefg] FTP response: Client "xxx.140.132.yyy", " TVFS^M "
    Feb  3 11:55:28 nl5212bw23 ftp.info vsftpd[20028]: [abcdefg] FTP response: Client "xxx.140.132.yyy", " UTF8^M "
    Feb  3 11:55:28 nl5212bw23 ftp.info vsftpd[20028]: [abcdefg] FTP response: Client "xxx.140.132.yyy", "211 End"
    Feb  3 11:55:28 nl5212bw23 ftp.info vsftpd[20028]: [abcdefg] FTP command: Client "xxx.140.132.yyy", "SYST"
    Feb  3 11:55:28 nl5212bw23 ftp.info vsftpd[20028]: [abcdefg] FTP response: Client "xxx.140.132.yyy", "215 UNIX Type: L8"
    Feb  3 11:55:28 nl5212bw23 ftp.info vsftpd[20028]: [abcdefg] FTP command: Client "xxx.140.132.yyy", "PASV"
    Feb  3 11:55:28 nl5212bw23 ftp.info vsftpd[20028]: [abcdefg] FTP response: Client "xxx.140.132.yyy", "227 Entering Passive Mode (172,18,1,254,218,176)."
    Feb  3 11:55:28 nl5212bw23 ftp.info vsftpd[20028]: [abcdefg] FTP command: Client "xxx.140.132.yyy", "LIST"
    Feb  3 11:55:28 nl5212bw23 ftp.info vsftpd[20028]: [abcdefg] FTP response: Client "xxx.140.132.yyy", "150 Here comes the directory listing."
    Feb  3 11:55:28 nl5212bw23 ftp.info vsftpd[20028]: [abcdefg] FTP response: Client "xxx.140.132.yyy", "226 Directory send OK."
     
  28. kille72

    kille72 LI Guru Member

    Very strange, port 21021 here:

    Code:
    Feb  3 18:45:54 Asus ftp.info vsftpd[6095]: [test] OK LOGIN: Client "xx.185.85.xx"
    Feb  3 18:45:54 Asus ftp.info vsftpd[6097]: [test] FTP response: Client "xx.185.85.xx", "230 Login successful."
    Feb  3 18:45:54 Asus ftp.info vsftpd[6097]: [test] FTP command: Client "xx.185.85.xx", "SYST"
    Feb  3 18:45:54 Asus ftp.info vsftpd[6097]: [test] FTP response: Client "xx.185.85.xx", "215 UNIX Type: L8"
    Feb  3 18:45:54 Asus ftp.info vsftpd[6097]: [test] FTP command: Client "xx.185.85.xx", "PWD"
    Feb  3 18:45:54 Asus ftp.info vsftpd[6097]: [test] FTP response: Client "xx.185.85.xx", "257 "/" is the current directory"
    Feb  3 18:45:54 Asus ftp.info vsftpd[6097]: [test] FTP command: Client "xx.185.85.xx", "TYPE I"
    Feb  3 18:45:54 Asus ftp.info vsftpd[6097]: [test] FTP response: Client "xx.185.85.xx", "200 Switching to Binary mode."
    Feb  3 18:45:54 Asus ftp.info vsftpd[6097]: [test] FTP command: Client "xx.185.85.xx", "SIZE /"
    Feb  3 18:45:54 Asus ftp.info vsftpd[6097]: [test] FTP response: Client "xx.185.85.xx", "550 Could not get file size."
    Feb  3 18:45:54 Asus ftp.info vsftpd[6097]: [test] FTP command: Client "xx.185.85.xx", "CWD /"
    Feb  3 18:45:54 Asus ftp.info vsftpd[6097]: [test] FTP response: Client "xx.185.85.xx", "250 Directory successfully changed."
    Feb  3 18:45:54 Asus ftp.info vsftpd[6097]: [test] FTP command: Client "xx.185.85.xx", "PASV"
    Feb  3 18:45:54 Asus ftp.info vsftpd[6097]: [test] FTP response: Client "xx.185.85.xx", "227 Entering Passive Mode (192,168,1,1,242,238)."
    Can you please paste all config and:
    cat /etc/vsftpd.conf
    iptables -t filter --list-rules
    iptables -t nat --list-rules
    netstat -an

    And which client do you use?
     
    Last edited: Feb 3, 2018
  29. eibgrad

    eibgrad Network Guru Member

    Instead of changing the actual port used by FTP (21), why not DNAT an external port (2121) over to the default FTP port (21)! IOW, stop messing w/ the FTP configuration. Just create a redirection for external users. This also has the advantage of not having to force internal users to know the new FTP port and manually configure each internal reference.
     
    Last edited: Feb 3, 2018
  30. Sean B.

    Sean B. LI Guru Member

    Directory listing while using port 2121 works fine with Toastman; I posted screenshots earlier in this thread before you came in, @kille72.
     
  31. Sean B.

    Sean B. LI Guru Member

    Explain how that works with a user entered variable port number in the GUI? Or are you saying it makes more sense to re-code the GUI with a firewall bandaid rather than fix the actual problem?
     
  32. eibgrad

    eibgrad Network Guru Member

    I don't understand the question.

    What I'm saying is, changing the actual FTP port is like setting up a webserver internally, on the LAN, on port 8080, just because you intend to access it using port 8080 externally. That's not required. You can leave the internal webserver on port 80, and just change the external port to 8080. The port forward's DNAT makes the conversion. You can do the same thing on any router-provided service. That's what happens when the GUI is exposed over the WAN. We don't change the webserver on the router to 8080, it's still 80.

    Just seems to me everyone has gotten hung up on changing the internal port, just for the sake of external users.
     
  33. Sean B.

    Sean B. LI Guru Member

    The GUI is coded to set the variables in vsftpd.conf, and allowing both WAN and LAN access is a single option. To do as you suggest would require splitting the port option and WAN+LAN options apart in the code, along with adding the required iptables additions. In reality it would also require duplicating several of the GUI's configuration options, if the option to change the port used on the LAN side is to be retained as well.
     
  34. eibgrad

    eibgrad Network Guru Member

    Same thing is true about SSH. Notice on the Administration page, you can configure a *remote* port. But we don't change the ssh internal port (22) just because we want remote access to ssh over the WAN.
     
  35. Sean B.

    Sean B. LI Guru Member

    I didn't say it won't work that way. I'm saying in terms of volume of changes/coding required, simply fixing whatever the issue currently is has a good chance of being a much less invasive solution.
     
  36. Sean B.

    Sean B. LI Guru Member

    Especially since it works as designed on Toastman. I would guess there's an iptables/conntrack or related change in kille's builds that is getting in the way of the data connection when the control connection is no longer on 21.
     
  37. eibgrad

    eibgrad Network Guru Member

    It all depends on your perspective. As I said, changing the internal port *just* for the sake of external users doesn't make a whole lot of sense, at least to me. That's why the Admin page offers a remote port option for ssh. And so does remote access to the GUI. Why make all your internal users reference the external port just for the sake of external users?

    But you're right. If the FTP page foolishly doesn't offer this option, and you want to remain handcuffed by the GUI, that's your choice. I'm only offering this as an option, to get around the current problem. That's what we do around here. We offer options.
     
    kille72 likes this.
  38. Sean B.

    Sean B. LI Guru Member

    I look forward to seeing your submission for all that code change.
     
    kille72 likes this.
  39. eibgrad

    eibgrad Network Guru Member

    I don't know Sean B., sometimes, just sometimes ...

    What in the world does that comment have to do w/ the issue at hand? Either my point is well taken, or it isn't. Whether I personally provide the source code, or someone else finds it too challenging to make such changes, is completely irrelevant. If there's a better way, it should be considered/debated on its own merits and not on my personal contributions to the code base.

    The FTP page in this regard is stupid, antiquated. It makes no sense given how all other services are managed when it comes to access by internal vs. external users. Either that's a valid point or it isn't. And if it is, eventually it should be corrected, because in my book, that qualifies as a bug too! And as you suggest, shouldn't we fix the bugs when we find them?

    Frankly, it isn't even all that hard. Just follow the logic used by ssh when it comes to its own remote port option. I'm sure even a junior programmer could knock it out in a few hours, and w/ a lunch break in between. As a public service, I'll even provide a quick outline.

    1. Remove LAN Only vs. WAN+LAN option from GUI.
    2. Add remote port option to GUI.
    3. Create nvram variable to store remote port option.
    4. If remote port option specified in GUI, save in nvram.
    5. If FTP started, and remote port variable is not empty, add appropriate INPUT and DNAT rules to firewall.
    6. If FTP stopped, and remote port variable is not empty, delete INPUT and DNAT rules from firewall.
    7. Get cup of coffee, sit back, and be proud of the vast improvement you've just made to the GUI (P.S., remember to send thank you note to eibgrad!)

    No, no, no, put that digital wallet back where it came from, consider this a freebie, on the house.
     
    kille72 likes this.
  40. PetervdM

    PetervdM Network Guru Member

    Client is AndFTP on Android.

    vsftpd.conf:


    Code:
    anonymous_enable=no
    dirmessage_enable=yes
    download_enable=no
    dirlist_enable=no
    hide_ids=yes
    syslog_enable=yes
    local_enable=yes
    local_umask=022
    chmod_enable=no
    chroot_local_user=yes
    check_shell=no
    log_ftp_protocol=yes
    user_config_dir=/etc/vsftpd.users
    passwd_file=/etc/vsftpd.passwd
    listen=yes
    listen_ipv6=no
    listen_port=21021
    background=yes
    isolate=no
    max_clients=0
    max_per_ip=0
    max_login_fails=1
    idle_session_timeout=300
    use_sendfile=no
    anon_max_rate=0
    local_max_rate=0
    # connect_from_port_20=yes

    iptables -t filter --list-rules:

    Code:
    -P INPUT DROP
    -P FORWARD DROP
    -P OUTPUT ACCEPT
    -N IANA_RESERVED
    -N ftplimit
    -N logdrop
    -N logreject
    -N monitor
    -N shlimit
    -N wanin
    -N wanout
    -A INPUT -i vlan2 -p udp -m udp --sport 9956 --dport 9956 -j DROP
    -A INPUT -i vlan2 -p tcp -m tcp --dport 7547 -j DROP
    -A INPUT -i vlan2 -p udp -m udp --dport 53413 -j DROP
    -A INPUT -i vlan2 -p tcp -m tcp --dport 2323 -j DROP
    -A INPUT -i vlan2 -p tcp -m tcp --dport 23 -j DROP
    -A INPUT -i vlan2 -p udp -m udp --sport 67:68 --dport 67:68 -j DROP
    -A INPUT -s 192.168.254.254/32 -d 224.0.0.0/24 -i vlan2 -j DROP
    -A INPUT -i tap21 -j ACCEPT
    -A INPUT -p udp -m udp --dport 11194 -j ACCEPT
    -A INPUT -d 192.168.254.1/32 -i br0 -j DROP
    -A INPUT -m state --state INVALID -j DROP
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 22022 -m state --state NEW -j shlimit
    -A INPUT -p tcp -m tcp --dport 23023 -m state --state NEW -j shlimit
    -A INPUT -p tcp -m tcp --dport 21021 -m state --state NEW -j ftplimit
    -A INPUT -i lo -j ACCEPT
    -A INPUT -i br0 -j ACCEPT
    -A INPUT -p icmp -m limit --limit 1/sec -j ACCEPT
    -A INPUT -p udp -m udp --dport 33434:33534 -m limit --limit 1/sec -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 22022 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 21021 -j ACCEPT
    -A INPUT -d 224.0.0.0/4 -p igmp -j ACCEPT
    -A INPUT -d 224.0.0.0/4 -p udp -m udp ! --dport 1900 -j ACCEPT
    -A INPUT -j logdrop
    -A FORWARD -s 172.18.1.251/32 -j DROP
    -A FORWARD -i tap21 -j ACCEPT
    -A FORWARD -m account --aaddr 172.18.1.0/255.255.255.0 --aname lan
    -A FORWARD -i br0 -o br0 -j ACCEPT
    -A FORWARD -m state --state INVALID -j DROP
    -A FORWARD -o vlan2 -j monitor
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i vlan2 -j wanin
    -A FORWARD -o vlan2 -j wanout
    -A FORWARD -i br0 -j ACCEPT
    -A IANA_RESERVED -d 192.168.254.0/24 -j RETURN
    -A IANA_RESERVED -d 10.240.192.1/32 -j RETURN
    -A IANA_RESERVED -d 0.0.0.0/8 -o vlan2 -j logdrop
    -A IANA_RESERVED -d 10.0.0.0/8 -o vlan2 -j logdrop
    -A IANA_RESERVED -d 100.64.0.0/10 -o vlan2 -j logdrop
    -A IANA_RESERVED -d 127.0.0.0/8 -o vlan2 -j logdrop
    -A IANA_RESERVED -d 169.254.0.0/16 -o vlan2 -j logdrop
    -A IANA_RESERVED -d 172.16.0.0/12 -o vlan2 -j logdrop
    -A IANA_RESERVED -d 192.0.0.0/24 -o vlan2 -j logdrop
    -A IANA_RESERVED -d 192.0.2.0/24 -o vlan2 -j logdrop
    -A IANA_RESERVED -d 192.88.99.0/24 -o vlan2 -j logdrop
    -A IANA_RESERVED -d 192.168.0.0/16 -o vlan2 -j logdrop
    -A IANA_RESERVED -d 198.18.0.0/15 -o vlan2 -j logdrop
    -A IANA_RESERVED -d 198.51.100.0/24 -o vlan2 -j logdrop
    -A IANA_RESERVED -d 203.0.113.0/24 -o vlan2 -j logdrop
    -A IANA_RESERVED -d 224.0.0.0/4 -o vlan2 -j logdrop
    -A IANA_RESERVED -d 240.0.0.0/4 -o vlan2 -j logdrop
    -A IANA_RESERVED -j RETURN
    -A ftplimit -m recent --set --name ftp --rsource
    -A ftplimit -m recent --update --seconds 60 --hitcount 4 --name ftp --rsource -j logdrop
    -A logdrop -m state --state NEW -m limit --limit 1/sec -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options --log-macdecode
    -A logdrop -j DROP
    -A logreject -m limit --limit 1/sec -j LOG --log-prefix "REJECT " --log-tcp-sequence --log-tcp-options --log-ip-options --log-macdecode
    -A logreject -p tcp -j REJECT --reject-with tcp-reset
    -A monitor -p tcp -m webmon --max_domains 200 --max_searches 20 -j RETURN
    -A shlimit -m recent --set --name shlimit --rsource
    -A shlimit -m recent --update --seconds 600 --hitcount 4 --name shlimit --rsource -j logdrop
    -A wanin -d 224.0.0.0/4 -p udp -j ACCEPT
    -A wanin -d 172.18.1.251/32 -p tcp -m tcp --dport 10080 -j ACCEPT
    -A wanin -d 172.18.1.251/32 -p tcp -m tcp --dport 15554 -j ACCEPT
    -A wanin -d 172.18.1.251/32 -p udp -m udp --dport 15554 -j ACCEPT
    -A wanin -d 172.18.1.251/32 -p tcp -m tcp --dport 8181 -j ACCEPT
    -A wanout -j IANA_RESERVED

    iptables -t nat --list-rules:

    Code:
    -P PREROUTING ACCEPT
    -P INPUT ACCEPT
    -P OUTPUT ACCEPT
    -P POSTROUTING ACCEPT
    -N WANPREROUTING
    -A PREROUTING -p udp -m udp --dport 11194 -j ACCEPT
    -A PREROUTING -d 192.168.254.1/32 -j WANPREROUTING
    -A PREROUTING -s 172.18.1.0/24 ! -d 172.18.1.0/24 -p tcp -m tcp --dport 53 -j DNAT --to-destination 172.18.1.254
    -A PREROUTING -s 172.18.1.0/24 ! -d 172.18.1.0/24 -p udp -m udp --dport 53 -j DNAT --to-destination 172.18.1.254
    -A POSTROUTING -o vlan2 -j MASQUERADE
    -A WANPREROUTING -p icmp -j DNAT --to-destination 172.18.1.254
    -A WANPREROUTING -p tcp -m tcp --dport 10080 -j DNAT --to-destination 172.18.1.251
    -A WANPREROUTING -p tcp -m tcp --dport 15554 -j DNAT --to-destination 172.18.1.251
    -A WANPREROUTING -p udp -m udp --dport 15554 -j DNAT --to-destination 172.18.1.251
    -A WANPREROUTING -p tcp -m tcp --dport 8181 -j DNAT --to-destination 172.18.1.251
    -A WANPREROUTING -p tcp -m tcp --dport 21021 -j DNAT --to-destination 172.18.1.254

    netstat -an:

    Code:
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State      
    tcp        0      0 0.0.0.0:22022           0.0.0.0:*               LISTEN    
    tcp        0      0 127.0.0.1:40            0.0.0.0:*               LISTEN    
    tcp        0      0 172.18.1.254:80         0.0.0.0:*               LISTEN    
    tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN    
    tcp        0      0 0.0.0.0:4022            0.0.0.0:*               LISTEN    
    tcp        0      0 192.168.254.1:443       0.0.0.0:*               LISTEN    
    tcp        0      0 172.18.1.254:443        0.0.0.0:*               LISTEN    
    tcp        0      0 0.0.0.0:21021           0.0.0.0:*               LISTEN    
    tcp        0      0 172.18.1.254:22022      172.18.1.200:57862      ESTABLISHED
    tcp        0      0 172.18.1.254:80         172.18.1.200:51190      TIME_WAIT  
    tcp        0      0 172.18.1.254:80         172.18.1.200:51173      TIME_WAIT  
    tcp        0      0 172.18.1.254:80         172.18.1.200:51199      ESTABLISHED
    tcp        0      0 :::22022                :::*                    LISTEN    
    tcp        0      0 :::53                   :::*                    LISTEN    
    udp        0      0 0.0.0.0:42000           0.0.0.0:*                          
    udp        0      0 127.0.0.1:40            0.0.0.0:*                          
    udp        0      0 0.0.0.0:53              0.0.0.0:*                          
    udp        0      0 0.0.0.0:67              0.0.0.0:*                          
    udp        0      0 0.0.0.0:38000           0.0.0.0:*                          
    udp        0      0 127.0.0.1:38032         0.0.0.0:*                          
    udp        0      0 0.0.0.0:30100           0.0.0.0:*                          
    udp        0      0 0.0.0.0:161             0.0.0.0:*                          
    udp        0      0 0.0.0.0:11194           0.0.0.0:*                          
    udp        0      0 0.0.0.0:45000           0.0.0.0:*                          
    udp        0      0 0.0.0.0:43000           0.0.0.0:*                          
    udp        0      0 :::53                   :::*                              
    raw   122848      0 0.0.0.0:2               0.0.0.0:*               2          
    raw        0      0 0.0.0.0:2               0.0.0.0:*               2          
    raw        0      0 0.0.0.0:255             0.0.0.0:*               255        
    Active UNIX domain sockets (servers and established)
    Proto RefCnt Flags       Type       State         I-Node Path
    unix  10     [ ]         DGRAM                       380 /dev/log
    unix  2      [ ]         DGRAM                    239924
    unix  2      [ ]         DGRAM                      2034
    unix  3      [ ]         STREAM     CONNECTED       1687
    unix  3      [ ]         STREAM     CONNECTED       1686
    unix  2      [ ]         DGRAM                      1685
    unix  2      [ ]         DGRAM                      1667
    unix  2      [ ]         DGRAM                      1326
    unix  2      [ ]         DGRAM                      1316
    unix  2      [ ]         DGRAM                      1154
    unix  2      [ ]         DGRAM                      1060 
    I hope this can be helpful.
     

  41. eibgrad

    eibgrad Network Guru Member

    For anyone interested, the following firewall script will make the FTP server accessible externally via port 2121, without disturbing the internal port (by default, 21). Just make sure to set "Enable FTP Server" to "Yes, WAN and LAN".

    Code:
    LAN_IP="$(nvram get lan_ipaddr)"
    FTP_LPORT="$(nvram get ftp_port)"  # internal port the server listens on (default 21)
    FTP_RPORT=2121 # change to preferred external/remote port
    NUL_PORT=65535 # can be any *unused* internal port on router
    
    # Hide the internal port from the WAN by redirecting it to a port nothing listens on ...
    iptables -t nat -I WANPREROUTING -p tcp --dport $FTP_LPORT -j DNAT --to $LAN_IP:$NUL_PORT
    # ... and map the chosen external port onto the server's real (internal) port.
    iptables -t nat -I WANPREROUTING -p tcp --dport $FTP_RPORT -j DNAT --to $LAN_IP:$FTP_LPORT
    For the long term, it would actually make more sense for the developers to simply bind the FTP server to multiple ports (internal and external), then restrict each port to its appropriate INPUT network interface.
     
    Last edited: Feb 4, 2018
    kille72 likes this.
  42. Sean B.

    Sean B. LI Guru Member

    @kille72 , @PetervdM , hav
    Clearly you have never, at all, been into Tomato's code. As I stated before, I look forward to seeing your submission for the code changes. Put your digital wallet money where your mouth is.
     
    kille72 likes this.
  43. Sean B.

    Sean B. LI Guru Member

    Spoken, to the T, as someone that doesn't have any idea the rat's nest they're getting into with the overlapping cross-connected code of Tomato. As Koitsu put it, it's a mess. And the arrogance to imply developers are being lazy ( could just "simply" make the needed changes ) by not creating 5 other problems trying to fix one the way you suggest is, sadly, not surprising.
     
    Last edited: Feb 4, 2018
  44. Sean B.

    Sean B. LI Guru Member

    @kille72 , when you have a chance, could you check something for me:

    On a Windows client press Windows key+R and type:
    Code:
    control firewall.cpl
    In the window that comes up, on the left hand side click on " Allow an app or feature through windows firewall "

    Click "Change settings"

    Scroll down to "File Transfer Program "

    Is the box directly to the left of "File Transfer Program" checked? If not, check it.

    To the far right side, but on the same line for "File Transfer Program" put a check in both the boxes on that line.

    Click ok in the bottom right.

    ----------

    If you made any changes with the check boxes, run a test of the FTP functionality:

    Enable FTP on the router for LAN, set the port to 2121

    Set "Directory Listing" to enabled

    At the bottom, add a user with the name "test", password "1111", access "read/write", root directory "/opt" ( providing you have an opt partition mounted, if not then use /tmp or whatever you like ).

    -------

    On the windows client:

    Open powershell, assuming your router IP is 192.168.1.1 ( change if needed ) run these commands in order, the username/password entry will be prompted:

    Code:
    ftp
    open
    192.168.1.1 2121
    test
    1111
    ls
    
     
  45. Sean B.

    Sean B. LI Guru Member

    And btw, I suggest you actually try this out and see how it works for you. Because I'd bet my entire digital wallet it will not work. FTP clients, for the majority, set PASV ( passive ) mode when connected, example:

    Note, Passive mode.

    For passive mode.. the CLIENT side starts both connections.
    First, client creates the control connection ( to your FTP_PORT variable value )
    Second, client sends PASV command
    Third, server opens a port and informs the client of the port number with the syntax "---> PORT 192,168,150,80,14,178"

    To find the actual port multiply the fifth octet by 256 and then add the sixth octet to the total. Thus the port number is ( (14*256) + 178), or 3762.

    Fourth, client creates data connection to server at 192.168.150.80 port 3762; this is the connection the directory listing and file transfers are sent over.

    I'd love to see your jump to conclusions fix of using DNAT rules handle that one.

    Hence why us lazy developers aren't using the same concept as http or ssh, which receive one connection from a client on the allowed port, and then a return OUTGOING connection from the server.

    No no, it's ok.. keep your digital wallet, this lesson's on me.
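    The h1,h2,h3,h4,p1,p2 encoding described in the post above, and the vsftpd protocol-log lines quoted later in the thread, as an added example that is not part of the original posts: it decodes the data-connection endpoint from PORT commands and 227 replies and flags a passive-mode reply that advertises a LAN address to a client that reached the server on a public address, which is the symptom a DNAT on the control port alone leaves behind when the nf_conntrack_ftp/nf_nat_ftp helper is not rewriting the payload. The WAN address 198.51.100.7, the remote client 203.0.113.9 and the 227 reply are constructed sample values.

```python
import re
from ipaddress import IPv4Address, ip_network

# Six comma-separated decimals: the encoding shared by the active-mode PORT
# command and the passive-mode "227 Entering Passive Mode" reply.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
# vsftpd line shape produced with log_ftp_protocol=yes (as in the thread).
_VSFTPD = re.compile(r'FTP (?:command|response): Client "([^"]+)", "(.*)"\s*$')
# RFC 1918 ranges only; the documentation ranges used below are deliberately
# not treated as private, since here they stand in for real public addresses.
_RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
            ip_network("192.168.0.0/16")]

# Constructed sample: the two log lines quoted in the thread plus a made-up
# 227 reply of the kind a server behind NAT emits (it names its LAN address).
SAMPLE_LOG = [
    'Feb  4 08:58:01 Asus ftp.info vsftpd[14025]: [test] FTP command: Client "192.168.1.101", "PORT 192,168,1,101,200,6"',
    'Feb  4 08:58:01 Asus ftp.info vsftpd[14025]: [test] FTP response: Client "192.168.1.101", "200 PORT command successful. Consider using PASV."',
    'Feb  4 09:01:12 Asus ftp.info vsftpd[14031]: [test] FTP response: Client "203.0.113.9", "227 Entering Passive Mode (192,168,1,1,12,34)."',
]


def is_rfc1918(ip):
    """True when ip falls in one of the RFC 1918 private ranges."""
    addr = IPv4Address(ip)
    return any(addr in net for net in _RFC1918)


def decode_hostport(text):
    """Return (ip, port) from an h1,h2,h3,h4,p1,p2 string, or None if absent/malformed."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None  # every field is a single octet; 256+ means a malformed line
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def data_endpoint(text):
    """Classify one control-channel line. Returns (mode, ip, port, opener) or None.

    opener is the side that initiates the TCP data connection: the server for
    active mode (client sent PORT), the client for passive mode (server sent 227).
    """
    text = text.strip()
    if text.upper().startswith("PORT "):
        hp = decode_hostport(text)
        return ("active", hp[0], hp[1], "server") if hp else None
    if text.startswith("227 "):
        hp = decode_hostport(text)
        return ("passive", hp[0], hp[1], "client") if hp else None
    return None


def parse_vsftpd_log(line):
    """(client_ip, quoted command or reply) from a vsftpd protocol-log line, else None."""
    m = _VSFTPD.search(line)
    return (m.group(1), m.group(2)) if m else None


def passive_mismatch(reply, control_peer_ip):
    """Compare the address in a 227 reply with the address the client reached.

    A DNAT on the control port does not rewrite this payload; that is the job of
    the nf_conntrack_ftp/nf_nat_ftp helper. Without it a remote client is told to
    open the data connection to a LAN address and the session stalls right after
    "Entering Passive Mode". Returns (advertised_ip, port, reason); reason is
    None when the two addresses agree, or None overall for a non-227 line.
    """
    ep = data_endpoint(reply)
    if ep is None or ep[0] != "passive":
        return None
    _, ip, port, _ = ep
    if IPv4Address(ip) == IPv4Address(control_peer_ip):
        reason = None
    elif is_rfc1918(ip) and not is_rfc1918(control_peer_ip):
        reason = "private address advertised to a client on the public side"
    else:
        reason = "advertised address differs from control-connection address"
    return ip, port, reason


def audit_log(lines, server_ip_seen_by_client):
    """Collect (client_ip, endpoint, mismatch_reason) for every log line that
    carries a data-connection endpoint; lines without one are skipped."""
    findings = []
    for line in lines:
        parsed = parse_vsftpd_log(line)
        if not parsed:
            continue
        client_ip, text = parsed
        ep = data_endpoint(text)
        if ep is None:
            continue
        mismatch = passive_mismatch(text, server_ip_seen_by_client)
        findings.append((client_ip, ep, mismatch[2] if mismatch else None))
    return findings


if __name__ == "__main__":
    print(decode_hostport("PORT 192,168,150,80,14,178"))  # ('192.168.150.80', 3762)
    for client, ep, reason in audit_log(SAMPLE_LOG, "198.51.100.7"):
        print(client, ep, reason or "ok")
```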
     
  46. eibgrad

    eibgrad Network Guru Member

    How the hell did this conversation get to this point? I wasn't even speaking to you! My first post in this thread was #29, and I was only offering a workaround to the OP's situation, seeing as how much trouble he was having. As I said before, that's what we do around here. Even if the problem had been identified and found to be a bug, it wasn't going to be fixed anytime soon. So I offered the workaround. That's it. Period.

    Next thing I know, you butt in and give me the third degree about the GUI, splitting this and that, suggesting I'm not interested in fixing the real problem, yada yada. Something I never even hinted at in post #29. But trying to be polite, I answered your questions. Next thing I know, I'm supposedly demanding enhancements to the GUI, I don't understand how difficult this is for the developers, and on and on. I never suggested the GUI should be changed until YOU made it an issue. If you had simply minded your own business, we wouldn't even be having this conversation. If you want to have a good discussion about such things, that's fine, I'm all ears. But don't set me up by dragging me down this road concerning GUI changes, then bash me over the head as if I had initiated it. YOU chimed in. YOU started the discussion about GUI changes. Then exited suggesting I was making all these demands for changes in the GUI.

    Good grief. It's like you're looking to pick a fight, Sean B. Knock it off. I'm embarrassed we're even having this discussion in the OP's thread. I'm sure he'd rather not deal with it. If you had minded your own business, everything would have been fine. The OP could have ignored my suggestions and moved on (like YOU should have done).

    That's my final word on it because I don't want the OP bothered anymore.
     
  47. Sean B.

    Sean B. LI Guru Member

    A simple " I was wrong " would have saved a lot of typing.
     
  48. eibgrad

    eibgrad Network Guru Member

    Peace and love, Sean B.
     
  49. Solace50

    Solace50 Connected Client Member

    I'm not bothered, suggestions and solutions are presented for a minor issue. I would re-flash the affected build to give an iptables dump as requested, but at the moment I can't. If no one else aids, I will do so later in the week.
     
  50. Sean B.

    Sean B. LI Guru Member

    To clarify, which build are you back onto now? And am I correct that the build you're running now works as expected using ports other than 21?
     
  51. kille72

    kille72 LI Guru Member

    Code:
    PS C:\WINDOWS\system32> ftp
    ftp> open
    To 192.168.1.1 2121
    Connected to 192.168.1.1.
    220 (vsFTPd 3.0.3)
    User (192.168.1.1:(none)): test
    331 Please specify the password.
    Password:
    230 Login successful.
    ftp> ls
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    bin
    downloads
    etc
    lib
    lost+found
    sbin
    share
    tmp
    usr
    var
    226 Directory send OK.
    ftp: 69 bytes received in 0.00Seconds 69000.00Kbytes/sec.
    Code:
    Feb  4 08:57:58 Asus ftp.info vsftpd[14020]: [test] OK LOGIN: Client "192.168.1.101"
    Feb  4 08:57:58 Asus ftp.info vsftpd[14025]: [test] FTP response: Client "192.168.1.101", "230 Login successful."
    Feb  4 08:58:01 Asus ftp.info vsftpd[14025]: [test] FTP command: Client "192.168.1.101", "PORT 192,168,1,101,200,6"
    Feb  4 08:58:01 Asus ftp.info vsftpd[14025]: [test] FTP response: Client "192.168.1.101", "200 PORT command successful. Consider using PASV."
    Feb  4 08:58:01 Asus ftp.info vsftpd[14025]: [test] FTP command: Client "192.168.1.101", "NLST"
    Feb  4 08:58:10 Asus ftp.info vsftpd[14025]: [test] FTP response: Client "192.168.1.101", "150 Here comes the directory listing."
    Feb  4 08:58:10 Asus ftp.info vsftpd[14025]: [test] FTP response: Client "192.168.1.101", "226 Directory send OK."
     
  52. kille72

    kille72 LI Guru Member

    I'm sorry, but it does not work here.
     
  53. eibgrad

    eibgrad Network Guru Member

    Sorry, had a syntax error. I had copied part of the code from another script that called iptables from a function called ipt. So I had to rename it back to iptables. I updated the original post.
     
    kille72 likes this.
  54. kille72

    kille72 LI Guru Member

    It works with port 2121 from outside now! Many errors in the log...

    https://pastebin.com/x1bcVeZ3
     
  55. eibgrad

    eibgrad Network Guru Member

    Those "errors" all appear to be change directory attempts on .so (shared object) files (the equivalent of a dll in Windows), which obviously makes no sense. Those aren't directories.

    FWIW, I tested it myself and had no issues.

    https://pastebin.com/80LmWRmM
     
  56. kille72

    kille72 LI Guru Member

    What Tomato version do you use?
     
  57. eibgrad

    eibgrad Network Guru Member

    Tomato Firmware 1.28.0000 -138 K26ARM USB AIO-64K
    Linux kernel 2.6.36.4brcmarm and Broadcom Wireless Driver 6.37.14.86 (r456083)
     
  58. kille72

    kille72 LI Guru Member

    Ok. But without the firewall script, does the FTP server work with a different port than 21 from outside (Tomato v138)?
     
  59. eibgrad

    eibgrad Network Guru Member

    It only works externally when the port is 21. Any other port, and it doesn't. Internally any port works.

    I dumped iptables, and I can see the DNAT and INPUT rules, which seem fine. I can see the packet hits in the INPUT chain for the 2121. But if I check the log, it only gets as far as "Entering Passive Mode" and seems to die.
     
    kille72 likes this.
  60. eibgrad

    eibgrad Network Guru Member

    It has to have something to do w/ passive mode and the fact the port is not 21. Somewhere in the logic it's only expecting 21. Anything else and it breaks. That's why my script works. It remains on port 21 internally, keeping things in order.

    Doesn't really surprise me. FTP is such a complex protocol, w/ passive and active options.
     
    kille72 likes this.
  61. kille72

    kille72 LI Guru Member

    Thanks for the tests. I still do not understand how some others get FTP to work with a port other than 21 from outside...
     
  62. Sean B.

    Sean B. LI Guru Member

    So, it works fine after enabling file transfer program in windows firewall?
     
  63. kille72

    kille72 LI Guru Member

    Yes!
     
  64. Sean B.

    Sean B. LI Guru Member

    Bingo. It was never a problem with Tomato. Windows firewall was blocking the data connection in passive mode.
     
  65. kille72

    kille72 LI Guru Member

    But we talk on the inside, on the outside only port 21 works.
     
  66. Sean B.

    Sean B. LI Guru Member

    Have you tried it again using WAN IP?
     
  67. Sean B.

    Sean B. LI Guru Member

    And do you have NAT Loopback enabled? Also, do you have FTP checked in the GUI under Advanced->Conntrack/netfilter in the Tracking/NAT helpers section?
     
  68. kille72

    kille72 LI Guru Member

    Yes, no luck. With @eibgrad script it works.
     
  69. kille72

    kille72 LI Guru Member

    Yes (screenshots attached: nat.PNG, nat2.PNG).

    But, as said before, it does not work on version 138 by Shibby either!
     
  70. Sean B.

    Sean B. LI Guru Member

    Yes, his script should function as the connection is to the router. A loophole. You can run it that way if a bandaid is satisfactory. On Toastman, it functions as it is supposed to.
     
  71. Sean B.

    Sean B. LI Guru Member

    I am unable to help further, as I do not run shibby builds I don't have the issue to diagnose on my end. Best of luck.
     
    kille72 likes this.
  72. kille72

    kille72 LI Guru Member

    We will see if we find a good solution. I have asked people to test Shibby's version 132 without MultiWAN.
     
    Last edited: Feb 4, 2018
  73. Sean B.

    Sean B. LI Guru Member

    Nice job! Not to hijack the thread, but when we were working on updating Samba to 3.6.26 do you recall us hitting any issues where Windows machines were still showing the 1.5 SMB dialect when connected?
     
  74. kille72

    kille72 LI Guru Member

    I do not remember this problem...did you notice this yourself?
     
  75. eibgrad

    eibgrad Network Guru Member

    I accept VISA, MC, Discover, and Paypal (please, no personal checks).

    Btw, I memorialized the script bandaid on PasteBin ( https://pastebin.com/cn7Bky6P ).
     
    Monk E. Boy and kille72 like this.
  76. Sean B.

    Sean B. LI Guru Member

    Sorry, I'm not used to half assing things. I like them to work as intended. You've basically "memorialized" a piece of duct tape. Such as if you sold a car, and that customer came back saying " My door won't stay shut " .. your solution is " Oh here, look how good I am, I fixed it " by slapping a few strips of duct tape on it. Then saying " I should charge you for that awesome specimen of engineering ". But I guess each person has their own level of achievement they aspire to be proud of, or standards ( lack of? ) they hold themselves to. You're the first person I find I'll use the ignore feature of this forum for, as your arrogance and cocky attitude make me sad we aren't in person to hash this out. Good day.
     
    Last edited: Feb 4, 2018
    pedro311 and kille72 like this.
  77. Sean B.

    Sean B. LI Guru Member

    Yeah, I was doing some testing the other day using the binary compiled when we were coding it in and noticed my clients were still showing a 1.5 dialect. May be something I missed though when reconfiguring. Was curious if you had seen anything.
     
  78. Sean B.

    Sean B. LI Guru Member

    @kille72 , if you plan on using nat to fix this problem, but don't want a bunch of unnecessary junk taking up the script boxes, simply add a line in the port forward page. For instance to use port 2121 configure a port forward line to:

    Protocol: TCP
    Src Address: empty
    Ext Ports: 2121
    Int Port: 21
    Int Address: 192.168.1.1

    Achieves the same thing without wasting nvram/script box space on crap.

    **EDIT** While I'm sure you can figure this out Kille, others may look right over the obvious so I'll mention this would be used with FTP set to LAN only and port 21. Port can be changed to whatever you like just match it in the forward.
     
    Last edited: Feb 5, 2018
  79. eibgrad

    eibgrad Network Guru Member

    At every twist and turn, you just can't resist crapping on my efforts. It's been that way from the first moment you approached me.

    Once again you get it wrong. When you configure the FTP server as "WAN + LAN", it will create a port forward on port 21. But that's the very port you're trying to obscure. You need an additional port forward to block it. And it has to be placed before the FTP server's port forward, which is something you can't guarantee through the GUI.

    And frankly, all port forwards are stored in nvram anyway. What are we talking about here, a few dozen bytes? And if it's that big a deal, fine, do the variable replacements by hand. It's only done that way for clarity's sake. You could even store it and execute it from /jffs if you have it.

    The script was well thought through, despite all the duct-tape it took to hold it together.

    **EDIT** And if you change to "LAN only", kille, you'll lose access to the best features on the WAN side, like certain LIMITS (source IPs, rate-limiting, etc.). You see kille, I didn't just wing-it, this was well thought out, much more than some ppl have given me credit.
     
    Last edited: Feb 5, 2018
    kille72 likes this.
  80. Solace50

    Solace50 Connected Client Member

    Tomato Firmware 1.28.0000 -2017.2-kille72- K26ARM USB AIO-64K

    I also disabled Windows firewall in my testing on the previous build to ensure nothing was being filtered. When testing externally the port still showed closed when using other than 21.
     
  81. Sean B.

    Sean B. LI Guru Member

    Riiiiighhhttt, no source IP's. *shakes head*
     
  82. Sean B.

    Sean B. LI Guru Member

    With FTP set to WAN and LAN, and set to a port other than 21, could you run the command " lsmod " on the router and post output please.
     
  83. Sean B.

    Sean B. LI Guru Member

    On Toastman firmware, when FTP is enabled to LAN and WAN, netfilter modules for FTP are loaded into the kernel. Here's a section from one of them:

    Code:
    /*
     * Detecting whether it is passive
     */
    iph = ip_hdr(skb);
    th = (struct tcphdr *)&(((char *)iph)[iph->ihl*4]);

    /* Since there may be OPTIONS in the TCP packet and the HLEN is
       the length of the header in 32-bit multiples, it is accurate
       to calculate data address by th+HLEN*4 */
    data = data_start = (char *)th + (th->doff << 2);
    data_limit = skb_tail_pointer(skb);

    while (data <= data_limit - 6) {
            if (strnicmp(data, "PASV\r\n", 6) == 0) {
                    /* Passive mode on */
                    IP_VS_DBG(7, "got PASV at %td of %td\n",
                              data - data_start,
                              data_limit - data_start);
                    cp->app_data = &ip_vs_ftp_pasv;
                    return 1;
            }
            data++;
    }

    /*
     * To support virtual FTP server, the scenerio is as follows:
     *       FTP client ----> Load Balancer ----> FTP server
     * First detect the port number in the application data,
     * then create a new connection entry for the coming data
     * connection.
     */
    if (ip_vs_ftp_get_addrport(data_start, data_limit,
                               CLIENT_STRING, sizeof(CLIENT_STRING)-1,
                               '\r', &to.ip, &port,
                               &start, &end) != 1)
            return 1;

    IP_VS_DBG(7, "PORT %pI4:%d detected\n", &to.ip, ntohs(port));

    /* Passive mode off */
    cp->app_data = NULL;

    /*
     * Now update or create a connection entry for it
     */
    IP_VS_DBG(7, "protocol %s %pI4:%d %pI4:%d\n",
              ip_vs_proto_name(iph->protocol),
              &to.ip, ntohs(port), &cp->vaddr.ip, 0);

    n_cp = ip_vs_conn_in_get(AF_INET, iph->protocol,
                             &to, port,
                             &cp->vaddr, htons(ntohs(cp->vport)-1));
    if (!n_cp) {
            n_cp = ip_vs_conn_new(AF_INET, IPPROTO_TCP,
                                  &to, port,
                                  &cp->vaddr, htons(ntohs(cp->vport)-1),
                                  &cp->daddr, htons(ntohs(cp->dport)-1),
                                  0,
                                  cp->dest);
            if (!n_cp)
                    return 0;

            /* add its controller */
            ip_vs_control_add(n_cp, cp);
    }
    And there is what's supposed to be handling the data connection port.

    I'd say either the modules aren't being loaded, or some source update along the way has caused an issue in netfilter/conntrack. It can be diagnosed/fixed, or just drop a rug over it.
     
  84. Solace50

    Solace50 Connected Client Member

    Code:
    root@Solace:/tmp/home/root# lsmod
    Module Size Used by Tainted: P
    tun 12274 4
    xt_DSCP 1474 1
    ip6table_mangle 934 0
    ip6table_filter 750 0
    ipt_account 8376 1
    ipt_webmon 14116 1
    xt_recent 6394 2
    ebtable_filter 1061 0
    ebtables 15631 1 ebtable_filter
    nls_cp437 4474 0
    ehci_hcd 31597 0
    xhci_hcd 51120 0
    ext4 221882 2
    crc16 1007 1 ext4
    jbd2 48989 1 ext4
    mbcache 4599 1 ext4
    usb_storage 34290 3
    sd_mod 21983 5
    scsi_wait_scan 416 0
    scsi_mod 108730 2 usb_storage,sd_mod
    usbcore 101702 4 ehci_hcd,xhci_hcd,usb_storage
    nf_nat_pptp 1602 0
    nf_conntrack_pptp 3355 1 nf_nat_pptp
    nf_nat_proto_gre 887 1 nf_nat_pptp
    nf_conntrack_proto_gre 3228 1 nf_conntrack_pptp
    nf_nat_ftp 1144 0
    nf_conntrack_ftp 4909 1 nf_nat_ftp
    nf_nat_sip 5031 0
    nf_conntrack_sip 15713 1 nf_nat_sip
    nf_nat_h323 4761 0
    nf_conntrack_h323 33807 1 nf_nat_h323
    wl 3925788 0
    et 61325 0
    igs 11887 1 wl
    emf 14973 2 wl,igs

    Also note this is the unaffected build running that I previously mentioned, not the .3 build.
     
  85. Sean B.

    Sean B. LI Guru Member

    There are the modules on the unaffected build:

    nf_nat_ftp 1144 0
    nf_conntrack_ftp 4909 1 nf_nat_ftp

    Curious to know if they're loading on the affected build. @kille72 , any chance you could post an lsmod with FTP enabled on WAN and LAN?
     
  86. Solace50

    Solace50 Connected Client Member

    Sorry, that was with port 21 set; here it is with it set to 1365:

    Code:
    root@Solace:/tmp/home/root# lsmod
    Module Size Used by Tainted: P
    tun 12274 4
    xt_DSCP 1474 1
    ip6table_mangle 934 0
    ip6table_filter 750 0
    ipt_account 8376 1
    ipt_webmon 14116 1
    xt_recent 6394 2
    ebtable_filter 1061 0
    ebtables 15631 1 ebtable_filter
    nls_cp437 4474 0
    ehci_hcd 31597 0
    xhci_hcd 51120 0
    ext4 221882 2
    crc16 1007 1 ext4
    jbd2 48989 1 ext4
    mbcache 4599 1 ext4
    usb_storage 34290 3
    sd_mod 21983 5
    scsi_wait_scan 416 0
    scsi_mod 108730 2 usb_storage,sd_mod
    usbcore 101702 4 ehci_hcd,xhci_hcd,usb_storage
    nf_nat_pptp 1602 0
    nf_conntrack_pptp 3355 1 nf_nat_pptp
    nf_nat_proto_gre 887 1 nf_nat_pptp
    nf_conntrack_proto_gre 3228 1 nf_conntrack_pptp
    nf_nat_ftp 1144 0
    nf_conntrack_ftp 4909 1 nf_nat_ftp
    nf_nat_sip 5031 0
    nf_conntrack_sip 15713 1 nf_nat_sip
    nf_nat_h323 4761 0
    nf_conntrack_h323 33807 1 nf_nat_h323
    wl 3925788 0
    et 61325 0
    igs 11887 1 wl
    emf 14973 2 wl,igs

    Well, never mind, the output is the same too.
     
  87. kille72

    kille72 LI Guru Member

    Version 2018.1.018, port 2121, WAN/LAN:

    Code:
    # lsmod
    Module                  Size  Used by    Tainted: P
    tun                    12274  2
    ip6table_mangle          934  0
    ip6table_filter          750  0
    ipt_account             8376  1
    xt_recent               6394  2
    xt_DSCP                 1474  1
    ebtable_filter          1061  0
    ebtables               15631  1 ebtable_filter
    nls_cp850               3706  0
    ehci_hcd               31597  0
    xhci_hcd               51120  0
    ext4                  221882  2
    crc16                   1007  1 ext4
    jbd2                   48989  1 ext4
    mbcache                 4599  1 ext4
    usb_storage            34290  2
    sd_mod                 21983  3
    scsi_wait_scan           416  0
    scsi_mod              108730  2 usb_storage,sd_mod
    usbcore               101702  4 ehci_hcd,xhci_hcd,usb_storage
    nf_nat_pptp             1602  0
    nf_conntrack_pptp       3355  1 nf_nat_pptp
    nf_nat_proto_gre         887  1 nf_nat_pptp
    nf_conntrack_proto_gre     3228  1 nf_conntrack_pptp
    nf_nat_ftp              1144  0
    nf_conntrack_ftp        4909  1 nf_nat_ftp
    nf_nat_sip              5031  0
    nf_conntrack_sip       15713  1 nf_nat_sip
    nf_nat_h323             4761  0
    nf_conntrack_h323      33807  1 nf_nat_h323
    wl                   3925788  0
    et                     61325  0
    igs                    11887  1 wl
    emf                    14973  2 wl,igs
     
  88. Sean B.

    Sean B. LI Guru Member

    So they load, but are not doing what they're supposed to. @kille72 , any updates or changes to netfilter or iptables that you recall?
     
  89. kille72

    kille72 LI Guru Member

    Last edited: Feb 5, 2018
  90. kille72

    kille72 LI Guru Member

    Downgraded to version 132 by Shibby (Single WAN) and cleared NVRAM. FTP server works only on port 21 from outside!
     
  91. Solace50

    Solace50 Connected Client Member

    Reply: 227 Entering Passive Mode (192,168,1,1,239,212).

    Error: Server returned unroutable private IP address in PASV reply

    Appears you are correct, I must have accidentally been hitting the private IP again on DNS resolution :/
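The client error quoted above comes from decoding the 227 reply and noticing the advertised address is RFC 1918 space. The following is an added example, not code from the thread or from Tomato: it decodes a PASV reply into host and port (port = p1*256 + p2 per RFC 959) and flags a private address the way the client did. The public sample reply with 203.0.113.5 is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): decode an FTP "227 Entering Passive Mode"
# reply and check whether the advertised address is routable from a WAN client.

# pasv_endpoint "<227 reply line>"  ->  prints "<ip> <port>"
pasv_endpoint() {
    # Pull the six comma-separated numbers out of the parentheses.
    nums=$(printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p')
    [ -n "$nums" ] || return 1
    set -- $(printf '%s\n' "$nums" | tr ',' ' ')
    [ $# -eq 6 ] || return 1
    # Port is p1*256 + p2, as specified in RFC 959.
    printf '%s.%s.%s.%s %d\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

# is_private_ipv4 "<ip>"  ->  exit 0 for RFC 1918, loopback or link-local
is_private_ipv4() {
    case "$1" in
        10.*|192.168.*|127.*|169.254.*) return 0 ;;
        172.*)
            second=${1#172.}; second=${second%%.*}
            [ "$second" -ge 16 ] && [ "$second" -le 31 ] && return 0
            ;;
    esac
    return 1
}

# check_pasv "<227 reply line>"  ->  "ok <ip>:<port>" or "unroutable <ip>:<port>"
check_pasv() {
    ep=$(pasv_endpoint "$1") || { echo "malformed"; return 1; }
    ip=${ep% *}; port=${ep#* }
    if is_private_ipv4 "$ip"; then
        echo "unroutable $ip:$port"
    else
        echo "ok $ip:$port"
    fi
}

# Sample replies: the one quoted in the post above and a constructed public one.
check_pasv 'Reply: 227 Entering Passive Mode (192,168,1,1,239,212).'
check_pasv '227 Entering Passive Mode (203,0,113,5,183,59).'
```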
     
  92. kille72

    kille72 LI Guru Member

  93. Sean B.

    Sean B. LI Guru Member

  94. Sean B.

    Sean B. LI Guru Member

    @kille72 , give something a try for me. Start FTP server as I described before. WAN+LAN / PORT 2121 / user test etc. Make sure you do not have eibgrad's script active. Then run:

    Code:
    iptables -t filter --list-rules INPUT
    Verify an accept line exists for --dport 2121

    Then run
    Code:
    iptables -t nat --list-rules
    And look for any lines for DNAT on --dport 2121

    Remove any you find via
    Code:
    iptables -t nat -D *chain* *number*
    Where *chain* is the chain containing the rule, i.e. WANPREROUTING, and *number* is the line number of the rule as counted down from the top rule in the chain.

    Test access from WAN.
     
    Last edited: Feb 5, 2018
  95. kille72

    kille72 LI Guru Member

    Code:
    # iptables -t filter --list-rules INPUT
    -P INPUT DROP
    -A INPUT -i tap21 -j ACCEPT
    -A INPUT -p udp -m udp --dport 1194 -j ACCEPT
    -A INPUT -m state --state INVALID -j DROP
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j shlimit
    -A INPUT -p tcp -m tcp --dport 23 -m state --state NEW -j shlimit
    -A INPUT -i lo -j ACCEPT
    -A INPUT -i br0 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 2121 -j ACCEPT
    Code:
    # iptables -t nat --list-rules
    -P PREROUTING ACCEPT
    -P INPUT ACCEPT
    -P OUTPUT ACCEPT
    -P POSTROUTING ACCEPT
    -N WANPREROUTING
    -A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
    -A PREROUTING -d xxx.217.9.xxx/32 -j WANPREROUTING
    -A POSTROUTING -o vlan2 -j MASQUERADE
    -A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.0/24 -o br0 -j SNAT --to-source 192.168.1.1
    -A WANPREROUTING -p icmp -j DNAT --to-destination 192.168.1.1
    -A WANPREROUTING -p tcp -m tcp --dport 50101 -j DNAT --to-destination 192.168.1.101
    -A WANPREROUTING -p udp -m udp --dport 50101 -j DNAT --to-destination 192.168.1.101
    -A WANPREROUTING -p tcp -m tcp --dport 2121 -j DNAT --to-destination 192.168.1.1
    
    root@Asus:/tmp/home/root# iptables -t nat -D WANPREROUTING 13
    iptables: Index of deletion too big.
    What am I doing wrong?
     
  96. Sean B.

    Sean B. LI Guru Member

    That would be rule number 4. The count starts over in each chain.
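The procedure above (list the nat rules, find the DNAT for the FTP port, delete it by chain and position) trips on exactly the point made here: `iptables -D` counts from 1 within the named chain, not across the whole listing. This added example, not code from the thread or from Tomato, computes that per-chain index from the output of `iptables -t nat --list-rules`; the embedded listing is a constructed sample modelled on the one posted above.

```shell
#!/bin/sh
# Added example (not from the thread): find the position of a TCP DNAT rule
# inside its chain, which is the number "iptables -t nat -D <chain> <n>" wants.
# Counting the whole listing gave 13 above and failed; within WANPREROUTING it is 4.

# Constructed sample, modelled on the listing posted above (WAN IP masked).
SAMPLE_RULES='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N WANPREROUTING
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -d xxx.217.9.xxx/32 -j WANPREROUTING
-A POSTROUTING -o vlan2 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.0/24 -o br0 -j SNAT --to-source 192.168.1.1
-A WANPREROUTING -p icmp -j DNAT --to-destination 192.168.1.1
-A WANPREROUTING -p tcp -m tcp --dport 50101 -j DNAT --to-destination 192.168.1.101
-A WANPREROUTING -p udp -m udp --dport 50101 -j DNAT --to-destination 192.168.1.101
-A WANPREROUTING -p tcp -m tcp --dport 2121 -j DNAT --to-destination 192.168.1.1'

# dnat_rule_index <chain> <tcp port>   (rule listing on stdin)
# Prints the 1-based index, within <chain>, of the "-A <chain> ... -p tcp
# --dport <port> -j DNAT" rule; returns 1 if there is none.
dnat_rule_index() {
    awk -v chain="$1" -v port="$2" '
        $1 == "-A" && $2 == chain {
            n++    # count only rules appended to this chain
            if ($0 ~ "-p tcp" && $0 ~ ("--dport " port "( |$)") && $0 ~ "-j DNAT") {
                print n; found = 1; exit
            }
        }
        END { if (!found) exit 1 }'
}

# delete_cmd <chain> <tcp port>  ->  prints the exact delete command to run
delete_cmd() {
    idx=$(printf '%s\n' "$SAMPLE_RULES" | dnat_rule_index "$1" "$2") || return 1
    printf 'iptables -t nat -D %s %s\n' "$1" "$idx"
}

delete_cmd WANPREROUTING 2121   # prints: iptables -t nat -D WANPREROUTING 4
```

On a live router, replace the embedded sample with `iptables -t nat --list-rules` piped into `dnat_rule_index`, and re-list the chain after each delete, since the remaining rules shift up by one.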
     
  97. kille72

    kille72 LI Guru Member

    Bingo! You cracked it fast! :D

    Code:
    # iptables -t filter --list-rules INPUT
    -P INPUT DROP
    -A INPUT -i tap21 -j ACCEPT
    -A INPUT -p udp -m udp --dport 1194 -j ACCEPT
    -A INPUT -m state --state INVALID -j DROP
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j shlimit
    -A INPUT -p tcp -m tcp --dport 23 -m state --state NEW -j shlimit
    -A INPUT -i lo -j ACCEPT
    -A INPUT -i br0 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 2121 -j ACCEPT
    
    root@Asus:/tmp/home/root# iptables -t nat --list-rules
    -P PREROUTING ACCEPT
    -P INPUT ACCEPT
    -P OUTPUT ACCEPT
    -P POSTROUTING ACCEPT
    -N WANPREROUTING
    -A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
    -A PREROUTING -d xxx.217.9.xxx/32 -j WANPREROUTING
    -A POSTROUTING -o vlan2 -j MASQUERADE
    -A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.0/24 -o br0 -j SNAT --to-source 192.168.1.1
    -A WANPREROUTING -p icmp -j DNAT --to-destination 192.168.1.1
    -A WANPREROUTING -p tcp -m tcp --dport 50101 -j DNAT --to-destination 192.168.1.101
    -A WANPREROUTING -p udp -m udp --dport 50101 -j DNAT --to-destination 192.168.1.101
    -A WANPREROUTING -p tcp -m tcp --dport 2121 -j DNAT --to-destination 192.168.1.1
    
    root@Asus:/tmp/home/root# iptables -t nat -D WANPREROUTING 4
    
    root@Asus:/tmp/home/root# iptables -t nat --list-rules
    -P PREROUTING ACCEPT
    -P INPUT ACCEPT
    -P OUTPUT ACCEPT
    -P POSTROUTING ACCEPT
    -N WANPREROUTING
    -A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
    -A PREROUTING -d xxx.217.9.xxx/32 -j WANPREROUTING
    -A POSTROUTING -o vlan2 -j MASQUERADE
    -A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.0/24 -o br0 -j SNAT --to-source 192.168.1.1
    -A WANPREROUTING -p icmp -j DNAT --to-destination 192.168.1.1
    -A WANPREROUTING -p tcp -m tcp --dport 50101 -j DNAT --to-destination 192.168.1.101
    -A WANPREROUTING -p udp -m udp --dport 50101 -j DNAT --to-destination 192.168.1.101
    Code:
    Feb  5 21:46:21 Asus ftp.info vsftpd[3054]: [test] OK LOGIN: Client "xxx.185.95.xxx"
    Feb  5 21:46:21 Asus ftp.info vsftpd[3056]: [test] FTP response: Client "83.185.95.108", "230 Login successful."
    Feb  5 21:46:21 Asus ftp.info vsftpd[3056]: [test] FTP command: Client "xxx.185.95.xxx", "SYST"
    Feb  5 21:46:21 Asus ftp.info vsftpd[3056]: [test] FTP response: Client "xxx.185.95.xxx", "215 UNIX Type: L8"
    Feb  5 21:46:21 Asus ftp.info vsftpd[3056]: [test] FTP command: Client "xxx.185.95.xxx", "PWD"
    Feb  5 21:46:21 Asus ftp.info vsftpd[3056]: [test] FTP response: Client "xxx.185.95.xxx", "257 "/" is the current directory"
    Feb  5 21:46:21 Asus ftp.info vsftpd[3056]: [test] FTP command: Client "xxx.185.95.xxx", "TYPE I"
    Feb  5 21:46:21 Asus ftp.info vsftpd[3056]: [test] FTP response: Client "xxx.185.95.xxx", "200 Switching to Binary mode."
    Feb  5 21:46:21 Asus ftp.info vsftpd[3056]: [test] FTP command: Client "xxx.185.95.xxx", "SIZE /"
    Feb  5 21:46:21 Asus ftp.info vsftpd[3056]: [test] FTP response: Client "xxx.185.95.xxx", "550 Could not get file size."
    Feb  5 21:46:21 Asus ftp.info vsftpd[3056]: [test] FTP command: Client "xxx.185.95.xxx", "CWD /"
    Feb  5 21:46:21 Asus ftp.info vsftpd[3056]: [test] FTP response: Client "xxx.185.95.xxx", "250 Directory successfully changed."
    Feb  5 21:46:21 Asus ftp.info vsftpd[3056]: [test] FTP command: Client "xxx.185.95.xxx", "PASV"
    Feb  5 21:46:21 Asus ftp.info vsftpd[3056]: [test] FTP response: Client "xxx.185.95.xxx", "227 Entering Passive Mode (84,217,9,75,183,59)."
    Feb  5 21:46:21 Asus ftp.info vsftpd[3056]: [test] FTP command: Client "xxx.185.95.xxx", "LIST -l"
    Feb  5 21:46:21 Asus ftp.info vsftpd[3056]: [test] FTP response: Client "xxx.185.95.xxx", "150 Here comes the directory listing."
    Feb  5 21:46:21 Asus ftp.info vsftpd[3056]: [test] FTP response: Client "xxx.185.95.xxx", "226 Directory send OK."
    Feb  5 21:46:21 Asus ftp.info vsftpd[3056]: [test] FTP command: Client "xxx.185.95.xxx", "QUIT"
    Feb  5 21:46:21 Asus ftp.info vsftpd[3056]: [test] FTP response: Client "xxx.185.95.xxx", "221 Goodbye."
     
  98. Sean B.

    Sean B. LI Guru Member

    How ironic, not only was NAT a band-aid to cover the real problem, it was also the problem to begin with. I'll provide a detailed explanation and patch when I'm home tonight.
     
  99. kille72

    kille72 LI Guru Member

    Nice work!
     
  100. Sean B.

    Sean B. LI Guru Member

    Thank you Sir.
     