500 I won't open a connection to 192.168.1.xxx (only to {my external IP address}) (5 posts)

  • Started 4 years ago by Rob
  • Latest reply 4 years ago from Rob
  • Rob Member

    Hi,

    Having trouble connecting to a site that I have connected to before but can no longer.

    I am behind a firewall and running on internal IP address with NAT to a single external IP.

    When I try to connect to the site, the FTP connection is made OK; the problem comes when trying to establish the passive mode connection for the data transfer - see transcript below:

    Connecting to magnetar.servers.prgn.misp.co.uk port 21 (Mac OS X firewall is allowing connections) (2020-01-22T16:25:39Z)
    Connected to 31.170.121.111 port 21 (2020-01-22T16:25:39Z)
    220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
    220-You are user number 1 of 50 allowed.
    220-Local time is now 16:25. Server port: 21.
    220-This is a private system - No anonymous login
    220-IPv6 connections are also welcome on this server.
    220 You will be disconnected after 15 minutes of inactivity.
    AUTH TLS
    234 AUTH TLS OK.
    USER user@mydomain.org.uk
    331 User user@mydomain.org.uk OK. Password required
    PASS
    230 OK. Current restricted directory is /
    PBSZ 0
    200 PBSZ=0
    PROT P
    200 Data protection level set to "private"
    SYST
    215 UNIX Type: L8
    PWD
    257 "/" is your current location
    CWD public_html/
    250 OK. Current directory is /public_html
    PWD
    257 "/public_html" is your current location
    TYPE A
    200 TYPE is now ASCII
    PASV
    227 Entering Passive Mode (31,170,121,111,199,152)
    Making data connection to 31.170.121.111 port 51096
    ABOR
    FTP::ftp_abort() FTP_ABOR_SENT_CMD TickCount() = 62497694 reply_received = 62497694 TickCount() - reply_received = 0
    FTP::ftp_abort() FTP_ABOR_SENT_CMD TickCount() = 62497694 reply_received = 62497694 TickCount() - reply_received = 0
    FTP::ftp_abort() FTP_ABOR_SENT_CMD TickCount() = 62497694 reply_received = 62497694 TickCount() - reply_received = 0
    226 Since you see this ABOR must've succeeded
    PORT 192,168,1,128,233,246
    500 I won't open a connection to 192.168.1.128 (only to 86.156.27.55)
    ftp_list: 2,-30037 (state == GETTING_LIST)
    Fetch could not get the file list because there was a timeout trying to establish a passive mode data connection. (A server firewall might be blocking passive mode (PASV) transfers. Please ask the server administrator for help.)

    Fetch is receiving the IP and port instruction (227 Entering Passive Mode (31,170,121,111,199,152)) and attempting to connect to the specified port - however, the remote server is refusing to open the connection since the source IP address is the internal IP address and not the external address of the host the server believes it is talking to.

    Same behaviour in FileZilla - so this is sort of a problem with the server I am trying to connect to.

    However, as they are a large web hosting company...

    Any way to get around this or do I just have to use cPanel for all file transfers to this site from now on?

    Any thoughts much appreciated.

    Rob

    Posted 4 years ago #

  • Jim Matthews Administrator

    Hi,

    It looks like they don't support either active or passive FTP. You might check whether they support SFTP.

    Thanks,

    Jim Matthews
    Fetch Softworks

    Posted 4 years ago #

  • Rob Member

    Hi,

    Tried FTP and SFTP - neither allowed.

    Strange it logs on fine with FTP with TLS but not possible to establish a data connection.

    Looks like the remote host will only talk to the external IP address associated with the attempt to connect whilst Fetch is reporting the internal IP address of the machine it is sitting on.

    Any way to spoof the external IP address in the connection conversation?

    If I had an IP address range I could set up a 1-to-1 NAT with the machine I am using but I am not even sure that would work with Passive since fetch is telling the world that it is on an internal IP address - maybe it has to do that? - would not change with 1-to-1 NAT. (Active mode may work though).

    Any thoughts.

    Rob

    Posted 4 years ago #

  • Jim Matthews Administrator

    Hi,

    In passive mode FTP data connections go from your Mac to the server. So the server tells Fetch where to connect (in the transcript above it says to connect to 31.170.121.111 port 51096), and Fetch makes the connection. But the server is giving Fetch an address and port number that for some reason Fetch can't connect to.

    In active mode FTP the data connection goes from the server to the Mac, so Fetch tells the server where to connect. But Fetch is behind a NAT, and doesn't know its public IP address. So Fetch tells the server (with the PORT command) to connect to its private IP address, and counts on the NAT gateway to replace the private IP address with the public one. That trick doesn't work here because you are using "FTP with TLS/SSL", so the PORT command is sent over an encrypted connection, and the NAT gateway can't detect or modify the PORT command.

    In summary: for FTP with TLS/SSL (aka FTPS) logins, passive mode FTP is the only game in town. And apparently this server does not support it.

    Jim Matthews
    Fetch Softworks

    Posted 4 years ago #

  • Rob Member

    Hi,

    Thanks - all understood now.

    Had missed the bit that the PORT command for the passive mode connection goes over the encrypted connection.

    Also discovered that a number of FTP servers are easy to mis-configure so that they offer a wider range of connection ports than are open on their firewall.

    Think that is probably happening in this case since I can connect occasionally when lower port numbers are specified by the server.

    Thanks again.

    Rob

    Posted 4 years ago #
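The mechanics Jim describes (decoding a 227 PASV reply, and the check behind the server's "500 I won't open a connection to X (only to Y)" reply to PORT) together with Rob's closing observation about servers advertising passive ports outside the firewall's open range, worked through as an added Python example. This is not code from the thread, from Fetch or from Pure-FTPd: the 227 reply, peer address and PORT command are taken from the transcript above, the firewall port range is a constructed assumption, and the server-side check is a plain emulation of the behaviour the 500 reply shows rather than the server's actual implementation.

```python
"""Passive/active FTP address handling, as seen in the transcript above.

Constructed example. Values are copied from the posted transcript; the
firewall range is an assumption chosen to show the mismatch Rob describes.
"""
from __future__ import annotations

import re
from ipaddress import ip_address

# Constructed from the thread (not captured from a live server).
PASV_REPLY = "227 Entering Passive Mode (31,170,121,111,199,152)"
CONTROL_PEER_IP = "86.156.27.55"    # public address the server saw on the control connection
LOCAL_PRIVATE_IP = "192.168.1.128"  # address the client put in its PORT command
ASSUMED_FIREWALL_RANGE = (30000, 50000)  # assumption: ports the server's firewall actually opens

_SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PASV_RE = re.compile(r"^227 .*?\(" + _SIX + r"\)")
PORT_RE = re.compile(r"^PORT " + _SIX + r"$")


def _decode(groups) -> tuple[str, int]:
    """Turn h1,h2,h3,h4,p1,p2 into (dotted host, port); RFC 959: port = p1*256 + p2."""
    nums = [int(x) for x in groups]
    if any(n > 255 for n in nums):
        raise ValueError(f"octet out of range in {groups}")
    h1, h2, h3, h4, p1, p2 = nums
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_pasv(reply: str) -> tuple[str, int]:
    """Decode a 227 reply into the (host, port) the client must connect to."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    return _decode(m.groups())


def build_port_command(ip: str, port: int) -> str:
    """Encode the client's listening address the way PORT expects it."""
    if not 0 < port < 65536:
        raise ValueError(f"bad port {port}")
    octets = str(ip_address(ip)).split(".")
    return f"PORT {','.join(octets)},{port // 256},{port % 256}"


def server_accepts_port(port_cmd: str, control_peer_ip: str) -> tuple[bool, str]:
    """Emulate the server-side check behind the 500 reply in the transcript:
    the address named in PORT must equal the control connection's peer address.

    Behind NAT, a cleartext PORT can be rewritten by the gateway's FTP ALG so the
    two match; over TLS (AUTH TLS + PROT P) the gateway cannot see it, so the
    private address reaches the server unchanged and this check fails.
    """
    m = PORT_RE.match(port_cmd.strip())
    if not m:
        return False, "501 Syntax error in parameters or arguments"
    requested, _port = _decode(m.groups())
    if requested != control_peer_ip:
        return False, f"500 I won't open a connection to {requested} (only to {control_peer_ip})"
    return True, "200 PORT command successful"


def pasv_address_matches_control(reply: str, control_server_ip: str) -> bool:
    """Catch the other classic misconfiguration: a server behind its own NAT that
    advertises a private or otherwise unreachable address in its 227 reply."""
    host, _ = parse_pasv(reply)
    return host == control_server_ip


def pasv_port_in_firewall_range(reply: str, allowed: tuple[int, int]) -> bool:
    """Flag a 227 reply whose advertised port is outside the range the firewall opens."""
    _, port = parse_pasv(reply)
    lo, hi = allowed
    return lo <= port <= hi


if __name__ == "__main__":
    host, port = parse_pasv(PASV_REPLY)
    print(f"PASV target: {host}:{port}")
    cmd = build_port_command(LOCAL_PRIVATE_IP, 233 * 256 + 246)
    print(cmd, "->", server_accepts_port(cmd, CONTROL_PEER_IP)[1])
    print("227 address matches control peer:", pasv_address_matches_control(PASV_REPLY, "31.170.121.111"))
    print("advertised port inside assumed firewall range:",
          pasv_port_in_firewall_range(PASV_REPLY, ASSUMED_FIREWALL_RANGE))
```

Running it reproduces the two facts the thread turns on: the 227 reply decodes to 31.170.121.111 port 51096 (199*256+152), and a PORT carrying 192.168.1.128 is rejected with exactly the 500 text in the transcript because it does not match the control connection's peer. The last check is the one to run against a saved transcript when transfers succeed only for "lower port numbers": a server whose advertised passive range is wider than what its firewall opens will show 227 replies that fail it.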
