On 12/22/07, Benoy George bgenix@gmail.com wrote:
-------- Original Message --------
Subject: [ILUG-BOM] ftp error: 500 invalid port connection
From: Agnello George agnello.dsouza@gmail.com
To: GNU/Linux Users Group, Mumbai, India linuxers@mm.glug-bom.org
Date: Friday 14 December 2007 04:58:39 PM IST
Hi, I am trying to access an FTP server. I am able to connect to it with the user name and password. However, when I connect to the server and do a dir I get the following error.

C:\Documents and Settings\Admin>ftp XXX.XXX.XXX.XXX
Connected to XXX.XXX.XXX.XXX
220 Microsoft FTP Service
User (XXX.XX.XXX.XXX:(none)): user-name
331 Password required for user-name
Password:
230 User user-name logged in.
ftp> dir
500 Invalid PORT Command.
150 Opening ASCII mode data connection for /bin/ls.

I've got a firewall running and I have opened port 21. The entry in iptables is as follows.
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
Why am I getting the error, when I am able to ftp to other FTP sites without authentication (like ftp://202.96.64.144/pub/)?

Thanks!!
Sorry for the late reply, since I am not marking to the list. From your previous thread I have noticed that you have not added the ftp-data port (20) to the policy.

See $ cat /etc/services | grep -i ^ftp on your Linux machine.

and try with # modprobe ip_conntrack_ftp

But still sometimes we are getting errors with the ftp service from M$ platforms.

Best regards,
Benoy
Thanks for all the answers, but here is what I did:

Passive ftp

A PORT command is again issued, but this time it is from the server to the client. The client connects to the server for data transfer. Since the connection is in the same sense as the original ftp connection, passive ftp is inherently more secure than active ftp, but note that this time we know even less about the port numbers. Now we have a connection between almost arbitrary port numbers.
Enter the ip_conntrack_ftp module once more. Again, this module is able to recognize the PORT command and pick-out the port number. Instead of NEW in the state match for the OUTPUT chain, we can use RELATED. The following rules will suffice:
iptables -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT

Add the following to the kernel:
modprobe ip_nat_ftp
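To make the active/passive distinction in this thread concrete, here is an added example (not from any poster): it decodes the client's PORT command and the server's 227 reply into the data-connection endpoints, then shows why a stateful INPUT policy that only accepts NEW tcp/21 drops the server's active-mode data connection unless the ip_conntrack_ftp helper tags it RELATED. The control-channel lines, the client-side placement of the firewall and the verdict model are constructed assumptions.

```python
import re

# Constructed sample control-channel lines (not taken from the thread).
PORT_LINE = "PORT 192,168,1,10,4,1"
PASV_LINE = "227 Entering Passive Mode (10,0,0,5,195,89)"

SIX_FIELDS = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT\s+" + SIX_FIELDS + r"\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\b.*?\(" + SIX_FIELDS + r"\)")

def decode_hostport(fields):
    """h1,h2,h3,h4,p1,p2 -> (dotted IPv4, p1*256+p2); every field must fit in a byte."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range: %r" % (fields,))
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def data_connection(line):
    """Describe the data connection that one control-channel line sets up."""
    m = PORT_RE.match(line.strip())
    if m:  # active mode: the server (from its port 20) dials the socket the client announced
        host, port = decode_hostport(m.groups())
        return {"mode": "active", "initiator": "server", "sport": 20, "dst": host, "dport": port}
    m = PASV_RE.match(line.strip())
    if m:  # passive mode: the client dials the socket the server announced
        host, port = decode_hostport(m.groups())
        return {"mode": "passive", "initiator": "client", "dst": host, "dport": port}
    raise ValueError("neither a PORT command nor a 227 reply: %r" % line)

def inbound_verdict(conn, ftp_helper_loaded):
    """
    Assumed policy on a firewall in front of the FTP client: INPUT accepts NEW tcp/21
    plus ESTABLISHED,RELATED.  Returns the verdict for the first inbound packet of the
    data channel described by conn.
    """
    if conn["initiator"] == "client":
        # passive: the client opened the data channel, so the server's replies are ESTABLISHED
        return "ACCEPT"
    if ftp_helper_loaded:
        # ip_conntrack_ftp parsed the PORT command, so the server's SYN is marked RELATED
        return "ACCEPT"
    # plain stateful filtering: a NEW SYN to an arbitrary high port, and it is not dport 21
    return "ACCEPT" if conn["dport"] == 21 else "DROP"
```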