Computer A (assume its IP is 44.44.44.44) can ftp the host 130.89.148.12.

ftp 130.89.148.12
Connected to 130.89.148.12.
220 ftp.debian.org FTP server
Name (130.89.148.12:debian8): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

Computer B (my local PC) cannot ftp the host 130.89.148.12. Let's build an SSH tunnel with the ssh command this way:

ssh -f -N -L localhost:2121:130.89.148.12:21   root@44.44.44.44

The SSH tunnel between my local PC and Computer A (44.44.44.44) was established after I entered the password to log in to 44.44.44.44.
Then I entered this command on my local PC console:

ftp  localhost:2121
ftp: localhost:2121: Name or service not known

What is the matter with my ssh tunnel?

Thanks to chexum, the right ftp command is ftp localhost 2121. But there is a new problem: [screenshot]

showkey

  • Check your ftp(1) manpage on how to specify a port. It's usually separated by a space (not a colon), or as a -p option. You'll also need to make sure to use passive ftp, so check the manual first. – chexum Dec 25 '15 at 13:35
  • Please do not place text as pictures. – Rui F Ribeiro Dec 25 '15 at 16:27


Your approach does not take into account that, contrary to other common protocols, FTP uses both port 20 and port 21 over TCP by default.

The term passive refers to a mode in which the protocol is slightly better behaved than the initial implementations.

Here is a link:

http://www.slacksite.com/other/ftp.html

Port 20/TCP is used for data, and port 21/TCP for commands.

Also, in Unix, privileged ports (< 1024) can only be bound by root.

So either you do:

sudo ssh -f -N -L 20:130.89.148.12:20 -L 21:130.89.148.12:21 user@44.44.44.44

This way you do not have to give any extra port, and simply use it with

ftp -p localhost

or if you do not have root:

ssh -f -N -L 2120:130.89.148.12:20 -L 2121:130.89.148.12:21 user@44.44.44.44

and then use:

ftp -p -P 2121 localhost

From man ftp http://linux.die.net/man/1/ftp

-p passive mode
-P port

or with a version of ftp that does not support -P (Debian 9/Ubuntu 16.04):

ftp -p localhost 2121

I will also leave a link to "SSH tunnels local and remote port forwarding explained"

http://blog.trackets.com/2014/05/17/ssh-tunnel-local-and-remote-port-forwarding-explained-with-examples.html

Lastly, I would advise against using root on the remote system for SSH connections. root is a very powerful account, and should be reserved for system administration only.

Furthermore, on many modern Linux distributions, SSH remote login as root is disabled by default.

Why is root login via SSH so bad that everyone advises to disable it?

Rui F Ribeiro

  • What? The data connection does not use port 20; it uses a random port >1024. Also ftp does not appear to have a -P option, at least not on Ubuntu 16.04. Thus you can not forward ftp with ssh since you don't know what random port will be chosen when the data connection is established ( and you get a different one for each file transferred or each time you ls ). – psusi Mar 15 '18 at 17:40
  • Nope, the server listens on an ephemeral port as well. It has to since it can be serving multiple clients and if it used port 20 for each of them, it would have no idea which one corresponded to which control session. – psusi Mar 15 '18 at 17:58
  • I printed out the FTP RFC on my dot matrix printer and studied it when I was 16. I figured out that you can issue a PASV command to one server, then a PORT command to the other server with the IP address and port number from the PASV response from the other server and get them to send the file directly from one server to the other instead of having to download and upload it myself over my 28.8kbps modem. Later a program called FXP came out that could do that, and I also wrote my own FTP server software for WinNT that blew the pants off of anything else. Go look at a PASV reply yourself. – psusi Mar 15 '18 at 18:02
  • You are confused. It listens on port 21, not 20. You connect to the server on port 21, then either issue a PORT command, telling the server what IP and port number it should connect to, or a PASV command, in which case it starts listening for the data connection on an ephemeral port, and specifies which port that is in the reply. From a quote pasv command to ftp.gnu.org: "227 Entering Passive Mode (208,118,235,20,96,222)". Note that the server is listening on port 96,222, or 24,798. – psusi Mar 15 '18 at 18:11
  • @psusi You are right, I am indeed confused. Thanks. Cannot delete accepted answer. Hmmm. – Rui F Ribeiro Mar 15 '18 at 18:19
  • Why not edit it so that it is correct? – psusi Mar 22 '18 at 00:03
  • To clarify: there's a port 20 (or more precisely: control port - 1: 21-1=20) involved, but it's not useful. It's used as the source port from the server, not the destination, in active mode (PORT). Nothing ever listens on port 20. That's in RFC 959 ch 3.2: L-1 (with L=21). – A.B Sep 20 '20 at 12:56
  • So is the answer that it's not possible? Or is there a workaround (e.g. port forward a huge chunk of ports)? – falsePockets Aug 12 '21 at 23:17
  • This answer uses PuTTY local SOCKS server, which will implicitly do port forwarding of any port: https://superuser.com/a/426310/1360183 (PuTTY is Windows program however, I don't know if there is analogous Unix solution.) – user14967413 Sep 23 '21 at 13:28
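As an added example (not code from the question, the answer or any commenter), this Python script parses the 227 PASV reply psusi quotes, computes the ephemeral data port, and checks whether a fixed -L forward of port 21 would cover it; the second reply and the PORT example values are constructed.

```python
"""Parse FTP PASV replies and check whether the data connection would
traverse a fixed set of SSH local port forwards.

Added example, not code from the question or answer. Sample replies are
constructed except the ftp.gnu.org one, which is quoted in the comments."""
import re

# RFC 959 section 4.1.2: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"227\D*(\d{1,3}(?:,\d{1,3}){5})")


def parse_pasv(reply: str) -> tuple[str, int]:
    """Return (host, port) advertised in a 227 reply; port = p1*256 + p2."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    parts = [int(x) for x in m.group(1).split(",")]
    if any(p > 255 for p in parts):
        raise ValueError(f"byte out of range in PASV reply: {reply!r}")
    return ".".join(map(str, parts[:4])), parts[4] * 256 + parts[5]


def format_port_command(host: str, port: int) -> str:
    """Build the active-mode PORT command that advertises host:port."""
    if not 0 < port < 65536:
        raise ValueError(f"invalid port {port}")
    return f"PORT {host.replace('.', ',')},{port // 256},{port % 256}"


def data_conn_forwarded(reply: str, forwarded_remote_ports: set[int]) -> bool:
    """True if the data port the server chose is one the tunnel forwards.

    With 'ssh -L 2121:server:21' only remote port 21 is forwarded, so the
    ephemeral data port from the PASV reply is almost never covered."""
    _, port = parse_pasv(reply)
    return port in forwarded_remote_ports


# Reply quoted in the comments above: port 96*256 + 222 = 24798
GNU_REPLY = "227 Entering Passive Mode (208,118,235,20,96,222)"
# Constructed reply using the FTP server address from the question
DEBIAN_REPLY = "227 Entering Passive Mode (130,89,148,12,195,80)."

if __name__ == "__main__":
    for reply in (GNU_REPLY, DEBIAN_REPLY):
        host, port = parse_pasv(reply)
        print(f"{reply!r} -> data connection to {host}:{port}")
        print("  reachable via -L 2121:...:21 only?", data_conn_forwarded(reply, {21}))
    print(format_port_command("44.44.44.44", 50000))  # PORT 44,44,44,44,195,80
```

Because the data port changes per transfer, a single -L forward can never cover it; the SOCKS-style approach (ssh -D) mentioned in the last comment avoids the problem by proxying whatever port the client is told to connect to.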