Tomato FTP change WAN port and allowing all IP addresses


Solace50

Two things I'm trying to achieve:

Firstly, WAN FTP access on a port other than 21. It appears that if it is changed to something other than 21, the directories are not listed even though a login is attempted. Port 21 seems to work fine; I guess I could edit the iptables for this?

Second is allowing any IP. I've tried 0.0.0.0/0, which removes the /0. I'm fully aware of what this does, and I will be having multiple dynamic IPs for a short duration and nothing crucial is on the device/network. Is the syntax different for allowing any with vsftpd? I checked the iptables for this as well and tried to manually apply the change and reload the firewall, but it just corrects the entry and appears not to work.
 
Unable to reproduce your port issue. In the web interface under USB and NAS->FTP Server, setting "Enable FTP Server" to "Yes, WAN and LAN" and "FTP Port" to 2222, I was able to connect via a remote client (cell phone) to my WAN IP on port 2222 and list the directory of the user. Note that there are directory options depending on what form of authentication is used. As for allowing any remote IP, simply leave the "Allowed remote address(es)" box empty.
 
Hmm, never knew that unless an address is defined Tomato allows all; I could have sworn I left it empty initially and was unable to connect. At the moment I just use a DNS to allow access. I guess it could be an nvram-specific issue even though it was cleared, or a conflicting configuration/port in use, though the router showed nothing else bound to the port. Could I just ask what build you are currently on yourself? I'll try with a fresh install and see if something specific is causing it.

Mine would be this for the EA6900:
1.28.0000 -2017.3b13-kille72- K26ARM USB AIO-64K
 
Clearing the IP addresses appears to have worked for the access, will fiddle with the port setting and see if it continues as well.
 
It appears I can establish a connection on other ports, though when reading the directory of the FTP a timeout still occurs.

Timeout detected. (control connection)
Could not retrieve directory listing
Error listing directory '/'.

The path should be /tmp/mnt/media/ being retrieved though for the specified user path, default paths should be the same as well regardless of auth type.
 
Ah nvm, it has to do with the client and using different ports/windows defender firewall, I just realized there was a rule in place blocking the request on the affected machines. Thanks though.

Edit: I lied, it still occurs. I tried from my Android device with AndFTP, which can also connect. In active mode I get a 500 illegal port error; in passive mode it connects but fails to list the directory. The last output message in AndFTP is "Replacing 192.168.1.1 with the WAN IP address of the ftp".

Seems fairly accurate to the situation,
https://support.microsoft.com/en-us/help/281193/ftp-error-500-invalid-port-command
 
 
All tests were done externally, either through cell or VPN on another laptop or even RDP. I confused myself thinking it was working since I did the connection without the VPN being active once. The hostname will resolve to the LAN IP since I'm using a DNS name and not the direct IP (which was used afterwards to avoid the confusion). I'll play around with it come the next update, as I can't think of anything else to check myself at the moment.
 
If anyone else tries the same thing: the bug with using an external port other than 21 is exclusive to 1.28.0000 -2017.3b13-kille72- K26ARM USB AIO-64K. Any other build of Tomato seems unaffected, and there are no newer builds to test to see whether the issue was remediated.
2017.2 is unaffected in my testing. I can't seem to find a changelog between the two builds, else I would try to poke around a bit more.
 
I can't confirm the issue.
I'm on kille72 2017.3 with an FTP server I configured a long time ago. Using AndFTP on my phone I can connect both locally with a private IP address and remotely by a public address, in both cases using an FQDN and port 21021.
I also can connect over OpenVPN, either using an FQDN or the private IP address.
 
An FQDN is a domain being resolved; that would likely resolve to the private address unless tunneling to a VPN.
 
Yes, the FTP server address is resolved by dnsmasq to a private local address when using the LAN, and the FTP server is resolved globally with a public address by any DNS server when resolved from the WAN. The VPN is configured to use the dnsmasq DNS server when the tunnel is up.
So I can always use the FQDN when using the FTP server. I checked the vsftpd log files and they are using the right IP addresses.
 
Changelog:
https://bitbucket.org/kille72/tomato-arm-kille72/commits/tag/v2017.3

I have the same problem with 2017.3, are you 100% sure that it works with version 2017.2?
 
Are you still running the affected version? If so, with FTP enabled on a port other than 21, could you run these commands separately:

Code:
cat /etc/vsftpd.conf
iptables -t filter --list-rules
iptables -t nat --list-rules
netstat -an

and post the output please? Feel free to X out parts of your public IP if you don't want it showing.
 

Version 2018.1.016

Code:
# cat /etc/vsftpd.conf
anonymous_enable=no
dirmessage_enable=yes
download_enable=no
dirlist_enable=no
hide_ids=yes
syslog_enable=yes
local_enable=yes
local_umask=022
chmod_enable=no
chroot_local_user=yes
check_shell=no
log_ftp_protocol=no
user_config_dir=/etc/vsftpd.users
passwd_file=/etc/vsftpd.passwd
listen=yes
listen_ipv6=no
listen_port=2121
background=yes
isolate=no
max_clients=0
max_per_ip=0
max_login_fails=1
idle_session_timeout=300
use_sendfile=no
anon_max_rate=0
local_max_rate=0

Code:
# iptables -t filter --list-rules
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N shlimit
-N wanin
-N wanout
-A INPUT -i tap21 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j shlimit
-A INPUT -p tcp -m tcp --dport 23 -m state --state NEW -j shlimit
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2121 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 51515 -j ACCEPT
-A FORWARD -i tap21 -j ACCEPT
-A FORWARD -m account--aaddr 192.168.1.0/255.255.255.0 --aname lan
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i vlan2 -j wanin
-A FORWARD -o vlan2 -j wanout
-A FORWARD -i br0 -j ACCEPT
-A shlimit -m recent --set --name shlimit --rsource
-A shlimit -m recent --update --seconds 60 --hitcount 3 --name shlimit --rsource -j DROP
-A wanin -d 192.168.1.101/32 -p tcp -m tcp --dport 50101 -j ACCEPT
-A wanin -d 192.168.1.101/32 -p udp -m udp --dport 50101 -j ACCEPT

Code:
# iptables -t nat --list-rules
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N WANPREROUTING
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -d xx.217.9.xx/32 -j WANPREROUTING
-A POSTROUTING -o vlan2 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.0/24 -o br0 -j SNAT --to-source 192.168.1.1
-A WANPREROUTING -p icmp -j DNAT --to-destination 192.168.1.1
-A WANPREROUTING -p tcp -m tcp --dport 50101 -j DNAT --to-destination 192.168.1.101
-A WANPREROUTING -p udp -m udp --dport 50101 -j DNAT --to-destination 192.168.1.101
-A WANPREROUTING -p tcp -m tcp --dport 2121 -j DNAT --to-destination 192.168.1.1

Code:
# netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:9091            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:40            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2121            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:139         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:51515           0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:443         0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:445         0.0.0.0:*               LISTEN
tcp        0     64 192.168.1.1:22          192.168.1.101:63665     ESTABLISHED
tcp        0      0 192.168.1.1:445         192.168.1.101:59270     ESTABLISHED
tcp        0      0 :::53                   :::*                    LISTEN
tcp        0      0 :::22                   :::*                    LISTEN
tcp        0      0 :::23                   :::*                    LISTEN
tcp        0      0 :::51515                :::*                    LISTEN
udp        0      0 xx.217.9.xx:6153        xx.217.9.xx:5351         ESTABLISHED
udp        0      0 0.0.0.0:42000           0.0.0.0:*
udp        0      0 127.0.0.1:40            0.0.0.0:*
udp        0      0 xx.217.9.xx:52266       xx.217.9.xx:5351         ESTABLISHED
udp        0      0 0.0.0.0:53              0.0.0.0:*
udp        0      0 0.0.0.0:51515           0.0.0.0:*
udp        0      0 0.0.0.0:67              0.0.0.0:*
udp        0      0 0.0.0.0:38000           0.0.0.0:*
udp        0      0 192.168.1.255:137       0.0.0.0:*
udp        0      0 192.168.1.1:137         0.0.0.0:*
udp        0      0 0.0.0.0:137             0.0.0.0:*
udp        0      0 192.168.1.255:138       0.0.0.0:*
udp        0      0 192.168.1.1:138         0.0.0.0:*
udp        0      0 0.0.0.0:138             0.0.0.0:*
udp        0      0 127.0.0.1:38032         0.0.0.0:*
udp        0      0 0.0.0.0:36078           0.0.0.0:*
udp        0      0 0.0.0.0:43000           0.0.0.0:*
udp        0      0 :::53                   :::*
udp        0      0 :::1194                 :::*
raw        0      0 0.0.0.0:255             0.0.0.0:*               7
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  10     [ ]         DGRAM                    293    /dev/log
unix  2      [ ACC ]     STREAM     LISTENING     1148   /var/nmbd/unexpected
unix  3      [ ]         STREAM     CONNECTED     4241
unix  3      [ ]         STREAM     CONNECTED     4240
unix  3      [ ]         STREAM     CONNECTED     4238
unix  3      [ ]         STREAM     CONNECTED     4237
unix  3      [ ]         STREAM     CONNECTED     3879
unix  3      [ ]         STREAM     CONNECTED     3878
unix  3      [ ]         STREAM     CONNECTED     3876
unix  3      [ ]         STREAM     CONNECTED     3875
unix  2      [ ]         DGRAM                    3653
unix  3      [ ]         STREAM     CONNECTED     3312
unix  3      [ ]         STREAM     CONNECTED     3311
unix  2      [ ]         DGRAM                    3310
unix  2      [ ]         DGRAM                    3295
unix  2      [ ]         DGRAM                    3018
unix  2      [ ]         DGRAM                    2194
unix  2      [ ]         DGRAM                    971
unix  2      [ ]         DGRAM                    765
unix  2      [ ]         DGRAM                    295
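The four commands requested earlier are meant to answer three questions at once: which port vsftpd listens on, whether the filter and NAT tables actually admit that port, and whether a socket is bound to it. As an added example (not code from the thread or from Tomato), the script below runs those checks offline over constructed samples shaped like the output posted above; the function names are my own and the public address 203.0.113.10 is a documentation placeholder, not the poster's. It also covers one point the thread's outputs do not show: passive-mode data connections arrive on a separate high port, and the Linux FTP connection-tracking helper (nf_conntrack_ftp) only follows PASV replies on control ports it was told about (21 by default, via its ports= module parameter), so with a custom control port and an INPUT policy of DROP the passive range needs its own ACCEPT rule or the listing times out exactly as described in the thread.

```python
import re

# Constructed sample inputs, shaped like the outputs posted in the thread
# (the public IP is a documentation address, not the poster's).
VSFTPD_CONF = """\
anonymous_enable=no
listen=yes
listen_port=2121
pasv_enable=yes
pasv_min_port=50000
pasv_max_port=50100
"""

FILTER_RULES = """\
-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2121 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 51515 -j ACCEPT
"""

NAT_RULES = """\
-A PREROUTING -d 203.0.113.10/32 -j WANPREROUTING
-A WANPREROUTING -p tcp -m tcp --dport 2121 -j DNAT --to-destination 192.168.1.1
"""

NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:2121            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:443         0.0.0.0:*               LISTEN
"""

# --dport 2121 or --dport 50000:50100 (iptables-save syntax)
DPORT = re.compile(r"--dport (\d+)(?::(\d+))?")


def parse_vsftpd_conf(text):
    """key=value lines; blanks and '#' comments are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def accepted_tcp_ranges(rules, chain="INPUT"):
    """(low, high) destination-port ranges the chain accepts for TCP."""
    ranges = []
    for rule in rules.splitlines():
        if rule.startswith(f"-A {chain} ") and "-p tcp" in rule and rule.endswith("-j ACCEPT"):
            m = DPORT.search(rule)
            if m:
                low = int(m.group(1))
                ranges.append((low, int(m.group(2) or low)))
    return ranges


def range_covered(ranges, low, high):
    return any(lo <= low and high <= hi for lo, hi in ranges)


def dnat_target(rules, port):
    """Where WANPREROUTING forwards TCP traffic for this port, if anywhere."""
    for rule in rules.splitlines():
        if rule.startswith("-A WANPREROUTING ") and "-p tcp" in rule and "-j DNAT" in rule:
            m = DPORT.search(rule)
            if m and int(m.group(1)) == port:
                return rule.rsplit("--to-destination ", 1)[1]
    return None


def tcp_listeners(netstat_text, port):
    """Local addresses with a TCP socket in LISTEN on this port."""
    addrs = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0] == "tcp" and f[5] == "LISTEN":
            host, _, p = f[3].rpartition(":")
            if int(p) == port:
                addrs.append(host)
    return addrs


def check_ftp_exposure(conf_text, filter_rules, nat_rules, netstat_text):
    conf = parse_vsftpd_conf(conf_text)
    port = int(conf.get("listen_port", "21"))          # vsftpd default is 21
    accepted = accepted_tcp_ranges(filter_rules)
    report = {"control_port": port,
              "control_accepted": range_covered(accepted, port, port),
              "dnat_target": dnat_target(nat_rules, port),
              "listening_on": tcp_listeners(netstat_text, port),
              "problems": []}
    if not report["control_accepted"]:
        report["problems"].append(f"INPUT has no ACCEPT for tcp/{port}")
    if not report["listening_on"]:
        report["problems"].append(f"nothing is listening on tcp/{port}")
    # Passive data connections use a separate high port; the kernel FTP helper
    # only tracks PASV on the control ports it was loaded with (21 by default),
    # so a custom control port needs the passive range accepted explicitly.
    if conf.get("pasv_enable", "yes").lower() == "yes":
        lo, hi = conf.get("pasv_min_port"), conf.get("pasv_max_port")
        if lo and hi:
            report["pasv_range"] = (int(lo), int(hi))
            report["pasv_accepted"] = range_covered(accepted, int(lo), int(hi))
            if not report["pasv_accepted"]:
                report["problems"].append(f"INPUT has no ACCEPT for passive range {lo}:{hi}")
        else:
            report["pasv_range"], report["pasv_accepted"] = None, False
            report["problems"].append("passive range not pinned (pasv_min_port/pasv_max_port unset)")
    return report


if __name__ == "__main__":
    for key, value in check_ftp_exposure(VSFTPD_CONF, FILTER_RULES, NAT_RULES, NETSTAT).items():
        print(f"{key}: {value}")
```

Run against the sample, the control port checks out on all three counts and the only finding is the unaccepted passive range 50000:50100; to use it on a real router, paste the actual outputs of the four commands into the four sample strings.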
 
Did you add a user? If not, add one, login as that user and try listing the directory.

Default config:

dirlist_enable=no

This appears to be the case even when "Directory listings" is enabled in the GUI.

When user "test" is added, it creates an entry in /etc/vsftpd.users

Code:
root@Storage:/tmp/etc/vsftpd.users# ls
test
root@Storage:/tmp/etc/vsftpd.users# cat test
dirlist_enable=yes
download_enable=yes
write_enable=yes
root@Storage:/tmp/etc/vsftpd.users#

Note the:
dirlist_enable=yes
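The answer above turns on how vsftpd combines the global file with user_config_dir: the global keys are read first and the per-user file, named after the login, overrides them for that session only, so a login with no per-user file keeps dirlist_enable=no. As an added example (not from the thread or from vsftpd itself), the script below reproduces that merge over constructed copies of the two files shown above; the function names and the second, file-less user "guest" are my own. It also applies one rule from the vsftpd.conf man page that the thread does not mention: settings which take effect at startup (listen_port among the documented examples) have no effect in a per-user file.

```python
# Added example (not from the thread): how vsftpd arrives at a user's
# effective settings when user_config_dir is set. Global keys are read first,
# then the per-user file overrides them. Sample texts are constructed from
# the files shown in the thread.
GLOBAL_CONF = """\
anonymous_enable=no
download_enable=no
dirlist_enable=no
local_enable=yes
chroot_local_user=yes
user_config_dir=/etc/vsftpd.users
listen_port=2121
"""

# /etc/vsftpd.users/<name>: "test" mirrors the file shown in the thread;
# a user with no entry here has no per-user file at all.
USER_FILES = {
    "test": "dirlist_enable=yes\ndownload_enable=yes\nwrite_enable=yes\n",
}

# vsftpd defaults for the three keys that decide what a session may do.
DEFAULTS = {"dirlist_enable": "yes", "download_enable": "yes", "write_enable": "no"}

# The vsftpd.conf man page notes that settings which take effect at startup
# have no per-user effect; these are some of the examples it gives.
STARTUP_ONLY = {"listen_address", "listen_port", "banner_file",
                "max_per_ip", "max_clients", "xferlog_file"}


def parse_conf(text):
    """key=value lines; blanks and '#' comments are skipped."""
    pairs = (line.split("=", 1) for line in text.splitlines()
             if "=" in line and not line.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}


def effective_conf(global_text, user_files, username):
    """Return (settings, ignored_override_keys) for one user's session."""
    conf = dict(DEFAULTS)
    conf.update(parse_conf(global_text))
    ignored = []
    if "user_config_dir" in conf and username in user_files:
        for key, value in parse_conf(user_files[username]).items():
            if key in STARTUP_ONLY:
                ignored.append(key)   # has no per-user effect in vsftpd
            else:
                conf[key] = value
    return conf, ignored


def is_yes(conf, key):
    return conf.get(key, "no").lower() == "yes"


def session_capabilities(global_text, user_files, username):
    conf, ignored = effective_conf(global_text, user_files, username)
    return {"list": is_yes(conf, "dirlist_enable"),
            "download": is_yes(conf, "download_enable"),
            "write": is_yes(conf, "write_enable"),
            "ignored_overrides": ignored}


def writable_users(global_text, user_files):
    """Users whose per-user file turns on write_enable: worth a review pass."""
    return [u for u in user_files
            if session_capabilities(global_text, user_files, u)["write"]]


if __name__ == "__main__":
    for user in ("test", "guest"):
        print(user, session_capabilities(GLOBAL_CONF, USER_FILES, user))
    print("writable:", writable_users(GLOBAL_CONF, USER_FILES))
```

With these inputs "test" can list, download and write while "guest" can do none of the three, which is the behaviour the answer describes; writable_users is the quick audit of which logins the GUI has handed write access to.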
 
