I'm running a IIS FTP server from a Windows 10 enterprise box. Windows firewall is disabled.
problem is that clients can't connect to the FTP server thru the router (aka if I type the router's IP or the WAN address.
Error from client is the following:
Status: Connecting to 71.197.148.35:8889...
Status: Connection established, waiting for welcome message...
Status: Insecure server, it does not support FTP over TLS.
Status: Logged in
Status: Retrieving directory listing...
Status: Server sent passive reply with unroutable address. Using server address instead.
Command: LIST
Response: 150 Opening BINARY mode data connection.
Error: The data connection could not be established: ECONNREFUSED - Connection refused by server
I CAN connect if I connect to it if I use the Windows Box's assigned IP address.
I've opened TCP and UDP ports 8889 in DDWRT and forwarded to the windows IIS Box. Data ports (5000-6000 are also open and configured in IIS).
I can do an open port check using the WAN address and it's open.
I'm not completely sure it's a DDWRT problem, but I wanted to rule it out.
Firewall commands:
---------------------
BH_SCRIPT="/tmp/blocking_hosts.sh"
BH_WHITELIST="/tmp/blocking_hosts.whitelist"
logger "Download blocking hosts file and restart dnsmasq ..."
# Create whitelist. The whitelist entries will be removed from the
# hosts files, i.e. blacklist files.
cat > "$BH_WHITELIST" <<EOF
localhost\\.localdomain
local
invalid
whitelist-example\\.com
.*\\.whitelist-example\\.com
EOF
# Create download script.
cat > "$BH_SCRIPT" <<EOF
#!/bin/sh
# Function: clean_hosts_file [file ...]
clean_hosts_file() {
# The sed script cleans up the file.
# The awk script groups the hosts by ten items.
sed -e '/^127.0.0.1/b replace;
/^0.0.0.0/b replace;
:drop;
d; b;
:replace;
s/^0.0.0.0[[:space:]]*//;
s/^127.0.0.1[[:space:]]*//;
s/[[:space:]]*#.*\$//;
s/[[:space:]]*\$//;
s/[[:space:]][[:space:]]*/ /;
/^localhost\$/b drop;
/^[[:space:]]*\$/b drop;' \$* | \\
awk 'BEGIN {
# Read whitelist file.
n_whitelist = 0
while ( getline < "$BH_WHITELIST" ) {
if ( \$0 == "" ) {
break
}
else {
a_whitelist[++n_whitelist] = \$0
}
}
close("$BH_WHITELIST")
# Setup record sparator.
RS=" +"
c = 0
}
{
for ( n = 1; \$n != ""; n++ ) {
# Check whitelist.
whitelist_flag = 0
for ( w = 1; w <= n_whitelist; w++ ) {
if ( \$n ~ ( "^" a_whitelist[w] "\$" ) ) {
whitelist_flag = 1
break
}
}
if ( whitelist_flag == 0 ) {
hosts[++c] = \$n
if ( c == 10 ) {
s_hosts = "0.0.0.0"
for ( i = 1; i <= c; i++ ) {
s_hosts = s_hosts " " hosts[i]
}
print s_hosts
c = 0
}
}
}
}
END {
if ( c > 0 ) {
s_hosts = "0.0.0.0"
for ( i = 1; i <= c; i++ ) {
s_hosts = s_hosts = s_hosts " " hosts[i]
}
print s_hosts
}
}'
}
# Function: wait_for_connection
wait_for_connection() {
# Wait for an Internet connection.
# This possibly could take a long time.
while :; do
ping -c 1 -w 10 www.freebsd.org > /dev/null 2>&1 && break
sleep 10
done
}
# Set lock file.
LOCK_FILE="/tmp/blocking_hosts.lock"
# Check lock file.
if [ ! -f "\$LOCK_FILE" ]; then
sleep \$((\$\$ % 5 + 5))
[ -f "\$LOCK_FILE" ] && exit 0
echo \$\$ > "\$LOCK_FILE"
# Start downloading files.
HOSTS_FILE_NUMBER=1
[ -d "/tmp/blocking_hosts" ] || mkdir "/tmp/blocking_hosts"
for URL in "http://winhelp2002.mvps.org/hosts.txt" \\
"http://someonewhocares.org/hosts/zero/hosts" \\
"http://jansal.googlecode.com/svn/trunk/adblock/hosts" \\
"http://adblock.gjtech.net/?format=hostfile" \\
"http://www.hostsfile.org/Downloads/hosts.txt"; do
HOSTS_FILE="/tmp/blocking_hosts/hosts\`printf '%02d' \$HOSTS_FILE_NUMBER\`"
logger "Downloading \$URL ..."
REPEAT=1
while :; do
# Wait for internet connection.
wait_for_connection
START_TIME=\`date +%s\`
# Create process to download a hosts file.
wget -O - "\$URL" 2> /dev/null > "\${HOSTS_FILE}.tmp" &
WGET_PID=\$!
WAIT_TIME=\$((\$REPEAT * 10 + 20))
# Create timeout process.
( sleep \$WAIT_TIME; kill -TERM \$WGET_PID ) &
TIMEOUT_PID=\$!
wait \$WGET_PID
CURRENT_RC=\$?
kill -KILL \$TIMEOUT_PID
STOP_TIME=\`date +%s\`
if [ \$CURRENT_RC = 0 ]; then
clean_hosts_file "\${HOSTS_FILE}.tmp" > "\$HOSTS_FILE"
rm "\${HOSTS_FILE}.tmp"
break
fi
# In the case of an error: wait the remaining time.
TIME_SPAN=\$((\$STOP_TIME - \$START_TIME))
WAIT_TIME=\$((\$WAIT_TIME - \$TIME_SPAN))
[ \$WAIT_TIME -gt 0 ] && sleep \$WAIT_TIME
# Increase the number of repeats.
REPEAT=\$((\$REPEAT + 1))
[ \$REPEAT = 4 ] && break
done
HOSTS_FILE_NUMBER=\$((\$HOSTS_FILE_NUMBER + 1))
done
# Inspect downloaded hosts files.
ANY_FILE_OK=1
DNSMASQ_PARAM=""
for HOSTS_FILE in /tmp/blocking_hosts/hosts[0-9][0-9]; do
if [ -s "\$HOSTS_FILE" ]; then
ANY_FILE_OK=0
DNSMASQ_PARAM=\${DNSMASQ_PARAM:+\$DNSMASQ_PARAM }"--addn-hosts=\$HOSTS_FILE"
else
rm "\$HOSTS_FILE"
fi
done
if [ \$ANY_FILE_OK = 0 ]; then
logger "Restarting dnsmasq with additional hosts file(s) ..."
killall -TERM dnsmasq
dnsmasq --conf-file=/tmp/dnsmasq.conf \$DNSMASQ_PARAM &
fi
rm "\$LOCK_FILE"
fi
EOF
# Make it executeable.
chmod 755 "$BH_SCRIPT"
# Add crontab entry.
grep -q "$BH_SCRIPT" /tmp/crontab || echo "$(($$ % 60)) 3 * * * root $BH_SCRIPT" >>/tmp/crontab
# Execute script in background.
sh "$BH_SCRIPT" &
another hint, if you use limit FTP access option on security tab try to disable it... there was some change in http://svn.dd-wrt.com/changeset/30145 Don't know if Kongs builds have it yet...
Joined: 24 Feb 2013 Posts: 1634 Location: Belgrade
Posted: Mon Aug 15, 2016 6:32 Post subject:
Quote:
I've opened TCP and UDP ports 8889 in DDWRT and forwarded to the windows IIS Box. Data ports (5000-6000 are also open and configured in IIS).
I think that ftp is only TCP not UDP... you need to change the scripts above, according to windows ftp server and ofcourse forward those ports to iis ftp...
but I don't see XT_CT module on your list either...
[/code]
Okay got it!, so the code you pasted above,
I need to edit the dport, sport ports to the ports I'm using, correct?! for example, I'm running my ftp on TCP 8889
so I would replace all the ports to 8889? you put 20, 21, and 1024, can I just put 8889 in all those and then erase the lines that are duplicates? I'm not suing 20, 21 or 1024.
Joined: 24 Feb 2013 Posts: 1634 Location: Belgrade
Posted: Tue Aug 16, 2016 6:04 Post subject:
No, you need ddwrt to listen to those ports... I read your post once again... your Windows firewall is disabled... ftp is on IIS Windows?
you need:
1) paste the script I provided so that ddwrt listens on needed ftp ports
2) forward ports 20, 21 and range 1024:65565 porotocl TCP from WAN PUBLIC IP to your local IIS Windows IP... you can do it from cli/iptables but I think it is much easier to let GUI do it for you...
and read this to... just for better understanding how ftp works...
No, you need ddwrt to listen to those ports... I read your post once again... your Windows firewall is disabled... ftp is on IIS Windows?
you need:
1) paste the script I provided so that ddwrt listens on needed ftp ports
2) forward ports 20, 21 and range 1024:65565 porotocl TCP from WAN PUBLIC IP to your local IIS Windows IP... you can do it from cli/iptables but I think it is much easier to let GUI do it for you...
and read this to... just for better understanding how ftp works...
OMG. That did it! I didn't need to use the scripts.
It was the Port Range that enabled it. However, that seems like a lot of ports to be opened, can't I just limit that to the "data ports" that IIS uses? Not sure if you're familiar with IIS.
Joined: 24 Feb 2013 Posts: 1634 Location: Belgrade
Posted: Tue Aug 16, 2016 8:04 Post subject:
I'm not familiar with IIS Windows... but using my logic you should raise the level of your security on your IIS Windows firewall... ddwrt will just forward traffic to IIS... you said you disabled firewall on windows?
When I ran home ftp server I had similar problems. I found out that Chrome allways use Passive client ftp mode... ddwrt by default opens only 21 port on the WAN. For working ftp I was forced to open 20,21 and 1024:65565... It was a big concern for me... I kept on reading and founded out about CT helpers... I started using them... after that, I could access to my ftp and when I did https://www.grc.com/x/ne.dll?bh0bkyd2
ports were closed... this linux netfilter Connection Tracking helpers are designed to recognize only RELATED connections after entering usr/pass on ftp server... they are designed for security reasons...
well, I hope that IIS has some sort of security too... you have to dig it on the google...
I'm not familiar with IIS Windows... but using my logic you should raise the level of your security on your IIS Windows firewall... ddwrt will just forward traffic to IIS... you said you disabled firewall on windows?
When I ran home ftp server I had similar problems. I found out that Chrome allways use Passive client ftp mode... ddwrt by default opens only 21 port on the WAN. For working ftp I was forced to open 20,21 and 1024:65565... It was a big concern for me... I kept on reading and founded out about CT helpers... I started using them... after that, I could access to my ftp and when I did https://www.grc.com/x/ne.dll?bh0bkyd2
ports were closed... this linux netfilter Connection Tracking helpers are designed to recognize only RELATED connections after entering usr/pass on ftp server... they are designed for security reasons...
well, I hope that IIS has some sort of security too... you have to dig it on the google...
Ahh, okay, so if I use the CT helpers in DDWRT firewall, then in theory I wouldn't need to use the port range forwarding?
again, thanks so much for helping me out. Send me your paypal, I'd like to buy you a beer.
