ChinaUnix forum
[FTP] vsftpd internal-network NAT mapping problem

#1  posted 2010-01-27 17:10
My setup is as follows: the FTP server is on the internal network at 192.168.1.100, the Internet-facing device is an H3C router, and NAT is configured as below (the public address is not the real one):
Interface            Public address     Public port   Internal address   Internal port   Protocol
GigabitEthernet1/0   100.100.100.100    21 (ftp)      192.168.1.100      21 (ftp)        6 (tcp)
GigabitEthernet1/0   100.100.100.100    50000         192.168.1.100      50000           6 (tcp)
GigabitEthernet1/0   100.100.100.100    50001         192.168.1.100      50001           6 (tcp)
GigabitEthernet1/0   100.100.100.100    50002         192.168.1.100      50002           6 (tcp)
GigabitEthernet1/0   100.100.100.100    50003         192.168.1.100      50003           6 (tcp)
GigabitEthernet1/0   100.100.100.100    50004         192.168.1.100      50004           6 (tcp)
GigabitEthernet1/0   100.100.100.100    50005         192.168.1.100      50005           6 (tcp)

# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
#connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd with two configuration files.
# Make sure, that one of the listen options is commented !!
#listen_ipv6=YES

pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
port_enable=NO
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50005

-----------------------------------------------------------------------------------------------------------------------------
Testing from inside the internal network, I can connect normally, but logging in with ftp from a machine outside fails to connect. There is no firewall device in between, and iptables on the FTP server host is turned off. Can anyone help me work out where the problem is?

Accepted answer: post #2 below.

#2  posted 2010-01-27 17:10
Originally posted by 大丫的小哥 on 2010-1-28 10:17:

pasv_address=100.100.100.100
After adding this, the outside still cannot connect, and now the internal network cannot log in to ftp either; I can only telnet to port 21.
Connecting from outside I get only 3 packets and then nothing more (same before and after the change)
09:47:39.611027 IP 58.82.185.101.315 ...



1. Analysis
[client]   -->   [router]   -->   [vsftpd]
 public A        public B  private A  private B

Passive mode:
client <--------------> public B:21
                          destination address translation
                        <-----------------> private B:21

When there is data to download:

client <--------------> public B:21
                          destination address translation
                        <-----------------> private B:21
                        (after the server accepts the download request,
                         it opens a port locally,
                         then tells the client its own address and this port;
                         the client connects to that address and port to fetch the data)

pasv_min_port=50000   defines the start of the port range
pasv_max_port=50005   defines the end of the port range
                      ports are picked at random in this range; naturally, a range this small also caps the number of simultaneous downloaders.
pasv_address=100.100.100.100
                      the IP that is advertised; by default the IP on the local NIC is used. Here it has to be changed to public A, otherwise clients cannot connect.
                      (PS: by the way OP, I made a small slip: I left out the equals sign.)
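
To see what the server actually advertises in its 227 reply, and so whether pasv_address took effect, here is an added example (not code from this thread): it parses a PASV reply and checks the advertised endpoint against the router's public address (100.100.100.100) and the port range forwarded on the router (50000-50005), both taken from this thread. The sample replies are constructed; live_probe() is an optional helper for a real server and is not called on import.

```python
"""Parse a vsftpd 227 (PASV) reply and check what it advertises.

Added example for this thread, not code from the original post.
Symptom under discussion: vsftpd behind NAT answers PASV with its LAN
address (192.168.1.100) instead of the router's public address
(100.100.100.100), or with a port outside the range the router forwards
(50000-50005). The sample replies below are constructed; live_probe() is
an optional helper for a real server and is not called on import.
"""
import ipaddress
import re
from ftplib import FTP

# Values from the thread: the router's public address and the forwarded range.
PUBLIC_ADDRESS = "100.100.100.100"
PASV_PORT_RANGE = (50000, 50005)

# RFC 959 format used by vsftpd: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
_PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Return (host, port) from a 227 reply; raise ValueError if it is malformed."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 reply: %r" % reply)
    m = _PASV_RE.search(reply)
    if m is None:
        raise ValueError("no (h1,h2,h3,h4,p1,p2) tuple in %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in %r" % reply)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def check_pasv(reply, expected_address=PUBLIC_ADDRESS, port_range=PASV_PORT_RANGE):
    """Return a list of problems with the advertised endpoint (empty list = OK)."""
    host, port = parse_pasv(reply)
    problems = []
    if host != expected_address:
        if ipaddress.ip_address(host).is_private:
            # The thread's bug: pasv_address unset, so vsftpd advertises its LAN
            # address and an external client tries to reach 192.168.1.100.
            problems.append("advertised private address %s; set pasv_address=%s"
                            % (host, expected_address))
        else:
            problems.append("advertised %s, expected %s" % (host, expected_address))
    lo, hi = port_range
    if not lo <= port <= hi:
        # A port the router does not forward: the data connection will hang.
        problems.append("advertised port %d outside forwarded range %d-%d" % (port, lo, hi))
    return problems


def live_probe(host, user="anonymous", passwd="anonymous@"):
    """Log in to a real server, send PASV and check its actual reply."""
    with FTP(host, timeout=10) as ftp:
        ftp.login(user, passwd)
        reply = ftp.sendcmd("PASV")
    return check_pasv(reply)


if __name__ == "__main__":
    # Constructed replies: LAN address (the bug), fixed address, port out of range.
    for sample in ("227 Entering Passive Mode (192,168,1,100,195,81).",
                   "227 Entering Passive Mode (100,100,100,100,195,81).",
                   "227 Entering Passive Mode (100,100,100,100,196,1)."):
        print(sample, "->", check_pasv(sample) or "OK")
```

Run live_probe("100.100.100.100") from a host outside the NAT: a reply naming 192.168.1.100 means pasv_address is not in effect, and a port outside 50000-50005 means the range in vsftpd.conf and the router's forwarding rules have drifted apart.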

#3  posted 2010-01-27 17:58
pasv_address  100.100.100.100

Add this one line.

#4  posted 2010-01-28 10:17
Originally posted by blueswxs on 2010-1-27 17:58:
pasv_address  100.100.100.100

Add this one line.

pasv_address=100.100.100.100
After adding this, the outside still cannot connect, and now the internal network cannot log in to ftp either; I can only telnet to port 21.
Connecting from outside I get only 3 packets and then nothing more (same before and after the change)
09:47:39.611027 IP 58.82.185.101.31581 > 192.168.1.100.21: S 436391716:436391716(0) win 65535 <mss 1452,nop,nop,sackOK>
09:47:42.543175 IP 58.82.185.101.31581 > 192.168.1.100.21: S 436391716:436391716(0) win 65535 <mss 1460,nop,nop,sackOK>
09:47:48.542132 IP 58.82.185.101.31581 > 192.168.1.100.21: S 436391716:436391716(0) win 65535 <mss 1460,nop,nop,sackOK>
Connecting from the internal network (after the change)
10:04:05.321935 IP 192.168.1.100.ssh > 192.168.1.213.netview-aix-1: P 1:21(20) ack 1 win 5840
10:04:05.322356 IP 192.168.1.213.netview-aix-1 > 192.168.1.100.ssh: P 1:23(22) ack 21 win 65515
10:04:05.322362 IP 192.168.1.213.netview-aix-1 > 192.168.1.100.ssh: F 23:23(0) ack 21 win 65515
10:04:05.322412 IP 192.168.1.100.ssh > 192.168.1.213.netview-aix-1: . ack 23 win 5840
10:04:05.323733 IP 192.168.1.213 > 192.168.1.100: ICMP echo request, id 37855, seq 1, length 56
10:04:05.323757 IP 192.168.1.100 > 192.168.1.213: ICMP echo reply, id 37855, seq 1, length 56
10:04:05.324825 IP 192.168.1.100.ssh > 192.168.1.213.netview-aix-1: P 21:725(704) ack 24 win 5840
10:04:05.324984 IP 192.168.1.213.netview-aix-1 > 192.168.1.100.ssh: R 24:24(0) ack 725 win 0
10:04:05.325973 IP 192.168.1.213.netview-aix-4 > 192.168.1.100.ncube-lm: S 2631785209:2631785209(0) win 65535 <mss 1460,nop,nop,sackOK>
10:04:05.325998 IP 192.168.1.100.ncube-lm > 192.168.1.213.netview-aix-4: S 259303729:259303729(0) ack 2631785210 win 5840 <mss 1460,nop,nop,sackOK>
10:04:05.326103 IP 192.168.1.213.netview-aix-4 > 192.168.1.100.ncube-lm: . ack 1 win 65535
10:04:05.326353 IP 192.168.1.213.netview-aix-4 > 192.168.1.100.ncube-lm: F 1:1(0) ack 1 win 65535
10:04:05.326623 IP 192.168.1.100.ncube-lm > 192.168.1.213.netview-aix-4: F 1:1(0) ack 2 win 5840
10:04:05.326730 IP 192.168.1.213.netview-aix-4 > 192.168.1.100.ncube-lm: . ack 2 win 65535
10:05:21.409139 IP 192.168.1.213.nsjtp-ctrl > 192.168.1.100.ftp: S 2136658590:2136658590(0) win 65535 <mss 1460,nop,nop,sackOK>
10:05:21.409175 IP 192.168.1.100.ftp > 192.168.1.213.nsjtp-ctrl: S 338893208:338893208(0) ack 2136658591 win 5840 <mss 1460,nop,nop,sackOK>
10:05:21.409256 IP 192.168.1.213.nsjtp-ctrl > 192.168.1.100.ftp: . ack 1 win 65535
10:05:21.414342 IP 192.168.1.100.ftp > 192.168.1.213.nsjtp-ctrl: P 1:21(20) ack 1 win 5840
10:05:21.414509 IP 192.168.1.213.nsjtp-ctrl > 192.168.1.100.ftp: P 1:17(16) ack 21 win 65515
10:05:21.414532 IP 192.168.1.100.ftp > 192.168.1.213.nsjtp-ctrl: . ack 17 win 5840
10:05:21.414783 IP 192.168.1.100.ftp > 192.168.1.213.nsjtp-ctrl: P 21:55(34) ack 17 win 5840
10:05:21.414879 IP 192.168.1.213.nsjtp-ctrl > 192.168.1.100.ftp: P 17:31(14) ack 55 win 65481
10:05:21.416920 IP 192.168.1.100.ftp > 192.168.1.213.nsjtp-ctrl: P 55:78(23) ack 31 win 5840
10:05:21.417127 IP 192.168.1.213.nsjtp-ctrl > 192.168.1.100.ftp: P 31:45(14) ack 78 win 65458
10:05:21.417679 IP 192.168.1.100.ftp > 192.168.1.213.nsjtp-ctrl: P 78:106(28) ack 45 win 5840
10:05:21.417756 IP 192.168.1.213.nsjtp-ctrl > 192.168.1.100.ftp: P 45:51(6) ack 106 win 65430
10:05:21.418016 IP 192.168.1.100.ftp > 192.168.1.213.nsjtp-ctrl: P 106:125(19) ack 51 win 5840
10:05:21.418132 IP 192.168.1.213.nsjtp-ctrl > 192.168.1.100.ftp: P 51:62(11) ack 125 win 65411
10:05:21.419451 IP 192.168.1.100.ftp > 192.168.1.213.nsjtp-ctrl: P 125:149(24) ack 62 win 5840
10:05:21.419624 IP 192.168.1.213.nsjtp-ctrl > 192.168.1.100.ftp: P 62:67(5) ack 149 win 65387
10:05:21.419975 IP 192.168.1.100.ftp > 192.168.1.213.nsjtp-ctrl: P 149:158(9) ack 67 win 5840
10:05:21.492335 IP 192.168.1.213.nsjtp-ctrl > 192.168.1.100.ftp: P 67:73(6) ack 158 win 65378
10:05:21.492564 IP 192.168.1.100.ftp > 192.168.1.213.nsjtp-ctrl: P 158:172(14) ack 73 win 5840
10:05:21.493333 IP 192.168.1.213.nsjtp-ctrl > 192.168.1.100.ftp: P 73:80(7) ack 172 win 65364
10:05:21.493483 IP 192.168.1.100.ftp > 192.168.1.213.nsjtp-ctrl: P 172:209(37) ack 80 win 5840
10:05:21.494959 IP 192.168.1.213.nsjtp-ctrl > 192.168.1.100.ftp: P 80:88(8) ack 209 win 65327
10:05:21.495093 IP 192.168.1.100.ftp > 192.168.1.213.nsjtp-ctrl: P 209:239(30) ack 88 win 5840
10:05:21.495462 IP 192.168.1.213.nsjtp-ctrl > 192.168.1.100.ftp: P 88:94(6) ack 239 win 65297
10:05:21.495742 IP 192.168.1.100.ftp > 192.168.1.213.nsjtp-ctrl: P 239:291(52) ack 94 win 5840
10:05:21.623260 IP 192.168.1.213.nsjtp-ctrl > 192.168.1.100.ftp: . ack 291 win 65245

Normally 1.100 would open one of the ports 50000-50005, but here it does not.
Below is an internal connection without pasv_address=100.100.100.100 added
10:12:31.492898 IP 192.168.1.213.cft-3 > 192.168.1.100.ftp: S 1147194628:1147194628(0) win 65535 <mss 1460,nop,nop,sackOK>
10:12:31.509232 IP 192.168.1.100.ftp > 192.168.1.213.cft-3: S 790867202:790867202(0) ack 1147194629 win 5840 <mss 1460,nop,nop,sackOK>
10:12:31.492943 IP 192.168.1.213.cft-3 > 192.168.1.100.ftp: . ack 1 win 65535
10:12:31.496348 IP 192.168.1.100.ftp > 192.168.1.213.cft-3: P 1:21(20) ack 1 win 5840
10:12:31.496565 IP 192.168.1.213.cft-3 > 192.168.1.100.ftp: P 1:17(16) ack 21 win 65515
10:12:31.496588 IP 192.168.1.100.ftp > 192.168.1.213.cft-3: . ack 17 win 5840
10:12:31.496649 IP 192.168.1.100.ftp > 192.168.1.213.cft-3: P 21:55(34) ack 17 win 5840
10:12:31.496814 IP 192.168.1.213.cft-3 > 192.168.1.100.ftp: P 17:31(14) ack 55 win 65481
10:12:31.499826 IP 192.168.1.100.ftp > 192.168.1.213.cft-3: P 55:78(23) ack 31 win 5840
10:12:31.500144 IP 192.168.1.213.cft-3 > 192.168.1.100.ftp: P 31:45(14) ack 78 win 65458
10:12:31.508159 IP 192.168.1.100.ftp > 192.168.1.213.cft-3: P 78:106(28) ack 45 win 5840
10:12:31.508314 IP 192.168.1.213.cft-3 > 192.168.1.100.ftp: P 45:51(6) ack 106 win 65430
10:12:31.509451 IP 192.168.1.100.ftp > 192.168.1.213.cft-3: P 106:125(19) ack 51 win 5840
10:12:31.509563 IP 192.168.1.213.cft-3 > 192.168.1.100.ftp: P 51:62(11) ack 125 win 65411
10:12:31.509731 IP 192.168.1.100.ftp > 192.168.1.213.cft-3: P 125:149(24) ack 62 win 5840
10:12:31.509820 IP 192.168.1.213.cft-3 > 192.168.1.100.ftp: P 62:67(5) ack 149 win 65387
10:12:31.509929 IP 192.168.1.100.ftp > 192.168.1.213.cft-3: P 149:158(9) ack 67 win 5840
10:12:31.581517 IP 192.168.1.213.cft-3 > 192.168.1.100.ftp: P 67:73(6) ack 158 win 65378
10:12:31.581581 IP 192.168.1.100.ftp > 192.168.1.213.cft-3: P 158:172(14) ack 73 win 5840
10:12:31.582265 IP 192.168.1.213.cft-3 > 192.168.1.100.ftp: P 73:80(7) ack 172 win 65364
10:12:31.582399 IP 192.168.1.100.ftp > 192.168.1.213.cft-3: P 172:209(37) ack 80 win 5840
10:12:31.583889 IP 192.168.1.213.cft-3 > 192.168.1.100.ftp: P 80:88(8) ack 209 win 65327
10:12:31.584001 IP 192.168.1.100.ftp > 192.168.1.213.cft-3: P 209:239(30) ack 88 win 5840
10:12:31.584389 IP 192.168.1.213.cft-3 > 192.168.1.100.ftp: P 88:94(6) ack 239 win 65297
10:12:31.584613 IP 192.168.1.100.ftp > 192.168.1.213.cft-3: P 239:289(50) ack 94 win 5840
10:12:31.584767 IP 192.168.1.213.cft-4 > 192.168.1.100.50001: S 413786419:413786419(0) win 65535 <mss 1460,nop,nop,sackOK>
10:12:31.584794 IP 192.168.1.100.50001 > 192.168.1.213.cft-4: S 789023524:789023524(0) ack 413786420 win 5840 <mss 1460,nop,nop,sackOK>
10:12:31.584891 IP 192.168.1.213.cft-4 > 192.168.1.100.50001: . ack 1 win 65535
10:12:31.584896 IP 192.168.1.213.cft-3 > 192.168.1.100.ftp: P 94:100(6) ack 289 win 65247
10:12:31.585161 IP 192.168.1.100.ftp > 192.168.1.213.cft-3: P 289:328(39) ack 100 win 5840
10:12:31.585472 IP 192.168.1.100.50001 > 192.168.1.213.cft-4: P 1:62(61) ack 1 win 5840
10:12:31.585500 IP 192.168.1.100.50001 > 192.168.1.213.cft-4: F 62:62(0) ack 1 win 5840
10:12:31.585643 IP 192.168.1.213.cft-4 > 192.168.1.100.50001: . ack 63 win 65474
10:12:31.585650 IP 192.168.1.213.cft-4 > 192.168.1.100.50001: F 1:1(0) ack 63 win 65474
10:12:31.585684 IP 192.168.1.100.50001 > 192.168.1.213.cft-4: . ack 2 win 5840
10:12:31.585708 IP 192.168.1.100.ftp > 192.168.1.213.cft-3: P 328:352(24) ack 100 win 5840
10:12:31.585766 IP 192.168.1.213.cft-3 > 192.168.1.100.ftp: . ack 352 win 65184
I have never set up vsftpd before and am not too familiar with the configuration; is there something else I have set incorrectly?
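
The two facts these captures show, three external SYNs to port 21 that never get a SYN/ACK and, from inside, a completed data connection to 50001, can be pulled out of tcpdump text mechanically. The following is an added example, not code from this thread: it parses the old-style tcpdump lines pasted above (a flags letter, then "ack" on the SYN/ACK), lists client flows whose SYN never saw a SYN/ACK, and lists handshakes that completed into the pasv range. SAMPLE_CAPTURE is copied from the captures in this post; the SERVICE_PORTS mapping of the service names tcpdump printed ("ftp", "ssh") to port numbers is my assumption.

```python
"""Pick unanswered SYNs and pasv data connections out of tcpdump text.

Added example for this thread, not code from the original post. It reads
the old-style tcpdump lines the OP pasted (a flags letter, then "ack" on the
SYN/ACK) and reports the two facts the captures show: flows where a SYN
arrived but no SYN/ACK ever left (the three external SYNs to port 21), and
completed connections into the pasv range (the data connection to 50001 seen
from inside). SAMPLE_CAPTURE is copied from the captures in this thread;
SERVICE_PORTS maps the service names tcpdump printed to numbers (my mapping).
"""
import re
from collections import OrderedDict

PASV_PORT_RANGE = (50000, 50005)
SERVICE_PORTS = {"ftp": 21, "ssh": 22}  # names tcpdump resolved from /etc/services

# 09:47:39.611027 IP 58.82.185.101.31581 > 192.168.1.100.21: S 4363...(0) win 65535 <mss ...>
_LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>[\w-]+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>[\w-]+): (?P<flags>[SFRP.]+) (?P<rest>.*)$")

# Copied from the captures in this thread (external SYNs, an ICMP line, internal session).
SAMPLE_CAPTURE = """\
09:47:39.611027 IP 58.82.185.101.31581 > 192.168.1.100.21: S 436391716:436391716(0) win 65535 <mss 1452,nop,nop,sackOK>
09:47:42.543175 IP 58.82.185.101.31581 > 192.168.1.100.21: S 436391716:436391716(0) win 65535 <mss 1460,nop,nop,sackOK>
09:47:48.542132 IP 58.82.185.101.31581 > 192.168.1.100.21: S 436391716:436391716(0) win 65535 <mss 1460,nop,nop,sackOK>
10:04:05.323733 IP 192.168.1.213 > 192.168.1.100: ICMP echo request, id 37855, seq 1, length 56
10:12:31.492898 IP 192.168.1.213.cft-3 > 192.168.1.100.ftp: S 1147194628:1147194628(0) win 65535 <mss 1460,nop,nop,sackOK>
10:12:31.509232 IP 192.168.1.100.ftp > 192.168.1.213.cft-3: S 790867202:790867202(0) ack 1147194629 win 5840 <mss 1460,nop,nop,sackOK>
10:12:31.492943 IP 192.168.1.213.cft-3 > 192.168.1.100.ftp: . ack 1 win 65535
10:12:31.584767 IP 192.168.1.213.cft-4 > 192.168.1.100.50001: S 413786419:413786419(0) win 65535 <mss 1460,nop,nop,sackOK>
10:12:31.584794 IP 192.168.1.100.50001 > 192.168.1.213.cft-4: S 789023524:789023524(0) ack 413786420 win 5840 <mss 1460,nop,nop,sackOK>
10:12:31.584891 IP 192.168.1.213.cft-4 > 192.168.1.100.50001: . ack 1 win 65535
"""


def _port(token):
    """Numeric port as int; a service name is mapped if known, else kept as-is."""
    if token.isdigit():
        return int(token)
    return SERVICE_PORTS.get(token, token)


def parse_tcp_line(line):
    """Return a dict for one TCP line, or None for anything else (ICMP, noise)."""
    m = _LINE_RE.match(line.strip())
    if m is None:
        return None
    d = m.groupdict()
    d["sport"] = _port(d["sport"])
    d["dport"] = _port(d["dport"])
    d["syn"] = "S" in d["flags"]
    d["ack"] = "ack" in d["rest"].split()   # a SYN/ACK carries "ack <num>"
    return d


def analyze(lines):
    """Return (unanswered, pasv_connections) over client->server flows.

    A flow is (client, client_port, server, server_port). It is unanswered if
    its SYN never saw a matching SYN/ACK; it is a pasv connection if the
    handshake completed to a port inside PASV_PORT_RANGE.
    """
    syn_seen = OrderedDict()   # flow -> timestamp of its first SYN
    synack_seen = set()
    for line in lines:
        p = parse_tcp_line(line)
        if p is None or not p["syn"]:
            continue
        if p["ack"]:
            # SYN/ACK travels server->client: key it by the client's flow.
            synack_seen.add((p["dst"], p["dport"], p["src"], p["sport"]))
        else:
            syn_seen.setdefault((p["src"], p["sport"], p["dst"], p["dport"]), p["ts"])
    unanswered = [f for f in syn_seen if f not in synack_seen]
    lo, hi = PASV_PORT_RANGE
    pasv = [f for f in syn_seen
            if f in synack_seen and isinstance(f[3], int) and lo <= f[3] <= hi]
    return unanswered, pasv


if __name__ == "__main__":
    unanswered, pasv = analyze(SAMPLE_CAPTURE.splitlines())
    for f in unanswered:
        print("SYN with no SYN/ACK:", f)
    for f in pasv:
        print("pasv data connection completed:", f)
```

Feed it `tcpdump -n -i eth0 'tcp port 21 or tcp portrange 50000-50005'` output from the server: an unanswered external SYN to port 21 means the control connection itself never came up on the host, which is a different failure from a PASV reply that advertises the wrong address.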

#5  posted 2010-01-28 18:30
port_enable=YES
#6  posted 2010-01-28 18:53
(user 383519377 has been deleted; content hidden)

#7  posted 2010-02-01 13:18
Quoting blueswxs, posted 2010-01-27 17:10:
1. Analysis
[client]   -->   [router]   -->   [vsftpd]
 public A        public B  private ...

I have not been on for the past two days; the problem is in fact still there, but the moderator's enthusiasm has moved me. I saw another thread with a problem much like mine that was not solved either. I will look into it further and come back to post my findings once I reach a conclusion.

#8  posted 2010-03-30 13:46
Learned something, thanks to the OP for sharing