
NAT one: FTP client behind a NAT network

What is NAT? Put simply. For example, when VirtualBox sets the guest to NAT, how does that actually work?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

How to access a NAT guest from host with VirtualBox

http://ask.xmodulo.com/access-nat-guest-from-host-virtualbox.html
When the guest is set to NAT, you have to use port forwarding to be able to ssh into it.

by Dan Nanni
Question: I have a guest VM running on VirtualBox, which uses NAT networking. So the guest VM is getting a private IP address (10.x.x.x) assigned by VirtualBox. If I want to SSH to the guest VM from the host machine, how can I do that?

VirtualBox supports several networking options for guest VMs, one of them being NAT networking. When NAT networking is enabled for a guest VM, VirtualBox automatically performs network address translation between the guest VM and host's network stack, so that you do not have to configure anything on the host machine and local network for the guest VM's networking to work. The implication of such NAT, however, is that the guest VM is not reachable or visible from external networks as well as from the local host itself. This is a problem if you want to access the guest VM from the host machine for some reason (e.g., SSH).

If you want to access a NAT guest from the host on VirtualBox, you can enable port forwarding for VirtualBox NAT, either from the GUI or from the command line. This tutorial demonstrates how to SSH a NAT guest from the host by enabling port forwarding for port 22. If you want to access HTTP of a NAT guest instead, replace port 22 with port 80.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Configure NAT on FTP Server Passive mode
https://winscp.net/eng/docs/ftp_modes
The FTP server configuration info WinSCP gives has a few relevant bits.
There is one section that may be the reason FileZilla can get into the server and list data while code or the command line dies: Smart Firewalls/NATs.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This page is about configuring the Windows Server firewall / IIS for FTP
http://serverfault.com/questions/241424/tcp-port-1023-or-tcp-port-1024-for-inbound-passive-ftp-traffic

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
FTP active mode random port
Re-showing some diagrams of active and passive FTP:

It is exactly the random port 1031 on the client side in active mode that causes the problem.
Not really clear how the firewall mechanism in the Ubuntu guest works, but it seems not to matter.
Reason: traffic from outside into the guest has to pass through VirtualBox, and with NAT it seems to block all inbound ports by default. To get in you have to forward as above.
The point is: with e.g. host port 3022 forwarded to 22 inside, I already know 3022 on the host side to ssh to:
e.g. set NAT forward:
Then ssh -p 3022 blondie@192.168.56.1 or ssh -p 3022 blondie@127.0.0.1 gets inside.

But when the FTP server opens the data channel back to the client on 1031, a random port, I can't know it in advance to forward it into the VBox guest.

Forwarding all ports into the guest is kind of lame and I don't know whether it works, since the NAT mechanism is still pretty fuzzy to me.

Conclusion: I have to find a way for the VBox guest using NAT to access data on the external FTP server; then the problem is solved.

Specifically, how to let the FTP server (active mode only) reach the guest over a random port > 1023 to transfer data.

Passive mode, as said, doesn't have that problem:



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The server currently supports passive mode, so setting passive in the PHP code is all it takes. Without it, it dies => active mode isn't allowed through.
Conversely, if the FTP server suddenly only allows active mode and passive dies, the code has to be changed again. Kind of lame. It also leads to errors: data can't be listed or fetched from the server.

Leaving the FTP server on active mode by default is simpler for the server side in many admin respects, such as opening ports, security... Conversely, enabling passive mode means the FTP admin has messier configuration to do.
Here are some notes from the web:

1. This article has nothing special, but it has one important conclusion about the pros and cons of the 2 FTP modes:

A quick summary of the pros and cons of active vs. passive FTP is also in order:
Active FTP is beneficial to the FTP server admin, but detrimental to the client side admin. The FTP server attempts to make connections to random high ports on the client, which would almost certainly be blocked by a firewall on the client side. Passive FTP is beneficial to the client, but detrimental to the FTP server admin. The client will make both connections to the server, but one of them will be to a random high port, which would almost certainly be blocked by a firewall on the server side.
Luckily, there is somewhat of a compromise. Since admins running FTP servers will need to make their servers accessible to the greatest number of clients, they will almost certainly need to support passive FTP. The exposure of high level ports on the server can be minimized by specifying a limited port range for the FTP server to use. Thus, everything except for this range of ports can be firewalled on the server side. While this doesn't eliminate all risk to the server, it decreases it tremendously. See Appendix 1 for more information.
http://slacksite.com/other/ftp.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
FTP passive server behind NAT nightmare
This article hits the reverse problem of the one above. The admin even wrote a patch for PHP :)
Most importantly, it explains why FileZilla doesn't die.

http://www.elitehosts.com/blog/php-ftp-passive-ftp-server-behind-nat-nightmare/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

FileZilla's network configuration documentation page
https://wiki.filezilla-project.org/Network_Configuration

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://security.stackexchange.com/questions/46282/how-to-detect-nat-network-address-translation

http://unix.stackexchange.com/questions/90487/why-do-i-get-kicked-out-of-a-ftp-session-once-i-run-a-command
There is most likely a NAT-firewall between you and the servers showing the symptom. (NAT-firewalls hide a whole network behind a single IP-number).

The problem is that ftp wants to send the data resulting from the command in a new, separate TCP/IP connection and that cannot go through the firewall because it needs to go from the server to you, and you are hidden behind the firewall. Use the "pasv" command (may be called something different in your client) to change to a passive connection where data connections go from you to the server.

See http://slacksite.com/other/ftp.html for a more detailed explanation.

Thanks a lot. In the case of VSFTPD, the command for entering passive mode is "passive". That seems to be working for now. I think this whole situation has to do with me running the Linux install on a virtual machine and its not-so-standard settings. I am going to find out how to enable "passive" mode by default. Once I find out I'll post for anybody interested.

https://enterprisedt.com/products/edtftpjssl/doc/manual/html/howtoftpthroughafilewall.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
TODO: draw more cool diagrams





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Quests:
1. Is the username/password sent over the command channel (port 21) or the data channel (random port)?

ftp> passive
Passive mode off.
ftp> open ftp.data-rx.com
Connected to ftp.data-rx.com.
220 Serv-U FTP Server v15.1 ready...
Name (ftp.data-sadhill.com:tuco): blondie
331 User name okay, need password.
Password:
230 User logged in, proceed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.

=> Most likely the ls output is also transferred over the data channel.

2. If commands like ls transfer their result over the data channel, does the ftp client use a tmp file? If yes, maybe permissions affect this process?

3. ftp is a client command, not a connect command like ssh.
ssh normally needs its params right after the ssh command; ftp is often just typed alone and you log in afterwards.
Can we do ftp username:password[@]ftp.server.com ?
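The exchange that the active/passive section and question 1 above reason about, as an added example that is not part of the original post. The mock server (MockFtpServer), the client helper (list_via_mock), the PORT/227 codec (encode_hostport, decode_hostport) and the NAT check (nat_breaks_active_mode) are all my own constructions for this demo, not Serv-U, vsftpd or any library's API; the credentials and the two-file listing are constructed. It shows that USER/PASS travel in plaintext on the control channel, that the NLST (ls) output travels on a separate data connection, who connects to whom in each mode, and why a PORT advertising the guest's private address (10.0.2.15, port 1031 as on this page) can never be reached by a server outside the NAT:

```python
import ftplib
import ipaddress
import re
import socket
import threading

HOSTPORT_RE = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def encode_hostport(ip, port):
    """h1,h2,h3,h4,p1,p2 form used by the PORT command and the 227 PASV reply."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def decode_hostport(text):
    """Inverse of encode_hostport(); raises ValueError if no tuple is present."""
    m = HOSTPORT_RE.search(text)
    if not m:
        raise ValueError("no host/port tuple in %r" % text)
    n = [int(x) for x in m.groups()]
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]


PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def nat_breaks_active_mode(port_cmd):
    """True when the address a client puts into PORT is private (RFC 1918 or
    loopback): a server outside the NAT cannot route the data connection there."""
    ip, _port = decode_hostport(port_cmd)
    return any(ipaddress.ip_address(ip) in net for net in PRIVATE_NETS)


class MockFtpServer(threading.Thread):
    """One-session FTP control server on localhost (hypothetical, demo only):
    records every command it receives and serves a constructed listing."""

    LISTING = ["data_2019-01-09.csv", "data_2019-01-10.csv"]  # constructed

    def __init__(self):
        super().__init__(daemon=True)
        self.ctrl = socket.create_server(("127.0.0.1", 0))
        self.port = self.ctrl.getsockname()[1]
        self.seen = []          # control-channel lines exactly as received
        self.data_mode = None   # "active" or "passive", decided by the client
        self.pasv_sock = None
        self.port_target = None

    def run(self):
        conn, _ = self.ctrl.accept()
        reply = lambda text: conn.sendall((text + "\r\n").encode())
        reply("220 mock FTP ready")
        with conn.makefile("r") as rd:
            for line in rd:
                line = line.rstrip("\r\n")
                self.seen.append(line)
                verb = line.split(" ", 1)[0].upper()
                if verb == "USER":
                    reply("331 User name okay, need password.")
                elif verb == "PASS":
                    reply("230 User logged in, proceed.")
                elif verb == "TYPE":
                    reply("200 Type set.")
                elif verb == "PASV":     # server listens, client connects out
                    self.data_mode = "passive"
                    self.pasv_sock = socket.create_server(("127.0.0.1", 0))
                    hp = encode_hostport("127.0.0.1", self.pasv_sock.getsockname()[1])
                    reply("227 Entering Passive Mode (%s)" % hp)
                elif verb == "PORT":     # client listens, server connects back
                    self.data_mode = "active"
                    self.port_target = decode_hostport(line)
                    reply("200 PORT command successful.")
                elif verb == "NLST":     # the listing travels on the data channel
                    reply("150 Opening ASCII mode data connection for /bin/ls.")
                    if self.data_mode == "passive":
                        data, _ = self.pasv_sock.accept()
                        self.pasv_sock.close()
                    else:
                        data = socket.create_connection(self.port_target, timeout=5)
                    data.sendall("".join(n + "\r\n" for n in self.LISTING).encode())
                    data.close()
                    reply("226 Transfer complete.")
                elif verb == "QUIT":
                    reply("221 Goodbye.")
                    break
                else:
                    reply("502 Command not implemented.")
        conn.close()


def list_via_mock(passive):
    """Log in and run NLST in the chosen mode; return the listing plus what the
    server saw on the control channel (credentials included, in plaintext)."""
    srv = MockFtpServer()
    srv.start()
    ftp = ftplib.FTP(timeout=5)
    ftp.connect("127.0.0.1", srv.port)
    ftp.set_pasv(passive)
    ftp.login("blondie", "s3cret")   # constructed credentials
    files = ftp.nlst()
    ftp.quit()
    srv.join(timeout=5)
    return {"files": files, "data_mode": srv.data_mode, "seen": srv.seen}


if __name__ == "__main__":
    for passive in (True, False):
        print(list_via_mock(passive))
    print(nat_breaks_active_mode("PORT 10,0,2,15,4,7"))  # the page's 1031 case
```

Both modes succeed here only because client and server share the loopback interface. Behind the VirtualBox NAT, the client's PORT would carry 10.0.2.15 and the server's connect would go nowhere, which is what nat_breaks_active_mode flags; passive mode works because the only inbound connection is the one the client itself initiates. Recent Python versions also ignore the address in the 227 reply and reuse the control connection's peer address, which sidesteps the "passive server behind NAT" problem linked below.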


The problems are in the NAT router.
So how to remove the firewall, first in the VirtualBox NAT for testing?
What does port forwarding do?

- "You shouldn't be using NAT then, it's the opposite of the NAT purpose. Use Bridged instead."

- "Hi, I cannot use Bridged Networking because my Internet/intranet connection is via Wi-Fi and it doesn't work in my VM when I use it."

- Ok, well in NAT it is simply impossible.

The next best thing would be to set up a host-only card, put the VM on it, then assign a 2nd IP to your host, enable IP forwarding and forward anything from/to that IP to the VM.
Nasty setup but it works if you can get that 2nd IP for yourself.

On the other hand, I have a hard time believing you can't know the ports used by the application. These ports will appear in the system info. So why can't you? If it is a dynamic range, it can't be *any* port still.
What is your application?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Summary:

I ended up using cURL instead of PHP's ftp functions.
Note that I messed up with \r and \n in the returned result. It took me a few hours :( to realize the problem:
Failed to open stream on fopen() ...

protected function curl_ftp_get($ftp, $user_id, $last_update)
{
    if (empty($user_id)) {
        return;
    }
    $local_path = resource_path('CRAWL_DATA'.DIRECTORY_SEPARATOR.'KKKK'.DIRECTORY_SEPARATOR.$user_id.DIRECTORY_SEPARATOR);

    if (!file_exists($local_path) && !is_dir($local_path)) {
        mkdir($local_path, 0755, true);
    } // this closing brace was missing, which left the function unbalanced

    $url = $ftp['server'];
    // If there is no ftp:// or any protocol entered, add ftp://
    // (the modifier must be 'i' with no space; '! i' is a preg "unknown modifier" error)
    if (!preg_match('!^(ftp|sftp)://!i', $url)) {
        $url = 'ftp://' . $url;
    }
    $url = rtrim($url, '/');

    // Directory listing. libcurl opens the data channel in passive mode
    // (EPSV/PASV) unless CURLOPT_FTPPORT is set, which is why this works
    // where the active-mode ftp client above does not.
    $curl = curl_init();
    curl_setopt($curl, CURLOPT_URL, $url . '/');
    curl_setopt($curl, CURLOPT_FTPLISTONLY, 1);   // names only (NLST)
    curl_setopt($curl, CURLOPT_USERPWD, $ftp['username'] . ':' . $ftp['password']);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 0);
    curl_setopt($curl, CURLOPT_TIMEOUT, 600);

    $response = curl_exec($curl);
    $errno = curl_errno($curl);
    $error = curl_error($curl);
    curl_close($curl); // close once, here; the original closed this handle twice

    // Request failed
    if ($response === false) {
        // TODO handle msg error, use session to store option: $errno, $error
        return false;
    }

    // Request successful: the listing uses "\r\n" line ends, so strip the "\r"
    // from every name here, otherwise fopen() below fails with "Failed to open stream"
    $files = array_values(array_filter(array_map('trim', explode("\n", trim($response))), 'strlen'));
    // filter file by timestamp
    if ($last_update) {
        $newData = self::filterFileByTime($files, $last_update); // defined elsewhere in the class
        $files = array_values($newData);
    }

    // download file
    $local_path = "../resources/CRAWL_DATA/KKKK/" . $user_id . "/"; // resource_path not work
    foreach ($files as $file) {
        // The name comes from the remote server: refuse anything that could
        // leave the download directory (e.g. "../", absolute paths)
        if ($file === '' || $file !== basename($file) || $file === '.' || $file === '..') {
            continue;
        }
        $remote_file = $url . '/' . rawurlencode($file);
        $local_file = $local_path . $file;

        $fp = fopen($local_file, "w+");
        if ($fp === false) {
            continue; // e.g. the directory is not writable
        }
        $curl = curl_init();
        curl_setopt($curl, CURLOPT_URL, $remote_file);
        curl_setopt($curl, CURLOPT_FILE, $fp);
        curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
        curl_setopt($curl, CURLOPT_USERPWD, $ftp['username'] . ':' . $ftp['password']);
        curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 0);
        curl_setopt($curl, CURLOPT_TIMEOUT, 600);
        curl_setopt($curl, CURLOPT_BINARYTRANSFER, 1);
        curl_setopt($curl, CURLOPT_ENCODING, "");
        curl_exec($curl);
        $err = curl_error($curl); // TODO: surface per-file errors
        curl_close($curl);
        fclose($fp);
    }

    return;
}

I can't find how to call curl_init() only once, so the loop may make this script a bit slower than an FTP transfer. I will optimize this later. http://php.net/manual/en/function.curl-multi-exec.php
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Notes:
[1] Use ufw to configure the firewall. There will be a post explaining it. When using a VBox Ubuntu guest, turn the firewall off, because it does nothing to fix the external active-mode FTP issue.
If ufw is set up wrongly, the host can't even ssh into the guest. Basically it just complicates the goal of listing files on the FTP server from the VM.

[2] Scan network ports with nmap and psad
https://www.cyberciti.biz/faq/linux-detect-port-scan-attacks/

[3] Check whether the server I run is really sitting behind an external NAT?
https://www.cnet.com/forums/discussions/can-isp-detect-i-m-using-a-router-and-nat-to-share-ip-209397/
There are some tools to verify this. The ones written in C say "simple". It is simple indeed, because the logic to detect NAT isn't hard if you know the network model, packet structure... But hearing "C" and "write it yourself" is already a thrill.
The above, about a guest inside a NAT network, is only a demo for testing; the real problem originates from the Windows server that damn well can't fetch the FTP files.

[4] How the hell is NAT different from DHCP
Search the web, then note down the important bits.
https://www.cnet.com/forums/discussions/can-isp-detect-i-m-using-a-router-and-nat-to-share-ip-209397/

[5] Data encryption - infosec: http://www.tuxradar.com/content/learn-hack/
https://theintercept.com/2015/04/27/encrypting-laptop-like-mean/

[6] A page with pretty clear drawings of the 2 FTP modes:
https://enterprisedt.com/products/edtftpjssl/doc/manual/html/howtoftpthroughafilewall.html

[7] A long article about FTP, don't know if there's anything in it
http://www.ncftp.com/ncftpd/doc/misc/ftp_and_firewalls.html
http://computernetworkingsimplified.com/application-layer/active-passive-modes-ftp/

Commands:
wget ftp://username:password@SERVERNAME/directory/file

Vbox cmd port forwarding:
VBoxManage modifyvm "VM name" --natpf1 "guestssh,tcp,,2222,,22"

=> a loop can be used to forward many ports
http://www.deadcodersociety.org/blog/forwarding-a-range-of-ports-in-virtualbox/

List VMs on Windows
"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe" list hdds
or list vms

Remove a port forward setting in VirtualBox:
VBoxManage modifyvm xp --natpf1 delete guestrdp

Loop to add port forwarding for the VM:
for i in {53000..54000}; do ./VBoxManage.exe modifyvm "ub14" --natpf1 "tcp-port$i,tcp,,$i,,$i"; done







