Okay, another update (and hopefully the last). I have used Wireshark to get some information about the problem running as both root and the other user, and the results are as follows:

    *--ROOT---
    220 Service ready for new user.
    USER FTPROOT
    331 User name okay, need password for FTPROOT.
    PASS ********
    230 User logged in, proceed.
    PWD
    257 "/" is current directory.
    CWD S501
    250 Ok
    CWD TestConn
    250 Ok
    EPSV
    229 Entering Passive Mode (|||40112|)
    TYPE I
    200 Command TYPE okay.
    STOR TestConn.xml
    150 Ok
    226 Ok
    QUIT
    221 Goodbye.

    --NO ROOT USER--
    220 Service ready for new user.
    USER FTPROOT
    331 User name okay, need password for FTPROOT.
    PASS ********
    230 User logged in, proceed.
    PWD
    257 "/" is current directory.
    CWD S501
    250 Ok
    CWD TestConn
    250 Ok
    EPSV
    229 Entering Passive Mode (|||46726|)
    PASV
    227 Entering Passive Mode (10,101,64,144,172,26)
    227 Entering Passive Mode (10,101,64,144,172,26)
    >> FAIL <<*

Does this help at all?

On Fri, Mar 12, 2010 at 2:38 PM, Aidan Diffey <[email protected]>wrote:

> These numbers are below the 1024 port number. Does that mean that only root
> can bind these ports?
>
> On Fri, Mar 12, 2010 at 2:28 PM, Sai Pullabhotla <[email protected]> wrote:
>
>> The last two numbers give the port information to the client so the
>> client can connect back to the server for sending/receiving data. The
>> actual port number is calculated using (256*n1) + n2. Of course, this
>> is the standard syntax defined in the FTP protocol.
>>
>> Regards,
>> Sai Pullabhotla
>>
>> On Fri, Mar 12, 2010 at 8:21 AM, Aidan Diffey
>> <[email protected]> wrote:
>> > Just out of interest, what do the numbers mean in the line:
>> >
>> > *227 Entering Passive Mode (10,101,64,144,173,138)*
>> >
>> > I can see the 10 101 64 144 is the IP address of the server, but what about
>> > the 173, 138 numbers?
>> >
>> > On Fri, Mar 12, 2010 at 2:07 PM, Aidan Diffey
>> > <[email protected]>wrote:
>> >
>> >> Sorry, that IP tables entry should have been:
>> >>
>> >> *DNAT tcp -- anywhere anywhere tcp dpt:ftp to:10.101.64.144:10121*
>> >>
>> >> On Fri, Mar 12, 2010 at 1:56 PM, Niklas Gustavsson <[email protected]>wrote:
>> >>
>> >>> On Fri, Mar 12, 2010 at 2:46 PM, Niklas Gustavsson <[email protected]>
>> >>> wrote:
>> >>> > In this case, are you really running behind iptables? Because, it
>> >>> > struck me that since you map the ports, the client will try to connect
>> >>> > to the server on 10120 since that's what the server told him to do in
>> >>> > the response to the PASV command. He will not know to connect on port
>> >>> > 20.
>> >>>
>> >>> That being said, we currently support providing an "external" IP
>> >>> address for passive connection, for use when we're behind a NAT. But,
>> >>> we do not support providing an "external" port, for this kind of use.
>> >>> We surely could, if people are really interested in port mapping
>> >>> passive connections. I doubt it is that useful, but who knows :-)
>> >>>
>> >>> /niklas
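
The port arithmetic described in the thread, applied to the 227 (PASV) and 229 (EPSV) replies captured above, as an added example that is not code from the thread or from the FTP server project. The `control_host` argument and the `FORWARDED` port set are assumptions standing in for the control-connection address and whatever ports the firewall actually maps.

```python
import re

# RFC 959 PASV reply: 227 ... (h1,h2,h3,h4,p1,p2); data port = 256*p1 + p2
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# RFC 2428 EPSV reply: 229 ... (|||port|); the host is the control-connection peer
EPSV_RE = re.compile(r"^229 .*?\((.)\1\1(\d{1,5})\1\)")
# Assumption: ports the NAT/firewall forwards to the server (constructed for the example)
FORWARDED = {10120, 10121}


def parse_passive_reply(line, control_host):
    """Return the (host, port) data endpoint advertised by a 227 or 229 reply."""
    m = PASV_RE.match(line)
    if m:
        nums = [int(g) for g in m.groups()]
        if any(n > 255 for n in nums):
            raise ValueError("field out of range: " + line)
        return ".".join(str(n) for n in nums[:4]), 256 * nums[4] + nums[5]
    m = EPSV_RE.match(line)
    if m:
        port = int(m.group(2))
        if not 0 < port < 65536:
            raise ValueError("port out of range: " + line)
        return control_host, port
    raise ValueError("not a passive-mode reply: " + line)


def data_port_report(line, control_host, forwarded=FORWARDED):
    """Summarise what the client will connect to and whether that can work."""
    host, port = parse_passive_reply(line, control_host)
    return {
        "endpoint": (host, port),
        "privileged": port < 1024,            # below 1024 normally needs root to bind
        "host_matches_control": host == control_host,
        "forwarded": port in forwarded,        # client dials the advertised port as-is
    }


if __name__ == "__main__":
    # Replies copied from the capture and the earlier message in this thread
    for reply in ("229 Entering Passive Mode (|||46726|)",
                  "227 Entering Passive Mode (10,101,64,144,172,26)",
                  "227 Entering Passive Mode (10,101,64,144,173,138)"):
        print(reply, "->", data_port_report(reply, "10.101.64.144"))
```
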
