Why does FTP Active mode work?

In FTP Active mode the client listens on a port and the server initiates a connection to that port. I tried it, and that does seem to be what happens: ftp.gnu.org apparently opened a connection to my computer:

14:59:32.149900 IP ftp.gnu.org.ftp-data > 192.168.2.101.58903: Flags [S], seq 1241450827, win 29200, options [mss 1440,sackOK,TS val 1000896802 ecr 0,nop,wscale 7], length 0
ftp ftp.gnu.org
~ $ ftp ftp.gnu.org
Connected to ftp.gnu.org.
220 GNU FTP server ready.
Name (ftp.gnu.org:xcy): anonymous
230-NOTICE (Updated October 13 2017):
230-
230-Because of security concerns with plaintext protocols, we still
230-intend to disable the FTP protocol for downloads on this server
230-(downloads would still be available over HTTP and HTTPS), but we
230-will not be doing it on November 1, 2017, as previously announced
230-here. We will be sharing our reasons and offering a chance to
230-comment on this issue soon; watch this space for details.
230-
230-If you maintain scripts used to access ftp.gnu.org over FTP,
230-we strongly encourage you to change them to use HTTPS instead.
230-
230----
230-
230-Due to U.S. Export Regulations, all cryptographic software on this
230-site is subject to the following legal notice:
230-
230-    This site includes publicly available encryption source code
230-    which, together with object code resulting from the compiling of
230-    publicly available source code, may be exported from the United
230-    States under License Exception "TSU" pursuant to 15 C.F.R. Section
230-    740.13(e).
230-
230-This legal notice applies to cryptographic software only. Please see
230-the Bureau of Industry and Security (www.bxa.doc.gov) for more
230-information about current U.S. regulations.
230 Login successful.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
lrwxrwxrwx    1 0        0               8 Aug 20  2004 CRYPTO.README -> .message
-rw-r--r--    1 0        0           17864 Oct 23  2003 MISSING-FILES
-rw-r--r--    1 0        0            4178 Aug 13  2003 MISSING-FILES.README
-rw-r--r--    1 0        0            2991 Oct 03  2019 README
-rw-r--r--    1 0        0          405121 Oct 23  2003 before-2003-08-01.md5sums.asc
-rw-rw-r--    1 0        3003       266558 Jun 04 23:00 find.txt.gz
drwxrwxr-x  322 0        3003        12288 Feb 16 07:35 gnu
drwxrwxr-x    3 0        3003         4096 Mar 10  2011 gnu+linux-distros
-rw-rw-r--    1 0        3003       490132 Jun 04 23:00 ls-lrRt.txt.gz
drwxr-xr-x    3 0        0            4096 Apr 20  2005 mirrors
lrwxrwxrwx    1 0        0              11 Apr 15  2004 non-gnu -> gnu/non-gnu
drwxr-xr-x   91 0        0            4096 Jan 24  2019 old-gnu
lrwxrwxrwx    1 0        0               1 Aug 05  2003 pub -> .
drwxr-xr-x    2 0        0            4096 Nov 08  2007 savannah
drwxr-xr-x    2 0        0            4096 Aug 02  2003 third-party
drwxr-xr-x    2 0        0            4096 Apr 07  2009 tmp
-rw-rw-r--    1 0        3003       579355 Jun 04 23:00 tree.json.gz
drwxr-xr-x    2 0        0            4096 May 07  2013 video
-rw-r--r--    1 0        0            2830 Dec 18  2018 welcome.msg
226 Directory send OK.
ftp> quit
sudo tcpdump host ftp.gnu.org
~ $ sudo tcpdump host ftp.gnu.org
Password:
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pktap, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
14:59:22.264321 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [P.], seq 3973045689:3973045705, ack 2440437920, win 2052, options [nop,nop,TS val 588267089 ecr 1000892404], length 16: FTP: USER anonymous
14:59:22.533091 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [.], ack 16, win 227, options [nop,nop,TS val 1000894410 ecr 588267089], length 0
14:59:22.597714 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [P.], seq 1:40, ack 16, win 227, options [nop,nop,TS val 1000894431 ecr 588267089], length 39: FTP: 230-NOTICE (Updated October 13 2017):
14:59:22.597750 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [.], ack 40, win 2051, options [nop,nop,TS val 588267420 ecr 1000894431], length 0
14:59:22.599061 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [P.], seq 40:46, ack 16, win 227, options [nop,nop,TS val 1000894431 ecr 588267089], length 6: FTP: 230-
14:59:22.599066 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [P.], seq 46:115, ack 16, win 227, options [nop,nop,TS val 1000894431 ecr 588267089], length 69: FTP: 230-Because of security concerns with plaintext protocols, we still
14:59:22.599067 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [P.], seq 115:184, ack 16, win 227, options [nop,nop,TS val 1000894431 ecr 588267089], length 69: FTP: 230-intend to disable the FTP protocol for downloads on this server
14:59:22.599069 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [P.], seq 254:325, ack 16, win 227, options [nop,nop,TS val 1000894431 ecr 588267089], length 71: FTP: 230-will not be doing it on November 1, 2017, as previously announced
14:59:22.599070 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [P.], seq 184:254, ack 16, win 227, options [nop,nop,TS val 1000894431 ecr 588267089], length 70: FTP: 230-(downloads would still be available over HTTP and HTTPS), but we
14:59:22.599071 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [P.], seq 325:392, ack 16, win 227, options [nop,nop,TS val 1000894431 ecr 588267089], length 67: FTP: 230-here. We will be sharing our reasons and offering a chance to
14:59:22.599073 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [P.], seq 392:455, ack 16, win 227, options [nop,nop,TS val 1000894431 ecr 588267089], length 63: FTP: 230-comment on this issue soon; watch this space for details.
14:59:22.599074 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [P.], seq 455:461, ack 16, win 227, options [nop,nop,TS val 1000894431 ecr 588267089], length 6: FTP: 230-
14:59:22.599111 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [.], ack 46, win 2051, options [nop,nop,TS val 588267421 ecr 1000894431], length 0
14:59:22.599133 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [.], ack 115, win 2050, options [nop,nop,TS val 588267421 ecr 1000894431], length 0
14:59:22.599142 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [.], ack 184, win 2049, options [nop,nop,TS val 588267421 ecr 1000894431], length 0
14:59:22.599232 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [.], ack 184, win 2049, options [nop,nop,TS val 588267421 ecr 1000894431,nop,nop,sack 1 {254:325}], length 0
14:59:22.599249 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [.], ack 325, win 2047, options [nop,nop,TS val 588267421 ecr 1000894431], length 0
14:59:22.599269 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [.], ack 392, win 2046, options [nop,nop,TS val 588267421 ecr 1000894431], length 0
14:59:22.599277 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [.], ack 455, win 2045, options [nop,nop,TS val 588267421 ecr 1000894431], length 0
14:59:22.599288 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [.], ack 461, win 2045, options [nop,nop,TS val 588267421 ecr 1000894431], length 0
14:59:22.940119 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [P.], seq 527:1279, ack 16, win 227, options [nop,nop,TS val 1000894493 ecr 588267420], length 752: FTP: 230-we strongly encourage you to change them to use HTTPS instead.
14:59:22.940158 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [.], ack 461, win 2048, options [nop,nop,TS val 588267762 ecr 1000894431,nop,nop,sack 1 {527:1279}], length 0
14:59:23.306122 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [P.], seq 461:527, ack 16, win 227, options [nop,nop,TS val 1000894609 ecr 588267762], length 66: FTP: 230-If you maintain scripts used to access ftp.gnu.org over FTP,
14:59:23.306175 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [.], ack 1279, win 2035, options [nop,nop,TS val 588268127 ecr 1000894609], length 0
14:59:31.587645 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [P.], seq 16:43, ack 1279, win 2048, options [nop,nop,TS val 588276405 ecr 1000894609], length 27: FTP: PORT 192,168,2,101,230,23
14:59:31.833909 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [.], ack 43, win 227, options [nop,nop,TS val 1000896741 ecr 588276405], length 0
14:59:31.834151 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [P.], seq 1279:1330, ack 43, win 227, options [nop,nop,TS val 1000896741 ecr 588276405], length 51: FTP: 200 PORT command successful. Consider using PASV.
14:59:31.834246 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [.], ack 1330, win 2047, options [nop,nop,TS val 588276649 ecr 1000896741], length 0
14:59:31.834547 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [P.], seq 43:49, ack 1330, win 2048, options [nop,nop,TS val 588276649 ecr 1000896741], length 6: FTP: LIST
14:59:32.149900 IP ftp.gnu.org.ftp-data > 192.168.2.101.58903: Flags [S], seq 1241450827, win 29200, options [mss 1440,sackOK,TS val 1000896802 ecr 0,nop,wscale 7], length 0
14:59:32.150066 IP 192.168.2.101.58903 > ftp.gnu.org.ftp-data: Flags [S.], seq 494738353, ack 1241450828, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 588276962 ecr 1000896802,sackOK,eol], length 0
14:59:32.150158 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [.], ack 49, win 227, options [nop,nop,TS val 1000896812 ecr 588276649], length 0
14:59:32.456628 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [P.], seq 1330:1369, ack 49, win 227, options [nop,nop,TS val 1000896881 ecr 588276649], length 39: FTP: 150 Here comes the directory listing.
14:59:32.456677 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [.], ack 1369, win 2047, options [nop,nop,TS val 588277268 ecr 1000896881], length 0
14:59:32.457203 IP ftp.gnu.org.ftp-data > 192.168.2.101.58903: Flags [.], ack 1, win 229, options [nop,nop,TS val 1000896881 ecr 588276962], length 0
14:59:32.457210 IP ftp.gnu.org.ftp-data > 192.168.2.101.58903: Flags [P.], seq 1:1335, ack 1, win 229, options [nop,nop,TS val 1000896881 ecr 588276962], length 1334
14:59:32.457213 IP ftp.gnu.org.ftp-data > 192.168.2.101.58903: Flags [F.], seq 1335, ack 1, win 229, options [nop,nop,TS val 1000896881 ecr 588276962], length 0
14:59:32.457260 IP 192.168.2.101.58903 > ftp.gnu.org.ftp-data: Flags [.], ack 1, win 2052, options [nop,nop,TS val 588277268 ecr 1000896881], length 0
14:59:32.457284 IP 192.168.2.101.58903 > ftp.gnu.org.ftp-data: Flags [.], ack 1335, win 2031, options [nop,nop,TS val 588277268 ecr 1000896881], length 0
14:59:32.457301 IP 192.168.2.101.58903 > ftp.gnu.org.ftp-data: Flags [.], ack 1336, win 2031, options [nop,nop,TS val 588277268 ecr 1000896881], length 0
14:59:32.458293 IP 192.168.2.101.58903 > ftp.gnu.org.ftp-data: Flags [F.], seq 1, ack 1336, win 2048, options [nop,nop,TS val 588277269 ecr 1000896881], length 0
14:59:32.701397 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [P.], seq 1369:1393, ack 49, win 227, options [nop,nop,TS val 1000896957 ecr 588276649], length 24: FTP: 226 Directory send OK.
14:59:32.701443 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [.], ack 1393, win 2047, options [nop,nop,TS val 588277510 ecr 1000896957], length 0
14:59:33.580121 IP 192.168.2.101.58903 > ftp.gnu.org.ftp-data: Flags [F.], seq 1, ack 1336, win 2048, options [nop,nop,TS val 588278387 ecr 1000896881], length 0
14:59:35.013201 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [P.], seq 49:55, ack 1393, win 2048, options [nop,nop,TS val 588279820 ecr 1000896957], length 6: FTP: QUIT
14:59:35.321961 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [.], ack 55, win 227, options [nop,nop,TS val 1000897597 ecr 588279820], length 0
14:59:35.322265 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [F.], seq 1407, ack 55, win 227, options [nop,nop,TS val 1000897597 ecr 588279820], length 0
14:59:35.322270 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [P.], seq 1393:1407, ack 56, win 227, options [nop,nop,TS val 1000897597 ecr 588279820], length 14: FTP: 221 Goodbye.
14:59:35.322329 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [.], ack 1393, win 2048, options [nop,nop,TS val 588280128 ecr 1000897597,nop,nop,sack 1 {1407:1408}], length 0
14:59:35.322354 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [.], ack 1393, win 2048, options [nop,nop,TS val 588280128 ecr 1000897597,nop,nop,sack 1 {1407:1408}], length 0
14:59:35.569089 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [.], ack 56, win 227, options [nop,nop,TS val 1000897674 ecr 588279820], length 0
14:59:35.569141 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [.], ack 1393, win 2048, options [nop,nop,TS val 588280374 ecr 1000897597,nop,nop,sack 1 {1407:1408}], length 0
14:59:35.572332 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [.], ack 56, win 227, options [nop,nop,TS val 1000897674 ecr 588279820], length 0
14:59:35.572385 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [.], ack 1393, win 2048, options [nop,nop,TS val 588280377 ecr 1000897597,nop,nop,sack 1 {1407:1408}], length 0
14:59:35.618778 IP 192.168.2.101.58903 > ftp.gnu.org.ftp-data: Flags [F.], seq 1, ack 1336, win 2048, options [nop,nop,TS val 588280423 ecr 1000896881], length 0
14:59:35.787693 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [F.], seq 1407, ack 56, win 227, options [nop,nop,TS val 1000897729 ecr 588279820], length 0
14:59:35.787731 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [.], ack 1393, win 2048, options [nop,nop,TS val 588280591 ecr 1000897597,nop,nop,sack 1 {1407:1408}], length 0
14:59:35.817852 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [.], ack 56, win 227, options [nop,nop,TS val 1000897737 ecr 588279820], length 0
14:59:35.817911 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [.], ack 1393, win 2048, options [nop,nop,TS val 588280621 ecr 1000897597,nop,nop,sack 1 {1407:1408}], length 0
14:59:36.032673 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [.], ack 56, win 227, options [nop,nop,TS val 1000897790 ecr 588279820], length 0
14:59:36.032739 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [.], ack 1393, win 2048, options [nop,nop,TS val 588280835 ecr 1000897597,nop,nop,sack 1 {1407:1408}], length 0
14:59:36.063703 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [.], ack 56, win 227, options [nop,nop,TS val 1000897798 ecr 588279820], length 0
14:59:36.063744 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [.], ack 1393, win 2048, options [nop,nop,TS val 588280866 ecr 1000897597,nop,nop,sack 1 {1407:1408}], length 0
14:59:36.345344 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [.], ack 56, win 227, options [nop,nop,TS val 1000897852 ecr 588279820], length 0
14:59:36.345398 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [.], ack 1393, win 2048, options [nop,nop,TS val 588281147 ecr 1000897597,nop,nop,sack 1 {1407:1408}], length 0
14:59:36.345772 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [.], ack 56, win 227, options [nop,nop,TS val 1000897859 ecr 588279820], length 0
14:59:36.345795 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [.], ack 1393, win 2048, options [nop,nop,TS val 588281147 ecr 1000897597,nop,nop,sack 1 {1407:1408}], length 0
14:59:36.369886 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [FP.], seq 1393:1407, ack 56, win 227, options [nop,nop,TS val 1000897875 ecr 588279820], length 14: FTP: 221 Goodbye.
14:59:36.369925 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [.], ack 1393, win 2048, options [nop,nop,TS val 588281171 ecr 1000897875,nop,nop,sack 1 {1407:1408}], length 0
14:59:36.652539 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [.], ack 56, win 227, options [nop,nop,TS val 1000897930 ecr 588279820], length 0
14:59:36.652579 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [.], ack 1393, win 2048, options [nop,nop,TS val 588281453 ecr 1000897875,nop,nop,sack 1 {1407:1408}], length 0
14:59:36.652831 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [.], ack 56, win 227, options [nop,nop,TS val 1000897930 ecr 588279820], length 0
14:59:36.652836 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [.], ack 56, win 227, options [nop,nop,TS val 1000897936 ecr 588279820], length 0
14:59:36.652859 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [.], ack 1393, win 2048, options [nop,nop,TS val 588281453 ecr 1000897875,nop,nop,sack 1 {1407:1408}], length 0
14:59:36.652876 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [.], ack 1393, win 2048, options [nop,nop,TS val 588281453 ecr 1000897875,nop,nop,sack 1 {1407:1408}], length 0
^C
75 packets captured
120 packets received by filter
0 packets dropped by kernel

Isn't a home network supposed to be unable to accept externally initiated TCP connections? How can ftp.gnu.org.ftp-data possibly initiate a connection to port 58903 on my computer?

My network:

China Telecom modem -> my router -> my computer

Also, if I listen with nc -l 0.0.0.0 55555 on my computer and then visit http://<my public IP>:55555/, does that even reach "my router"?

It's probably using some kind of NAT traversal technique.

Doesn't look like it; it's still the user who initiates the request. The first packet in your tcpdump:

14:59:22.264321 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [P.], seq 3973045689:3973045705, ack 2440437920, win 2052, options [nop,nop,TS val 588267089 ecr 1000892404], length 16: FTP: USER anonymous

Then the FTP server confirms:

14:59:22.597714 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [P.], seq 1:40, ack 16, win 227, options [nop,nop,TS val 1000894431 ecr 588267089], length 39: FTP: 230-NOTICE (Updated October 13 2017):

RFC 959:

230 User logged in, proceed.

The passive data transfer process (this may be a user-DTP or a second server-DTP) shall “listen” on the data port prior to sending a transfer request command.

ftp.gnu.org.ftp stands for ftp.gnu.org:20, which is FTP's control connection; ftp.gnu.org.ftp-data stands for ftp.gnu.org:21, which is FTP's data connection. FTP needs 2 connections at the same time. In Active mode, the client tells the server an available port over the control connection, and the server then initiates the data connection to that port.

2 likes
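As an added worked example (written for this thread, not code posted by anyone in it): the argument the client sent, PORT 192,168,2,101,230,23, encodes address 192.168.2.101 and port 230*256 + 23 = 58903, which is exactly the port the server's SYN (ftp.gnu.org.ftp-data > 192.168.2.101.58903) lands on. The script below pulls PORT commands out of tcpdump text, flags whether the advertised address is private (a server can only reach such an address if something rewrites the command on the way out), and checks that a plain SYN to that port follows. The sample lines are copied from the capture above; the regular expressions assume tcpdump's default text format.

```python
"""Pull FTP PORT commands out of tcpdump text and check that the server's
data-connection SYN really arrives on the port the client advertised."""
import ipaddress
import re

# Constructed sample: four lines taken from the capture in this thread
# (control-channel PORT and its reply, LIST, and the server's SYN to the data port).
SAMPLE_CAPTURE = """\
14:59:31.587645 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [P.], seq 16:43, ack 1279, win 2048, options [nop,nop,TS val 588276405 ecr 1000894609], length 27: FTP: PORT 192,168,2,101,230,23
14:59:31.834151 IP ftp.gnu.org.ftp > 192.168.2.101.58902: Flags [P.], seq 1279:1330, ack 43, win 227, options [nop,nop,TS val 1000896741 ecr 588276405], length 51: FTP: 200 PORT command successful. Consider using PASV.
14:59:31.834547 IP 192.168.2.101.58902 > ftp.gnu.org.ftp: Flags [P.], seq 43:49, ack 1330, win 2048, options [nop,nop,TS val 588276649 ecr 1000896741], length 6: FTP: LIST
14:59:32.149900 IP ftp.gnu.org.ftp-data > 192.168.2.101.58903: Flags [S], seq 1241450827, win 29200, options [mss 1440,sackOK,TS val 1000896802 ecr 0,nop,wscale 7], length 0
"""

# tcpdump prints "host.port" on both sides and resolves well-known ports to
# names from /etc/services: 21 -> "ftp" (control channel), 20 -> "ftp-data".
PORT_RE = re.compile(r"FTP: PORT ((?:\d+,){5}\d+)\s*$")
SYN_RE = re.compile(r"IP (\S+)\.(\S+) > (\S+)\.(\d+): Flags \[S\]")  # pure SYN only, not [S.]


def parse_port_argument(arg):
    """'h1,h2,h3,h4,p1,p2' (RFC 959) -> (ip, port) with port = p1*256 + p2."""
    fields = [int(x) for x in arg.split(",")]
    if len(fields) != 6 or any(not 0 <= f <= 255 for f in fields):
        raise ValueError(f"malformed PORT argument: {arg!r}")
    return ".".join(map(str, fields[:4])), fields[4] * 256 + fields[5]


def advertised_data_endpoints(capture_text):
    """Every PORT command in a tcpdump text dump as (ip, port, is_private).
    A private address means the server cannot reach the client directly;
    only a NAT device rewriting the command can make the transfer work."""
    found = []
    for line in capture_text.splitlines():
        m = PORT_RE.search(line)
        if m:
            ip, port = parse_port_argument(m.group(1))
            found.append((ip, port, ipaddress.ip_address(ip).is_private))
    return found


def server_syn_to(capture_text, port):
    """(host, service) that sent a plain SYN to `port`, or None if none is seen."""
    for line in capture_text.splitlines():
        m = SYN_RE.search(line)
        if m and int(m.group(4)) == port:
            return m.group(1), m.group(2)
    return None


if __name__ == "__main__":
    for ip, port, private in advertised_data_endpoints(SAMPLE_CAPTURE):
        print(f"client advertised {ip}:{port} (private address: {private})")
        print("inbound SYN to that port from:", server_syn_to(SAMPLE_CAPTURE, port))
```

Run it against a full `tcpdump -n`-less capture like the one above and every active-mode transfer shows up as one advertised endpoint followed (or not) by the server's SYN; an advertised private address with a successful SYN is the signature of an ALG somewhere on the path.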

My only guess is that NAT is at work here, and that in this process only the address was translated (the port was not involved).

It does seem to be NAT. Rather baffling: NAT actually goes out of its way to analyze the data of FTP (a protocol hardly anyone uses anymore), look for the PORT command and process it, just to support Active mode.

When traversing SNAT, the SNAT device rewrites the active ip address field and the active port field to the translated IP and port.

https://blog.csdn.net/ever_peng/article/details/89022796#3.3、FTP主动模式穿越SNAT原理

Some routers and firewalls pretend to be smart. They analyze connections and, if they think they detect FTP, they silently change the data exchanged between client and server

https://wiki.filezilla-project.org/Network_Configuration#Malicious_routers.2C_firewalls_and_data_sabotage
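An added model (constructed for this thread; it is not the router's firmware, the Linux conntrack helper, or any other real NAT code) of what an FTP ALG on a source-NAT device has to do for the capture above to work: rewrite the address and port inside PORT, remember an "expectation" so that the one inbound SYN from the server can be DNAT'ed back to the client's listening socket while every other unsolicited inbound SYN is still dropped, and keep track of how many bytes the rewrite added or removed, because a changed payload length means every later TCP sequence and acknowledgement number on the control connection has to be adjusted as well. The public address 100.77.174.23 is the one from the last post; 203.0.113.7 is a documentation-range placeholder used only to show a rewrite that changes the length. The peer is identified by the name tcpdump printed, since the capture shows no server address.

```python
"""Constructed model of an FTP ALG on a source-NAT box (not real NAT code):
rewrite active-mode PORT commands, hold an expectation for the server's
data connection, and track the payload-length change that forces TCP
sequence-number fixups on the control stream."""


def parse_port_argument(arg):
    """'h1,h2,h3,h4,p1,p2' (RFC 959) -> (ip, port) with port = p1*256 + p2."""
    fields = [int(x) for x in arg.split(",")]
    if len(fields) != 6 or any(not 0 <= f <= 255 for f in fields):
        raise ValueError(f"malformed PORT argument: {arg!r}")
    return ".".join(map(str, fields[:4])), fields[4] * 256 + fields[5]


def encode_port_argument(ip, port):
    """Inverse of parse_port_argument."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


class FtpAlg:
    """ALG state for one FTP control connection client_ip -> peer."""

    def __init__(self, client_ip, public_ip, peer):
        self.client_ip = client_ip   # client's internal (private) address
        self.public_ip = public_ip   # address the NAT presents to the outside
        self.peer = peer             # remote end of the control connection
        self.expectations = {}       # (public_ip, mapped_port) -> (client_ip, client_port)
        self.seq_delta = 0           # bytes added (+) or removed (-) on the control stream

    def _map_port(self, wanted):
        # Keep the client's port when it is free (port-preserving NAT), otherwise
        # take the next free one above it.  Simplifying assumption of this model.
        used = {p for (_, p) in self.expectations}
        while wanted in used and wanted < 65535:
            wanted += 1
        return wanted

    def outbound(self, line):
        """One client->server control-channel line (bytes, CRLF-terminated)."""
        if not line.upper().startswith(b"PORT "):
            return line
        adv_ip, adv_port = parse_port_argument(line[5:].strip().decode("ascii"))
        # Only translate when the client advertises its own address; rewriting
        # arbitrary addresses would let the ALG be used as a forwarder.
        if adv_ip != self.client_ip:
            return line
        mapped = self._map_port(adv_port)
        self.expectations[(self.public_ip, mapped)] = (self.client_ip, adv_port)
        rewritten = (b"PORT " + encode_port_argument(self.public_ip, mapped).encode("ascii")
                     + b"\r\n")
        # A different length shifts every later seq/ack number on this connection.
        self.seq_delta += len(rewritten) - len(line)
        return rewritten

    def inbound_syn(self, src_ip, dst_ip, dst_port):
        """Internal (ip, port) to DNAT an inbound SYN to, or None to drop it."""
        target = self.expectations.get((dst_ip, dst_port))
        if target is None or src_ip != self.peer:
            return None              # unsolicited: treated like any other inbound SYN
        del self.expectations[(dst_ip, dst_port)]   # one-shot: a single data connection
        return target


if __name__ == "__main__":
    alg = FtpAlg("192.168.2.101", "100.77.174.23", "ftp.gnu.org")
    print(alg.outbound(b"PORT 192,168,2,101,230,23\r\n"))
    print(alg.inbound_syn("ftp.gnu.org", "100.77.174.23", 58903))
```

With the topology in this thread there are two translation hops (the home router and then the carrier's NAT in front of the 100.77.174.23 address), and the data connection can only arrive if each hop that translates the source address also performs this rewrite; a hop that translates the address but leaves PORT alone hands the server an address it cannot reach.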

Looked at the router again: after dialing up, China Telecom assigned it the private address 100.77.174.23, which like 127.0.0.1 cannot be reached from the outside, so visiting http://<my public IP>:55555/ only gets as far as China Telecom and never reaches the China Telecom modem sitting in my home.