FTP is the File Transfer Protocol. It has two working modes: active mode (PORT) and passive mode (PASV). The difference is which side opens the data connection, and that is what decides which firewall rules the server needs.
PORT (active mode)
The FTP client connects to port 21 on the FTP server and logs in with a username and password. When it later needs a directory listing (LIST) or wants to read a file, the client opens a random port above 1024 and sends a PORT command on the control connection, telling the server that it is using active mode and which address and port it is listening on. The server, having received the PORT command and port number, initiates the data connection from its own port 20 to the client's advertised port and sends the data over it.
PASV (passive mode)
The FTP client connects to port 21 on the FTP server and logs in with a username and password. When it later needs a directory listing or wants to read a file, it sends a PASV command. The server opens a random port above 1024 on itself, tells the client that address and port in its reply (a 227 "Entering Passive Mode" line), and the client then connects to the server's open port for the data transfer. Because in active mode it is the server that opens the data connection, active mode usually fails when the client sits behind NAT or a stateful firewall; passive mode moves that burden to the server, which is why the server's firewall has to expose the passive port range.
1. Working in active mode

[iyunv@localhost mnt]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
[iyunv@localhost mnt]# iptables -I OUTPUT -p tcp --sport 22 -j ACCEPT    # keep the SSH session alive before locking down OUTPUT
[iyunv@localhost mnt]# iptables -P OUTPUT DROP                           # default-deny outbound traffic
[iyunv@localhost ~]# iptables -I INPUT -p tcp --dport 21 -j ACCEPT       # control connection in
[iyunv@localhost ~]# iptables -I OUTPUT -p tcp --sport 20:21 -j ACCEPT   # control replies from 21, and the server-initiated data connection from port 20
[iyunv@localhost ftp]# netstat -anpt | grep vsftp
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      1895/vsftpd
tcp        0      0 192.168.60.20:21        192.168.60.10:13153     ESTABLISHED 2066/vsftpd

No extra INPUT rule is needed for the data channel in active mode: the server opens the data connection from port 20, so the client's packets coming back are matched by the existing INPUT rule for state RELATED,ESTABLISHED.
2. Working in passive mode

[iyunv@localhost ftp]# vi /etc/vsftpd/vsftpd.conf
# enable PASV mode (vsftpd.conf only accepts whole-line '#' comments, not trailing ones)
pasv_enable=yes
# restrict passive data connections to ports 24500-24600
pasv_min_port=24500
pasv_max_port=24600
[iyunv@localhost ftp]# service vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
[iyunv@localhost ftp]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ssh
[iyunv@localhost ftp]# iptables -I INPUT -p tcp --dport 20:21 -j ACCEPT          # control connection in (port 20 is not used in passive mode)
[iyunv@localhost ftp]# iptables -I INPUT -p tcp --dport 24500:24600 -j ACCEPT    # client-initiated data connections into the PASV range
[iyunv@localhost ftp]# iptables -I OUTPUT -p tcp --sport 21 -j ACCEPT            # control replies out
[iyunv@localhost ftp]# iptables -I OUTPUT -p tcp --sport 24500:24600 -j ACCEPT   # data channel replies out
[iyunv@localhost ftp]# netstat -anpt | grep vsftp
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      2543/vsftpd
tcp        0      0 192.168.60.20:24537     0.0.0.0:*               LISTEN      2618/vsftpd
tcp        0  23400 192.168.60.20:24537     192.168.60.10:13417     ESTABLISHED 2620/vsftpd
tcp        0      0 192.168.60.20:21        192.168.60.10:13415     ESTABLISHED 2618/vsftpd

The netstat output shows vsftpd listening on 24537, inside the configured range, for the duration of the transfer. Opening the whole range to every source is the price of these stateless rules; with the nf_conntrack_ftp helper (ip_conntrack_ftp on older kernels) loaded, the negotiated data connection is matched by the RELATED state instead, so the range does not have to be opened statically, and keeping pasv_min_port/pasv_max_port narrow limits the exposure either way.
Note: which mode is used is decided by the client, and many client programs let you switch between the two (I used CuteFTP here).
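The negotiation described in the PORT and PASV sections above, and the port range the passive-mode firewall rules depend on, reduce to a small amount of arithmetic on the control channel: the client (or server) encodes an address and port as six decimal fields, and the other side decodes them. The helpers below, an added example that is not code from the original post or from vsftpd, do that encoding and decoding and add the checks a careful client applies before opening a data connection: the advertised host must be the control connection's peer, the port must not be privileged, and (for this server) it must fall inside the 24500-24600 range the firewall allows. The hosts, ports and reply lines are constructed to match the netstat output on this page (server 192.168.60.20, client 192.168.60.10, data port 24537).

```python
"""Helpers for the FTP PORT/PASV data-connection negotiation.

Added example, not part of the original page or of vsftpd. The IPs,
ports and reply lines used below are constructed to match the netstat
output in the post (server 192.168.60.20, PASV range 24500-24600).
"""
import re

# The server's configured passive range (pasv_min_port / pasv_max_port).
PASV_MIN, PASV_MAX = 24500, 24600

# h1,h2,h3,h4,p1,p2 as used by both the PORT command and the 227 reply.
_SIX_NUMBERS = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def _decode(fields):
    """Turn six decimal fields (h1..h4,p1,p2) into ('h1.h2.h3.h4', port)."""
    nums = [int(x) for x in fields]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range: %r" % (fields,))
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return host, port


def build_port_command(host, port):
    """Client side of active mode: encode the address/port the client listens on."""
    if not 0 < port < 65536:
        raise ValueError("bad port %r" % port)
    octets = host.split(".")
    if len(octets) != 4:
        raise ValueError("IPv4 dotted quad expected, got %r" % host)
    return "PORT %s,%d,%d" % (",".join(octets), port // 256, port % 256)


def parse_port_command(line):
    """Server side of active mode: where to connect (from port 20) for the data channel."""
    m = _SIX_NUMBERS.search(line)
    if not line.upper().startswith("PORT") or not m:
        raise ValueError("not a PORT command: %r" % line)
    return _decode(m.groups())


def parse_pasv_reply(line):
    """Client side of passive mode: parse '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'."""
    if not line.startswith("227"):
        raise ValueError("not a 227 reply: %r" % line)
    m = _SIX_NUMBERS.search(line)
    if not m:
        raise ValueError("no address in 227 reply: %r" % line)
    return _decode(m.groups())


def check_pasv_reply(line, control_peer, lo=PASV_MIN, hi=PASV_MAX):
    """Validate a 227 reply before the client opens the data connection.

    Returns (host, port, problems). A non-empty problem list means the
    client should refuse, or at least ignore the advertised host and
    connect to the control connection's peer address instead.
    """
    host, port = parse_pasv_reply(line)
    problems = []
    if host != control_peer:
        problems.append("advertised host %s differs from control peer %s" % (host, control_peer))
    if port < 1024:
        problems.append("privileged data port %d" % port)
    if not lo <= port <= hi:
        problems.append("port %d outside firewall range %d-%d" % (port, lo, hi))
    return host, port, problems


if __name__ == "__main__":
    # Constructed inputs matching the hosts and PASV range on the page.
    print(build_port_command("192.168.60.10", 13153))
    print(parse_port_command("PORT 192,168,60,10,51,97"))
    print(check_pasv_reply("227 Entering Passive Mode (192,168,60,20,95,217)", "192.168.60.20"))
    # A reply pointing somewhere else, on a port the firewall would not pass.
    print(check_pasv_reply("227 Entering Passive Mode (10,0,0,5,4,1)", "192.168.60.20"))
```

The host comparison is the check worth keeping in a real client: a 227 reply can name any address, and connecting to it blindly turns the data channel into a connection to wherever the server (or whoever can tamper with the control channel) chooses. The range check mirrors the server's iptables rules, so a reply outside 24500-24600 is diagnosed as a configuration mismatch rather than a silent timeout.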