Getting "I won't open a connection to" when connecting to FTP server from Google Compute Engine


Problem description


I ssh'ed to my compute engine's VM and want to ftp to another server from there. It asked for my username and password, and I could log in without a problem. But when I do ls or get, I receive this error:

500 I won't open a connection to 10.240.XX.XX (only to XX.XX.XX.XX)
ftp: bind: Address already in use

That 10.240.XX.XX is my internal IP address, which I saw in the ifconfig result.

How can I transfer files from another server using FTP? System: Debian7

Solution

You are using the active mode of FTP to connect to a server running Pure-FTPd. In the active mode, a server has to connect back to a client to open a data transfer connection (for file transfers or directory listing). For that, the client sends its IP address to the FTP server in the PORT command.

If the FTP server is outside of the GCE private network, it obviously cannot connect back to the client machine, as the machine is behind a firewall and NAT.

And actually the Pure-FTPd explicitly checks that the IP address in the PORT command matches the client IP address of the FTP control connection. It won't match if the client sends its internal IP address within the GCE network. In this case, the Pure-FTPd server rejects the transfer outright (without even trying to connect) with the error message you are getting:

I won't open a connection to ... (only to ...)

(where the first ... is the IP address provided by the client in the PORT command [the local address within the GCE private network], and the second ... is the external [NATed] IP address of the client, as known by the server).


Even if the client reported the external [NATed] address in the PORT command, it still won't work as the connection attempt won't get past the NAT and firewall.

For this reason, the passive FTP mode exists, in which the client connects to the server to open the data transfer connection. Actually, no one uses the active mode nowadays.

See (my article) FTP connection modes for details about the modes.

So, switch to the passive mode. How this is done is client-specific.

  • In most common *nix ftp command-line clients, use the -p command-line switch, though the passive mode is used by default anyway:

    -p Use passive mode for data transfers. Allows use of ftp in environments where a firewall prevents connections from the outside world back to the client machine. Requires that the ftp server support the PASV command. This is the default now for all clients (ftp and pftp) due to security concerns using the PORT transfer mode. The flag is kept for compatibility only and has no effect anymore.

  • Some clients also support the passive command.
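
A sketch of the server-side check described in the answer above, as an added example (not part of the original answer and not Pure-FTPd's actual code): it decodes the PORT argument and compares the address with the source address of the control connection. The function names, the sample addresses and the 200/501 reply texts are constructed for illustration; only the 500 message format comes from the page.

```python
import ipaddress


def parse_port_argument(arg):
    """Decode the 'h1,h2,h3,h4,p1,p2' argument of an FTP PORT command (RFC 959)."""
    parts = arg.strip().split(",")
    if len(parts) != 6:
        raise ValueError("PORT needs six comma-separated numbers")
    if not all(p.isascii() and p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError("each PORT field must be a number from 0 to 255")
    nums = [int(p) for p in parts]
    host = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    port = nums[4] * 256 + nums[5]  # high byte first, then low byte
    return host, port


def check_port_command(arg, control_peer_ip):
    """Return the reply a server applying the described check would send.

    control_peer_ip is the source address of the control connection as the
    server sees it, i.e. the external (NATed) address for a client behind NAT.
    """
    try:
        host, port = parse_port_argument(arg)
    except ValueError:
        return "501 Syntax error in PORT argument"  # constructed reply text
    peer = ipaddress.IPv4Address(control_peer_ip)
    if host != peer:
        # Rejected before any connection attempt, as the answer describes.
        return f"500 I won't open a connection to {host} (only to {peer})"
    return f"200 PORT command accepted for {host}:{port}"  # constructed text


def demo():
    # Constructed sample: a client with internal address 10.240.0.5 whose
    # traffic reaches the server from 203.0.113.7 (documentation range).
    nat_external = "203.0.113.7"
    return {
        "internal_ip_in_port": check_port_command("10,240,0,5,195,80", nat_external),
        "matching_ip_in_port": check_port_command("203,0,113,7,195,80", nat_external),
        "malformed": check_port_command("10,240,0,5,195", nat_external),
    }


if __name__ == "__main__":
    for case, reply in demo().items():
        print(f"{case}: {reply}")
```

Passing the address match only means the server would attempt the connection; as the answer notes, that attempt still fails at the NAT and firewall, which is why passive mode is the fix.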
