David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

unable to upload file using FTP on version <6.47?

Thu Dec 23, 2021 1:15 pm

Hello,
strange problem
I have this simple code to upload a file to the router using Python:
from ftplib import FTP, error_perm


def upload_file(filename, host='10.0.0.1', user='user', passwd='pass'):
    ftp = FTP(host, timeout=60)
    try:
        ftp.login(user=user, passwd=passwd)
    except error_perm as msg:
        print(f"FTP error: {msg}")
        return "Wrong User or Password"
    except Exception as e1:
        print(e1)
        print("Error in FTP Login!")
        return "Unknown Error"
    else:
        UploadOk = "Problem"
        try:
            # STOR opens a second TCP connection (ftplib uses passive mode
            # by default); that is the connection which can time out even
            # though the login on port 21 succeeded
            with open(filename, 'rb') as file_to_upload:
                ftp.storbinary('STOR test.txt', file_to_upload)
            UploadOk = "OK"
            return "FTP success"
        except Exception as e:
            print('my error')
            print(e)
            return "FTP Error " + str(e)
        finally:
            print("status " + UploadOk)
            ftp.close()
I'm trying to upload a simple txt file
when I run the code for a router on version 6.47 - the file is uploaded and working
when I try to use an older version, 6.36 / 6.40,
I can see it manages to log in to the router but is unable to upload the file
this is the error I'm getting
FTP Error [WinError 10060] A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond
I have tried all kinds of file types - same thing (v6.47 - working, older versions not working)

what could be the reason for it ?
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: unable to upload file using FTP on version <6.47?

Thu Dec 23, 2021 2:34 pm

Are you sure it's just the RouterOS version and not different firewalls on different devices? FTP uses not only one main connection, but opens a new one for each file transfer or even directory listing, which can be established from client to server (passive mode) or from server to client (active mode), so there are enough things that can easily go wrong. So check that, and if you don't find anything there, the packet sniffer is your friend.

And in case it would be caused by RouterOS version (very unlikely), you can always upgrade your museum to something newer.
 
David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

Re: unable to upload file using FTP on version <6.47?

Thu Dec 23, 2021 2:39 pm

I have found the problem -
in the firewall I have open ports: 21,22,8291 TCP only
all others are "blocked"

this is what I have done:
/ip firewall filter
add action=accept chain=input dst-port=21,22,8728,8291 log-prefix="" protocol=\
    tcp src-address=10.0.0.0/24
add action=drop chain=input disabled=yes log-prefix="" protocol=tcp
I thought it would be good to block unwanted connections to my router
how can I make it work? (except removing the firewall rule....)

Thanks ,


***
if I keep only this - will it be OK?
/ip service
set telnet disabled=yes
set ftp address=10.0.0.0/24
set www disabled=yes
set ssh address=10.0.0.0/24
set api address=10.0.0.0/24
set winbox address=10.0.0.0/24
set api-ssl disabled=yes
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: unable to upload file using FTP on version <6.47?

Thu Dec 23, 2021 6:55 pm

It's best to use a standard stateful firewall like this:
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
# what to allow:
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-port=21,22,8728,8291 protocol=tcp src-address=10.0.0.0/24
# add other things you want to allow, e.g. DNS for LAN, etc.
# block the rest:
add action=drop chain=input
The thing that allows data connections for FTP is connection-state=related.
 
David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

Re: unable to upload file using FTP on version <6.47?

Sun Dec 26, 2021 10:25 am

Great ,
Thanks
 
David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

Re: unable to upload file using FTP on version <6.47?

Wed Dec 29, 2021 5:17 pm

small question

my router is configured as a hotspot for WiFi users (no need for them to be able to connect to the router)

I did what you told me, and added my own GRE/OpenVPN/L2TP settings
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="Allow Local Network" src-address=10.0.0.0/24
add action=accept chain=input comment="Allow ping" protocol=icmp
add action=accept chain=input comment="Allow Connection to router" dst-port=21,8291 protocol=tcp
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add action=accept chain=input comment=OpenVPN dst-port=1194 protocol=tcp
add action=accept chain=input comment="Allow L2TP VPN (500,4500,1701/udp)" dst-port=500,1701,4500 in-interface=ppp-out1 protocol=udp
add action=accept chain=input comment="Allow GRE" protocol=gre
add action=add-src-to-address-list address-list=DropTCP address-list-timeout=1h chain=input comment="Drop Unknown TCP Connection to Router"
add action=drop chain=input


/ip service
set telnet disabled=yes
set ftp address=10.0.0.0/24,192.168.30.0/24
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=10.0.0.0/24,192.168.30.0/24
set api-ssl disabled=yes


do I need to add anything else?
or is this good for normal hotspot work?
I'm asking because it took me some time to understand that I need to open the DNS port on the router
****
10.0.0.0/24 is the local ethernet network
192.168.30.0/24 is the VPN network (OpenVPN/L2TP/GRE)

Thanks ,
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: unable to upload file using FTP on version <6.47?

Thu Dec 30, 2021 6:29 am

It may be slightly better to limit access to FTP and WinBox using the firewall, e.g. with in-interface=<where they should be available>. Limiting sources in "/ip service" works too, but the port is open from everywhere and the service listening on it checks the client's source address. So in theory there could be some bug in that service and then it could be exploited. But it's not very likely.

You allow DNS from everywhere, which is probably ok, if the router is only in internal networks. But if it's accessible also from internet, you definitely don't want to allow DNS from there.

If you have L2TP/IPSec, then L2TP (port 1701) should be accepted only encrypted, so you want to split that rule and add ipsec-policy=in,ipsec (but only for 1701, not for 500 and 4500).

Do you really use GRE for anything?

The DropTCP list doesn't seem to be doing anything useful.

And if you have a hotspot, it probably also needs the web server, if it's not handled by some automatic built-in rules (I'm not very familiar with it, so I'm not sure).
 
David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

Re: unable to upload file using FTP on version <6.47?

Thu Dec 30, 2021 10:32 am

the GRE is old - not used any more, I will remove it
about this:
You allow DNS from everywhere, which is probably ok, if the router is only in internal networks. But if it's accessible also from internet, you definitely don't want to allow DNS from there.
it's accessible from the internet (it has a dynamic public IP), so what should I do?

Thanks ,
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: unable to upload file using FTP on version <6.47?

Thu Dec 30, 2021 2:51 pm

Don't allow it from there. Add for example in-interface-list=LAN (if you have such a list), or you can have multiple rules with in-interface=<some internal interface>, or src-address=<subnet>, or src-address-list=<list with multiple subnets>, although addresses are not ideal, because if some spoofed UDP packets came from the internet, it would be as if the port was open.
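Putting together Sob's suggestions from this and the previous reply (interface-based rules instead of source addresses for management and DNS, L2TP accepted only inside IPsec, GRE dropped), here is one way the input chain could look. This is an added example, not configuration from the thread or from MikroTik. The interface names bridge-lan and wlan1 and the list names LAN and WAN are assumptions; ppp-out1 is the interface from the L2TP rule posted earlier and is assumed to be the internet uplink. The ESP rule is also an addition the thread does not discuss: an L2TP/IPsec client that is not behind NAT sends raw ESP instead of UDP 4500, so it needs its own accept.

```routeros
# Interface lists, so rules refer to roles rather than interface names.
# bridge-lan and wlan1 are assumed names; ppp-out1 is assumed to be the uplink.
/interface list
add name=LAN
add name=WAN
/interface list member
add list=LAN interface=bridge-lan
add list=LAN interface=wlan1
add list=WAN interface=ppp-out1

/ip firewall filter
# Replies and related connections first. FTP data connections are accepted
# here because the ftp helper in /ip firewall service-port marks them as
# related to the control connection on port 21.
add chain=input action=accept connection-state=established,related,untracked \
    comment="Established/related (includes FTP data connections)"
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp comment="Allow ping"
# Management only on LAN interfaces. A packet with a spoofed 10.0.0.x source
# arriving on ppp-out1 does not match, unlike a src-address rule.
add chain=input action=accept protocol=tcp dst-port=21,8291 in-interface-list=LAN \
    comment="FTP and WinBox from LAN only"
# VPN clients (192.168.30.0/24) get the same by source address. These are TCP,
# so a spoofed source cannot complete the handshake; Sob's caveat about
# spoofing is mainly a UDP problem.
add chain=input action=accept protocol=tcp dst-port=21,8291 src-address=192.168.30.0/24 \
    comment="FTP and WinBox from VPN clients"
# DNS for wired LAN and hotspot clients only, never from the internet.
add chain=input action=accept protocol=udp dst-port=53 in-interface-list=LAN comment="DNS UDP"
add chain=input action=accept protocol=tcp dst-port=53 in-interface-list=LAN comment="DNS TCP"
# VPN services reachable from the internet.
add chain=input action=accept protocol=tcp dst-port=1194 in-interface-list=WAN comment="OpenVPN"
add chain=input action=accept protocol=udp dst-port=500,4500 in-interface-list=WAN \
    comment="IKE and NAT-T"
add chain=input action=accept protocol=ipsec-esp in-interface-list=WAN \
    comment="ESP for L2TP/IPsec clients that are not behind NAT"
# L2TP only after IPsec has decrypted it; plain UDP 1701 from the internet
# falls through to the final drop.
add chain=input action=accept protocol=udp dst-port=1701 ipsec-policy=in,ipsec \
    comment="L2TP inside IPsec only"
# The old GRE rule and the DropTCP address-list rule are gone: nothing uses them.
add chain=input action=drop comment="Drop everything else"
```

The address limits in /ip service can stay as a second layer; they cost nothing once the firewall already restricts where the ports are reachable from. The first rule only admits FTP data connections if the ftp entry in /ip firewall service-port is enabled, which it is by default, so check it if passive transfers still time out. For the hotspot, look at /ip firewall filter print for the dynamic rules (flagged D) it installs before adding anything for the login page; Sob's remark about the web server applies only if nothing dynamic covers it.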
 
David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

Re: unable to upload file using FTP on version <6.47?

Sun Jan 02, 2022 3:23 pm

to allow only requests from wireless users?
in-interface=wlan

and what about the router itself?
I allow this, but if I ping www.cnn.com from the terminal I get no reply
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: unable to upload file using FTP on version <6.47?

Sun Jan 02, 2022 5:14 pm

It's up to you. You know what interfaces you have and from where you need it to work. It may be wlan, or some bridge for LAN, or anything else, I don't know, you do. If it's more than one interface, then either add rules for each, or you can create interface list and use that.

The router itself shouldn't have any problem. If you don't block anything in chain=output, then outgoing queries are fine. And responses are covered by the first rule with connection-state=established, if you added that.
 
David1234
Forum Guru
Topic Author
Posts: 1424
Joined: Sun Sep 18, 2011 7:00 pm

Re: unable to upload file using FTP on version <6.47?

Wed Jan 05, 2022 12:03 pm

Great
Thanks!
