is it impossible to tunnel ftp?

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View
i have a firewall, iptables on linux redhat 9.
behind it i have one ftp server(windows) and one webserver (windows).

i have tried to make a SSH-tunnel to the ftp-server, tried both
with putty on windows and with ssh on a FreeBSD like this:
ssh -L 2121:ftp.server.ipnum:21 sshhostipnum

the problem seems to be ftp-data, login works just fine, but
when i print "ls" or anything else i get "500 Invalid PORT Command "

it works from the ssh-shell to the ftp server.

what am i doing wrong?


Re: is it impossible to tunnel ftp?

Quoted text here. Click to load it

FTP needs a data port for returning data (eg the output of your "ls" or
the contents of a file).  This connection is either server-to-client (in
the case of "active mode") or client-to-server ("passive mode").  In
active mode, the connection is from port 20 on the server to a port
specified by the client.  In passive mode, it's from a random port
on the client to a random port specified by the server.[0]

Your port forward doesn't provide either (and it would ne difficult to

You might be able to get it to work if your ssh client supports socks
(for OpenSSH this is DynamicForward, some other clients have a similar
capability).  Set the client to use socks and passive mode.

[0] Hopefully I got those right, it's been a while since I looked at it.
Go read the FTP specs to be certain.

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

Site Timeline