The macosxhints Forums


cristofori 08-23-2006 10:01 PM

port mapping
 
Hey there all who are willing to assist:

I have an AirPort Extreme Base Station which is providing wireless network access to my iBook and iMac (both G4). I wish to set up the iMac (Running 10.3.9) as an ftp server without directly connecting to the cable modem (I have DHCP internet service with IP assigned to the AEBS). I've read a little on port mapping but remain fogged on how to obtain my desired result. Is there a way I can set up an ftp or ssh request to the AEBS to route to the iMac for file transfer outside of my local network?

Thanks for your time in this matter

voldenuit 08-23-2006 10:29 PM

ftp is messy to get through NAT, but ssh and sftp will work by just forwarding port 22.

Make sure to use strong passwords and keep up with security updates.

cristofori 08-23-2006 11:23 PM

I am unfamiliar with the term NAT and with using sftp. Also, is file transfer possible with ssh, or is that purely file browsing? How do I set up a port map from my AEBS to my iMac?

ThreeDee 08-24-2006 12:30 AM

A NAT is basically a firewall. (I think) :)

voldenuit 08-24-2006 12:39 AM

Before opening up ports to the internet, you should definitely read up a bit on networking in general to get a feeling for the dangers and how to do things safely.

NAT is network address translation, but spoon-feeding a complete networking tutorial in forum postings is probably not the best of ideas.

trevor 08-24-2006 01:20 AM

Quote:

Originally Posted by cristofori (Post 317048)
I am unfamiliar with the term NAT and with using sftp. Also, is file transfer possible with ssh, or is that purely file browsing? How do I set up a port map from my AEBS to my iMac?

If you are not familiar with the term NAT, setting up your own ftp server is going to be a problem. Ftp is insecure--it sends passwords and usernames in cleartext across the internet, so that anyone on any router in between the end user and you can read them. The ftp server is likely to be hacked. Ftp is also a very difficult protocol to get working through a NAT router.

SFTP is secure ftp. It works like ftp. It is included in OS X--it's part of the OpenSSH suite. It is easy to use through a NAT router, just open port 22. Given the existence of sftp, there's no good reason to use the insecure ftp.

Trevor

rajulkabir 08-24-2006 12:41 PM

You cannot get FTP working through NAT unless your router specifically understands the protocol. FTP uses multiple connections opened in both directions (a control connection from the client to server, and data connections from server to client). There is also passive FTP but it comes with hassles of its own and still requires multiple connections. If there is any way to just use a different protocol you'll find life gets much easier.

As others have said, SFTP is more secure, and much easier to deal with in terms of network configuration. It is NAT-friendly and everything rides on a single connection from client to server.

You cannot transfer files with SSH alone; you need to use some sort of program that sends the file across the SSH connection. But SFTP is exactly such a program (there is also SCP).
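
Added example, not part of the original thread: a NAT router has to understand FTP because the control connection carries the data connection's address as an `h1,h2,h3,h4,p1,p2` tuple (the PORT command and the 227 passive reply, RFC 959). The function names and the sample lines below are constructed for illustration.

```shell
#!/bin/sh
# Added example: decode the data-connection endpoint that FTP announces
# inside its control channel, and flag addresses a peer outside the NAT
# cannot reach.

# ftp_data_endpoint LINE -> prints "ip port"; port = p1*256 + p2 (RFC 959).
# Returns non-zero when LINE carries no valid six-number tuple.
ftp_data_endpoint() {
    printf '%s\n' "$1" | awk '
        match($0, /[0-9]+(,[0-9]+)(,[0-9]+)(,[0-9]+)(,[0-9]+)(,[0-9]+)/) {
            split(substr($0, RSTART, RLENGTH), f, ",")
            for (i = 1; i <= 6; i++) if (f[i] + 0 > 255) exit 1
            printf "%d.%d.%d.%d %d\n", f[1], f[2], f[3], f[4], f[5] * 256 + f[6]
            ok = 1
        }
        END { exit (ok ? 0 : 1) }'
}

# is_rfc1918 IP -> status 0 for 10/8, 172.16/12 and 192.168/16.
is_rfc1918() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# nat_verdict LINE -> status 0 if the announced address is not private,
# 1 if it is private, 2 if LINE holds no endpoint at all.
nat_verdict() {
    endpoint=$(ftp_data_endpoint "$1") || { echo "no data endpoint in line"; return 2; }
    ip=${endpoint% *}
    port=${endpoint#* }
    if is_rfc1918 "$ip"; then
        echo "$ip:$port is private: the peer cannot connect unless the router rewrites it"
        return 1
    fi
    echo "$ip:$port is not an RFC 1918 address"
    return 0
}

# Constructed control-channel lines: an active-mode client and a
# passive-mode server, both sitting behind NAT at 10.0.1.4.
for line in 'PORT 10,0,1,4,217,42' '227 Entering Passive Mode (10,0,1,4,195,80)'; do
    nat_verdict "$line" || true
done
```

SFTP has no such tuple: everything stays on the one TCP connection to port 22, so a single forwarded port is enough.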

cristofori 08-24-2006 10:09 PM

I am still wondering if anyone can assist me with my original query:
can I use port mapping to direct sftp request from my AEBS to my iMac?

hayne 08-24-2006 11:10 PM

Quote:

Originally Posted by cristofori (Post 317315)
I am still wondering if anyone can assist me with my original query:
can I use port mapping to direct sftp request from my AEBS to my iMac?

It's been mentioned above, but maybe you missed it in the midst of the discussions.
You need to configure the AEBS (using Airport Admin) to forward port 22 to your Mac.

cristofori 08-28-2006 10:41 PM

I set up the routing to port 22. Now, when trying to ssh to my iMac from another location I get the message "ssh: connect to host *IP* port 22: Connection refused". What's going on?

hayne 08-28-2006 10:46 PM

Do you have "Remote Login" turned on (in Sharing prefs)?

cristofori 08-28-2006 11:31 PM

Yes, Remote Login is on. I do have a question that I believe to be relevant: in the port mapping menu of the AirPort Admin utility, it asks for a public and private port. At this time, they are set to the same number 22. Is this correct?

hayne 08-28-2006 11:40 PM

Quote:

Originally Posted by cristofori (Post 318052)
I do have a question that I believe to be relevant: in the port mapping menu of the AirPort Admin utility, it asks for a public and private port. At this time, they are set to the same number 22. Is this correct?

Yes - that means that it forwards requests made to port 22 (public) to port 22 (private) on your Mac.

Are you sure that the other routers en route between where you are doing the SSH and your Mac are all forwarding port 22?

cristofori 08-29-2006 09:11 PM

The thing is, I can't ssh or ftp to my iMac from within my home either, but I can ssh my brother's iBook and he's 250 miles away.

hayne 08-29-2006 09:16 PM

Quote:

Originally Posted by cristofori (Post 318231)
The thing is, I can't ssh or ftp to my iMac from within my home either, but I can ssh my brother's iBook and he's 250 miles away.

Outgoing requests are different than incoming requests.
If something isn't working, it is likely a problem with the incoming requests.

You didn't answer my question above about the intervening routers.
E.g. what is your Airport base station connected to?

Oh - are you talking about doing ssh from your iBook to your iMac that is on the same wireless network at home? If so, the port mapping is not relevant. It should work without any port mapping - it just relies on SSH being enabled on the incoming machine (your iMac in this case) and not having any additional firewall rules on that machine that stop the packets (OS X by default will open a hole in the firewall to allow SSH when you turn on SSH in Sharing prefs)

cristofori 08-30-2006 06:59 PM

The base station is connected to my cable modem. Here's how it is: the line comes in my house, goes to the cable modem then to the AEBS. My dad has his PC hooked up to the base station in order to get internet and network access and my iBook and the iMac get internet and network access through AirPort.

hayne 08-30-2006 07:42 PM

Quote:

Originally Posted by cristofori (Post 318517)
The base station is connected to my cable modem

Some "modems" actually act as routers. In that case, you would need to configure port forwarding/mapping on the modem as well if you want people (e.g. you) to be able to access your Mac via SSH from outside your home.

Quote:

my iBook and the iMac get internet and network access through AirPort

As I said above, if your iBook and iMac are on the same network segment internal to your home network (as you have said they are), then no port mapping is required. Indeed the port mapping on the AEBS is irrelevant in this case - it only applies to packets that come from outside your home network.
The only thing that might be stopping SSH connections between your two home Macs is the firewall on these Macs.

cristofori 08-31-2006 09:03 PM

My cable modem is purely, 100%, a modem and does no routing. Also, there is no firewall blocking ssh or ftp. Is there something I could/need to reset to fix this (would resetting the pram have any effects or dangers)? Thanks for all of your help, I just hope it eventually gets us somewhere (you have opened up my knowledge of OS X though and I thank you especially for that).

Could a problem possibly lie in the fact that my iBook has 10.4 and my iMac has 10.3? Is there much difference between the systems, enough to cause pain?

hayne 08-31-2006 10:10 PM

Quote:

Originally Posted by cristofori (Post 318765)
there is no firewall blocking ssh or ftp

We're not still talking about FTP, are we? Let's keep it to SSH.

Zapping the PRAM won't hurt anything but it's very unlikely to affect this problem.

Having 10.3 on one machine and 10.4 on the other shouldn't matter.

The first thing you should check is that the SSH server is listening on port 22 on the machine that you want to reach.
E.g. if you are trying to SSH from the iBook into the iMac, then go to the iMac, open a Terminal window and run the following command:

sudo lsof -i -P

Do you see a couple of lines that end with something like the following?
TCP *:22 (LISTEN)

If so, then go back to your iBook and type in the 'ssh' command to login to your iMac (using the "-l" option to specify your username on the iMac)
Read 'man ssh' before doing this.

Add the "-v", "-vv", or "-vvv" options to the 'ssh' command to get more debugging info.

cristofori 09-04-2006 11:10 PM

sorry it took so long for me to reply.

When I run the command you specified (sudo lsof -i -P) I get the following message:

sudo: no passwd entry for root!

and nothing more.

hayne 09-04-2006 11:45 PM

Quote:

Originally Posted by cristofori (Post 319490)
When I run the command you specified (sudo lsof -i -P) I get the following message:

sudo: no passwd entry for root!

and nothing more.

This is quite odd.
Have you changed something in your 'sudo' configuration?
Have you changed something in NetInfo Manager?

voldenuit 09-05-2006 08:51 AM

While you get the sudo thing sorted, you can use

netstat -an

to find out whether sshd runs. It'll work fine for plain admin accounts.

cristofori 09-05-2006 10:36 PM

I've never messed with NetInfo Manager and know not how to use it. Also, what is the specified command "netstat -an" supposed to show me; how do I interpret its list?

voldenuit 09-05-2006 10:56 PM

If you don't know what NetInfo Manager is, chances are, you didn't mess with it...
Copy the first part of the netstat output here, we'll figure it out for you, it shows open ports on your Mac.

cristofori 09-06-2006 09:15 AM

Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 10.0.1.4.55594 72.14.223.147.80 ESTABLISHED
tcp4 0 0 10.0.1.4.55591 65.212.92.109.80 ESTABLISHED
tcp4 0 0 10.0.1.4.55587 64.154.80.250.80 ESTABLISHED
tcp4 0 702 10.0.1.4.55581 64.154.80.250.80 FIN_WAIT_1
tcp4 0 0 10.0.1.4.55578 63.245.209.10.80 ESTABLISHED
tcp4 0 0 10.0.1.4.55577 63.245.209.10.80 ESTABLISHED
tcp4 0 0 10.0.1.4.55574 63.245.209.21.80 ESTABLISHED
tcp4 0 0 10.0.1.4.55573 63.245.209.11.80 ESTABLISHED
tcp4 0 0 *.* *.* CLOSED
tcp4 0 0 *.9502 *.* LISTEN
tcp4 0 0 *.* *.* CLOSED
tcp4 0 0 *.427 *.* LISTEN
tcp4 0 0 *.* *.* CLOSED
tcp4 0 0 *.* *.* CLOSED
tcp4 0 0 *.548 *.* LISTEN
tcp46 0 0 *.548 *.* LISTEN
tcp4 0 0 *.80 *.* LISTEN
tcp4 0 0 *.631 *.* LISTEN
tcp4 0 0 127.0.0.1.1033 127.0.0.1.51231 ESTABLISHED
tcp4 0 0 127.0.0.1.51231 127.0.0.1.1033 ESTABLISHED
tcp4 0 0 127.0.0.1.1033 *.* LISTEN
udp4 0 0 *.* *.*
udp4 0 0 *.427 *.*
udp4 0 0 *.* *.*
udp4 0 0 *.* *.*
udp4 0 0 *.631 *.*
udp4 0 0 127.0.0.1.49157 127.0.0.1.1022
udp4 0 0 127.0.0.1.49156 127.0.0.1.1022
udp4 0 0 10.0.1.4.123 *.*
udp4 0 0 127.0.0.1.123 *.*
udp4 0 0 *.123 *.*
udp4 0 0 127.0.0.1.1022 *.*
udp4 0 0 127.0.0.1.49153 127.0.0.1.1023
udp4 0 0 127.0.0.1.1023 *.*
udp4 0 0 *.5353 *.*
udp4 0 0 *.68 *.*
udp4 0 0 127.0.0.1.1033 *.*
udp4 0 0 *.514 *.*
udp6 0 0 *.514 *.*
icm6 0 0 *.* *.*
icm6 0 0 *.* *.*

voldenuit 09-06-2006 12:28 PM

It looks like you misclicked in the sharing prefpane:
You have web-sharing switched on instead of remote login, just one line down.
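
Added example, not part of the original thread: a shell helper that reads `netstat -an` output and reports whether any TCP socket is in LISTEN state on a given port, the same check applied by eye to the output above. The function names are hypothetical and the sample lines are a shortened, constructed excerpt in the same format; the Linux `address:port` form is handled as well.

```shell
#!/bin/sh
# Added example: decide from `netstat -an` text whether a port has a listener.

# listening_on PORT   (netstat -an output on stdin)
# Status 0 if a TCP socket is in LISTEN state on PORT, 1 otherwise.
# Only the local address column is inspected, so an outgoing connection
# to a remote port 80 does not count as a local web server.
listening_on() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            # The port follows the last "." (BSD / Mac OS X) or ":" (Linux).
            n = split($4, parts, /[.:]/)
            if (parts[n] == port) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# listening_ports   (netstat -an output on stdin)
# Prints the distinct listening TCP ports on one line, sorted numerically.
listening_ports() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" {
             n = split($4, parts, /[.:]/)
             print parts[n]
         }' | sort -n -u | paste -s -d ' ' -
}

# Constructed excerpt in the format of the output posted in the thread.
SAMPLE='Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 10.0.1.4.55594 72.14.223.147.80 ESTABLISHED
tcp4 0 0 *.548 *.* LISTEN
tcp46 0 0 *.548 *.* LISTEN
tcp4 0 0 *.80 *.* LISTEN
tcp4 0 0 *.631 *.* LISTEN
udp4 0 0 *.5353 *.*'

echo "listening TCP ports: $(printf '%s\n' "$SAMPLE" | listening_ports)"
for p in 22 80; do
    if printf '%s\n' "$SAMPLE" | listening_on "$p"; then
        echo "port $p: listener present"
    else
        echo "port $p: nothing listening"
    fi
done
```

On a live machine, pipe the real output in: `netstat -an | listening_on 22`.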

cristofori 09-06-2006 05:28 PM

I have both web sharing and remote login turned on.

voldenuit 09-06-2006 05:36 PM

Then there should be a line like the one hayne mentioned in post #19 in the output of netstat.

Check your logs for launch failures of sshd (uncheck and check again remote login in the sharing prefpane) and post the contents of /etc/sshd_config and the result of

grep ssh /etc/services

.

