  1. #1
    Just Joined!
    Join Date
    May 2008
    Location
    Austria
    Posts
    2

    vsftpd with connections from outside not working


    Hello!

    Before describing my exact problem, I'd like to show my setup, so that you can see how those machines are connected together:


    <LAN client w. public IP>----L-A-N----<FTP Server w. public IP>----I-N-E-T----<NAT Router>----<Client with private IP>

    The first Client on the left and the FTP server are within the same network, which is 193.171.81.0/24. This is a university network, so no private IPs. Every IP can be "switched" online (direct INet Access) via some Cisco Hardware that I have no access to.

    Suffice to say, the FTP server is connected directly to the internet, and services like SSHD are reachable from everywhere on the web without any portmapping or DMZ.

    So, I can access my vsftpd server from everywhere within the 193.171.81.0/24 network fine (both PASV & PORT work), but when connecting through the Internet, things stop working. I tried to connect from the machines <NAT Router> and <Client with private IP> shown above using PASV mode as well as PORT mode, always the same problem.

    I have limited the PASV Port Range on the vsftpd to 60000-60050 and opened Ports 20,21 and 60000-60050 on the iptables on the FTP server machine. Outgoing connections are limited to source port 20. I also tried with iptables OFF just to make sure, doesn't work either.

    FlashFXP as Client from the <Client with private IP> machine says this:
    [R] Connecting to <host> -> DNS=<hostname> IP=<IP address> PORT=21 (attempt #1)
    [R] Connected to <host>
    [R] Connection failed (Connection lost)
    Server configuration file (I cut out all the comments to make it shorter):
    anonymous_enable=NO
    local_enable=YES
    write_enable=YES
    local_umask=022
    dirmessage_enable=YES
    xferlog_enable=YES
    ftp_data_port=20

    vsftpd_log_file=/var/log/vsftpd.log
    xferlog_file=/var/log/vsftpd_xfer.log
    xferlog_std_format=NO
    log_ftp_protocol=YES

    idle_session_timeout=1200
    data_connection_timeout=12000

    ftpd_banner=Welcome to our FTP Service.

    chroot_list_enable=YES
    chroot_local_user=YES
    chroot_list_file=/etc/vsftpd/chroot_list

    listen=YES
    listen_port=21
    listen_address=<IP address cut out for security reasons>

    pam_service_name=vsftpd
    userlist_enable=YES
    userlist_deny=NO
    tcp_wrappers=NO

    pasv_enable=YES
    pasv_promiscuous=NO
    port_enable=YES
    port_promiscuous=NO
    pasv_min_port=65000
    pasv_max_port=65050
    pasv_address=<IP address cut out for security reasons>

    session_support=YES
    text_userdb_names=YES

    max_clients=20
    max_per_ip=5

    hide_file={*.mp2,*.mp4,*.m4a,*.mp3,*.ogg,*.mpeg,*.mpg,*.avi,*.mov,*.mkv,*.ogm,*.flv,*.swf,*.vob,*.ac3,*.ts}
    deny_file={*.mp2,*.mp4,*.m4a,*.mp3,*.ogg,*.mpeg,*.mpg,*.avi,*.mov,*.mkv,*.ogm,*.flv,*.swf,*.vob,*.ac3,*.ts}
    As said, from the same network that the FTP server resides on, everything works. As you can see, I have even disabled tcp_wrappers to further loosen security, besides trying with firewall off of course. From the <Client with private IP> above I can connect to other public FTP servers fine using PASV mode (as always from a client behind a NAT FW), so client config should be ok.

    I don't know what to change on the server's configuration to make this work. I can't even get a control connection obviously, not even daring to talk about a data connection here...

    Although FlashFXP on the client side says "Connected", vsftpd logfiles show no activity there. No nothing. When I telnet to the FTP server from outside, I get the connection, but nothing seems to be coming through from the FTP server (or to the FTP server..). He doesn't even send me the welcome notice.

    Actually, since both the server and the server-side LAN use public IP ranges, I don't understand where the "real" difference is between the "LAN" client and the outside client other than different IP Ranges.

    I have to add, that it might be, that there is some advanced Cisco firewall between the FTP server and the "real" outside world maybe doing packet inspection and filtering, that I do not know. But HTTP, HTTPS, SSH and even SQL connections come through from the outside world to the FTP server machine, so I suspect the vsftpd configuration somehow...

    Any ideas?

    Thanks.
    Last edited by GrandAdmiralThrawn; 05-07-2008 at 10:25 AM. Reason: addendum
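
Added example, not part of the original post: a consistency check between the passive port range in vsftpd.conf and the ports a host firewall admits. The post's text names 60000-60050 while the posted config sets pasv_min_port=65000 and pasv_max_port=65050; the iptables-save lines below are constructed from the ports the text lists, and all function names are hypothetical.

```python
import re
# Constructed inputs: PASV settings as in the posted config, and iptables-save
# style rules modelled on the ports the post's text says were opened.
VSFTPD_CONF = """\
pasv_enable=YES
pasv_min_port=65000
pasv_max_port=65050
"""
IPTABLES_SAVE = """\
-A INPUT -p tcp -m multiport --dports 20,21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 60000:60050 -j ACCEPT
-A INPUT -j DROP
"""

def parse_conf(text):
    """Parse vsftpd.conf: key=value per line, '#' starts a comment line."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key] = value
    return conf

def accepted_ranges(rules):
    """(low, high) TCP dport ranges from INPUT ACCEPT rules; rule order is ignored."""
    ranges = []
    for line in rules.splitlines():
        m = re.search(r"--dports? (\S+)", line)
        if m and line.startswith("-A INPUT") and "-p tcp" in line and "-j ACCEPT" in line:
            for part in m.group(1).split(","):
                low, _, high = part.partition(":")
                ranges.append((int(low), int(high or low)))
    return ranges

def uncovered_pasv_ports(conf_text, rules_text):
    """PASV ports vsftpd may offer that no ACCEPT rule admits."""
    conf = parse_conf(conf_text)
    if conf.get("pasv_enable", "YES").upper() != "YES":
        return []
    # vsftpd treats 0 (the default) as "any port"; approximate that as 1024-65535.
    low = int(conf.get("pasv_min_port", 0)) or 1024
    high = int(conf.get("pasv_max_port", 0)) or 65535
    ranges = accepted_ranges(rules_text)
    return [p for p in range(low, high + 1)
            if not any(a <= p <= b for a, b in ranges)]

if __name__ == "__main__":
    print(len(uncovered_pasv_ports(VSFTPD_CONF, IPTABLES_SAVE)), "PASV ports not admitted")
```

A mismatch like this only affects passive data connections; it does not explain a control connection that never shows the welcome banner.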

  2. #2
    Just Joined!
    Join Date
    May 2008
    Location
    Austria
    Posts
    2

    Solved

    Problem solved.

    There was a Cisco Firewall doing stateful packet inspection between my server and the Internet. The FW was configured to block FTP control connections (and data connections too I guess).

    I requested that to be switched off for my FTP server, and now everything works fine.
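
Added example, not part of the original thread: a probe that separates "TCP handshake completed" from "FTP greeting received", the distinction behind the symptom in this thread (client reports connected, no welcome notice, nothing in the vsftpd log). The function names are hypothetical, and `start_listener` is a constructed local stand-in so the cases can be reproduced offline.

```python
import socket
import threading
import time

def probe_ftp_banner(host, port=21, timeout=5.0):
    """Return (state, first_line). States:
    unreachable: TCP handshake failed (refused, filtered or timed out)
    silent:      handshake completed, no bytes before the timeout
    closed:      handshake completed, peer closed without sending data
    banner:      a 220 greeting arrived
    unexpected:  data arrived that is not a 220 reply
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable", ""
    with sock:
        sock.settimeout(timeout)
        try:
            data = sock.recv(512)
        except socket.timeout:
            return "silent", ""
        except OSError:
            return "closed", ""
    if not data:
        return "closed", ""
    line = data.decode("latin-1").splitlines()[0]
    return ("banner" if line.startswith("220") else "unexpected"), line

def start_listener(greeting, hold=1.0):
    """Constructed stand-in: accept one client, optionally greet, hold the socket open."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            if greeting:
                conn.sendall(greeting)
            time.sleep(hold)
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    for greeting in (b"220 Welcome to our FTP Service.\r\n", b""):
        print(probe_ftp_banner("127.0.0.1", start_listener(greeting), timeout=0.5))
```

Getting `banner` from inside the server's network and `silent` from outside, with no matching entry in the server log, points at a device in the path rather than at vsftpd.conf.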
