all ftp clients fail to connect to any server?

[wendallsan]

Hi all,

At some point my Ubuntu 9.10 Desktop install has stopped being able to connect via ftp to servers. I have several servers that I have accounts to and I have several ftp clients installed on my system, including gftp, Filezilla, and command line ftp tools. None of them can connect to any of my servers. This has persisted for a while and I haven't figured out what the problem is, so it's time to start asking.

Here it is from the command line:
> ftp mywebsite.com
ftp: connect: Connection refused

I can connect fine with my netbook running Ubuntu, only my desktop has this problem, and of course I use my desktop for development. Do I have a firewall running or something that's blocking my outgoing requests over port 21? Any advice on how to troubleshoot this would be greatly appreciated.
wendallsan is offline Reply With Quote

[its_really_me]

check the following (you may need to use sudo for the commands):

Code:

ping mywebsite.com

does it respond? You may see the IP address in the output but we will make sure with

Code:

nslookup mywebsite.com

Does the DNS server resolve the name to the correct IP address?
Is the DNS server the one you intended to use?

Code:

ftp [IP-Address]

does it work when you use the IP address of the server?

You may want to post the results of the commands for review and interpretation when you are not sure.

[wendallsan]

Thanks very much for the help. Here are the commands and the output for one of the sites I'm hoping to connect to:

> sudo ping mywashingtonwellness.com

PING mywashingtonwellness.com (75.119.195.225) 56(84) bytes of data.
From 192.168.1.35 icmp_seq=1 Destination Port Unreachable

> sudo nslookup mywashingtonwellness.com
Server: 66.38.1.94
Address: 66.38.1.94#53

Non-authoritative answer:
Name: mywashingtonwellness.com
Address: 75.119.195.225

> sudo ftp 75.119.195.225
ftp: connect: Connection refused

Any ideas? I'm able to hit the site through a web browser, so I believe my DNS is working properly. I tried ftp-ing to IP address 66.38.1.94 (as given in my the result of the nslookup command), but this also returns a "Connection refused" result. Any additional help would be great. Thanks again.

[its_really_me]

So here my analysis:

sudo ping mywashingtonwellness.com
> PING mywashingtonwellness.com (75.119.195.225) 56(84) bytes of data.
> From 192.168.1.35 icmp_seq=1 Destination Port Unreachable

As the server accepts ICMP from my host, I believe a firewall is blocking you here

> sudo nslookup mywashingtonwellness.com
> Server: 66.38.1.94
> Address: 66.38.1.94#53
>
> Non-authoritative answer:
> Name: mywashingtonwellness.com
> Address: 75.119.195.225

So you got a DNS and that one resolves the name to the same IP as my DNS, fine

> sudo ftp 75.119.195.225
> ftp: connect: Connection refused

The response sounds like refusal from the server but I can connect (not logging in due to the missing password )

Any ideas? I'm able to hit the site through a web browser, so I believe my DNS is > working properly.

Yes, it does

I tried ftp-ing to IP address 66.38.1.94 (as given in my the result of the nslookup command), but this also returns a "Connection refused" result.

The DNS response of 66.38.1.94 is the DNS server. You would normally not be able to FTP to it .. 75.119.195.225 is the correct address returned by the DNS server.

I suspect some firewall. let's try iptables

Can you provide the input of

Code:

iptables -L

(using sudo on Ubuntu)

[wendallsan]

Hi and thanks again, this does feel like a firewall problem of some sort to me. Here is the output of iptables -L:

Chain INPUT (policy ACCEPT)
target prot opt source destination
blockcontrol_in all -- anywhere anywhere state NEW mark match !0x14

Chain FORWARD (policy ACCEPT)
target prot opt source destination
blockcontrol_fw all -- anywhere anywhere state NEW mark match !0x14

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
blockcontrol_out all -- anywhere anywhere state NEW mark match !0x14

Chain blockcontrol_fw (1 references)
target prot opt source destination
DROP all -- anywhere anywhere mark match 0xa
RETURN all -- anywhere ns2.blue.net
RETURN all -- anywhere ns1.blue.net
RETURN all -- anywhere ns1.scrtc.com
RETURN all -- 192.168.1.0/24 192.168.1.0/24
NFQUEUE all -- anywhere anywhere NFQUEUE num 92

Chain blockcontrol_in (1 references)
target prot opt source destination
DROP all -- anywhere anywhere mark match 0xa
RETURN all -- anywhere anywhere
RETURN all -- 192.168.1.0/24 anywhere
NFQUEUE all -- anywhere anywhere NFQUEUE num 92

Chain blockcontrol_out (1 references)
target prot opt source destination
REJECT all -- anywhere anywhere mark match 0xa reject-with icmp-port-unreachable
RETURN all -- anywhere anywhere
RETURN all -- anywhere ns2.blue.net
RETURN all -- anywhere ns1.blue.net
RETURN all -- anywhere ns1.scrtc.com
RETURN all -- anywhere 192.168.1.0/24
RETURN tcp -- anywhere anywhere tcp dpt:https
RETURN tcp -- anywhere anywhere tcp dpt:www
NFQUEUE all -- anywhere anywhere NFQUEUE num 92

///
thanks again for the help!

[wendallsan]

Still puzzling through iptables, but it is definately the problem. So far I've found this handy command:

iptables -F

which flushes all my iptables rules and essentially turns off my firewall. FTP works after running this command. Not ideal, as I'd like to have my firewall do what I want rather than have to disable it entirely, but at least I can finally FTP to my sites. Any additional help in hunting down the specific iptables rule that's causing me problems would be greatly appreciated. In the meantime I'm continuing to read the documentation and if I'm lucky I'll figure it out soon . . .

thanks again!

[wendallsan]

Yet another update: iptables seems to reload its original settings every few minutes. This means that every few minutes I have to run the iptabels -F command or my FTP stops working again. Annoying. Any help with a permanent solution for this problem?