
This is a reposting of my question on the CentOS Forums here, as I am feeling quite in over my head and StackExchange has been good to me in the past.

I am having some trouble connecting to my server via FTP. I am using the ISPConfig backend (which is unfamiliar to me) and I have had a Google to see if I can setup FTP properly. ISPConfig says that my FTP service is running.

I get the following two errors depending on where I try to connect from:

https://ftptest.net/

Error: Could not connect to server: No route to host
Make sure to enter the correct server address
Ensure that the server is up and running.
Check your firewall configuration, port 21 needs to be opened.
Check your NAT router configuration, port 21 needs to be forwarded.
In some cases your ISP might block that port. In this case configure the server to use a different port. Contact your ISP for details.

Filezilla

Status:         Connection attempt failed with "ECONNREFUSED - Connection refused by server".

I have done a ping test to my host name and it resolves (96 ms, so it's not getting lost).

Below are my conf files that I think are relevant:

I did a quick search on how to load the module, as it was already in my proftpd.conf file, and came across this answer on ServerFault. After running the command, this is my output: /etc/rc.d/rc.sysinit output

UPDATE

I can confirm port 21 is open, as I get the following from netstat:

tcp    0    0    :::21    :::*    LISTEN    1069/proftpd

I tried using the ftp command in the terminal and this is my response:

computer:~ user$ ftp IP-ADDRESS
ftp: Can't connect to `IP-ADDRESS': Connection refused

tl;dr

I can't connect via FTP and I have no idea what's happening...

edits

  • 30 Oct 14-1: Updated my conf files to show my progress
  • 30 Oct 14-2: Added iptables -L -n output
Joshua

1 Answer

Tracepath shows no problem reaching the host itself (taken the hostname from your config file). But when trying to reach port 21 of your host tcpdump shows:

07:18:15.545762 IP my.router.48912 > your.host.ftp: Flags [S], seq 1872206172, win 29200, options [mss 1460,sackOK,TS val 621547848 ecr 0,nop,wscale 7], length 0
07:18:16.034781 IP your.host > my.router: ICMP host your.host unreachable - admin prohibited, length 68

The reason is probably your iptables rules, which specify no specific INPUT handling for port 21, but only for 22 (ssh) and 8080:

-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited

Thus it falls through to the icmp-host-prohibited line, which will cause the "ICMP host your.host unreachable - admin prohibited, length 68" as seen above.

I don't know how to fix this with ISPConfig, but you need to add at least a rule for port 21. And, if you want to allow passive ftp mode you need to also allow much more, see https://unix.stackexchange.com/questions/93554/iptables-to-allow-incoming-ftp. Passive mode is needed if any of your clients cannot use active mode because they are behind some firewall or router, which includes most users behind a home router and also on most mobile networks.

And make sure that the iptables rules are actually activated.

Steffen Ullrich
  • Hi, thanks for your answer. It gave me a lot to go on; however, it hasn't seemed to work :( I have updated my post with some of what I have done today (including updated files and proof that port 21 is open). – Joshua Oct 30 '14 at 03:09
  • Can you do a `iptables -L -n` on the system to see which firewall rules are actually in use? BTW, with `from telnet` you probably mean the `from netstat` – Steffen Ullrich Oct 30 '14 at 05:32
  • Hi, I have added the output you requested and corrected the mistake, thank you heaps. – Joshua Oct 30 '14 at 05:37
  • That's strange: your active iptables rules do not reflect your config. There is a rule which allows every input and the rules for FTP are after the icmp reject rule. The accept rules for output are wrong since they must refer to source port not destination port (they are wrong in the original post). But that does not matter, because your default policy is to allow any kind of output anyway (which is good at this moment). Could you please bring the system into a state where the iptables config matches the iptables rules and then test again and update the post? – Steffen Ullrich Oct 30 '14 at 06:02
  • Hi, I reloaded and restarted the `iptables` service and there was an error (`*filter` was called twice) and I could connect. However my credentials now do not confirm, and I recreated the account in case all my mucking about broke it. – Joshua Oct 30 '14 at 06:16
  • Turns out ProFTPD doesn't work with ISPConfig 3 after all that. I managed to get it to connect with a literal user but ISPConfig 3 is all about the virtual users so they can't talk. Also, add your solution as an answer Steffen and I'll accept it. – Joshua Oct 30 '14 at 07:54
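The answer and the follow-up comments both come down to one iptables property: the chain is evaluated top to bottom and the first matching rule wins. The following is an added example, not code from the original post or from ISPConfig: a small Python model of that first-match evaluation, run over the exact INPUT rules quoted in the answer, over a corrected ordering with an ACCEPT for port 21 inserted before the REJECT, and over a mis-ordering like the one described in the comments where the FTP rule sits after the REJECT and can never fire. The passive port range 60000:60100 is a constructed assumption for illustration; whatever range is actually used must match the PassivePorts setting in proftpd.conf. It models only the matchers that appear in those rules (`-p`, `--dport`, `-j`; `--state NEW` always matches a fresh SYN, which is what the tcpdump shows arriving).

```python
"""First-match simulation of an iptables INPUT chain.

Added example, not code from the original post or from ISPConfig. It
evaluates a new TCP connection (SYN) to a given port against rules in
iptables-save format and reports which target fires. It demonstrates why a
port with no ACCEPT rule before the final REJECT is rejected, and why rules
placed after that unconditional REJECT are unreachable.
"""
import shlex

# Rules exactly as quoted in the answer (iptables-save format).
ORIGINAL_RULES = """
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""

# Constructed fix: an ACCEPT for port 21 inserted before the REJECT.
FIXED_RULES = """
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""

# Constructed passive-mode variant. The range 60000:60100 is an assumption
# for illustration; it must match the PassivePorts range in proftpd.conf.
PASSIVE_RULES = """
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 60000:60100 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""

# Constructed mis-ordering of the kind described in the comments: the FTP
# rule comes after the unconditional REJECT and can never fire.
SHADOWED_RULES = """
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
"""


def parse_port_range(spec):
    """'21' -> (21, 21); '60000:60100' -> (60000, 60100)."""
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)


def parse_rules(text, chain="INPUT"):
    """Reduce each '-A <chain> ...' line to the fields this model evaluates."""
    rules = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)
        if len(tokens) < 2 or tokens[0] != "-A" or tokens[1] != chain:
            continue
        rule = {"proto": None, "dport": None, "target": None, "raw": line}
        for i, tok in enumerate(tokens[:-1]):
            if tok == "-p":
                rule["proto"] = tokens[i + 1]
            elif tok == "--dport":
                rule["dport"] = parse_port_range(tokens[i + 1])
            elif tok == "-j":
                rule["target"] = tokens[i + 1]
        # '-m state --state NEW' always matches a fresh SYN, so it is not modelled.
        rules.append(rule)
    return rules


def verdict(rules, port, proto="tcp", policy="ACCEPT"):
    """Target of the first rule matching a new connection to `port`,
    or the chain policy if no rule matches."""
    for rule in rules:
        if rule["proto"] is not None and rule["proto"] != proto:
            continue
        if rule["dport"] is not None:
            lo, hi = rule["dport"]
            if not lo <= port <= hi:
                continue
        return rule["target"]
    return policy


def shadowed_rules(rules):
    """Rules listed after an unconditional REJECT/DROP (no proto or port
    match) are never evaluated; return their raw text so they can be flagged."""
    for idx, rule in enumerate(rules):
        unconditional = rule["proto"] is None and rule["dport"] is None
        if unconditional and rule["target"] in ("REJECT", "DROP"):
            return [r["raw"] for r in rules[idx + 1:]]
    return []


if __name__ == "__main__":
    for name, text in [("original", ORIGINAL_RULES), ("fixed", FIXED_RULES),
                       ("passive", PASSIVE_RULES), ("shadowed", SHADOWED_RULES)]:
        rules = parse_rules(text)
        print(name, {p: verdict(rules, p) for p in (21, 22, 8080, 60050)})
        for raw in shadowed_rules(rules):
            print("  unreachable:", raw)
```

Running the script shows port 21 hitting REJECT under the original rules (the "admin prohibited" ICMP seen in the tcpdump), ACCEPT once the rule is placed above the REJECT, and the shadowed ruleset flagging its FTP rule as unreachable. The same check can be applied to the live ruleset by feeding the output of `iptables-save` to `parse_rules`, which is the comparison the comments ask for: whether the config on disk and the rules actually loaded agree.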