I had a lot of issues when I started setting up a vsftpd server, but this time I can't figure out what exactly is wrong.
I have an Ubuntu 14.04 server at work running vsftpd. The server is behind a firewall in a DMZ and has been assigned a specific internal and global IP address. Connecting from localhost as well as from the internal network works.
So far so good, but when I try to access the FTP server through its global IP address, be it from the internal network or anywhere else, FileZilla just gives me this:
Status: Connecting to <global.ip>:21...
Status: Connection attempt failed with "ECONNREFUSED - Connection refused by server".
Error: Could not connect to server
I can rule out a wrong IP address as the cause, because entering a nonexistent IP results in a timeout error, and running a whois check on the global IP gives me our company's internet service provider.
I have set up the passive ports in the 50000 range inside vsftpd.conf, and the firewall forwards requests that come in on ports 20, 21 and 50000-50050. I also added a few rules to the iptables configuration to let the desired traffic through.
For reference, here is my iptables setup:
~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpts:50000:50050
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ftp-data
And my vsftpd.conf:
listen=YES
local_enable=YES
local_umask=022
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
idle_session_timeout=600
ftpd_banner=Welcome
chroot_local_user=YES
ls_recurse_enable=YES
secure_chroot_dir=/var/run/vsftpd/empty
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_ciphers=HIGH
rsa_cert_file=/home/awacs/vsftp.crt
rsa_private_key_file=/home/awacs/vsftp_clear.key
#pasv_address=<global.ip>
pasv_min_port=50000
pasv_max_port=50050
listen_port=21
pasv_enable=YES
#listen_address=<global.ip>
As you can see, I tried the pasv_address and listen_address parameters in the config.
listen_address results in the server only taking requests from the global IP, which makes it not respond at all. Setting pasv_address was also unsatisfying because external requests still didn't work and connections from the internal network got stuck at the directory LIST command.
If anyone can tell me what I did wrong or overlooked, I would be more than happy. I emphasize again that the server works perfectly from the internal network, but I cannot get it to connect over the global IP. Thank you in advance.
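One check worth running against a server configured like the one above, added here as an example and not part of the original post: with pasv_enable=YES, the address and port vsftpd puts in its "227 Entering Passive Mode" reply are what a client will normally try to connect to for the data channel, so a client coming in over the global IP needs to see that IP, and a port inside 50000-50050 (the range the firewall forwards), rather than the server's internal address. The script below parses such a reply and reports mismatches. The sample replies and the 1.2.3.4 client-facing address are constructed; the port range is taken from the posted vsftpd.conf; the probe() helper, which talks to a live server, assumes explicit FTPS with a password login, as force_local_logins_ssl=YES in the posted config requires, and is not something the poster ran.

```python
"""Inspect what a vsftpd server advertises in its PASV reply.

Added example, not part of the original post. The port range comes from the
poster's pasv_min_port / pasv_max_port; every reply string in the tests is
constructed, not captured from the poster's server.
"""
import ipaddress
import re
from ftplib import FTP_TLS

PASV_MIN, PASV_MAX = 50000, 50050  # pasv_min_port / pasv_max_port from the config

# RFC 959 format: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2).
_PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply: str) -> tuple[str, int]:
    """Return (ip, port) from a 227 reply; the port is p1*256 + p2."""
    if not reply.startswith("227"):
        raise ValueError(f"not a PASV reply: {reply!r}")
    m = _PASV_RE.search(reply)
    if m is None:
        raise ValueError(f"malformed PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if not all(0 <= x <= 255 for x in (h1, h2, h3, h4, p1, p2)):
        raise ValueError(f"octet out of range in PASV reply: {reply!r}")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_pasv(reply: str, control_ip: str,
               pasv_min: int = PASV_MIN, pasv_max: int = PASV_MAX) -> list[str]:
    """List problems with the advertised data endpoint.

    control_ip is the server address the client opened the control connection
    to (the global IP for an external client). A private address advertised
    to a client outside the NAT is unreachable for it, and a port outside the
    configured range is one the firewall does not forward.
    """
    ip, port = parse_pasv(reply)
    problems = []
    if ipaddress.ip_address(ip).is_private and not ipaddress.ip_address(control_ip).is_private:
        problems.append(f"advertised private address {ip} to a client that connected to {control_ip}")
    if ip != control_ip:
        problems.append(f"advertised address {ip} differs from control-connection address {control_ip}")
    if not pasv_min <= port <= pasv_max:
        problems.append(f"advertised port {port} is outside {pasv_min}-{pasv_max}")
    return problems


def probe(host: str, user: str, password: str) -> list[str]:
    """Live check against a server (needs network; hypothetical usage).

    Uses explicit FTPS because the posted config forces SSL for local logins.
    ftplib's default context does not verify the server certificate; pass
    your own ssl.SSLContext via context= if that matters for your check.
    """
    ftp = FTP_TLS(host, timeout=15)
    ftp.login(user, password)          # AUTH TLS is negotiated before USER/PASS
    ftp.prot_p()                       # force_local_data_ssl=YES needs PROT P
    control_ip = ftp.sock.getpeername()[0]  # server address as the client sees it
    reply = ftp.sendcmd("PASV")
    ftp.quit()
    return check_pasv(reply, control_ip)
```

Run it from a host outside the firewall as `probe("<global.ip>", "user", "pass")` and compare with a run from the internal network; the difference in the advertised address is the thing to look at when pasv_address is commented out versus set.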