
I have had a lot of issues when I started setting up a vsftpd server, but this time I can't figure out what exactly is wrong.

I have an Ubuntu 14.04 server at work running vsftpd. The server is behind a firewall in a DMZ and has been assigned a specific internal and global IP address. Connecting from localhost as well as from the internal network works.

So far so good, but when I try to access the FTP server through its global IP address, be it from the internal network or anywhere else, FileZilla just gives me this:

Status:         Connecting to <global.ip>:21...
Status:         Connection attempt failed with "ECONNREFUSED - Connection refused by server".
Error:          Could not connect to server

I can exclude a wrong IP address as the cause, because entering a nonexistent IP results in a timeout error, and running a whois check on the global IP gives me our company's internet service provider.

I have set up the passive ports in the 50000 range inside vsftpd.conf; also, the firewall will forward requests that come from ports 20, 21 and 50000-50050. Then again, I added a few rules to the iptables configuration to let through the desired traffic.

For reference, here is my iptables setup:

~$ sudo iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpts:50000:50050
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ftp-data

And my vsftpd.conf:

listen=YES
local_enable=YES
local_umask=022
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
idle_session_timeout=600
ftpd_banner=Welcome
chroot_local_user=YES
ls_recurse_enable=YES
secure_chroot_dir=/var/run/vsftpd/empty

ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_ciphers=HIGH

rsa_cert_file=/home/awacs/vsftp.crt
rsa_private_key_file=/home/awacs/vsftp_clear.key

#pasv_address=<global.ip>
pasv_min_port=50000
pasv_max_port=50050
listen_port=21
pasv_enable=YES
#listen_address=<global.ip>

As you can see, I tried the pasv_address and listen_address parameters in the config. listen_address results in the server only taking requests from the global IP, which makes it not respond at all. Setting pasv_address was also unsatisfying, because external requests still didn't work and connections from the internal network got stuck at the directory LIST command.

If anyone can tell me what I did wrong or overlooked, I would be more than happy. I emphasize again that the server is working perfectly from the internal network, but I cannot get it to connect over the global IP. Thank you in advance.

awacs
  • usual test to limit the scope: same error with disabled iptables? – Dennis Nolte Nov 25 '14 at 12:58
  • You need to look at _the other firewall_. – Michael Hampton Nov 25 '14 at 13:18
  • I have no direct access to the company firewall, but I have relayed my requests concerning port forwarding to our administrator. This was necessary from the beginning because, as stated, the FTP server and I are in different subnets (DMZ and internal network respectively) with the firewall between them. Requests to ports 20 and 21 are forwarded, as well as ports 50000 to 50050, which I set up for the FTP passive mode. Regarding iptables: the reason I have added some rules is because it did not work without them to begin with. I will check nevertheless some time later. – awacs Nov 25 '14 at 14:00
