FTP server questions


I'm currently trying to set up a home FTP server using debian and proftpd and I've run into a problem that has me confused. I have most things set up already, I believe, but I cannot access my ftp server using my external ip. I've forwarded the correct port on my router and I've checked http://www.yougetsignal.com/tools/open-ports/ to be sure that it is, in fact, opened. I've used telnet locally on my server to check that the port accepts connections. I am able to use ftp via LAN. But, I still cannot access anything externally.

I'm thinking that there's still some router configuration to be done in order to fix this, such as routing all connections on my ftp port to my server via the internal ip, but I can't find any option on my router to do this. Is this a necessary step? There is an option to use DMZ hosting, but I'd rather avoid it if possible. I can provide additional information as requested, please let me know any information that you think could help at all. Thanks.


PS - I have a Telus Actiontec Modem/Router

Update - !! Trying my ftp server out at work, worked! I guess I did set it up correctly after all. What is confusing me, though, is why doesn't the server allow me to connect locally anymore? That seems very weird to me. Also, I don't really understand why I am denied outright if I attempt to connect from the same network using the external address. I'll look into it more when I get home, but thank you guys for your help.

Update 2 - I found the problem with not being able to connect locally anymore. I was setting the masquerade address to my external IP and for some reason that was causing it to hang on MLSD when I connected using my LAN address. I've removed the masquerade address and I'm going to check if I need it at work tomorrow. I'll update this page if I find anything.

Last Update - I've just checked at work and everything is working as planned. I am now able to access the server via the LAN address at home and the external address elsewhere. It strikes me as a bit odd that it still doesn't work for the external address at home, and I don't see why it wouldn't, but there's no negative effect if I'm still able to access it from anywhere. I'm going to mark ultrasawblade's response as the answer because, ultimately, it was because I neglected to set up my passive port range. Thank you both for the help, and I hope my experience helps out someone else.


Posted 2012-07-03T10:55:03.880




I've forwarded the correct port on my router and I've checked http://www.yougetsignal.com/tools/open-ports/ to be sure that it is, in fact, opened.

The problem may be that normally for FTP you need to forward more than one port. FTP uses two ports, one for control (tcp 21) and one for data (tcp 20) - if clients connect in "active" mode.

Usually these days clients connect to an FTP server in "passive" mode. This means the server actually connects back to the client for data transfer. On many servers, if you don't specify a range, a random port above 1024 is chosen, meaning you need to pretty much open every port on your firewall. However, at least vsftpd and Filezilla Server on Windows allow you to set a minimum and maximum range of ports the FTP server will use. One port is needed for each possible concurrent client.

There are much easier-to-setup and more secure options of file access than FTP, such as SCP. Consider using them if this is just for you to get your files, or you are dealing with people that can install/use an SCP client.



Thanks for your response, I forgot about allowing a passive port range and have now done that in the proftpd.conf file and the sysctl.conf file, although I'm not sure if the second file is necessary. I've added the range to my router's forwarded ports and my iptables firewall ports. Then I restarted everything. Still not working.

I have a bit of other information that might help, though: I tried to reconnect to my ftp server locally again and it seems to hang on the MLSD command before timing out. From what I gather, this has to do with my passive port configuration. Out of room... – Brad – 2012-07-04T07:17:30.013

Let me know if there's anything else that will help to diagnose the problem. Thanks again. – Brad – 2012-07-04T07:19:23.037

It is actually in "Active" mode that the server connects back to the client. "Passive" lets the client initiate both connections. – Terje Mikal – 2012-07-05T17:40:06.517

I'm losing my edge with FTP because I never use it, lol ... I generally prefer SCP. – LawrenceC – 2012-07-05T20:51:02.487
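The passive-mode exchange discussed in this answer and its comments, and the masquerade-address hang from Update 2 of the question, as an added Python check that is not part of the original thread: it parses the server's 227 PASV reply and flags a data port outside the forwarded passive range or an advertised address the client cannot reach. The server addresses, the port range and the function names are constructed assumptions; PassivePorts and MasqueradeAddress are the ProFTPD directive names.

```python
import ipaddress
import re

# Constructed sample values (not from the thread): the server's LAN address,
# the router's public address, and the PassivePorts range that was forwarded
# on the router and opened in iptables.
SERVER_LAN_IP = "192.168.1.50"
SERVER_PUBLIC_IP = "203.0.113.10"
PASSIVE_RANGE = (60000, 60010)

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" as defined in RFC 959
_PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_lan(addr: str) -> bool:
    """True for an RFC 1918 address, i.e. one the home router NATs."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in _RFC1918)


def parse_pasv(reply: str) -> tuple:
    """Return (host, port) the server advertised; the port is p1*256 + p2."""
    m = _PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of range in PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_pasv(reply: str, connected_to: str, passive_range=PASSIVE_RANGE) -> list:
    """List the problems a client that reached the control port at `connected_to`
    would hit when it opens the data connection (e.g. for MLSD)."""
    host, port = parse_pasv(reply)
    problems = []
    lo, hi = passive_range
    if not lo <= port <= hi:
        problems.append(f"data port {port} outside forwarded range {lo}-{hi}")
    if host != connected_to:
        if is_lan(host) and not is_lan(connected_to):
            problems.append("LAN address advertised to an external client: set MasqueradeAddress")
        elif is_lan(connected_to) and not is_lan(host):
            problems.append("public address advertised to a LAN client: hairpin NAT usually fails, so MLSD hangs")
        else:
            problems.append(f"advertised {host} but the client reached {connected_to}")
    return problems
```

Run `check_pasv` on the 227 line a real client logs (for example from proftpd's own debug output) with the address you connected to, once from the LAN and once from outside, and the two results show which of the two fixes from the thread applies.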


If your computer only has a single ethernet card (i.e. it only connects to the router), then the problem lies within the router, and its NAT.

Double check your IP, the router's IP table, the static DHCP lease and so on.
(This has nothing to do with proftpd. If it runs on LAN, it's fine.)

One more bit of information: Check your firewall. You may have installed "iptables" on your server. Try disabling it, and check if you can connect that way. To do so:

    $ su
    $ /etc/init.d/iptables stop



(Sometimes, restarting a router is necessary to get the new rules applied. It can't hurt, worth a try.) – Apache – 2012-07-03T11:03:03.973

Thanks for the response, I do have iptables set up, but it should be configured correctly. Unfortunately, I don't have an entry in init.d for iptables and can't stop it. I did flush the iptables with iptables -F, but it yielded no notable changes over my normal configuration. My static IP is working correctly. I'm not too familiar with the router and I couldn't figure out how to properly set up NAT for my particular router. I'll keep researching, but are there any pointers that you've got or resources that will point me in the right direction for this NAT problem? Thanks again. – Brad – 2012-07-04T07:31:22.793