Cannot connect to FTP server from external host

1

I have an FTP server (vsftpd) set up on a Linux box (Ubuntu server). When I try to connect with a computer on the same network everything works fine as expected.

But as soon as the IP is external it won't connect.

I first assumed the port was blocked, but then:

localserver:$ sudo tail -f /var/log/vsftpd.log
Wed Jan 13 14:21:17 2010 [pid 2407] CONNECT: Client "xxx.xxx.107.4"
remotemachine:$ netcat svn-motion.no-ip.biz 21
220 FTP Server

And it hangs there. Do any ports other than 21 need to be open?

h3.

Posted 2010-01-13T19:21:32.100

Reputation: 189

Answers

1

When putting an FTP server behind a NAT, you not only have to forward port 21/TCP to the server, you also need a NAT gateway that has an FTP ALG that supports FTP servers behind the NAT (note: this is a rare feature, and rarely advertised on the box or on the tech specs page or even in the manual), and knows to watch the FTP control data stream for commands from clients that indicate the client wants the FTP server to use passive mode (where the FTP server starts listening for a data TCP connection on another port, sends that port number to the client, and passively waits for the client to initiate data TCP connection to the server). The FTP ALG has to watch for what port the server told the client to connect on, and then automatically create a temporary port forwarding entry to allow that connection to get to the server.

Basically, Passive mode FTP, which is great when the client is behind a NAT, is a big problem when the server is behind the NAT. If it turns out that your client is NOT behind a NAT, then tell your client to use traditional "active" mode FTP, and you don't need to have a sophisticated "server behind the NAT" FTP ALG in your NAT gateway.

Another option would be to make your FTP server be your DMZ host (a.k.a. "default host", "bastion host"). Since all unexpected incoming connection attempts are forwarded to the DMZ, all those passive mode FTP data TCP connections would automatically go to your FTP server.

Spiff


Reputation: 84 656
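The PASV exchange described in the answer above, as an added diagnostic that is not part of the original post and not vsftpd's own code: it opens the control connection on 21/TCP, logs in (anonymous by default, an assumption; pass your own credentials otherwise), sends PASV, parses the `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` reply, and then tries to open the advertised data port. Two results point at the NAT rather than at vsftpd: the data port refusing the connection (no forwarding for the passive range), or the server advertising an RFC 1918 address to an external client (no `pasv_address` set). The replies and the address 198.51.100.7 used in the offline checks are constructed.

```python
import re
import socket

# Added example: passive-mode FTP probe for a server behind NAT.
# Not from the original post; the anonymous login is an assumption.

PASV_RE = re.compile(r"227[^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (host, port) from a 227 reply; port is p1*256 + p2 (RFC 959)."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("byte out of range in %r" % reply)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def is_rfc1918(ip):
    """True for 10/8, 172.16/12 and 192.168/16, the usual LAN ranges."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


def diagnose_pasv(reply, control_ip):
    """Classify a 227 reply as seen by a client that connected to control_ip."""
    host, _port = parse_pasv(reply)
    if host == control_ip:
        return "ok"
    if is_rfc1918(host) and not is_rfc1918(control_ip):
        # Server behind NAT told an external client its LAN address.
        return "private-address-advertised"
    return "address-mismatch"


def _read_reply(rf):
    """Read one FTP reply, collapsing multi-line replies to their last line."""
    line = rf.readline()
    if not line:
        raise ConnectionError("control connection closed")
    code = line[:3]
    while line[3:4] == "-":  # multi-line reply ends with "<code> "
        line = rf.readline()
        if not line:
            raise ConnectionError("control connection closed")
        if not line.startswith(code):
            line = code + "-" + line  # keep looping until the terminator
    return line.strip()


def probe_passive(server, user="anonymous", password="probe@example.invalid",
                  timeout=5.0):
    """Live check: banner, login, PASV, then a TCP connect to the data port."""
    result = {}
    ctrl = socket.create_connection((server, 21), timeout=timeout)
    rf = ctrl.makefile("r", encoding="latin-1")

    def cmd(line):
        ctrl.sendall((line + "\r\n").encode("latin-1"))
        return _read_reply(rf)

    try:
        result["banner"] = _read_reply(rf)
        login = cmd("USER " + user)
        if login.startswith("331"):
            login = cmd("PASS " + password)
        result["login"] = login
        pasv = cmd("PASV")
        result["pasv"] = pasv
        if not pasv.startswith("227"):
            result["data_port_reachable"] = None
            return result
        host, port = parse_pasv(pasv)
        result["data_endpoint"] = (host, port)
        result["verdict"] = diagnose_pasv(pasv, ctrl.getpeername()[0])
        try:
            socket.create_connection((host, port), timeout=timeout).close()
            result["data_port_reachable"] = True
        except OSError:
            result["data_port_reachable"] = False
        cmd("QUIT")
        return result
    finally:
        ctrl.close()


if __name__ == "__main__":
    import sys
    print(probe_passive(sys.argv[1] if len(sys.argv) > 1 else "localhost"))
```

Run it from a genuinely external host (`python3 pasv_probe.py svn-motion.no-ip.biz`). If the verdict is `private-address-advertised`, set `pasv_address` in vsftpd.conf to the public IP; if the data port is unreachable, pin the range with `pasv_min_port`/`pasv_max_port` and forward that range on the router alongside 21/TCP.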

0

Are you trying to connect to the server's external IP from an internal computer? If so, and if you are using a typical home router in a NAT configuration, the problem may actually be the router.

Presumably you've configured the router to forward FTP to the Ubuntu server, and you're trying to test that this works. But when you test the external IP directly from your internal network, your router has to support a "hairpin" route. Your router must send traffic from an internal host, out through the external IP, back into the external IP, and finally forward that back to your server's internal IP -- all on the same device. Most consumer routers don't handle this situation properly.

So you need to test from a real external host. You have several options:

  • Use an internet port-testing service like Can You See Me.
  • Send your test traffic through a proxy.
  • Have a friend test from their network.
  • Find a local coffeeshop with WiFi and test from there.

quack quixote


Reputation: 37 382

0

If the server is behind any type of firewall you may need to make sure the remotemachine is using FTP Passive mode.

SleighBoy


Reputation: 2 066

sftp does not use multiple connections, it only uses 21 and thus is passive by default. – h3. – 2010-01-13T19:35:45.457

if you are using SFTP then the default port would probably be 22 – quickcel – 2010-01-13T19:40:46.537

Oh, right.. when using ftp only I get "Unknown server error" – h3. – 2010-01-13T19:43:51.523

When using the IP directly it works .. – h3. – 2010-01-13T20:18:36.337