Solved

vsftpd Restricted Networks and NAT

Posted on 2006-04-21
Last Modified: 2007-12-19
I'm trying to get a standalone FTP server running behind a residential cable modem; ports 20-21 are blocked. I can successfully log in to this server on my local network on port 2121 ("open 192.168.1.7 2121"), but I have not been able to get access from the outside world. I have port forwarding enabled in my Linksys router and I am forwarding ports 2121 to 2199. If it matters, this is a Red Hat Enterprise installation.


anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
listen_port=2121
pasv_enable=yes
pasv_min_port=2122
pasv_min_port=2199
xferlog_std_format=YES
pam_service_name=vsftpd
userlist_enable=YES
listen=YES
tcp_wrappers=YES
Question by:Cyberflunky
14 Comments
 
LVL 2

Expert Comment

by:guruyaya
ID: 16509016
Let's start with the comment I should have written to another guy:
Write this in your terminal (then add it to rc.local if it helps):

modprobe ip_conntrack_ftp

It should add a module that opens new connections in your ftp, and allows it to work with a firewall.
Have a nice day
Yair
 
LVL 14

Expert Comment

by:pablouruguay
ID: 16509034
In the Linksys you forward 2121 to 2199??? If that's correct, your FTP server needs to listen on 2199.
 
LVL 3

Expert Comment

by:evangineerX
ID: 16509258
I suspect that the line:

pasv_min_port=2199

should actually be:

pasv_max_port=2199
 
LVL 1

Author Comment

by:Cyberflunky
ID: 16510278
I fixed the pasv_max_port=2199 setting and I even ran the "modprobe ip_conntrack_ftp" command; still no luck :-(
 
LVL 3

Expert Comment

by:evangineerX
ID: 16510454
I don't see the point of running "modprobe ip_conntrack_ftp".  As I understand it, the firewall is running on the linksys not the linux server.  AFAIK, the ip_conntrack_ftp module is for when you are running an iptables-based firewall on the server and want to do stateful inspection on ftp traffic passing through it.

Presumably, iptables isn't running on the server.  IOW, there isn't a firewall on the server itself.
 
LVL 1

Author Comment

by:Cyberflunky
ID: 16510522
I agree about the firewall; iptables is not running, but I'm out of ideas so I figured it would not hurt.
 
LVL 3

Expert Comment

by:evangineerX
ID: 16510895
Which linksys router are you using?  Are you using the default firmware or a third-party open source one?
 
LVL 3

Expert Comment

by:evangineerX
ID: 16510984
To follow up on my previous missive, it should be possible on the Linksys to drop all firewall protection for the server in question (i.e. put it in a DMZ). This will enable you to test whether the issue is with the Linksys firewall or not.

If the issue is with the Linksys firewall, you can either troubleshoot further and try to refine the Linksys firewall settings, or alternatively run an iptables-based firewall on the server itself.
 
LVL 1

Author Comment

by:Cyberflunky
ID: 16511171
There are no firewalls on my side; the Linksys just does NAT and port forwarding. Since it's a residential connection, the cable company blocks a bunch of ports (80, 21, 20, etc.). That's why I need this to work on a different port. I have done this for several different services; FTP is the first to be a problem, since it's such an archaic protocol with so many variations: active, passive, normal, etc.
 
LVL 3

Expert Comment

by:evangineerX
ID: 16511317
Hmm, I can see how that would be a pain. FTP can be a bit of a nightmare, especially if there are firewalls involved that you have no control over.

Perhaps you should tunnel over SSH, or better still just use SFTP.
 
LVL 1

Author Comment

by:Cyberflunky
ID: 16512337
Happy day, I fixed it!

Two problems:
1. My gateway was set wrong on the server.
2. I needed to add the line pasv_address=xx.xx.216.22 to work with NAT.

So the final config looks like this:

# /etc/vsftpd/vsftpd.conf
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
listen_port=2121
pasv_enable=yes
pasv_min_port=2122
pasv_max_port=2199
pasv_address=69.169.216.22
xferlog_std_format=YES
pam_service_name=vsftpd
userlist_enable=YES
listen=YES
tcp_wrappers=YES
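As an added example (not code from the thread or from vsftpd), a small Python checker for the two failure modes discussed above: it parses the NAT-relevant keys from both configs posted in this thread, flags the repeated pasv_min_port, the missing pasv_max_port and the missing pasv_address, and decodes a 227 PASV reply to show the address and port the server actually advertises to the client. The forwarded range 2121-2199 and the trimmed sample configs are assumptions taken from the posts.

```python
import ipaddress
import re

# Constructed sample, NAT-relevant keys from the asker's first config: pasv_min_port is
# repeated (the second was meant to be pasv_max_port) and there is no pasv_address.
ORIGINAL_CONF = "listen=YES\nlisten_port=2121\npasv_enable=yes\npasv_min_port=2122\npasv_min_port=2199\n"
# Constructed sample: the same keys from the final working config.
FIXED_CONF = ("listen=YES\nlisten_port=2121\npasv_enable=yes\npasv_min_port=2122\n"
              "pasv_max_port=2199\npasv_address=69.169.216.22\n")

def parse_conf(text):
    """Return (settings, duplicate_keys); vsftpd keeps the last value of a repeated key."""
    settings, dupes = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in settings:
            dupes.append(key)
        settings[key] = value
    return settings, dupes

def check_nat_config(text, forwarded=(2121, 2199)):
    """List the problems that would break passive FTP through a port-forwarding NAT."""
    s, dupes = parse_conf(text)
    lo, hi = forwarded
    problems = [f"duplicate key {k} (last value wins)" for k in dupes]
    port = int(s.get("listen_port", 21))  # vsftpd default control port
    if not lo <= port <= hi:
        problems.append(f"listen_port {port} is outside the forwarded range {lo}-{hi}")
    if s.get("pasv_enable", "YES").upper() == "YES":
        pmin, pmax = int(s.get("pasv_min_port", 0)), int(s.get("pasv_max_port", 0))
        if pmin == 0 or pmax == 0:  # vsftpd default 0 = any ephemeral port, never forwarded
            problems.append("pasv_min_port and pasv_max_port must both be set")
        elif pmin > pmax or pmin < lo or pmax > hi:
            problems.append(f"PASV range {pmin}-{pmax} is not inside the forwarded range {lo}-{hi}")
        addr = s.get("pasv_address")
        if addr is None or ipaddress.ip_address(addr).is_private:
            problems.append("pasv_address missing or private: PASV replies would carry the LAN address")
    return problems

def parse_pasv_reply(reply):
    """Decode '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (ip, port)."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not m:
        raise ValueError("not a 227 PASV reply")
    h = m.groups()
    return ".".join(h[:4]), int(h[4]) * 256 + int(h[5])
```

Running check_nat_config on the first config reports three problems and on the final one none; the PASV decoder makes it visible when a server without pasv_address hands an outside client a 192.168.x.x address it cannot reach.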
 
LVL 3

Accepted Solution

by:evangineerX (earned 750 total points)
ID: 16512559
Hmm, that reminds me.  I need to change the pasv_address line on a server that I've just put into the datacentre.

How did you wind up with the wrong gateway on the server?

Glad you fixed it.
 
LVL 1

Author Comment

by:Cyberflunky
ID: 16515082
This is just one of several VMware servers I have running RHE4; I use them for testing software before I install it on customers' live systems. The configuration files were all set for networking, but the system had never been rebooted and I never ran "route add default bla bla". I got all wrapped up in the hundreds of settings for vsftpd and forgot to look for the simple stuff.
 
LVL 3

Expert Comment

by:evangineerX
ID: 16517030
Cool. I've had similar issues recently with deploying stuff into production; I think some sort of automation is required here.

I've been doing similar things to you with VMware servers running CentOS 4. My main interest is being able to run various services in their own VMs rather than using dedicated machines, but I digress. Best of luck and thanks for accepting my answer.
