vsftpd Restricted Networks and NAT

I'm trying to get a standalone FTP server running behind a residential cable modem; ports 20 and 21 are blocked. I can successfully log in to this server on my local network on port 2121 ("open 192.168.1.7 2121"), but I have not been able to get access from the outside world. I have port forwarding enabled in my Linksys router and I am forwarding ports 2121 to 2199. If it matters, this is a Red Hat Enterprise installation.


anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
listen_port=2121
pasv_enable=yes
pasv_min_port=2122
pasv_min_port=2199
xferlog_std_format=YES
pam_service_name=vsftpd
userlist_enable=YES
listen=YES
tcp_wrappers=YES
CyberflunkyAsked:
guruyayaCommented:
Let's start with that comment I should have written to another guy:
Write in your terminal (then add it to rc.local if it helps):

modprobe ip_conntrack_ftp

It should add a module that opens new connections in your ftp, and allows it to work with a firewall.
Have a nice day
Yair
pablouruguayCommented:
In the Linksys you made a 2121 to 2199??? If that's correct, your FTP server needs to listen on 2199.
evangineerXCommented:
I suspect that the line:

pasv_min_port=2199

should actually be:

pasv_max_port=2199
CyberflunkyAuthor Commented:
I fixed the pasv_max_port=2199 setting and I even ran the "modprobe ip_conntrack_ftp" command; still no luck :-(
evangineerXCommented:
I don't see the point of running "modprobe ip_conntrack_ftp". As I understand it, the firewall is running on the Linksys, not the Linux server. AFAIK, the ip_conntrack_ftp module is for when you are running an iptables-based firewall on the server and want to do stateful inspection on FTP traffic passing through it.

Presumably, iptables isn't running on the server.  IOW, there isn't a firewall on the server itself.
CyberflunkyAuthor Commented:
I agree about the firewall, iptables is not running, but I'm out of ideas so I figured it would not hurt.
evangineerXCommented:
Which Linksys router are you using? Are you using the default firmware or a third-party open source one?
evangineerXCommented:
To follow up on my previous missive, it should be possible on the Linksys to drop all firewall protection for the server in question (i.e. put it in a DMZ). This will enable you to test whether the issue is with the Linksys firewall or not.

If the issue is with the Linksys firewall, you can either troubleshoot further and try to refine the Linksys firewall settings, or alternatively run an iptables-based firewall on the server itself.
CyberflunkyAuthor Commented:
There are no firewalls on my side; the Linksys just does NAT and port forwarding. Since it's a residential connection, the cable company blocks a bunch of ports: 80, 21, 20, etc. That's why I need this to work on a different port. I have done this for several different services; FTP is the first to be a problem, since it's such an archaic protocol with so many variations: active, passive, normal, etc.
evangineerXCommented:
Hmm, I can see how that would be a pain. FTP can be a bit of a nightmare, especially if there are firewalls involved that you have no control over.

Perhaps you should tunnel over SSH or better still just use SFTP.
CyberflunkyAuthor Commented:
Happy day, I fixed it!

Two problems:
1. My gateway was set wrong on the server.
2. I needed to add the line pasv_address=xx.xx.216.22 to work with NAT.

So the final config looks like this:

# /etc/vsftpd/vsftpd.conf
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
listen_port=2121
pasv_enable=yes
pasv_min_port=2122
pasv_max_port=2199
pasv_address=69.169.216.22
xferlog_std_format=YES
pam_service_name=vsftpd
userlist_enable=YES
listen=YES
tcp_wrappers=YES
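
An added check, not from the thread, that parses a vsftpd.conf the way vsftpd reads it (last value of a repeated key wins) and flags the three things that went wrong here: the repeated pasv_min_port, the missing pasv_max_port, and no pasv_address behind NAT. The two sample configs are constructed from the posts above; the forwarded range 2121-2199 and the NAT assumption are the poster's setup, passed in as parameters.

```python
# Constructed samples: the poster's original and final configs from this thread.
ORIGINAL = """anonymous_enable=NO
listen_port=2121
pasv_enable=yes
pasv_min_port=2122
pasv_min_port=2199
listen=YES
"""
FIXED = """listen_port=2121
pasv_enable=yes
pasv_min_port=2122
pasv_max_port=2199
pasv_address=69.169.216.22
listen=YES
"""

def parse(text):
    """Return (settings, duplicates). vsftpd keeps the last value of a repeated key."""
    settings, seen, dups = {}, set(), []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key in seen:
            dups.append(key)
        seen.add(key)
        settings[key] = value
    return settings, dups

def lint(text, forwarded=(2121, 2199), behind_nat=True):
    """Return a list of findings; an empty list means the config passes these checks."""
    cfg, dups = parse(text)
    findings = [f"duplicate key {k}: only the last value takes effect" for k in dups]
    lo, hi = forwarded
    listen_port = int(cfg.get("listen_port", 21))
    if not lo <= listen_port <= hi:
        findings.append(f"listen_port {listen_port} is outside forwarded range {lo}-{hi}")
    if cfg.get("pasv_enable", "YES").lower() == "yes":  # vsftpd default is passive on
        if "pasv_min_port" not in cfg or "pasv_max_port" not in cfg:
            findings.append("passive mode needs both pasv_min_port and pasv_max_port")
        else:
            pmin, pmax = int(cfg["pasv_min_port"]), int(cfg["pasv_max_port"])
            if pmin > pmax or pmin < lo or pmax > hi or pmin <= listen_port <= pmax:
                findings.append(f"pasv range {pmin}-{pmax} must sit inside {lo}-{hi} and not overlap listen_port")
        if behind_nat and "pasv_address" not in cfg:
            findings.append("behind NAT: set pasv_address to the public IP or PASV replies carry the private address")
    return findings
```

Running lint(ORIGINAL) reports all three problems; lint(FIXED) reports none, because the forwarded range covers both the control port and the whole passive range.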


evangineerXCommented:
Hmm, that reminds me. I need to change the pasv_address line on a server that I've just put into the datacentre.

How did you wind up with the wrong gateway on the server?

Glad you fixed it.

CyberflunkyAuthor Commented:
This is just one of several VMware servers I have running RHE4; I use them for testing software before I install it on customers' live systems. The configuration files were all set for networking, but the system had never been rebooted and I never ran "route add default bla bla". I got all wrapped up in the hundreds of settings for vsftpd and forgot to look for the simple stuff.
evangineerXCommented:
Cool. I've had similar issues recently with deploying stuff into production; I think some sort of automation is required here.

I've been doing similar things to you with VMware servers running Centos4. My main interest is being able to run various services in their own VMs rather than using dedicated machines, but I digress. Best of luck and thanks for accepting my answer.