Ftp – can’t connect to vsftpd from outside network

Tags: ftp, ubuntu-10.04, vsftpd

I know this has been asked many times before, but nothing seems to resolve my issue.

I have vsftpd running on Ubuntu 10.04. I can connect with ftp localhost on the machine. I can connect from another machine in my network. I just cannot connect from outside. The machine is behind an AirPort Extreme managed by AirPort Utility on a Mac.

21 is open as per nmap:

macmini:~$ nmap localhost

Starting Nmap 5.21 ( http://nmap.org ) at 2011-04-10 23:49 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00045s latency).
Hostname localhost resolves to 2 IPs. Only scanned 127.0.0.1
rDNS record for 127.0.0.1: localhost.localdomain
Not shown: 997 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
631/tcp open  ipp

netstat says 21 is listening:

macmini:~$ netstat -lep --tcp | grep ftp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp        0      0 *:ftp                   *:*                     LISTEN

iptables:

macmini:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

When I try to connect from my external IP (or a DynDNS name which resolves there) it times out ("control connection timed out").

As I know very little about networking, I feel like something may jump out as clearly wrong?

Best Answer

To actually answer your question: how is your firewall configured? It sounds like it's blocking incoming connections. Most have a default deny on port 21. Actually, most have a default deny on all incoming connections on the external interface. Is your firewall doing NAT/PAT translations? Are you running FTP in passive mode, or active mode? If you're running in active mode, FTP clients would need to forward connections from your server or the connections will fail. If you are running in passive mode, then you will need to forward that passive port range. Are all your connections taking place on port 21? By default they won't, although some clients (mostly web browsers) will use port 21 for data.

In more general terms: Getting FTP to work correctly through a firewall is a tremendous PITA because FTP predates TCP/IP and the TCP/IP model. FTP needs a different port for each connection to your server from the same IP. You use port 21 for control connections and 20 for data connections generally. And depending on whether you're using Active or Passive FTP will determine if your server will try to initiate those data connections or if the client has to. If you're using passive FTP, you have to forward more than just port 21. By default it's port 20, but most FTP daemons nowadays request a range of ports in the 50,000 range. You'd have to look at the vsftpd config file to see what ports it wants to use. Also, remember that FTP sends passwords in plain text, so it's highly susceptible to man-in-the-middle and replay attacks and the like.

FTPd + firewall = nightmare. IMX, the inevitable answer to the question "Why doesn't my FTP server work across the firewall?" is "Because FTP dates back to 1971."

In general, I'd strongly recommend switching to sftp (OpenSSH is the most common Linux daemon), although that will require a while to learn the ins and outs of, because sftp is a subset of ssh commands. You have to be careful configuring it or you'll give external users shell access to your server. That's bad, obviously, as suddenly all those security alerts that say "a malicious local user could..." apply to you.
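The answer's passive-mode points (forward the whole pasv_min_port..pasv_max_port range, not just 21, and look in the vsftpd config to find it) can be checked mechanically. The script below is an added example, not code from the question, the answer or the vsftpd project: it parses a constructed vsftpd.conf fragment, lists the TCP ranges a NAT router would have to forward, and decodes a 227 PASV reply to catch the other classic NAT failure, a server that advertises its 192.168.x.x LAN address instead of the router's public IP (fixed in vsftpd with pasv_address). The port range 50000-50100 and the public IP 198.51.100.7 are assumptions chosen for the example.

```python
"""Checks for running vsftpd in passive mode behind NAT.

For an external client to get a data connection you need both of these:
  1. the router forwards TCP 21 and the whole pasv_min_port..pasv_max_port
     range to the FTP server, and
  2. the server advertises the router's public address in its PASV reply
     (vsftpd option pasv_address), not its LAN address; otherwise the client
     tries to connect to an unroutable 192.168.x.x address and times out.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed vsftpd.conf fragment; the port range is an assumption, not a
# value taken from the original page.
VSFTPD_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50100
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"; data port = p1*256 + p2
PASV_REPLY = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass
class PasvConfig:
    enabled: bool
    min_port: int            # 0 means "any free port" (the vsftpd default)
    max_port: int
    address: Optional[str]   # pasv_address, or None if unset


def parse_vsftpd_conf(text: str) -> PasvConfig:
    """Parse the key=value lines of a vsftpd.conf into the passive-mode settings."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            opts[key.strip()] = value.strip()
    return PasvConfig(
        enabled=opts.get("pasv_enable", "YES").upper() == "YES",
        min_port=int(opts.get("pasv_min_port", "0")),
        max_port=int(opts.get("pasv_max_port", "0")),
        address=opts.get("pasv_address"),
    )


def ports_to_forward(cfg: PasvConfig) -> List[Tuple[int, int]]:
    """TCP port ranges the router must forward to the server for passive FTP."""
    ranges = [(21, 21)]
    if cfg.enabled:
        if cfg.min_port == 0 or cfg.max_port == 0:
            # Unbounded: vsftpd picks any free port, which cannot be forwarded.
            raise ValueError("set pasv_min_port/pasv_max_port so the range can be forwarded")
        ranges.append((cfg.min_port, cfg.max_port))
    return ranges


def parse_pasv_reply(reply: str) -> Tuple[str, int]:
    """Decode the host and port advertised in a 227 reply."""
    m = PASV_REPLY.match(reply.strip())
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_pasv_reply(cfg: PasvConfig, reply: str, public_ip: str) -> List[str]:
    """Return the reasons an external client would fail on this PASV reply."""
    host, port = parse_pasv_reply(reply)
    problems = []
    addr = ipaddress.ip_address(host)
    if any(addr in net for net in RFC1918):
        problems.append(f"advertised LAN address {host}; set pasv_address={public_ip}")
    elif host != public_ip:
        problems.append(f"advertised {host}, but router is {public_ip}")
    if cfg.min_port and not (cfg.min_port <= port <= cfg.max_port):
        problems.append(f"port {port} outside forwarded range {cfg.min_port}-{cfg.max_port}")
    return problems


if __name__ == "__main__":
    cfg = parse_vsftpd_conf(VSFTPD_CONF)
    print("forward TCP:", ports_to_forward(cfg))
    # Constructed replies: the first is what you get when pasv_address is unset.
    for r in ("227 Entering Passive Mode (192,168,1,10,195,88)",
              "227 Entering Passive Mode (198,51,100,7,195,88)"):
        print(r, "->", check_pasv_reply(cfg, r, "198.51.100.7") or "ok")
```

To get a real 227 line to feed into the check, run ftp -v against the server from inside the LAN and type passive followed by ls; the reply the server prints is what an external client will see. Note that vsftpd expects pasv_address to be a numeric IP unless pasv_addr_resolve=YES is also set, and that none of this helps if the router does not forward the range: the server's own iptables being wide open, as in the question, says nothing about the NAT box in front of it.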