VSFTP running behind a firewall

[asterix404]

Hello, I managed to get vsftp server running. My network is rather complex so I will just talk about the router that I am fairly sure is giving me porblems. I have 3 routers in series, 1 is connected to the inet and 3 is to the server. If I type in the FTP of anything on my network I get forwareded to the linux box and everything is great. It is only loging on from outside... what do I need to do to get this to work? I have tried passive move, active mode... everything I can think of... and it still gives me the same errors, connection refused.

ftp> open Ip_address //this is my IP
ftp: connect: Connection refused

but
ftp> open tux
Connected to tux.workgroup.
220 Welcome to my server
Name (tux:me):

On router 1, I have forwared ports 64000-65000 20 and 21 to this box... and it still doesn't like it... here is my vsftpd.conf file:


background=YES
listen=YES
pasv_enable=YES
pasv_min_port=64000
pasv_max_port=65000
pasv_address=my_Ip


# Allow anonymous FTP?
#anonymous_enable=yes

# Uncomment this to allow local users to log in.
local_enable=YES

# Uncomment this to enable any form of FTP write command.
write_enable=YES

# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=770

# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES

# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES

# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES

# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES

# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever

# Activate logging of uploads/downloads.
xferlog_enable=YES

# If you want, you can have your log file in standard ftpd xferlog format
xferlog_std_format=YES

# You may override where the log file goes if you like. The default is shown
# below.
xferlog_file=/var/log/vsftpd.log

# You may change the default value for timing out an idle session.
idle_session_timeout=600

# You may change the default value for timing out a data connection.
data_connection_timeout=600

# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
nopriv_user=ftpuser

# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES

# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that turning on ascii_download_enable enables malicious remote parties
# to consume your I/O resources, by issuing the command "SIZE /big/file" in
# ASCII mode.
# These ASCII options are split into upload and download because you may wish
# to enable ASCII uploads (to prevent uploaded scripts etc. from breaking),
# without the DoS risk of SIZE and ASCII downloads. ASCII mangling should be
# on the client anyway..
#ascii_upload_enable=YES
#ascii_download_enable=YES

# You may fully customise the login banner string:
ftpd_banner=Welcome to my Server

# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
deny_email_enable=YES
# (default follows)
banned_email_file=/etc/vsftpd/vsftpd.banned_emails

# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd/vsftpd.chroot_list

# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
ls_recurse_enable=YES

Thanks a lot...

[seank]

[pharaoh]

I don't have my server behind a router anymore, but I did when I was testing it and it worked fine. Only difference is that I used xinetd to run it instead of standalone. You have some lines in your config that I didn't even need. Hope this helps!

Here's my conf:

[asterix404]

# netstat -pnat | grep :21
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 7778/vsftpd

I dont' know what this means but I am thinking that there are a lot of 0's is probibly a bad thing... how do I run this from xinted? Umm... the log doesn't say anything about anything reacent.

[pharaoh]

I think the zeros are ok, but what's your /etc/hosts file look like anyways?

If you have xinetd installed already, edit the /etc/xinetd.d/vsftp file...here's mine:

[seank]

[seank]

Also, did you check in /var/log/messages? Run

[asterix404]

I don't have that document alas... I coppied the conf file that was posted and now i run that netstat call and it comes up blank, I think since it is recomentded that I run it from xinted that I will try that... any suggestions... oh yea and thanks a lot

[asterix404]

9013/xinetd
tcp 0 0 127.0.0.1:61039 0.0.0.0:* LISTEN

this is a good thing right? but now how do I get it to be the ip address of my comp and will that make it stop giving me the conection refused?

[pharaoh]

Not sure if this matters, but do you maybe need this

[asterix404]

if that isn't checked or anything... is that bad, and should this be a module?

[seank]

No, you don't need that in your kernel.

Binding to the ip 0.0.0.0:21 for local and 0.0.0.0:* for foreign is correct. You should have xinetd listening on port 21, though. Do you?

[asterix404]

I don't think so... it's linsening to port like 61800 or something of that nature... how do I get it to listen to port 21 as well as to apparently just listen?


7234/xinetd
tcp 0 0 192.168.2.150:32819 205.188.1.104:5190 ESTABLISHED

as a note 32819 is not being forwared nor is it in my vsftpd.conf

[seank]

So you've got a /etc/xinetd.d/vsftpd with this in it?

[pharaoh]

Come on restart it!! I wanna know if it's workin!!
_________________
RYZEN 5 3600 Matisse (Zen 2) 6-Core 3.6 GHz Socket AM4 65W
ASRock B550M PRO4
Crucial Ballistix 3200 MHz DDR4 DRAM 16GB
EVGA GeForce GTX 1060 6GB

[asterix404]

alrighty then, here is my /etc/xinted.d/vsftpd

[pharaoh]

in xinetd.conf you HAVE to change the "only from" to something else than localhost, or just comment it out, or do the 0.0.0.0/0 thing again (I think that's the same as just commenting it out though). If you leave it alone than you can only connect from the server itself. Change that and restart again

Also, if you don't want SWAT running (the Samba config webpage tool) go into /etc/xinetd.d/swat and set "disable = yes". It's currently running on port 901 it would seem.

Sean, I know you said you don't need that FTP module, but that one includes the ftp_conntrack_ip and I thought that was necessary for the way vsftpd does passive?
_________________
RYZEN 5 3600 Matisse (Zen 2) 6-Core 3.6 GHz Socket AM4 65W
ASRock B550M PRO4
Crucial Ballistix 3200 MHz DDR4 DRAM 16GB
EVGA GeForce GTX 1060 6GB

[seank]

comment out the ipv6 line.

[asterix404]

indeed it is... my samba server is strickly inhouse and is working very nicely... now to get this pecky other htingy working... the netstat for 21 still isn't changing but I did a an eth0 restart and got xinted to finialy start listening again

[asterix404]

holy crap it worked....root@tux xinetd.d
# netstat -pnat | grep :21
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN

so now that is conected to the ftp thing on port 21... 20 is blank, and I still can not get into the system from hte outside. I do need to have port 20 open for the data transfer right? It is open through and routed through all of my rounters to the gentoo box

[seank]

pharaoh,

If you use the Linux firewall, you may need that module otherwise I am pretty sure you don't (what made you think this? got a link to some docs with it in there?)

The only_from in the xinetd.conf can remain there for a default. You can override it in each daemon config.

[seank]

[asterix404]

I do indeed have a linksys firewall and since I have to update my kernel to the r9 I will comile it in anyway... hmm... would this automaticlly be done in genkernel cuz my first one that I set up did this perfectly.

[seank]

I've never used genkernel, not sure what it even does (generates a kernel config?)

Why do you need to transfer files on port 20?

[pharaoh]