vsftpd: Cannot list files, but can change dirs
I am serving an FTP site from my Ubuntu 5.1 computer and am having troubles logging on from outside my network. Actually, logging on is no problem, but listing the files and downloading is the problem (although I can still change directories). Between computers inside the network works perfectly.
Here's a typical scenario using FileZilla under WindowsXP from outside the network:

USER blah
PASS blah
230 Login successful
PWD
257 "/home/blah"
PASV
227 Entering Passive Mode (192,168,2,2,42,46)
LIST
Transfer channel can't be opened. Reason: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
Could not retrieve directory listing

Another scenario using 'ftp' under Linux from outside the network:

[becker@esus ~]$ ftp adambecker.homelinux.com 2102
Connected to adambecker.homelinux.com.
220 You have successfully entered Adam's FTP site.
530 Please login with USER and PASS.
Name (adambecker.homelinux.com:becker):
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,2,2,237,138)
ftp: connect: Network is unreachable
ftp> cd mydocs          ### <-- I can 'cd' fine
250 Directory successfully changed.
ftp> ls                 ### <-- But 'ls' fails
227 Entering Passive Mode (192,168,2,2,74,122)
ftp: connect: Network is unreachable
ftp> get test.txt
local: test.txt remote: test.txt
227 Entering Passive Mode (192,168,2,2,235,86)
ftp: connect: Network is unreachable
ftp>

I am using iptables which blocks all unused ports. Should I be opening one up besides port 2102 (my FTP port)? Is this a network problem or a vsftpd problem? Thanks for any suggestions!

--Beebop

###### Here's my /etc/vsftpd.conf ######

listen_port=2102
ftpd_banner=You have successfully entered Adam's FTP site. Upload some pictures. Show me what you look like :)
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
#make sure the 'auth required pam_shells.so' line is commented out in /etc/pam.d/vsftpd
pam_service_name=vsftpd
#default userlist_enable is NO, but I don't want to let anyone in EXCEPT those in the list
userlist_enable=YES
#Used when userlist is enabled.
#When userlist_deny is NO, all users are denied except those in userlist_file
userlist_deny=NO
userlist_file=/etc/vsftpd.user_list
#enable for standalone mode
listen=YES
tcp_wrappers=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
#idle_session_timeout=600
#data_connection_timeout=120
chroot_local_user=YES
I would think you also need to open port 20, as you have this in your config -
Peace, JimBass
Good point. I missed that one.
I opened up that port, but no changes. Maybe my ISP is blocking it? So, I set CONNECT_FROM_PORT_20=NO in vsftpd.conf which should restrict some options but at least let me upload/download files. But after changing /etc/vsftpd.conf, stopping vsftpd, then starting vsftpd again, nothing changed.
I found this solution elsewhere on linuxquestions:
> In /etc/sysconfig/iptables-config try setting
> IPTABLES_MODULES="ip_nat_ftp ip_conntrack_ftp"
> and restart iptables.

Same problem as I had and it fixed his problem. He was using RH9 I think. Anyway, does anyone know where to find the equivalent in ubuntu-5.1? I tried to 'locate' iptables, but no config files were found. Just these:

/sbin/iptables-restore
/sbin/iptables
/sbin/iptables-save

some /usr/share files, and a bunch of .so files.
The FTP client in the above transaction is attempting to use passive. FTP communications use two "channels" -- a command channel (from the client to port 21 on the server) and a data channel. It is the latter we are concerned about. In "old fashioned" FTP, the server opened the data connection from its port 20 to some arbitrary high port on the client. This is what the from_port_20 setting governs. This is called "active" FTP. The problem is that most clients these days are behind NAT routers or have firewalls that prohibit the connection from the server from getting through.
So what to do? The solution is "passive" FTP. In this case, the client opens the second connection to the server for the data stream. But since port 21 is in use it must use another port. In general servers are set to use a range of ports so they can handle several clients. In vsftpd.conf the pasv_min_port and pasv_max_port settings set the lower and upper bounds of this range. So the ports in this range must be allowed through your firewall and if necessary redirected to the FTP server or else the data channel will never be opened. So, this explains the behavior you see. Changing directories only uses the data channel. However, when you try to do an "ls", the results of the ls are actually sent back as data. In your case the data channel is never set up correctly, so you never see anything back from the ls, instead receiving an error. The solution is to configure a port range for passive FTP and make sure it is allowed through your firewall or use active FTP on the client side (will not work if the client is behind NAT or has a firewall preventing the data connection from the server from being established).
Still no go. I opened up a port range so that passive mode would work, and specified that range in vsftpd.conf (1073-1079). I don't expect many clients, which is why the range is so small...
If it helps, here are some more details on my configuration: I have a home network, and the modem goes to a router which is the center of a 3 computer network. I use port forwarding to pass traffic to the correct computer (my server). So in the router settings, I have forwarded ports 2102 FTP, 20 FTP, 1073-1079 FTP, and 8002 WEB to my server's local address. I have also opened up iptables so I don't have to think about the firewall at the moment. My vsftpd.conf file listens on port 2102 and successfully connects clients. To allow passive mode, I have set pasv_min_port=1023 and pasv_max_port=1079. connect_from_port_20=YES just in case we want to fool around with active mode. Like I said above, I can successfully login remotely, change directories, but 'ls' doesn't work and uploading/downloading doesn't work. However, if I log in from inside the 3-computer network everything works perfectly. Thanks for your help, Beebop
I would remove the "connect from 20" configuration setting. Also, make sure that the range of passive ports you configure on the server matches exactly what you're forwarding from the gateway and make sure that iptables is allowing it.
I just did some more testing. The LIST command works when I do it manually. Why won't ftp programs work?
I used two terminals. In the first one I typed this:

>>[TERMINAL 1]
[myuser@esus ~]$ telnet myftp.domain.com 2102
Trying 206.100.120.33...
Connected to myftp.domain.com (206.100.120.33).
Escape character is '^]'.
220 You have successfully entered Beebop's FTP site.
user myusername
331 Please specify the password.
pass mypassword
230 Login successful.
type I
200 Switching to Binary mode.
pasv
227 Entering Passive Mode (192,168,2,2,4,36)
list

At this point, it waits for the passive connection, so I open the second terminal to receive the data. To know which port to connect to, take the last 2 numbers in the passive mode command above (...,4,36) and do this: ((4*256)+36)=1060. So I know to connect to port 1060:

>>[TERMINAL 2]
[myuser@esus ~]$ ftp myftp.domain.com 1060
Connected to adambecker.homelinux.com.
drwxr-xr-x    2 500      500          4096 Dec 11  2005 Desktop
ftp>

Meanwhile, back in Terminal 1...

>>[TERMINAL 1]
150 Here comes the directory listing.
226 Directory send OK.
quit
221 Goodbye.
Connection closed by foreign host.
[myuser@esus ~]$

(By the way, ips and names have been changed to protect the innocent) ;)
Cool, it works! I just added this line to my /etc/vsftpd.conf file:
pasv_address=xx.xxx.xxx.xx

where xx.xxx.xxx.xx is my visible IP address. I got this address by using the 'w3m 192.168.2.1' command (or 'lynx') to open a non-graphical web browser from my remote computer. 192.168.2.1 is my router (be aware that default is usually 192.168.0.1), so I could navigate through that to find the outside IP. Thanks for everyone's help! Just a note: My IP address sometimes changes once in a while (I can't afford a static IP). So every once in a while I find that the FTP client will not connect and I have to go in and edit the pasv_address line in /etc/vsftpd.conf. It's doable, but annoying.