Linux - Server: This forum is for the discussion of Linux Software used in a server related context.
01-27-2013, 06:59 PM | #1 | cr-atlanta, LQ Newbie | Registered: Jan 2013 | Location: Atlanta, GA, USA | Distribution: Gentoo, OSX | Posts: 18
Can't connect to vsFTPd sometimes (timeout), otherwise fantastic (Gentoo)
Hi everybody,
I am running a Gentoo virtual machine with Parallels on OSX - my vsFTPd server is running perfectly - except that sometimes I can't connect when I try to connect with a canonical name, maybe 1 out of 3 times - enough to be worrisome. When I connect using the IP address - everything is wonderful, 100% of the time. I have the Gentoo VM on a static IP (10.0.1.201) through my Airport Extreme wireless base station - it's all port-forwarded and works well with all other services. I try to connect (via the canonical name) - no dice - then I do the EXACT SAME THING 2 seconds later - and it works just fine - without making any changes whatsoever. My OSX machine has the IP address of 10.0.1.12; the only thing I can think of is that, because the VM and my OSX machine are effectively using the same NIC, packets are colliding or something.
Does anybody have any ideas? I've tried lots of stuff, and just can't figure it out.
I thank you all in advance for any assistance that you might be able to offer!
Here's some code to show the problem:
Code:
Le-Ordinateur-de-Charles:~ charles$ ftp charles@phobos.charlesread.com
Connected to phobos.charlesread.com.
421 Service not available, remote server timed out. Connection closed.
ftp> quit
Le-Ordinateur-de-Charles:~ charles$ ftp charles@phobos.charlesread.com
Connected to phobos.charlesread.com.
421 Service not available, remote server timed out. Connection closed.
ftp> quit
Le-Ordinateur-de-Charles:~ charles$ ftp charles@phobos.charlesread.com
Connected to phobos.charlesread.com.
220 (vsFTPd 3.0.2)
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quit
221 Goodbye.
Le-Ordinateur-de-Charles:~ charles$ ftp charles@10.0.1.201
Connected to 10.0.1.201.
220 (vsFTPd 3.0.2)
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quit
221 Goodbye.
Le-Ordinateur-de-Charles:~ charles$ ftp charles@10.0.1.201
Connected to 10.0.1.201.
220 (vsFTPd 3.0.2)
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quit
221 Goodbye.
Le-Ordinateur-de-Charles:~ charles$ ftp charles@10.0.1.201
Connected to 10.0.1.201.
220 (vsFTPd 3.0.2)
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quit
221 Goodbye.
Here's /var/log/vsftpd.log covering the above connections:
Code:
Sun Jan 27 09:40:01 2013 [pid 2] CONNECT: Client "10.0.1.1"
Sun Jan 27 09:40:07 2013 [pid 1] [charles] OK LOGIN: Client "10.0.1.1"
Sun Jan 27 09:42:48 2013 [pid 2] CONNECT: Client "10.0.1.12"
Sun Jan 27 09:42:51 2013 [pid 1] [charles] OK LOGIN: Client "10.0.1.12"
Sun Jan 27 09:42:55 2013 [pid 2] CONNECT: Client "10.0.1.12"
Sun Jan 27 09:42:58 2013 [pid 1] [charles] OK LOGIN: Client "10.0.1.12"
Sun Jan 27 09:43:01 2013 [pid 2] CONNECT: Client "10.0.1.12"
Sun Jan 27 09:43:04 2013 [pid 1] [charles] OK LOGIN: Client "10.0.1.12"
(Clearly, when I am connecting to the Gentoo VM with the canonical name, I am connecting from my router (10.0.1.1), indicating that I am actually connecting from the outside world.)
Here's /etc/vsftpd/vsftpd.conf:
Code:
#GENERAL
#------
listen=YES
dirmessage_enable=YES
# banner_file=/etc/vsftpd/vsftpd.banner # edit banner first
chown_uploads=YES
xferlog_enable=YES
idle_session_timeout=600
data_connection_timeout=120
ascii_upload_enable=YES
ascii_download_enable=YES
ls_recurse_enable=NO
pam_service_name=ftp
file_open_mode=0666
local_umask=0002
pasv_min_port=60000
pasv_max_port=61000
#LOCAL
#----
local_enable=YES
write_enable=YES
#the next 3 settings make it such that only users listed in user_list have access
userlist_file=/etc/vsftpd/user_list
userlist_enable=YES
userlist_deny=NO
#ANON
#----
anonymous_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
#CHROOT
#------
#only users in vsftpd.chroot will NOT be chrooted, all others will
allow_writeable_chroot=YES
chroot_list_enable=YES
virtual_use_local_privs=YES
chroot_local_user=YES
chroot_list_file=/etc/vsftpd/vsftpd.chroot
#VIRTUAL
#------
guest_enable=YES
guest_username=virtual
user_config_dir=/etc/vsftpd/user_conf
anon_upload_enable=YES
Here's my (basic, I know) IPTABLES config (just for completeness):
Code:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
112 7520 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
83413 24M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
147 8956 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
4 256 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
22 1364 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
8 492 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1234
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20
980 62720 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:60000:61000
209 13112 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
103 5104 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306
9242 640K LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 7 prefix "IPTABLES DROP: "
11658 809K DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 19497 packets, 2258K bytes)
pkts bytes target prot opt in out source destination
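The log in the post shows the hostname connection arriving from the base station's address (10.0.1.1) rather than from the OSX client, so vsftpd's own log cannot tell a hairpinned LAN client from a genuine Internet client, and any source-based allow or block rule on the server would apply to the router's address instead. It also shows that the three hostname attempts produced only one CONNECT line: the two that timed out are absent from vsftpd.log. The script below is an added example, not from the thread, that summarises vsftpd.log per client IP and flags connects sourced from the gateway as well as connects that never reached OK LOGIN. The sample lines are constructed from the post's log with one OK LOGIN line removed so that an unfinished connect shows up; the GATEWAY variable and the function names are assumptions.

```shell
#!/bin/sh
# Constructed sample in the format of the post's /var/log/vsftpd.log
# (copied from the thread, with the 09:42:58 OK LOGIN line removed on purpose).
SAMPLE_LOG='Sun Jan 27 09:40:01 2013 [pid 2] CONNECT: Client "10.0.1.1"
Sun Jan 27 09:40:07 2013 [pid 1] [charles] OK LOGIN: Client "10.0.1.1"
Sun Jan 27 09:42:48 2013 [pid 2] CONNECT: Client "10.0.1.12"
Sun Jan 27 09:42:51 2013 [pid 1] [charles] OK LOGIN: Client "10.0.1.12"
Sun Jan 27 09:42:55 2013 [pid 2] CONNECT: Client "10.0.1.12"
Sun Jan 27 09:43:01 2013 [pid 2] CONNECT: Client "10.0.1.12"
Sun Jan 27 09:43:04 2013 [pid 1] [charles] OK LOGIN: Client "10.0.1.12"'

# Address of the NAT gateway (assumed; the Airport Extreme in the thread is 10.0.1.1).
GATEWAY=${GATEWAY:-10.0.1.1}

# summarize_log: reads vsftpd.log lines on stdin and prints, sorted by IP, one line per client:
#   <ip> connects=<n> logins=<n> <flags>
# flags: GATEWAY_SOURCE     the connect came from $GATEWAY, i.e. the real client is hidden
#        UNFINISHED_CONNECTS more CONNECT lines than OK LOGIN lines for this client
#        ok                 nothing to report
summarize_log() {
    awk -v gw="$GATEWAY" '
        /CONNECT: Client "/  { ip = $NF; gsub(/"/, "", ip); conn[ip]++;  seen[ip] = 1 }
        /OK LOGIN: Client "/ { ip = $NF; gsub(/"/, "", ip); login[ip]++; seen[ip] = 1 }
        END {
            for (ip in seen) {
                flag = ""
                if (ip == gw) flag = "GATEWAY_SOURCE"
                if (conn[ip] > login[ip]) flag = (flag == "" ? "" : flag ",") "UNFINISHED_CONNECTS"
                if (flag == "") flag = "ok"
                printf "%s connects=%d logins=%d %s\n", ip, conn[ip], login[ip], flag
            }
        }' | sort
}

# Demo on the constructed sample; on a real server run: summarize_log < /var/log/vsftpd.log
printf '%s\n' "$SAMPLE_LOG" | summarize_log
```

A GATEWAY_SOURCE entry with a healthy login count is exactly the hairpin-NAT signature the poster observed; a client with UNFINISHED_CONNECTS reached the daemon but never logged in, whereas attempts that are missing from the log entirely (as in the post) failed before vsftpd ever accepted them, which points at resolution or the NAT path rather than at the vsftpd configuration.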
02-02-2013, 07:22 AM | #2 | Moderator | Registered: May 2001 | Posts: 24,785
Quote:
Originally Posted by cr-atlanta
(..) sometimes I can't connect when I try to connect with a canonical name, maybe 1 out of 3 times (..)
Code:
Connected to phobos.charlesread.com.
421 Service not available, remote server timed out. Connection closed.
To start with, MAC and IP address pairs are registered once the client gets its DHCP lease and any LAN client will cache those (see 'arp -a'). But charlesread.com is a valid domain name and phobos.charlesread.com a valid host name, meaning, unless you prohibit it, the search path (both client and server side) will be: local resolver -> (c,h,b,f,j,i,e,g,l,k,m,a,d).gtld-servers.net (root servers) -> (ns84,ns83).worldnic.com. (authoritative name server). There are several ways to intercept and redirect queries for that specific domain to reach the 'net, like putting the guest's MAC and IP address pair in /etc/ethers and the IP FQDN pair in /etc/hosts, or using a local DNS server like Pdnsd, Dnsmasq, MaraDNS, PowerDNS, ISC BIND, etc, etc, but it would be better IMHO, if you own charlesread.com, to distinguish and use say "hostname.charlesread.com.localdomain"-like names inside your LAN to start with.
BTW:
Quote:
Originally Posted by cr-atlanta
Code:
103 5104 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306
I do hope your router forwards only the necessary ports as you generally speaking don't want MySQL to be accessible over the 'net. (If you don't forward ports now but intend to later on you can limit access already by adding one rule: 'iptables -t filter -I INPUT 3 -m state --state NEW ! -s 10.0.1.0/24 -j REJECT' which would guard against the router becoming a SPOF.) Also note your 8 TCP rules don't use "-m state --state NEW" like they should (why else use conntrack?), you don't filter "-m state --state INVALID" and finally you could replace your 8 TCP rules with one rule if you use "multiport": "-m state --state NEW -m multiport --dports 20:22,25,80,1234,3306,60000:61000" ;-p
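The reply above makes three points about the posted INPUT chain: the accept rules should match NEW state (that is what conntrack is for), INVALID packets should be dropped, and the eight per-port rules collapse into one multiport rule; it also offers a LAN-only REJECT guard for the day the router forwards more than it should. The script below is an added example, not the moderator's or the original poster's code, that generates that INPUT chain from the ports and network visible in the thread. By default it only prints the iptables commands for review and applies them only when APPLY=1 is set. LAN_NET, TCP_PORTS, LAN_ONLY, APPLY and the function names are assumptions; the port list, log prefix and log level come from the posted listing and the reply.

```shell
#!/bin/sh
# INPUT chain rebuilt along the reply's recommendations. Assumed variables below.
LAN_NET=${LAN_NET:-10.0.1.0/24}                              # LAN seen in the thread
TCP_PORTS=${TCP_PORTS:-20:22,25,80,1234,3306,60000:61000}    # the moderator's multiport list
LAN_ONLY=${LAN_ONLY:-0}    # 1 = reject NEW connections from outside $LAN_NET (the SPOF guard)

# generate_rules: prints one iptables command per line, in chain order, without running anything.
generate_rules() {
    echo "iptables -t filter -F INPUT"
    echo "iptables -t filter -A INPUT -i lo -j ACCEPT"
    # Replies to conversations we already track; kept exactly as in the posted chain.
    echo "iptables -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
    # Packets conntrack cannot place in any conversation (bad TCP flags, stray fragments).
    echo "iptables -t filter -A INPUT -m state --state INVALID -j DROP"
    if [ "$LAN_ONLY" = 1 ]; then
        # Guard against the router forwarding too much: only the LAN may open sessions.
        echo "iptables -t filter -A INPUT -m state --state NEW ! -s $LAN_NET -j REJECT"
    fi
    # One stateful multiport rule in place of the eight per-port ACCEPTs.
    echo "iptables -t filter -A INPUT -p tcp -m state --state NEW -m multiport --dports $TCP_PORTS -j ACCEPT"
    # Same LOG/DROP tail as the posted chain (level 7, prefix "IPTABLES DROP: ").
    echo "iptables -t filter -A INPUT -j LOG --log-level 7 --log-prefix \"IPTABLES DROP: \""
    echo "iptables -t filter -A INPUT -j DROP"
}

# count_rules: number of commands generate_rules would execute (7, or 8 with LAN_ONLY=1).
count_rules() { generate_rules | wc -l | tr -d ' '; }

# Dry run by default; APPLY=1 feeds the generated commands to sh (run as root, from the console).
if [ "${APPLY:-0}" = 1 ]; then
    generate_rules | sh -e
else
    generate_rules
fi
```

The chain policy stays ACCEPT as in the post, so the trailing LOG and DROP rules remain the actual default; note that flushing INPUT under an ACCEPT policy leaves the host briefly unfiltered, which is why the apply step belongs on a console session rather than over SSH through the very chain being replaced. Port 3306 is kept only because it is in the posted listing; the reply's advice that MySQL should not be reachable from the Internet still applies, and with LAN_ONLY=1 the REJECT rule enforces it regardless of what the router forwards.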