FTP port blocked on Debian (sarge)
I am trying to set up an FTP server on my Debian system, but it appears port 21 is blocked. I do have an ftp server installed (proftpd).
This is what it says when I try and log in through ftp locally:
Connected to localhost.localdomain.
421 Service not available, remote server has closed connection
If I change the port to something other than 21, it allows me to connect in. So what could be causing this to be blocked? This is a fresh installation by the way. Thanks! |
A firewall sitting between? Check with iptables -L
Otherwise, no real idea. I would install tcpdump and sniff what's on the wire. |
Well iptables gives me this:
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Which I assume means there is no firewall. And tcpdump shows that there is at least some traffic going on... not really sure what it means though. But at least it's not completely blocked. Anything else to try? |
Quote:
When you do this, change your IPs if they are public and they appear (probably localhost will show so no problem).
Code:
tcpdump -i lo
Weird thing, still no clue :) |
Have you tried connecting to port 21 using telnet? Or a port scan with nmap?
|
Yes that would be an idea. I wanted to tell the OP to try with netcat.
Because actually the message "connected" doesn't mean anything if I remember well?! Let's see the tcpdump trace |
Thanks for your replies guys. Here's the netstat dump
Code:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
Telnet-ing into 21 results in nothing, except an error similar to the one above. I'll try the other thing after this |
Here's the results of nmap
Code:
(The 1649 ports scanned but not shown below are in state: closed) |
Quote:
No ident is asked by the server (optional)
No rDNS request is done (optional)
No Welcome message is sent (not good)
The connection is closed after 5s, probably the timeout of the ftp server.
Could you try with another ftp server? You say that it works on another port, right?
Hum.. still no more clue :) Out of ideas here but interested.
edit: Could be an iptables conntrack helper module, that's the only thing that I can see that specifically uses port 21. Check whether ip_conntrack_ftp is in lsmod on the server. |
Yeah I've tried 3 different ftp servers. All the same results. The strange thing is, I was using an older server originally but it had the same setup exactly, and there were no problems.
ip_conntrack_ftp is not in lsmod.
And yes it does work on other ports. How strange eh? |
Yes indeed :)
Ok next try, launching proftp in debug mode:
/etc/init.d/proftpd stop
proftpd -n -d 10 &> /tmp/damned.log
On the client, connect. I mean try ;)
As soon as you get the 421 message, ctrl-c on the proftpd. Maybe more info in /tmp/damned.log ? |
Second thing to try.
Download netcat:
apt-get install netcat
Stop proftp and "mimic" an ftp server with netcat:
/etc/init.d/proftpd stop
This is your new ftp server:
nc -l -vv -p 21
In another shell, try this:
nc -vv localhost 21
<type a few things and press enter>
You should see the message on the netcat ftp server. And also:
ftp localhost
Also what other ports have you tried? <1024? And you did it with the same client?
/usr/bin/ftp localhost 37
for example |
It's working now! A co-worker of mine who is much more versed in Linux than I am tried his hand at it (it's a slow day here. lol)
This is what it looks like happened: I had originally set proftpd to start with inetd. For whatever reason it doesn't seem to work that way, so I set it up as a standalone program. But I guess in my lack of linux knowledge, I didn't take it out of inetd so it was trying to start it both ways. We figured it out from checking the syslog file. It was saying:
Code:
Feb 22 14:12:24 localhost proftpd[1342]: connect from 192.168.0.75 (192.168.0.75) |
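
Added example, not part of the thread: a shell check for the double start described in the last post, where proftpd is still listed in inetd.conf while it also runs standalone. The function names and the sample config lines are made up for illustration; pass the paths of your own inetd.conf and proftpd.conf.

```shell
#!/bin/sh
# Added example: flag the inetd/standalone double start described in the thread.
# Config paths are arguments so the check can run against copies of the files.

# Active inetd.conf entries for the ftp service. Comment lines, including
# Debian's "#<off># ftp ..." form, have a first field other than "ftp".
inetd_ftp_entries() {
    awk '$1 == "ftp"' "$1"
}

# ServerType from proftpd.conf, lower-cased (takes the last occurrence).
# ProFTPD's documented default is standalone when the directive is absent.
proftpd_server_type() {
    awk 'tolower($1) == "servertype" { v = tolower($2) }
         END { print (v == "" ? "standalone" : v) }' "$1"
}

# Prints one of: conflict | unserved | ok
check_ftp_start_mode() {
    entries=$(inetd_ftp_entries "$1")
    stype=$(proftpd_server_type "$2")
    if [ -n "$entries" ] && [ "$stype" = "standalone" ]; then
        echo conflict      # inetd and the standalone daemon both claim the ftp port
    elif [ -z "$entries" ] && [ "$stype" = "inetd" ]; then
        echo unserved      # configured for inetd, but inetd has no ftp entry
    else
        echo ok
    fi
}

# Constructed sample files reproducing the situation from the thread.
demo_dir=$(mktemp -d)
cat > "$demo_dir/inetd.conf" <<'EOF'
#<off># telnet stream tcp nowait telnetd /usr/sbin/tcpd /usr/sbin/in.telnetd
ftp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/proftpd
EOF
cat > "$demo_dir/proftpd.conf" <<'EOF'
ServerName "Debian"
ServerType standalone
Port 21
EOF
echo "start mode check: $(check_ftp_start_mode "$demo_dir/inetd.conf" "$demo_dir/proftpd.conf")"
rm -rf "$demo_dir"
```

A result of "conflict" means one of the two start methods has to go: comment out the ftp line in inetd.conf, or switch ServerType to inetd and stop the init script.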