LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Networking (https://www.linuxquestions.org/questions/linux-networking-3/)
-   -   how to setup vsftpd to be accessible outside my lan? (https://www.linuxquestions.org/questions/linux-networking-3/how-to-setup-vsftpd-to-be-accessible-outside-my-lan-297274/)

dx0r515t 03-03-2005 03:00 PM

how to setup vsftpd to be accessible outside my lan?
 
Ok, I have vsftpd set up correctly and everything on slack 10.0, and other PCs on my LAN can connect to my ftp server with 192.168.2.4 just fine, no issues. But obviously this IP won't work outside my LAN, so how do I assign an address to be accessible on the internet?

satinet 03-03-2005 03:06 PM

Presuming you are running a firewall, you need to set up port forwarding.

i.e. getting your firewall/router to forward TCP/IP traffic intended for the port the service is running on (21 - FTP in this case) to the relevant machine inside your LAN.

This is generally easy, but it depends on your router/firewall.

Mine has a GUI where ports, VPNs and so on can be activated.


Anyway, how do you connect to the internet?

I trust you are aware of the security implication of doing this....

dx0r515t 03-03-2005 03:43 PM

I connect to the internet through a cable connection using a router.

zymurgist 03-03-2005 06:18 PM

Are you using IPCHAINS, or IPTABLES firewall?

dx0r515t 03-03-2005 08:39 PM

Quote:

Originally posted by zymurgist
Are you using IPCHAINS, or IPTABLES firewall?
I don't know how do I tell?
but to open my ftp server all I have to do is set the inbound port to 21, my private IP address (192.168.2.4) and the private port (21)? Do I make the connection type TCP or UDP? Do I have to place my ftp server in the DMZ?

ok I got the inbound port set to 21, type set to TCP and private port set to 21, which is right, and my private IP address set to 192.168.2.4. Do I need to place the ftp server computer in the DMZ? I ask this because when I type in my IP address in a ftp client it still won't connect..... the client says "Error: Could not read from socket: Connection reset by peer"

ok just tried it with my ftp PC in the DMZ and it still won't connect from my internet IP address. :mad:

zymurgist 03-07-2005 01:25 PM

It is always recommended to put any publicly accessible servers on the DMZ, but if you secure your ftp server well enough, you don't have to put it on the DMZ. You will need to port forward 21 from your firewall to your ftp server. There are different ways to do this depending on if you're running ipchains or iptables. How did you configure your firewall if you don't know which one you're running?

ken

dx0r515t 03-07-2005 07:56 PM

This is probably a stupid question, but do I have to have IPCHAINS or IPTABLES for port forwarding to work?
Also which one should I use? Whats the benefit from each one?

Hangdog42 03-07-2005 09:21 PM

If you're running Slackware 10, you have iptables. Ipchains is obsolete and hasn't been used by most distros for a couple of years.

To get this working you need to do two things. First, make sure your router forwards port 21 to the IP address of your FTP server (you only need TCP).

The second, and harder, bit is to make sure that the firewall on your FTP server allows inbound traffic on port 21. Have you actually created a firewall? Slackware doesn't have one by default, so if you're not sure what you have in place for a firewall, have a look at the output of iptables -L

Now the really tricky bit is if you have clients trying to use PASV mode. For more info on how to properly set up PASV so that it has a restricted number of ports, I would strongly suggest you read this tutorial. It covers proftpd in good depth and I believe that is what Slackware 10 uses.

<edit>
D'OH....I just re-read your first post where you say you are using vsftp. You'll have to check out their documentation about how to limit the PASV ports. By the way, you will also have to have your router forward the ports used in PASV mode to the FTP server along with port 21 and you'll have to allow them on your firewall as well.
</edit>

dx0r515t 03-08-2005 01:40 PM

well heres my output from the command iptables -L:
Quote:

root@dpc6682009075:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
root@dpc6682009075:~#
Does this mean I have a firewall setup or not? it looks like I accept everything....

I have the router set to forward port 21 to the FTP servers static IP address. Do you know of any tutorials that would help show me how to setup IPTABLES to allow inbound traffic on port 21?

What if I didn't want clients to be able to access the server with PASV mode? And instead I wanted to just tell them to uncheck use PASV mode from their client... how would I do that? Would I just simply leave the ports blocked that PASV mode requires?

BTW, thanks for putting up with all my questions.

dx0r515t 03-08-2005 01:49 PM

sorry for the double post, but also my vsftpd.conf file says
Quote:

connect_from_port_20=YES
does this mean I need to set the private port to 20 on my router? and inbound port to 21? or both to 21?

Hangdog42 03-08-2005 03:27 PM

Quote:

Does this mean I have a firewall setup or not? it looks like I accept everything....
You don't have a firewall in place, pure and simple. As an aside I would highly recommend you put one up. Since you're not familiar with iptables, I'd suggest you install firestarter, which is a nice graphical interface that allows you to build a firewall. The good news is that we can rule the local firewall out as a source of trouble and you don't have to allow port 21 until you get a firewall in place.

If I remember correctly, FTP works on two ports. Port 21 is used for the initial communication and then either port 20 (in normal mode) or some random high ports (in passive mode) are used for data. For vsftp, I believe there is a directive that turns passive mode on and off. If you don't want to use passive mode, try setting that to no. Then you'll probably need to forward port 20 from your router to your FTP server.

dx0r515t 03-08-2005 04:32 PM

Ok as of right now I get this error when trying to connect by using my internet IP address from an FTP client I get "Connection refused"

This is confusing. In my router setup I have, under "virtual server", the inbound port set to 21, the connection type set to TCP, and my private port set to 20, and then of course I have the static IP of the server in my LAN set in that same section. And again the FTP server works perfectly from inside my LAN.....

Maybe I have a setting wrong in vsftpd.conf?
Quote:

# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES
#
# Uncomment this to allow local users to log in.
#local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format
#xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
# nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that turning on ascii_download_enable enables malicious remote parties
# to consume your I/O resources, by issuing the command "SIZE /big/file" in
# ASCII mode.
# These ASCII options are split into upload and download because you may wish
# to enable ASCII uploads (to prevent uploaded scripts etc. from breaking),
# without the DoS risk of SIZE and ASCII downloads. ASCII mangling should be
# on the client anyway..
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
ftpd_banner=Welcome to the server.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd.banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd.chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
listen=YES
chroot_local_user=YES
pasv_enable=NO
Also I know I don't have a firewall right now, but I don't want to set a firewall up until I can get this thing to work from the internet first. Or is it required to have a firewall for this to work? I just want to see if I can get it to work first...... I will set up a firewall once I know this works...

EDIT: BTW I finally figured out how to disable passive mode, check my last line in vsftpd.conf... it looks like it works (at least from inside my LAN)

dx0r515t 03-08-2005 05:16 PM

just noticed this in the client log file (this is connecting through the LAN):
Quote:

220 Welcome to the server.
USER anonymous

331 Please specify the password.
PASS xxxx
230 Login successful.
SYST

215 UNIX Type: L8
TYPE I

200 Switching to Binary mode.
PWD

257 "/"
PORT 192,168,2,50,131,52

200 PORT command successful. Consider using PASV.
LIST -aL

150 Here comes the directory listing.
226 Directory send OK.
The part that interested me was this:
Quote:

PORT 192,168,2,50,131,52

200 PORT command successful. Consider using PASV.
It's interesting it lists those ports; the static IP address of the server is 192.168.2.50, which accounts for the first four ports... but what about those last two, the 131 and 52? Do those two ports need to be forwarded to my FTP server as well as port 21?

Hangdog42 03-08-2005 08:39 PM

Just for entertainment, I'd have a read through this explanation of active and passive FTP modes and the advantages and disadvantages of each.

Quote:

This is confusing in my router setup I have under "virtual server" the inbound port set to 21, the connection type set to TCP, and my private port set to 20, and then of course I have the static IP of the server in my LAN set in that same section
I have to admit that this confuses me as well. I have no idea if "virtual server" is the same thing as port forwarding and "private port" must be something that the manufacturer dreamed up. To be honest, you're going to have to spend some time reading about your router because you do need to forward both 20 and 21 to the FTP server and if that isn't happening, you aren't going to get a connection. From what I know of vsftpd, your config file looks fine. The fact that you can connect from within your LAN suggests it is fine too.

Quote:

PORT 192,168,2,50,131,52
That is odd since if you are running in active mode, I thought that the 192,168,2,50 should be the IP address of the client, not the server. If you read through the link, you'll find that the last two digits are not individual port numbers, but you can do a little math with them to find what port the client is using. Again, with active mode, the server should only use 20 and 21.


If it helps, I run a server, and the relevant portions of my vsftpd.conf are this:

pasv_enable=YES
pasv_min_port=50000
pasv_max_port=51000
pasv_address=xxx.xxx.xxx.xxx (This should be your WAN IP address)

Basically I've used the min and max port commands to limit the range that passive mode can use and then I have my router forward that range to my FTP server (along with port 21).

Again, I think you're probably tripping up with your router and you need to do some digging on how your router does port forwarding.

dx0r515t 03-08-2005 09:29 PM

My bad man, I guess I shouldn't have posted this part: PORT 192,168,2,50,131,52 from the server lol, I should have done it from a client....
well that explains why those "ports" are the same as my server's static IP address.... thanks for that, I will read through your link, it is very much appreciated.
I had a feeling it was my router screwing up somehow.....(F*** belkin) it's the belkin F5D7230-4 router.... I have unfortunately heard rumors that this router doesn't support port forwarding.... I need to do a little research on this. But just to let you know I actually wasn't forwarding port 20 and 21 to my server.... I was just forwarding port 20 under the "private port" because I figured that's referring to my internal LAN and since my vsftpd.conf file said connect from port 20... I didn't think to forward port 21 as well. I've tried both but not at the same time. I will definitely read the router's manual and see if/how it supports port forwarding and as well I will check google.;)

If I find out the router doesn't support port forwarding what router do you suggest I buy if I want to be able to forward ports?

Again as always, thanks for all replies:)

EDIT: Thanks Hangdog42, you've been helpful.
