LinuxQuestions.org


cr-atlanta 01-27-2013 06:59 PM

Can't connect to vsFTPd sometimes (timeout), otherwise fantastic (Gentoo)
 
Hi everybody,

I am running a Gentoo virtual machine with Parallels on OSX - my vsFTPd server is running perfectly - except that sometimes I can't connect when I try to connect with a canonical name, maybe 1 out of 3 times - enough to be worrisome. When I connect using the IP address - everything is wonderful, 100% of the time. I have the Gentoo VM on a static IP (10.0.1.201) through my Airport Extreme wireless base station - it's all port-forwarded and works well with all other services. I try to connect (via the canonical name) - no dice - then I do the EXACT SAME THING 2 seconds later - and it works just fine - without making any changes whatsoever. My OSX machine has the IP address 10.0.1.12; the only thing I can think of is that, because the VM and my OSX machine are effectively using the same NIC, packets are colliding or something.

Does anybody have any ideas? I've tried lots of stuff, and just can't figure it out.

I thank you all in advance for any assistance that you might be able to offer!

Here's some code to show the problem:

Code:

Le-Ordinateur-de-Charles:~ charles$ ftp charles@phobos.charlesread.com
Connected to phobos.charlesread.com.
421 Service not available, remote server timed out. Connection closed.
ftp> quit

Le-Ordinateur-de-Charles:~ charles$ ftp charles@phobos.charlesread.com
Connected to phobos.charlesread.com.
421 Service not available, remote server timed out. Connection closed.
ftp> quit

Le-Ordinateur-de-Charles:~ charles$ ftp charles@phobos.charlesread.com
Connected to phobos.charlesread.com.
220 (vsFTPd 3.0.2)
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quit
221 Goodbye.

Le-Ordinateur-de-Charles:~ charles$ ftp charles@10.0.1.201
Connected to 10.0.1.201.
220 (vsFTPd 3.0.2)
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quit
221 Goodbye.

Le-Ordinateur-de-Charles:~ charles$ ftp charles@10.0.1.201
Connected to 10.0.1.201.
220 (vsFTPd 3.0.2)
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quit
221 Goodbye.

Le-Ordinateur-de-Charles:~ charles$ ftp charles@10.0.1.201
Connected to 10.0.1.201.
220 (vsFTPd 3.0.2)
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quit
221 Goodbye.

Here's /var/log/vsftpd.log covering the above connections:

Code:

Sun Jan 27 09:40:01 2013 [pid 2] CONNECT: Client "10.0.1.1"
Sun Jan 27 09:40:07 2013 [pid 1] [charles] OK LOGIN: Client "10.0.1.1"
Sun Jan 27 09:42:48 2013 [pid 2] CONNECT: Client "10.0.1.12"
Sun Jan 27 09:42:51 2013 [pid 1] [charles] OK LOGIN: Client "10.0.1.12"
Sun Jan 27 09:42:55 2013 [pid 2] CONNECT: Client "10.0.1.12"
Sun Jan 27 09:42:58 2013 [pid 1] [charles] OK LOGIN: Client "10.0.1.12"
Sun Jan 27 09:43:01 2013 [pid 2] CONNECT: Client "10.0.1.12"
Sun Jan 27 09:43:04 2013 [pid 1] [charles] OK LOGIN: Client "10.0.1.12"

(Clearly, when I am connecting to the Gentoo VM with the canonical name, I am connecting from my router (10.0.1.1), indicating that I am actually connecting from the outside world.)


Here's /etc/vsftpd/vsftpd.conf:

Code:

#GENERAL
#------
listen=YES
dirmessage_enable=YES
# banner_file=/etc/vsftpd/vsftpd.banner # edit banner first
chown_uploads=YES
xferlog_enable=YES
idle_session_timeout=600
data_connection_timeout=120
ascii_upload_enable=YES
ascii_download_enable=YES
ls_recurse_enable=NO
pam_service_name=ftp
file_open_mode=0666
local_umask=0002
pasv_min_port=60000
pasv_max_port=61000

#LOCAL
#----
local_enable=YES
write_enable=YES

#the next 3 settings make it such that only users listed in user_list have access

userlist_file=/etc/vsftpd/user_list
userlist_enable=YES
userlist_deny=NO

#ANON
#----
anonymous_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO

#CHROOT
#------

#only users in vsftpd.chroot will NOT be chrooted, all others will

allow_writeable_chroot=YES
chroot_list_enable=YES
virtual_use_local_privs=YES
chroot_local_user=YES
chroot_list_file=/etc/vsftpd/vsftpd.chroot

#VIRTUAL
#------
guest_enable=YES
guest_username=virtual
user_config_dir=/etc/vsftpd/user_conf
anon_upload_enable=YES

Here's my (basic, I know) IPTABLES config (just for completeness):

Code:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target    prot opt in    out    source              destination       
  112  7520 ACCEPT    all  --  lo    *      0.0.0.0/0            0.0.0.0/0         
83413  24M ACCEPT    all  --  *      *      0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
  147  8956 ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    4  256 ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0            tcp dpt:25
  22  1364 ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    8  492 ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0            tcp dpt:1234
    0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0            tcp dpt:20
  980 62720 ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0            tcp dpts:60000:61000
  209 13112 ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0            tcp dpt:21
  103  5104 ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0            tcp dpt:3306
 9242  640K LOG        all  --  *      *      0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 7 prefix "IPTABLES DROP: "
11658  809K DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target    prot opt in    out    source              destination       

Chain OUTPUT (policy ACCEPT 19497 packets, 2258K bytes)
 pkts bytes target    prot opt in    out    source              destination


unSpawn 02-02-2013 07:22 AM

Quote:

Originally Posted by cr-atlanta (Post 4878686)
(..) sometimes I can't connect when I try to connect with a canonical name, maybe 1 out of 3 times (..)
Code:

Connected to phobos.charlesread.com.
421 Service not available, remote server timed out. Connection closed.


To start with, MAC and IP address pairs are registered once the client gets its DHCP lease, and any LAN client will cache those (see 'arp -a'). But charlesread.com is a valid domain name and phobos.charlesread.com a valid host name, meaning that, unless you prohibit it, the search path (both client and server side) will be: local resolver -> (c,h,b,f,j,i,e,g,l,k,m,a,d).gtld-servers.net (root servers) -> (ns84,ns83).worldnic.com. (authoritative name server). There are several ways to intercept and redirect queries for that specific domain to reach the 'net, like putting the guest's MAC and IP address pair in /etc/ethers and the IP/FQDN pair in /etc/hosts, or using a local DNS server like Pdnsd, Dnsmasq, MaraDNS, PowerDNS, ISC BIND, etc, etc, but it would be better IMHO, if you own charlesread.com, to distinguish and use, say, "hostname.charlesread.com.localdomain"-like names inside your LAN to start with.

BTW:
Quote:

Originally Posted by cr-atlanta (Post 4878686)
Code:

  103  5104 ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0            tcp dpt:3306

I do hope your router forwards only the necessary ports, as you, generally speaking, don't want MySQL to be accessible over the 'net. (If you don't forward ports now but intend to later on, you can limit access already by adding one rule: 'iptables -t filter -I INPUT 3 -m state --state NEW ! -s 10.0.1.0/24 -j REJECT', which would guard against the router becoming a SPOF.) Also note your 8 TCP rules don't use "-m state --state NEW" like they should (why else use conntrack?), you don't filter "-m state --state INVALID", and finally you could replace your 8 TCP rules with one rule if you use "multiport": "-m state --state NEW -m multiport --dports 20:22,25,80,1234,3306,60000:61000" ;-p

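As an added illustration (not part of the thread, and not cr-atlanta's or unSpawn's code), here is a small Python checker that parses an `iptables -L INPUT -v -n` listing like the one posted above and applies the three points from the reply: per-port ACCEPT rules without `--state NEW`, no `--state INVALID` drop, and MySQL (3306) reachable from any source; it then emits the consolidated multiport replacement. The sample listing is a trimmed, constructed copy of the chain above, and the LAN-only REJECT is narrowed to port 3306 as an assumption so that the forwarded FTP ports keep working.

```python
import re

# Constructed sample: a trimmed copy of the INPUT chain listed in this thread.
SAMPLE = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target    prot opt in    out    source              destination
83413  24M ACCEPT    all  --  *      *      0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   22  1364 ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0            tcp dpt:20
  980 62720 ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0            tcp dpts:60000:61000
  209 13112 ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0            tcp dpt:21
  103  5104 ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0            tcp dpt:3306
11658  809K DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0
"""
# One rule line: pkts bytes target prot opt in out source destination [match extras]
RULE = re.compile(r"^\s*\d+\s+\S+\s+(\S+)\s+(\S+)\s+--\s+\S+\s+\S+\s+(\S+)\s+\S+\s*(.*)$")

def audit(listing, lan_only_ports=("3306",)):
    """Apply the reply's three checks to `iptables -L INPUT -v -n` output; return (findings, tcp port specs)."""
    rules = [m.groups() for m in map(RULE.match, listing.splitlines()) if m]
    findings, ports = [], []
    for target, proto, src, extras in rules:
        m = re.search(r"dpts?:(\S+)", extras)
        if target != "ACCEPT" or proto != "tcp" or not m:
            continue
        ports.append(m.group(1))
        if "NEW" not in extras:  # per-port ACCEPT that ignores conntrack state
            findings.append(f"port {m.group(1)}: ACCEPT without '--state NEW'")
        if m.group(1) in lan_only_ports and src == "0.0.0.0/0":
            findings.append(f"port {m.group(1)}: LAN-only service accepted from any source")
    if not any(t in ("DROP", "REJECT") and "INVALID" in e for t, _, _, e in rules):
        findings.append("no rule dropping '--state INVALID'")
    return findings, ports

def multiport_spec(ports):
    """Collapse dpt values into one --dports list, merging adjacent ports (20,21,22 -> 20:22)."""
    spans, merged = sorted((int(p.split(":")[0]), int(p.split(":")[-1])) for p in ports), []
    for lo, hi in spans:
        if merged and lo <= merged[-1][1] + 1:
            merged[-1][1] = max(merged[-1][1], hi)
        else:
            merged.append([lo, hi])
    return ",".join(str(lo) if lo == hi else f"{lo}:{hi}" for lo, hi in merged)

def recommended_rules(listing, lan="10.0.1.0/24"):
    """The reply's rules as iptables commands (returned, not run); LAN-only REJECT narrowed to 3306 (assumption)."""
    _, ports = audit(listing)
    return ["iptables -A INPUT -m state --state INVALID -j DROP",
            f"iptables -A INPUT -p tcp --dport 3306 -m state --state NEW ! -s {lan} -j REJECT",
            f"iptables -A INPUT -m state --state NEW -m multiport --dports {multiport_spec(ports)} -j ACCEPT"]
```

Run `audit(SAMPLE)` against a pasted listing to get the findings, and `recommended_rules(SAMPLE)` for the three replacement commands to review before applying.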
