LinuxQuestions.org
Old 01-27-2013, 06:59 PM   #1
cr-atlanta
LQ Newbie
Registered: Jan 2013
Location: Atlanta, GA, USA
Distribution: Gentoo, OSX
Posts: 18
Can't connect to vsFTPd sometimes (timeout), otherwise fantastic (Gentoo)


Hi everybody,

I am running a Gentoo virtual machine with Parallels on OSX - my vsFTPd server is running perfectly - except that sometimes I can't connect when I try to connect with a canonical name, maybe 1 out of 3 times - enough to be worrisome. When I connect using the IP address - everything is wonderful, 100% of the time. I have the Gentoo VM on a static IP (10.0.1.201) through my Airport Extreme wireless base station - it's all port-forwarded and works well with all other services. I try to connect (via the canonical name) - no dice - then I do the EXACT SAME THING 2 seconds later - and it works just fine - without making any changes whatsoever. My OSX machine has the IP address of 10.0.1.12; the only thing I can think of is that, because the VM and my OSX machine are effectively using the same NIC, packets are colliding or something.

Does anybody have any ideas? I've tried lots of stuff, and just can't figure it out.

I thank you all in advance for any assistance that you might be able to offer!

Here's some code to show the problem:

Code:
Le-Ordinateur-de-Charles:~ charles$ ftp charles@phobos.charlesread.com
Connected to phobos.charlesread.com.
421 Service not available, remote server timed out. Connection closed.
ftp> quit

Le-Ordinateur-de-Charles:~ charles$ ftp charles@phobos.charlesread.com
Connected to phobos.charlesread.com.
421 Service not available, remote server timed out. Connection closed.
ftp> quit

Le-Ordinateur-de-Charles:~ charles$ ftp charles@phobos.charlesread.com
Connected to phobos.charlesread.com.
220 (vsFTPd 3.0.2)
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quit
221 Goodbye.

Le-Ordinateur-de-Charles:~ charles$ ftp charles@10.0.1.201
Connected to 10.0.1.201.
220 (vsFTPd 3.0.2)
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quit
221 Goodbye.

Le-Ordinateur-de-Charles:~ charles$ ftp charles@10.0.1.201
Connected to 10.0.1.201.
220 (vsFTPd 3.0.2)
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quit
221 Goodbye.

Le-Ordinateur-de-Charles:~ charles$ ftp charles@10.0.1.201
Connected to 10.0.1.201.
220 (vsFTPd 3.0.2)
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quit
221 Goodbye.
Here's /var/log/vsftpd.log covering the above connections:

Code:
Sun Jan 27 09:40:01 2013 [pid 2] CONNECT: Client "10.0.1.1"
Sun Jan 27 09:40:07 2013 [pid 1] [charles] OK LOGIN: Client "10.0.1.1"
Sun Jan 27 09:42:48 2013 [pid 2] CONNECT: Client "10.0.1.12"
Sun Jan 27 09:42:51 2013 [pid 1] [charles] OK LOGIN: Client "10.0.1.12"
Sun Jan 27 09:42:55 2013 [pid 2] CONNECT: Client "10.0.1.12"
Sun Jan 27 09:42:58 2013 [pid 1] [charles] OK LOGIN: Client "10.0.1.12"
Sun Jan 27 09:43:01 2013 [pid 2] CONNECT: Client "10.0.1.12"
Sun Jan 27 09:43:04 2013 [pid 1] [charles] OK LOGIN: Client "10.0.1.12"
(Clearly, when I am connecting to the Gentoo VM with the canonical name, I am connecting from my router (10.0.1.1), indicating that I am actually connecting from the outside world.)


Here's /etc/vsftpd/vsftpd.conf:

Code:
#GENERAL
#------
listen=YES
dirmessage_enable=YES
# banner_file=/etc/vsftpd/vsftpd.banner # edit banner first
chown_uploads=YES
xferlog_enable=YES
idle_session_timeout=600
data_connection_timeout=120
ascii_upload_enable=YES
ascii_download_enable=YES
ls_recurse_enable=NO
pam_service_name=ftp
file_open_mode=0666
local_umask=0002
pasv_min_port=60000
pasv_max_port=61000

#LOCAL
#----
local_enable=YES
write_enable=YES

#the next 3 settings make it such that only users listed in user_list have access

userlist_file=/etc/vsftpd/user_list
userlist_enable=YES
userlist_deny=NO

#ANON
#----
anonymous_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO

#CHROOT
#------

#only users in vsftpd.chroot will NOT be chrooted, all others will

allow_writeable_chroot=YES
chroot_list_enable=YES
virtual_use_local_privs=YES
chroot_local_user=YES
chroot_list_file=/etc/vsftpd/vsftpd.chroot

#VIRTUAL
#------
guest_enable=YES
guest_username=virtual
user_config_dir=/etc/vsftpd/user_conf
anon_upload_enable=YES
Here's my (basic, I know) IPTABLES config (just for completeness):

Code:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  112  7520 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
83413   24M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
  147  8956 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    4   256 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
   22  1364 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    8   492 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1234
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:20
  980 62720 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:60000:61000
  209 13112 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21
  103  5104 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3306
 9242  640K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 7 prefix "IPTABLES DROP: "
11658  809K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 19497 packets, 2258K bytes)
 pkts bytes target     prot opt in     out     source               destination
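A quick way to see that pattern in the log, as an added example that is not part of the original post: this shell snippet summarises a vsftpd.log by client address and tags sessions that arrive from the LAN gateway (10.0.1.1, the poster's router), which is what a LAN client looks like when its name lookup returned the public address and the traffic looped out through the router and back in. The sample log lines are constructed in the format the thread shows.

```shell
#!/bin/sh
# Summarise vsftpd.log per client and flag sessions coming from the LAN gateway.
# Assumption: the gateway/router address is 10.0.1.1 (override with GATEWAY=...).
GATEWAY="${GATEWAY:-10.0.1.1}"

# Constructed sample log in the format vsftpd writes to /var/log/vsftpd.log.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Sun Jan 27 09:40:01 2013 [pid 2] CONNECT: Client "10.0.1.1"
Sun Jan 27 09:40:07 2013 [pid 1] [charles] OK LOGIN: Client "10.0.1.1"
Sun Jan 27 09:42:48 2013 [pid 2] CONNECT: Client "10.0.1.12"
Sun Jan 27 09:42:51 2013 [pid 1] [charles] OK LOGIN: Client "10.0.1.12"
Sun Jan 27 09:43:01 2013 [pid 2] CONNECT: Client "10.0.1.12"
Sun Jan 27 09:43:04 2013 [pid 1] [charles] FAIL LOGIN: Client "10.0.1.12"
EOF

# One line per client: <ip> <connects> <ok logins> <failed logins> [HAIRPIN]
# HAIRPIN means the session was sourced from the gateway, i.e. a LAN client whose
# traffic went out to the router and came back (NAT loopback), not an outside host.
client_summary() {   # $1 = path to a vsftpd.log
    awk -v gw="$GATEWAY" '
        { ip = $NF; gsub(/"/, "", ip) }          # last field is the quoted client address
        /CONNECT: Client/    { conn[ip]++ }
        /OK LOGIN: Client/   { ok[ip]++ }
        /FAIL LOGIN: Client/ { fail[ip]++ }
        END {
            for (ip in conn) {
                tag = (ip == gw) ? " HAIRPIN" : ""
                printf "%s %d %d %d%s\n", ip, conn[ip], ok[ip] + 0, fail[ip] + 0, tag
            }
        }' "$1"
}

# Number of distinct clients that show up as the gateway; expected 0 once the server
# name resolves to its LAN address inside the LAN (/etc/hosts or a local DNS view).
hairpin_clients() {   # $1 = path to a vsftpd.log
    client_summary "$1" | grep -c HAIRPIN
}

client_summary "$SAMPLE_LOG"
```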
 
Old 02-02-2013, 07:22 AM   #2
unSpawn
Moderator
Registered: May 2001
Posts: 29,415
Blog Entries: 55
Quote:
Originally Posted by cr-atlanta
(..) sometimes I can't connect when I try to connect with a canonical name, maybe 1 out of 3 times (..)
Code:
Connected to phobos.charlesread.com.
421 Service not available, remote server timed out. Connection closed.
To start with, MAC and IP address pairs are registered once the client gets its DHCP lease, and any LAN client will cache those (see 'arp -a'). But charlesread.com is a valid domain name and phobos.charlesread.com a valid host name, meaning, unless you prohibit it, the search path (both client and server side) will be: local resolver -> (c,h,b,f,j,i,e,g,l,k,m,a,d).gtld-servers.net (root servers) -> (ns84,ns83).worldnic.com. (authoritative name server). There are several ways to intercept and redirect queries for that specific domain to reach the 'net, like putting the guest's MAC and IP address pair in /etc/ethers and the IP/FQDN pair in /etc/hosts, or using a local DNS server like Pdnsd, Dnsmasq, MaraDNS, PowerDNS, ISC BIND, etc, etc, but it would be better IMHO, if you own charlesread.com, to distinguish and use, say, "hostname.charlesread.com.localdomain"-like names inside your LAN to start with.

BTW:
Quote:
Originally Posted by cr-atlanta
Code:
  103  5104 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3306
I do hope your router forwards only the necessary ports, as, generally speaking, you don't want MySQL to be accessible over the 'net. (If you don't forward ports now but intend to later on, you can limit access already by adding one rule: 'iptables -t filter -I INPUT 3 -m state --state NEW ! -s 10.0.1.0/24 -j REJECT', which would guard against the router becoming a SPOF.) Also note your 8 TCP rules don't use "-m state --state NEW" like they should (why else use conntrack?), you don't filter "-m state --state INVALID", and finally you could replace your 8 TCP rules with one rule if you use "multiport": "-m state --state NEW -m multiport --dports 20:22,25,80,1234,3306,60000:61000" ;-p
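The rule set the reply sketches, as an added example (not unSpawn's or the thread's own code): one function prints the iptables commands so they can be reviewed before being piped to a root shell. It assumes the LAN is 10.0.1.0/24, uses the conntrack match (`--ctstate`, the same match the poster's listing shows) in place of the older `-m state`, keeps MySQL (3306) reachable from the LAN only, and drops INVALID packets before the multiport rule.

```shell
#!/bin/sh
# Generate a consolidated INPUT chain for the vsftpd host described in the thread.
# Assumptions (not from the thread): LAN is 10.0.1.0/24; the public service ports are
# the ones in the poster's original eight rules, minus MySQL, which stays LAN-only.
LAN_NET="${LAN_NET:-10.0.1.0/24}"
PUBLIC_PORTS="20:22,25,80,1234,60000:61000"   # ftp-data/ftp/ssh, smtp, http, custom, pasv range
LAN_ONLY_PORTS="3306"                         # MySQL: never accept NEW from outside the LAN

# Print the commands. $1 = "lan-only" to additionally reject every NEW connection from
# outside the LAN (the guard against the router becoming a single point of failure).
input_rules() {
    cat <<EOF
iptables -t filter -F INPUT
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -t filter -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
    if [ "${1:-}" = "lan-only" ]; then
        echo "iptables -t filter -A INPUT -m conntrack --ctstate NEW ! -s $LAN_NET -j REJECT"
    fi
    cat <<EOF
iptables -t filter -A INPUT -p tcp -s $LAN_NET -m conntrack --ctstate NEW -m multiport --dports $LAN_ONLY_PORTS -j ACCEPT
iptables -t filter -A INPUT -p tcp -m conntrack --ctstate NEW -m multiport --dports $PUBLIC_PORTS -j ACCEPT
iptables -t filter -A INPUT -j LOG --log-level 7 --log-prefix "IPTABLES DROP: "
iptables -t filter -A INPUT -j DROP
EOF
}

# Review the output first, then apply as root:   input_rules lan-only | sudo sh
input_rules "$@"
```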
Tags
ftp, gentoo, timeout, virtual machine, vsftpd