Have vsftpd running, but only to localhost - need help for settings to get remote access

Posted: 2008/11/27 23:06:41
by bbarnett
The problem:
- I can successfully connect an ftp session by typing "ftp localhost" in an SSH window to the server.
- When I type "ftp 192.168.0.11", I get the response: "ftp: connect: Connection refused"
- I need to get ftp running in order to install Joomla

The setup:
- I have a CentOS 4.4 machine with vsftpd-2.0.1-6.el4 and vsftpd-2.0.1-6.el4 installed.
- The machine is remote, so I have no GUI access.
- A ps -ef shows that both xinetd and vsftpd are indeed running.
- I have tried active and passive setups, to no avail. You'll see the extra ports in iptables I was trying.
- Even though it is late, I did remember to restart vsftpd after making changes...and xinetd for the hell of it. Both came back. Nothing changed.

This leads me to believe that vsftpd is working ok, but there is some firewall issue.
Here is some good machine info:

[root@Charlotte vsftpd]# cat vsftpd.conf | grep -v \#
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
xferlog_std_format=YES
ftpd_banner=Welcome to McBarnett FTP service.
pam_service_name=vsftpd
userlist_enable=YES
listen=YES
tcp_wrappers=YES

[root@Charlotte vsftpd]# /sbin/service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 7 prefix `BANDWIDTH_IN:'
RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 7 prefix `BANDWIDTH_OUT:'
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 7 prefix `BANDWIDTH_IN:'
RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 7 prefix `BANDWIDTH_OUT:'

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0
ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:631
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:21
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:20
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpts:40000:40100
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:10000
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:135 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:139 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:445 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:137:138 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1030 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1900 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:9080 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:9000:9010 state NEW
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Table: mangle
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Table: nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

[root@Charlotte sysconfig]# cat iptables-config | grep -v \#
IPTABLES_MODULES="ip_conntrack_ftp"
IPTABLES_MODULES_UNLOAD="yes"
IPTABLES_SAVE_ON_STOP="no"
IPTABLES_SAVE_ON_RESTART="no"
IPTABLES_SAVE_COUNTER="no"
IPTABLES_STATUS_NUMERIC="yes"


I have pored over Wikis, forums, and here - and found many close things - but nothing that fixed me. I will toast the Sun with a beer of your choice if you can help me. Up here in Stockholm at this time of year, that's a rare sight!
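
A way to answer the question this post raises ("is it vsftpd or is it the firewall?") without guessing, as an added example that is not code from anyone in the thread: cross-check the posted vsftpd.conf against the posted `iptables -L -n -v --line-numbers` chain. The sample inputs below are the config and the RH-Firewall-1-INPUT chain from this thread (the chain listing is abridged to the rules that matter, original rule numbers kept); the interface name `eth0` comes from the listing and the module list from `/etc/sysconfig/iptables-config`. The important detail is rule 1, which accepts everything arriving on `lo`: it is why `ftp localhost` works regardless of the rest of the chain, so reachability from the LAN has to be evaluated with that rule excluded. The passive-mode logic generalises beyond this config: it also handles a `pasv_min_port`/`pasv_max_port` range if one is set.

```python
"""Cross-check vsftpd.conf against an `iptables -L -n -v --line-numbers` chain.

Added example for this thread, not code posted in it. Sample inputs are the
vsftpd.conf and (abridged) RH-Firewall-1-INPUT chain from the thread.
"""
import re

# vsftpd.conf as posted (comments already stripped with `grep -v \#`).
VSFTPD_CONF = """\
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
xferlog_std_format=YES
ftpd_banner=Welcome to McBarnett FTP service.
pam_service_name=vsftpd
userlist_enable=YES
listen=YES
tcp_wrappers=YES
"""

# The user-defined chain INPUT jumps to, abridged; rule numbers as posted.
IPTABLES_LISTING = """\
Chain RH-Firewall-1-INPUT (2 references)
num pkts bytes target prot opt in out source destination
1 1288 103K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
2 77 6974 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 255
7 172K 190M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
8 1940 102K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
10 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:21
11 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:20
12 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpts:40000:40100
13 1 52 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
19 4234 707K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:138 state NEW
24 3360 1633K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
"""

# IPTABLES_MODULES from the posted /etc/sysconfig/iptables-config.
IPTABLES_CONFIG_MODULES = "ip_conntrack_ftp"

PORT_RE = re.compile(r"dpts?:(\d+)(?::(\d+))?")
STATE_RE = re.compile(r"state (\S+)")


def parse_vsftpd_conf(text):
    """Return vsftpd.conf as a dict; blank lines and comments are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf


def parse_iptables_verbose(text):
    """Parse `iptables -L -n -v --line-numbers` output into a list of rule dicts."""
    rules, chain = [], None
    for line in text.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        parts = line.split(None, 10)  # num pkts bytes target prot opt in out src dst [extras]
        if chain is None or len(parts) < 10 or not parts[0].isdigit():
            continue
        extras = parts[10] if len(parts) > 10 else ""
        ports, states = PORT_RE.search(extras), STATE_RE.search(extras)
        rules.append({
            "chain": chain, "num": int(parts[0]), "target": parts[3],
            "proto": parts[4], "in_if": parts[6],
            "ports": (int(ports.group(1)), int(ports.group(2) or ports.group(1))) if ports else None,
            "states": set(states.group(1).split(",")) if states else set(),
        })
    return rules


def new_connection_verdict(rules, chain, proto, port, in_if):
    """Walk one chain for a NEW packet arriving on in_if. Returns the first terminal
    target ('ACCEPT', 'REJECT' or 'DROP') that matches, or None if none does."""
    for r in rules:
        if r["chain"] != chain or r["target"] not in ("ACCEPT", "REJECT", "DROP"):
            continue
        if r["in_if"] not in ("*", in_if) or r["proto"] not in ("all", proto):
            continue
        if r["states"] and "NEW" not in r["states"]:
            continue  # RELATED,ESTABLISHED rules never match a fresh SYN
        if r["ports"] and not (r["ports"][0] <= port <= r["ports"][1]):
            continue
        return r["target"]
    return None


def check_ftp_reachability(conf, rules, chain="RH-Firewall-1-INPUT", in_if="eth0", modules=""):
    """Summarise what the chain permits for the FTP control and passive data connections."""
    def verdict(port):
        return new_connection_verdict(rules, chain, "tcp", port, in_if)

    report = {
        "standalone_listener": conf.get("listen", "NO").upper() == "YES",
        "control_port": verdict(21),
        "pasv_range": None, "pasv_range_verdict": None,
        # Without a pinned range vsftpd uses any free port, so inbound passive data
        # connections are only accepted if the conntrack FTP helper marks them RELATED
        # and a RELATED,ESTABLISHED accept rule exists for the same interface.
        "ftp_helper_loaded": any(m in modules for m in ("ip_conntrack_ftp", "nf_conntrack_ftp")),
        "related_accepted": any(
            r["chain"] == chain and r["target"] == "ACCEPT" and "RELATED" in r["states"]
            and r["in_if"] in ("*", in_if) and r["proto"] in ("all", "tcp") for r in rules),
    }
    lo, hi = int(conf.get("pasv_min_port", "0")), int(conf.get("pasv_max_port", "0"))
    if conf.get("pasv_enable", "YES").upper() == "YES" and lo and hi:
        report["pasv_range"] = (lo, hi)
        report["pasv_range_verdict"] = (verdict(lo), verdict(hi))
    report["passive_ok"] = (report["pasv_range_verdict"] == ("ACCEPT", "ACCEPT")
                            or (report["ftp_helper_loaded"] and report["related_accepted"]))
    return report


if __name__ == "__main__":
    conf = parse_vsftpd_conf(VSFTPD_CONF)
    rules = parse_iptables_verbose(IPTABLES_LISTING)
    for key, value in check_ftp_reachability(conf, rules, modules=IPTABLES_CONFIG_MODULES).items():
        print(f"{key:20s} {value}")
```

Run against the thread's own listings the report says the control port is accepted on eth0, no passive range is pinned, and passive data connections are covered by `ip_conntrack_ftp` plus rule 7; the 40000:40100 rule is therefore unused unless `pasv_min_port`/`pasv_max_port` are added to vsftpd.conf. A clean report like this points away from the ruleset and towards the listener or the address being dialled, which is where this thread ends up.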

Re: Have vsftpd running, but only to localhost - need help for settings to get remote access

Posted: 2008/11/28 08:32:18
by arrfab
No other firewall between your machine and the server ?
What's the result of `iptables -L -n -v --line-numbers` ?

Re: Have vsftpd running, but only to localhost - need help for settings to get remote access

Posted: 2008/11/28 15:02:54
by bbarnett
The results would be:

[root@Charlotte vsftpd]# /sbin/iptables -L -n -v --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 192K 196M LOG all -- eth0 * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 7 prefix `BANDWIDTH_IN:'
2 193K 196M RH-Firewall-1-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 LOG all -- * eth0 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 7 prefix `BANDWIDTH_OUT:'
2 0 0 LOG all -- eth0 * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 7 prefix `BANDWIDTH_IN:'
3 0 0 RH-Firewall-1-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 121K packets, 20M bytes)
num pkts bytes target prot opt in out source destination
1 119K 20M LOG all -- * eth0 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 7 prefix `BANDWIDTH_OUT:'

Chain RH-Firewall-1-INPUT (2 references)
num pkts bytes target prot opt in out source destination
1 1288 103K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
2 77 6974 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 255
3 0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
5 0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353
6 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:631
7 172K 190M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
8 1940 102K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
9 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
10 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:21
11 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:20
12 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpts:40000:40100
13 1 52 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
14 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25
15 17 884 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:10000
16 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:135 state NEW
17 9 436 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139 state NEW
18 1 52 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445 state NEW
19 4234 707K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:138 state NEW
20 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1030 state NEW
21 10451 3816K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1900 state NEW
22 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:9080 state NEW
23 2 96 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:9000:9010 state NEW
24 3360 1633K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Also: while investigating xinetd a bit more, I tried changing vsftpd to run in standalone (changed listen=YES to listen=NO in /etc/vsftpd/vsftpd.conf and restarted vsftpd). As expected, it wouldn't start back up, instead waiting for xinetd to start it up. I also added this in the /etc/xinetd.conf file:

service ftp
{
disable = no
socket_type = stream
wait = no
user = root
server = /usr/sbin/vsftpd
nice = 10
}

...and restarted xinetd (it restarted successfully). Again: no joy.

Alternately, I was going to try to shut xinetd down and go back to standalone. Got any ideas?

Re: Have vsftpd running, but only to localhost - need help for settings to get remote access

Posted: 2008/11/28 15:10:05
by bbarnett
Oh yeah...the other question: There are no other firewalls that I know of running on this server. For now, I am just trying to get ftp working from the same box, so external network equipment isn't part of the equation yet. That'll be next, though I think I've already set up the firewalls here and at the site where the server is - dunno what the ISPs have done to me.

The machine's IP is 192.168.0.11, so if I am on a shell on that machine and I can get an "ftp 192.168.0.11" to work, then I presume that I am good to go with the whole firewall, vsftpd, xinetd issue. Then, I'll try that same thing from another machine inside that network. If it works, then I'll get into trying the true remote scenario across the two firewalls.

Re: Have vsftpd running, but only to localhost - need help for settings to get remote access

Posted: 2008/11/29 07:56:18
by bbarnett
Uh...er...I suppose if I used the right IP address, all would have been better....everything works....and I learned a bit too.....