vsftpd on Stretch "ftp: connect: Connection refused"


Postby asweetrameking » 2021-02-19 15:28

Hello,
I set up a vsftpd server using Debian 9 Stretch, and I can connect to it (and log in) using "ftp localhost 21" or "telnet localhost 21", but not by replacing "localhost" with the external IP address. When I do that on the same machine, I get the error:
Code: Select all
ftp: connect: Connection refused
Similarly, I cannot connect from a remote machine from a different location.
I thought that this may have something to do with the firewall, but typing "sudo ufw status" gives:
Code: Select all
Status: active

To                         Action      From
--                         ------      ----
20:21/tcp                  ALLOW       Anywhere                 
30000:31000/tcp            ALLOW       Anywhere                 
20:21/tcp (v6)             ALLOW       Anywhere (v6)             
30000:31000/tcp (v6)       ALLOW       Anywhere (v6)             
This seems to be working, but I notice several errors after I re-enable ufw ("sudo ufw disable" and "sudo ufw enable"):
Code: Select all
ERROR: problem running ufw-init
modprobe: FATAL: Module nf_conntrack_netbios_ns not found in directory /lib/modules/4.4.241-19420-g5a63ca2874a0
iptables-restore: line 77 failed
iptables-restore: line 33 failed
ip6tables-restore: line 138 failed
ip6tables-restore: line 33 failed

Problem running '/etc/ufw/before.rules'
Problem running '/etc/ufw/user.rules'
Problem running '/etc/ufw/before6.rules'
Problem running '/etc/ufw/user6.rules'
Could this be the problem, though "sudo ufw status" shows that everything is working fine? I don't know if this is relevant (also, it seems the only "iptables" command which is installed is "iptables-xml", and I don't have the "modprobe" command).
Here is the "/etc/vsftpd.conf" file (w/o comments):
Code: Select all
listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
ftpd_banner=Welcome to the silly FTP service.
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
user_sub_token=$USER
local_root=/home/$USER/ftp
pasv_min_port=30000
pasv_max_port=31000
userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
userlist_deny=NO
^I replaced the actual username with "$USER" here.
I have looked through countless threads concerning similar issues (like not being able to access a vsftpd server remotely, though it is accessible locally), and many of the solutions seem to be to restart the server / machine. I tried that as well as reinstalling "vsftpd", but nothing has changed. Also, default settings with "/etc/vsftpd.conf" still yields the same error.
Some links to similar problems:
https://serverfault.com/questions/27959/unable-to-access-vsftpd-from-outside (I suppose that I would be on step 2. here.)
https://askubuntu.com/questions/890763/connection-to-ftp-always-refused
https://www.linuxquestions.org/questions/linux-server-73/vsftpd-remote-connection-not-working-4175584712/ (opening port 22 successfully without SSH or OpenSSH does not appear to alleviate the problem).
I tried to reinstall the "iptables" package for Stretch, but it looks as if its package does not include the "iptables" command (which would probably be helpful)! Thank you for reading.
Have a great day!
asweetrameking
 
Posts: 17
Joined: 2021-01-08 15:24

Re: vsftpd on Stretch "ftp: connect: Connection refused"

Postby p.H » 2021-02-19 15:46

Is the external IP address an IPv4 or IPv6 address ?
Did you check the listening sockets with "netstat -ntl" or "ss -ntl" ?
p.H
 
Posts: 1740
Joined: 2017-09-17 07:12

Re: vsftpd on Stretch "ftp: connect: Connection refused"

Postby asweetrameking » 2021-02-19 15:54

The external address is IPv4, and "netstat -ntl" returns:
Code: Select all
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp6       0      0 :::21                   :::*                    LISTEN
asweetrameking
 
Posts: 17
Joined: 2021-01-08 15:24

Re: vsftpd on Stretch "ftp: connect: Connection refused"

Postby p.H » 2021-02-19 16:05

This is an IPv6 socket. Not sure if that still accepts IPv4 connections in current kernels. Can you connect using 127.0.0.1 ?
p.H
 
Posts: 1740
Joined: 2017-09-17 07:12

Re: vsftpd on Stretch "ftp: connect: Connection refused"

Postby asweetrameking » 2021-02-19 16:08

Yes; connecting using 127.0.0.1 works just fine.
asweetrameking
 
Posts: 17
Joined: 2021-01-08 15:24

Re: vsftpd on Stretch "ftp: connect: Connection refused"

Postby reinob » 2021-02-20 11:01

I would first fix the firewall mess you have. You can't just ignore those errors from ufw.
You should install iptables (it is of course available for stretch) and check your rules.
The iptables command is stored in /sbin, so you should log in as root (or do "su -" and not just "su").

Then you can check what ufw has done or has not done.
reinob
 
Posts: 910
Joined: 2014-06-30 11:42

Re: vsftpd on Stretch "ftp: connect: Connection refused"

Postby asweetrameking » 2021-02-20 12:26

Oh--thanks! I didn't know what the purpose of "/sbin" was--thanks for the tip!
asweetrameking
 
Posts: 17
Joined: 2021-01-08 15:24

Re: vsftpd on Stretch "ftp: connect: Connection refused"

Postby asweetrameking » 2021-02-20 16:39

Okay. So, I was able to get these results after typing "# iptables -L -n":
Code: Select all
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     udp  --  0.0.0.0/0            XX.XX.XX.XX          udp dpt:5353
ACCEPT     udp  --  0.0.0.0/0            XX.XX.XX.XX      udp dpt:1900
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8889
ufw-before-logging-input  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-before-input  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-after-input  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-after-logging-input  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-reject-input  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-track-input  all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0            mark match 0x1/0x1 state INVALID
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            mark match 0x1/0x1
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ufw-before-logging-forward  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-before-forward  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-after-forward  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-after-logging-forward  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-reject-forward  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-track-forward  all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       all  --  XX.XX.XX.XX/XX      0.0.0.0/0           
DROP       all  --  XX.XX.XX.XX/XX      0.0.0.0/0           
DROP       all  --  XX.XX.XX.XX/XX      0.0.0.0/0           
DROP       all  --  XX.XX.XX.XX/XX      0.0.0.0/0           
DROP       all  --  XX.XX.XX.XX/XX      0.0.0.0/0           
DROP       all  --  XX.XX.XX.XX/XX      0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ufw-before-logging-output  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-before-output  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-after-output  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-after-logging-output  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-reject-output  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-track-output  all  --  0.0.0.0/0            0.0.0.0/0

I am unsure whether the Chain sections below this are relevant, so I didn't include them. However, it doesn't look like there are any mentions of ports 21 or 20 anywhere, or the passive ports! Is this connected to the problem with the errors from "sudo ufw enable"?
asweetrameking
 
Posts: 17
Joined: 2021-01-08 15:24

Re: vsftpd on Stretch "ftp: connect: Connection refused"

Postby p.H » 2021-02-21 09:51

I refuse to read the output of "iptables -L" any more. Please post the full output of "iptables-save" instead.
asweetrameking wrote: Yes; connecting using 127.0.0.1 works just fine.

So the IPv6 socket accepts IPv4 connections, and it should accept connections to any local IPv4 address.

What did you mean exactly by "external IP address" in your original post ? Is it an address assigned to a network interface of the server, or is it assigned to another machine which is supposed to redirect and forward the FTP connections to the server ?
p.H
 
Posts: 1740
Joined: 2017-09-17 07:12

Re: vsftpd on Stretch "ftp: connect: Connection refused"

Postby asweetrameking » 2021-02-21 19:19

Here is the full output of "iptables-save":
Code: Select all
# Generated by iptables-save v1.6.0 on Sun Feb 21 14:28:46 2021
*security
:INPUT ACCEPT [1215862:3220561900]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1059078:151833467]
COMMIT
# Completed on Sun Feb 21 14:28:46 2021
# Generated by iptables-save v1.6.0 on Sun Feb 21 14:28:46 2021
*raw
:PREROUTING ACCEPT [1223346:3221599106]
:OUTPUT ACCEPT [1059036:151830319]
-A PREROUTING -p udp -m udp --dport 1900 -j CT --helper ssdp
-A OUTPUT -d 224.0.0.251/32 -p udp -m udp ! --sport 5353 --dport 5353 -j CT --helper mdns
-A OUTPUT -p udp -m udp --dport 1900 -j CT --helper ssdp
COMMIT
# Completed on Sun Feb 21 14:28:46 2021
# Generated by iptables-save v1.6.0 on Sun Feb 21 14:28:46 2021
*nat
:PREROUTING ACCEPT [7922:1059891]
:INPUT ACCEPT [1316:395126]
:OUTPUT ACCEPT [92793:8436633]
:POSTROUTING ACCEPT [92793:8436633]
-A POSTROUTING -m mark --mark 0x1/0x1 -j MASQUERADE
COMMIT
# Completed on Sun Feb 21 14:28:46 2021
# Generated by iptables-save v1.6.0 on Sun Feb 21 14:28:46 2021
*mangle
:PREROUTING ACCEPT [1223338:3221598506]
:INPUT ACCEPT [1223162:3221249738]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1059028:151829719]
:POSTROUTING ACCEPT [1060342:151939640]
:rx_fwd_wlan0 - [0:0]
:rx_input_wlan0 - [0:0]
:tx_fwd_wlan0 - [0:0]
:tx_postrt_wlan0 - [0:0]
-A PREROUTING -i vmtap+ -j MARK --set-xmark 0x1/0x1
-A INPUT -i wlan0 -j rx_input_wlan0
-A FORWARD -o wlan0 -j tx_fwd_wlan0
-A FORWARD -i wlan0 -j rx_fwd_wlan0
-A POSTROUTING -o wlan0 -j CONNMARK --set-xmark 0x3ea0000/0xffff0000
-A POSTROUTING -o wlan0 -m owner --socket-exists -j tx_postrt_wlan0
-A rx_fwd_wlan0
-A rx_input_wlan0
-A tx_fwd_wlan0
-A tx_postrt_wlan0
COMMIT
# Completed on Sun Feb 21 14:28:46 2021
# Generated by iptables-save v1.6.0 on Sun Feb 21 14:28:46 2021
*filter
:INPUT DROP [20:712]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [19:988]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-forward - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A INPUT -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A INPUT -i vmtap+ -p tcp -m tcp --dport 8889 -j ACCEPT
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -m mark --mark 0x1/0x1 -m state --state INVALID -j DROP
-A FORWARD -m mark --mark 0x1/0x1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -s 100.115.92.0/23 -o rmnet+ -j DROP
-A OUTPUT -s 100.115.92.0/23 -o wwan+ -j DROP
-A OUTPUT -s 100.115.92.0/23 -o usb+ -j DROP
-A OUTPUT -s 100.115.92.0/23 -o mlan+ -j DROP
-A OUTPUT -s 100.115.92.0/23 -o wlan+ -j DROP
-A OUTPUT -s 100.115.92.0/23 -o eth+ -j DROP
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -j ufw-user-output
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
COMMIT
# Completed on Sun Feb 21 14:28:46 2021

I have not directly modified iptables yet because I was using ufw.
So, I am unfamiliar with the terminology, but I thought what I was using as the IP address was called the "external address." I suppose I am confused about what to call it, but the address I am attempting to use is the same one as the one I use for internet access, and I am hoping to connect to clients through this same address. I don't know if this is what smaller servers do too, but I thought this made sense. The public IP address (which I am using) is, I think, associated with the router, but I am running the server off of my computer, connected to the internet. Please tell me if this sounds wrong or not. Thank you for reading!
asweetrameking
 
Posts: 17
Joined: 2021-01-08 15:24
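
The mismatch discussed in this thread ("ufw status" lists ALLOW rules while the loaded ruleset contains none for port 21) can be checked mechanically from "iptables-save" output. This is an added example, not code from any poster: the ruleset is a constructed excerpt, the multiport rule in FIXED is an assumed form, and the chain walk is simplified (rules restricted by interface, address or negation are skipped, so it answers for a generic remote host).

```python
# Constructed excerpt modelled on the *filter table posted above: ufw's chains
# exist, but ufw-user-input (where "ufw allow" rules are loaded) is empty.
BROKEN = """*filter
:INPUT DROP [20:712]
:ufw-user-input - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j ufw-before-input
-A ufw-before-input -j ufw-user-input
COMMIT
"""
# Assumption: the rule a working "ufw allow 20:21/tcp" would have loaded.
FIXED = BROKEN.replace(
    "COMMIT", "-A ufw-user-input -p tcp -m multiport --dports 20:21 -j ACCEPT\nCOMMIT")

def parse_filter(text):
    """Return ({chain: policy}, {chain: [rule tokens]}) for the *filter table."""
    policy, rules, table = {}, {}, None
    for tok in (l.split() for l in text.splitlines() if l.strip()):
        if tok[0].startswith("*"):
            table = tok[0][1:]
        elif table == "filter" and tok[0].startswith(":"):
            policy[tok[0][1:]] = tok[1]
        elif table == "filter" and tok[0] == "-A":
            rules.setdefault(tok[1], []).append(tok[2:])
    return policy, rules

def get(rule, flag):
    return rule[rule.index(flag) + 1] if flag in rule else None  # option value

def covers(rule, port):
    """True if the rule matches a NEW TCP connection to `port` from any host."""
    if "!" in rule or any(get(rule, f) for f in ("-i", "-s", "-d")):
        return False  # interface- or address-restricted rules are skipped
    states = get(rule, "--state") or get(rule, "--ctstate")
    if get(rule, "-p") not in (None, "tcp", "all") or (states and "NEW" not in states.split(",")):
        return False
    spec = get(rule, "--dport") or get(rule, "--dports")
    ranges = [p.partition(":") for p in spec.split(",")] if spec else []
    return not spec or any(int(lo) <= port <= int(hi or lo) for lo, _, hi in ranges)

def verdict(text, port, chain="INPUT"):
    """Simplified first-match walk of `chain`; return ACCEPT, DROP or REJECT."""
    policy, rules = parse_filter(text)
    def walk(name):
        for rule in (r for r in rules.get(name, []) if covers(r, port)):
            target = get(rule, "-j")
            if target in ("ACCEPT", "DROP", "REJECT", "RETURN"):
                return target
            result = walk(target) if target in rules else None
            if result and result != "RETURN":
                return result
        return None
    result = walk(chain)
    return result if result in ("ACCEPT", "DROP", "REJECT") else policy.get(chain, "ACCEPT")
```

Feeding it the real output of "iptables-save" instead of the constructed sample shows whether a port that ufw reports as allowed is actually accepted by the rules the kernel has loaded.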

Re: vsftpd on Stretch "ftp: connect: Connection refused"

Postby reinob » 2021-02-22 13:09

Does your server/computer have a public IP?

From your text I'd tend to think that actually only your router is connected to the Internet (has a public/routable IP address), and your computer/server has a local address (10.xx or 192.168.xx, etc.), which means that if a client connects to your public IP it will actually connect to your router.

If the router doesn't offer/allow ftp connections, then they/you get the "Connection refused."

If the above is all true, then you need to configure your router so that it forwards incoming connections on port 21 to your computer.

If I understood it wrong, then I'll check again later :)
reinob
 
Posts: 910
Joined: 2014-06-30 11:42

Re: vsftpd on Stretch "ftp: connect: Connection refused"

Postby asweetrameking » 2021-02-22 23:45

So I allowed port 21 forwarding on the router, and regardless of the ftp server's status, it now always says (after typing the ftp command for port 21 with the public/routable IP address) this error:
Code: Select all
421 Service not available, remote server has closed connection
I wonder if this is now when I have to deal with the iptables. Since ufw is not working well, should I just manually edit the rules (I have never done this)? Thanks for the help!
asweetrameking
 
Posts: 17
Joined: 2021-01-08 15:24

Re: vsftpd on Stretch "ftp: connect: Connection refused"

Postby p.H » 2021-02-23 08:32

Try this as a test (not persistent) :
Code: Select all
iptables -I INPUT -p tcp --dport 21 -j ACCEPT
p.H
 
Posts: 1740
Joined: 2017-09-17 07:12

Re: vsftpd on Stretch "ftp: connect: Connection refused"

Postby reinob » 2021-02-23 14:42

Best would be if you manage to remove any firewall configuration, so that at least you can know if the problem is related to the firewall.

I have a feeling that your router cannot handle ftp (which is for modern standards a weird protocol, using port 21 for the protocol but port 20 for the session data).

If it doesn't work after having killed all your firewall rules, then it's your router.

In the end, you'll learn not to want to have an ftp listening to the outside world. Use ssh/sftp and stop worrying :)
reinob
 
Posts: 910
Joined: 2014-06-30 11:42

Re: vsftpd on Stretch "ftp: connect: Connection refused"

Postby asweetrameking » 2021-02-23 16:30

I did both, starting with the code:
Code: Select all
iptables -I INPUT -p tcp --dport 21 -j ACCEPT
After doing this, I noticed that iptables-save had a new line:
Code: Select all
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
However, I got the same result:
Code: Select all
421 Service not available, remote server has closed connection
I also disabled both ufw and iptables temporarily (so that iptables -L was empty). The same error occurred. It must be with the router, then.

reinob wrote: In the end, you'll learn not to want to have an ftp listening to the outside world. Use ssh/sftp and stop worrying :)

Thanks for the advice! Though I am now curious as to what it is with the router which is causing this error :?:
asweetrameking
 
Posts: 17
Joined: 2021-01-08 15:24
