vsftpd on Stretch "ftp: connect: Connection refused"

asweetrameking
Posts: 17
Joined: 2021-01-08 15:24

vsftpd on Stretch "ftp: connect: Connection refused"

#1 Post by asweetrameking »

Hello,
I set up a vsftpd server using Debian 9 Stretch, and I can connect to it (and log in) using "ftp localhost 21" or "telnet localhost 21", but not by replacing "localhost" with the external IP address. When I do that on the same machine, I get the error "ftp: connect: Connection refused". Similarly, I cannot connect from a remote machine from a different location.
I thought that this may have something to do with the firewall, but typing "sudo ufw status" gives:

Code: Select all

Status: active

To                         Action      From
--                         ------      ----
20:21/tcp                  ALLOW       Anywhere                  
30000:31000/tcp            ALLOW       Anywhere                  
20:21/tcp (v6)             ALLOW       Anywhere (v6)             
30000:31000/tcp (v6)       ALLOW       Anywhere (v6)             

This seems to be working, but I notice several errors after I re-enable ufw ("sudo ufw disable" and "sudo ufw enable"):

Code: Select all

ERROR: problem running ufw-init
modprobe: FATAL: Module nf_conntrack_netbios_ns not found in directory /lib/modules/4.4.241-19420-g5a63ca2874a0
iptables-restore: line 77 failed
iptables-restore: line 33 failed
ip6tables-restore: line 138 failed
ip6tables-restore: line 33 failed

Problem running '/etc/ufw/before.rules'
Problem running '/etc/ufw/user.rules'
Problem running '/etc/ufw/before6.rules'
Problem running '/etc/ufw/user6.rules'

Could this be the problem, though "sudo ufw status" shows that everything is working fine? I don't know if this is relevant (also, it seems the only "iptables" command which is installed is "iptables-xml", and I don't have the "modprobe" command).
Here is the "/etc/vsftpd.conf" file (w/o comments):

Code: Select all

listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
ftpd_banner=Welcome to the silly FTP service.
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
user_sub_token=$USER
local_root=/home/$USER/ftp
pasv_min_port=30000
pasv_max_port=31000
userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
userlist_deny=NO

^ I replaced the actual username with "$USER" here.
I have looked through countless threads concerning similar issues (like not being able to access a vsftpd server remotely, though it is accessible locally), and many of the solutions seem to be to restart the server / machine. I tried that as well as reinstalling "vsftpd", but nothing has changed. Also, the default settings in "/etc/vsftpd.conf" still yield the same error.
Some links to similar problems:
https://serverfault.com/questions/27959 ... om-outside (I suppose that I would be on step 2. here.)
https://askubuntu.com/questions/890763/ ... ys-refused
https://www.linuxquestions.org/question ... 175584712/ (opening port 22 successfully without SSH or OpenSSH does not appear to alleviate the problem).
I tried to reinstall the "iptables" package for Stretch, but it looks as if its package does not include the "iptables" command (which would probably be helpful)! Thank you for reading.
Have a great day!

p.H
Global Moderator
Global Moderator
Posts: 3049
Joined: 2017-09-17 07:12
Has thanked: 5 times
Been thanked: 132 times

Re: vsftpd on Stretch "ftp: connect: Connection refused"

#2 Post by p.H »

Is the external IP address an IPv4 or IPv6 address?
Did you check the listening sockets with "netstat -ntl" or "ss -ntl"?

asweetrameking
Posts: 17
Joined: 2021-01-08 15:24

Re: vsftpd on Stretch "ftp: connect: Connection refused"

#3 Post by asweetrameking »

The external address is IPv4, and "netstat -ntl" returns:

Code: Select all

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp6       0      0 :::21                   :::*                    LISTEN

p.H
Global Moderator
Global Moderator
Posts: 3049
Joined: 2017-09-17 07:12
Has thanked: 5 times
Been thanked: 132 times

Re: vsftpd on Stretch "ftp: connect: Connection refused"

#4 Post by p.H »

This is an IPv6 socket. Not sure if that still accepts IPv4 connections in current kernels. Can you connect using 127.0.0.1?

asweetrameking
Posts: 17
Joined: 2021-01-08 15:24

Re: vsftpd on Stretch "ftp: connect: Connection refused"

#5 Post by asweetrameking »

Yes; connecting using 127.0.0.1 works just fine.

reinob
Posts: 1189
Joined: 2014-06-30 11:42
Has thanked: 97 times
Been thanked: 47 times

Re: vsftpd on Stretch "ftp: connect: Connection refused"

#6 Post by reinob »

I would first fix the firewall mess you have. You can't just ignore those errors from ufw.
You should install iptables (it is of course available for stretch) and check your rules.
The iptables command is stored in /sbin, so you should log in as root (or do "su -" and not just "su").

Then you can check what ufw has done or has not done.

asweetrameking
Posts: 17
Joined: 2021-01-08 15:24

Re: vsftpd on Stretch "ftp: connect: Connection refused"

#7 Post by asweetrameking »

Oh--thanks! I didn't know what the purpose of "/sbin" was--thanks for the tip!

asweetrameking
Posts: 17
Joined: 2021-01-08 15:24

Re: vsftpd on Stretch "ftp: connect: Connection refused"

#8 Post by asweetrameking »

Okay. So, I was able to get these results after typing "# iptables -L -n":

Code: Select all

Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     udp  --  0.0.0.0/0            XX.XX.XX.XX          udp dpt:5353
ACCEPT     udp  --  0.0.0.0/0            XX.XX.XX.XX      udp dpt:1900
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8889
ufw-before-logging-input  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-before-input  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-after-input  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-after-logging-input  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-reject-input  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-track-input  all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0            mark match 0x1/0x1 state INVALID
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            mark match 0x1/0x1
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ufw-before-logging-forward  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-before-forward  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-after-forward  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-after-logging-forward  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-reject-forward  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-track-forward  all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       all  --  XX.XX.XX.XX/XX      0.0.0.0/0           
DROP       all  --  XX.XX.XX.XX/XX      0.0.0.0/0           
DROP       all  --  XX.XX.XX.XX/XX      0.0.0.0/0           
DROP       all  --  XX.XX.XX.XX/XX      0.0.0.0/0           
DROP       all  --  XX.XX.XX.XX/XX      0.0.0.0/0           
DROP       all  --  XX.XX.XX.XX/XX      0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ufw-before-logging-output  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-before-output  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-after-output  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-after-logging-output  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-reject-output  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-track-output  all  --  0.0.0.0/0            0.0.0.0/0

I am unsure whether the Chain sections below this are relevant, so I didn't include them. However, it doesn't look like there are any mentions of ports 21 or 20 anywhere, or the passive ports! Is this connected to the problem with the errors from "sudo ufw enable"?

p.H
Global Moderator
Global Moderator
Posts: 3049
Joined: 2017-09-17 07:12
Has thanked: 5 times
Been thanked: 132 times

Re: vsftpd on Stretch "ftp: connect: Connection refused"

#9 Post by p.H »

I refuse to read the output of "iptables -L" any more. Please post the full output of "iptables-save" instead.

asweetrameking wrote: Yes; connecting using 127.0.0.1 works just fine.

So the IPv6 socket accepts IPv4 connections, and it should accept connections to any local IPv4 address.

What did you mean exactly by "external IP address" in your original post? Is it an address assigned to a network interface of the server, or is it assigned to another machine which is supposed to redirect and forward the FTP connections to the server?

asweetrameking
Posts: 17
Joined: 2021-01-08 15:24

Re: vsftpd on Stretch "ftp: connect: Connection refused"

#10 Post by asweetrameking »

Here is the full output of "iptables-save":

Code: Select all

# Generated by iptables-save v1.6.0 on Sun Feb 21 14:28:46 2021
*security
:INPUT ACCEPT [1215862:3220561900]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1059078:151833467]
COMMIT
# Completed on Sun Feb 21 14:28:46 2021
# Generated by iptables-save v1.6.0 on Sun Feb 21 14:28:46 2021
*raw
:PREROUTING ACCEPT [1223346:3221599106]
:OUTPUT ACCEPT [1059036:151830319]
-A PREROUTING -p udp -m udp --dport 1900 -j CT --helper ssdp
-A OUTPUT -d 224.0.0.251/32 -p udp -m udp ! --sport 5353 --dport 5353 -j CT --helper mdns
-A OUTPUT -p udp -m udp --dport 1900 -j CT --helper ssdp
COMMIT
# Completed on Sun Feb 21 14:28:46 2021
# Generated by iptables-save v1.6.0 on Sun Feb 21 14:28:46 2021
*nat
:PREROUTING ACCEPT [7922:1059891]
:INPUT ACCEPT [1316:395126]
:OUTPUT ACCEPT [92793:8436633]
:POSTROUTING ACCEPT [92793:8436633]
-A POSTROUTING -m mark --mark 0x1/0x1 -j MASQUERADE
COMMIT
# Completed on Sun Feb 21 14:28:46 2021
# Generated by iptables-save v1.6.0 on Sun Feb 21 14:28:46 2021
*mangle
:PREROUTING ACCEPT [1223338:3221598506]
:INPUT ACCEPT [1223162:3221249738]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1059028:151829719]
:POSTROUTING ACCEPT [1060342:151939640]
:rx_fwd_wlan0 - [0:0]
:rx_input_wlan0 - [0:0]
:tx_fwd_wlan0 - [0:0]
:tx_postrt_wlan0 - [0:0]
-A PREROUTING -i vmtap+ -j MARK --set-xmark 0x1/0x1
-A INPUT -i wlan0 -j rx_input_wlan0
-A FORWARD -o wlan0 -j tx_fwd_wlan0
-A FORWARD -i wlan0 -j rx_fwd_wlan0
-A POSTROUTING -o wlan0 -j CONNMARK --set-xmark 0x3ea0000/0xffff0000
-A POSTROUTING -o wlan0 -m owner --socket-exists -j tx_postrt_wlan0
-A rx_fwd_wlan0
-A rx_input_wlan0
-A tx_fwd_wlan0
-A tx_postrt_wlan0
COMMIT
# Completed on Sun Feb 21 14:28:46 2021
# Generated by iptables-save v1.6.0 on Sun Feb 21 14:28:46 2021
*filter
:INPUT DROP [20:712]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [19:988]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-forward - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A INPUT -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A INPUT -i vmtap+ -p tcp -m tcp --dport 8889 -j ACCEPT
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -m mark --mark 0x1/0x1 -m state --state INVALID -j DROP
-A FORWARD -m mark --mark 0x1/0x1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -s 100.115.92.0/23 -o rmnet+ -j DROP
-A OUTPUT -s 100.115.92.0/23 -o wwan+ -j DROP
-A OUTPUT -s 100.115.92.0/23 -o usb+ -j DROP
-A OUTPUT -s 100.115.92.0/23 -o mlan+ -j DROP
-A OUTPUT -s 100.115.92.0/23 -o wlan+ -j DROP
-A OUTPUT -s 100.115.92.0/23 -o eth+ -j DROP
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -j ufw-user-output
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
COMMIT
# Completed on Sun Feb 21 14:28:46 2021
I have not directly modified iptables yet because I was using ufw.
So, I am unfamiliar with the terminology, but I thought what I was using as the IP address was called the "external address." I suppose I am confused about what to call it, but the address I am attempting to use is the same one as the one I use for internet access, and I am hoping to connect to clients through this same address. I don't know if this is what smaller servers do too, but I thought this made sense. The public IP address (which I am using) is, I think, associated with the router, but I am running the server off of my computer, connected to the internet. Please tell me if this sounds wrong or not. Thank you for reading!
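
Added example (not part of the original thread and not any poster's code): a small Python evaluator that walks the filter table of "iptables-save" output and reports what happens to a new inbound connection, which makes the gap between "ufw status" and the loaded ruleset visible. The function names are hypothetical and the matcher is deliberately simplified: any option it does not model makes a rule count as non-matching.

```python
import shlex
# Constructed sample: the *filter table posted above, abridged to the INPUT path.
SAVE = """\
*filter
:INPUT DROP [20:712]
:ufw-before-input - [0:0]
:ufw-user-input - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i vmtap+ -p tcp -m tcp --dport 8889 -j ACCEPT
-A INPUT -j ufw-before-input
-A ufw-before-input -j ufw-user-input
COMMIT
"""

def parse_filter(text):
    """Return (policies, chains) for the filter table of iptables-save text."""
    policies, chains, table = {}, {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
        elif table == "filter" and line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name], chains[name] = policy, []
        elif table == "filter" and line.startswith("-A "):
            _, name, *rule = shlex.split(line)
            chains.setdefault(name, []).append(rule)
    return policies, chains

def rule_matches(rule, iface, proto, dport):
    """Test a NEW inbound packet against one rule (simplified matcher)."""
    opts = rule[:rule.index("-j")]
    if len(opts) % 2:
        return False  # valueless flag or "!" negation: not modelled here
    for opt, val in zip(opts[::2], opts[1::2]):
        ok = False  # unhandled options (addresses, other modules): no match
        if opt == "-i":
            ok = iface.startswith(val[:-1]) if val.endswith("+") else iface == val
        elif opt in ("-p", "-m"):
            ok = opt == "-m" or val == proto  # -m only names a match module
        elif opt in ("--dport", "--dports"):
            ok = any(int(lo) <= dport <= int(hi or lo)
                     for lo, _, hi in (p.partition(":") for p in val.split(",")))
        elif opt in ("--state", "--ctstate"):
            ok = "NEW" in val.split(",")
        if not ok:
            return False
    return True

def verdict(text, iface, proto, dport, chain="INPUT"):
    policies, chains = parse_filter(text)
    def walk(name):  # follow jumps; an empty or unknown chain yields None
        for rule in chains.get(name, []):
            if "-j" in rule and rule_matches(rule, iface, proto, dport):
                target = rule[rule.index("-j") + 1]
                found = target if target in ("ACCEPT", "DROP", "REJECT") else walk(target)
                if found:
                    return found
    return walk(chain) or policies[chain]
```

On the sample, verdict(SAVE, "wlan0", "tcp", 21) falls through the empty ufw-user-input chain to the INPUT policy, while the same port on "lo" is accepted, which matches local logins working.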

reinob
Posts: 1189
Joined: 2014-06-30 11:42
Has thanked: 97 times
Been thanked: 47 times

Re: vsftpd on Stretch "ftp: connect: Connection refused"

#11 Post by reinob »

Does your server/computer have a public IP?

From your text I'd tend to think that actually only your router is connected to the Internet (has a public/routable IP address), and your computer/server has a local address (10.xx or 192.168.xx, etc.), which means that if a client connects to your public IP it will actually connect to your router.

If the router doesn't offer/allow ftp connections, then they/you get the "Connection refused."

If the above is all true, then you need to configure your router so that it forwards incoming connections on port 21 to your computer.

If I understood it wrong, then I'll check again later :)

asweetrameking
Posts: 17
Joined: 2021-01-08 15:24

Re: vsftpd on Stretch "ftp: connect: Connection refused"

#12 Post by asweetrameking »

So I allowed port 21 forwarding on the router, and regardless of the ftp server's status, it now always says (after typing the ftp command for port 21 with the public/routable IP address) this error: "421 Service not available, remote server has closed connection". I wonder if this is now when I have to deal with the iptables. Since ufw is not working well, should I just manually edit the rules (I have never done this)? Thanks for the help!

p.H
Global Moderator
Global Moderator
Posts: 3049
Joined: 2017-09-17 07:12
Has thanked: 5 times
Been thanked: 132 times

Re: vsftpd on Stretch "ftp: connect: Connection refused"

#13 Post by p.H »

Try this as a test (not persistent):

Code: Select all

iptables -I INPUT -p tcp --dport 21 -j ACCEPT

reinob
Posts: 1189
Joined: 2014-06-30 11:42
Has thanked: 97 times
Been thanked: 47 times

Re: vsftpd on Stretch "ftp: connect: Connection refused"

#14 Post by reinob »

Best would be if you manage to remove any firewall configuration, so that at least you can know if the problem is related to the firewall.

I have a feeling that your router cannot handle ftp (which is for modern standards a weird protocol, using port 21 for the protocol but port 20 for the session data).

If it doesn't work after having killed all your firewall rules, then it's your router.

In the end, you'll learn not to want to have an ftp listening to the outside world. Use ssh/sftp and stop worrying :)

asweetrameking
Posts: 17
Joined: 2021-01-08 15:24

Re: vsftpd on Stretch "ftp: connect: Connection refused"

#15 Post by asweetrameking »

I did both, starting with the code "iptables -I INPUT -p tcp --dport 21 -j ACCEPT". After doing this, I noticed that iptables-save had a new line: "-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT". However, I got the same result: "421 Service not available, remote server has closed connection".
I also disabled both ufw and iptables temporarily (so that iptables -L was empty). The same error occurred. It must be with the router, then.

reinob wrote: In the end, you'll learn not to want to have an ftp listening to the outside world. Use ssh/sftp and stop worrying :)

Thanks for the advice! Though I am now curious as to what it is with the router which is causing this error :?:

asweetrameking
Posts: 17
Joined: 2021-01-08 15:24

Re: vsftpd on Stretch "ftp: connect: Connection refused"

#16 Post by asweetrameking »

I got it to work! Apparently the router didn't recognise my device. I used a different one, and that one works. I can now remotely access the ftp server!
