Vsftpd Configuration Problem


Greetings,

Beginning today, I started to receive the following when ftp’ing to my CentOS 6 machine:
ncftp /home/pyz2 > dir
connect failed: No route to host.
connect failed: No route to host.
connect failed: No route to host.
Falling back to PORT instead of PASV mode.

I can make a connection, but I can’t get a directory listing or transfer data/files.

I’m flummoxed.

What I had been doing is adding more directives to my /etc/hosts.deny file, today to include certain categories of ip addresses for the vsftpd service.

I unwound that after I saw the problem starting to occur, and have restarted vsftpd several times.

That hasn’t changed the above issue.

And yes, I’ve googled.

My firewall setting has port 21 open.

I can remotely telnet to hostname 21

and I get a response indicating that the port is open.

Any advice would be appreciated.

Much thanks.

Max Pyziur pyz@brama.com

5 thoughts on - Vsftpd Configuration Problem

  • I assume that you are referring to the following vsftpd configuration file setting:
    # Make sure PORT transfer connections originate from port 20 (ftp-data).
    connect_from_port_20=YES

    Btw, when ftping to another user on the same machine, there is no problem in making a connection or in transferring data; it’s connections that are outside the box.

    MP

  • Does port 20 have to be open in the firewall? If so, this would be the first machine where I have explicitly set this.

    Max

  • Ok.

    So, are you saying this last line is key?

    Because on the CentOS 5 setup I see:
    IPTABLES_MODULES="ip_conntrack_netbios_ns ip_conntrack_ftp"

    While on the CentOS 6 setup I see:
    IPTABLES_MODULES=""

    What is the correct/recommended setting?

    Max Pyziur pyz@brama.com

  • Hi Max,

    It looks like a network issue instead of the software. Falling back to PORT sounds like switching to ACTIVE mode from PASV mode. In PASV, you will be connecting to a random port told to you by the server, from a random port on your side. Do you have a firewall that blocks such traffic, so that the system sends out a port unreachable ICMP?

    Maybe you can do a tcpdump to see what is going on. For PASV, you can only use "host and host and tcp and not port 22" as the filter. It’s not effective but it will collect what you want to locate the issue.

    Best regards,

    ———-

  • You need ip_conntrack_ftp added to your IPTABLES_MODULES in
    /etc/sysconfig/iptables-config. Add that module name, restart iptables, double check your firewall rules
    (allow TCP port 21), and try to FTP into your box.

    You could have switched your FTP client to active FTP rather than passive
    (generally the default). The slacksite link below explains active and passive FTP.
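    To tie the two replies above together (the PASV explanation and the ip_conntrack_ftp advice), here is an added shell example; it is not from any poster in this thread. It assumes a CentOS-style /etc/sysconfig/iptables-config and an iptables-save dump, both constructed inline here, not read from a live box. It shows (a) which port a client has to reach after a 227 PASV reply, which is the port the server's INPUT chain drops without the FTP conntrack helper, (b) how to check and add the helper to IPTABLES_MODULES (on CentOS 6 the module is nf_conntrack_ftp; ip_conntrack_ftp is the CentOS 5 name and still works as an alias), and (c) whether the rules accept port 21 plus RELATED,ESTABLISHED, which is what lets the helper-tracked data connection through. The "No route to host" on the client is what CentOS's default `-j REJECT --reject-with icmp-host-prohibited` rule produces when that data port is not accepted.

```shell
#!/bin/sh
# Added example, not code from the thread. Helpers for diagnosing the
# "PASV connect failed: No route to host" symptom on a CentOS vsftpd host.

# Data port announced in a "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
# reply is p1*256 + p2. Prints the port, returns 1 if the reply is not parsable.
pasv_port() {
    nums=$(printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p')
    p1=$(printf '%s\n' "$nums" | cut -d, -f5)
    p2=$(printf '%s\n' "$nums" | cut -d, -f6)
    [ -n "$p1" ] && [ -n "$p2" ] || return 1
    echo $((p1 * 256 + p2))
}

# Return 0 if the iptables-config file $1 already loads the FTP helper
# (ip_conntrack_ftp on CentOS 5, nf_conntrack_ftp on CentOS 6), else 1.
has_ftp_helper() {
    grep -E -e '^IPTABLES_MODULES=.*(ip_conntrack_ftp|nf_conntrack_ftp)' "$1" >/dev/null 2>&1
}

# Append the helper ($2, default nf_conntrack_ftp) to IPTABLES_MODULES in $1.
# Handles IPTABLES_MODULES="" (the CentOS 6 default) and a missing line.
add_ftp_helper() {
    file="$1"; mod="${2:-nf_conntrack_ftp}"
    has_ftp_helper "$file" && return 0
    if grep -q '^IPTABLES_MODULES=' "$file"; then
        # IPTABLES_MODULES="a b" -> IPTABLES_MODULES="a b mod"; second
        # expression strips the leading space left when the list was empty.
        sed -e "s/^IPTABLES_MODULES=\"\(.*\)\"/IPTABLES_MODULES=\"\1 $mod\"/" \
            -e 's/IPTABLES_MODULES=" /IPTABLES_MODULES="/' "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf 'IPTABLES_MODULES="%s"\n' "$mod" >> "$file"
    fi
}

# Return 0 if an iptables-save dump ($1) accepts new TCP connections to port 21
# and accepts RELATED,ESTABLISHED on INPUT (the helper marks the PASV data
# connection RELATED, so without this rule it hits the final REJECT), else 1.
firewall_allows_ftp() {
    grep -E -e '-A INPUT .*-p tcp .*--dport 21 .*-j ACCEPT' "$1" >/dev/null 2>&1 &&
    grep -E -e '-A INPUT .*--state (RELATED,ESTABLISHED|ESTABLISHED,RELATED) .*-j ACCEPT' "$1" >/dev/null 2>&1
}

# Constructed demo run (sample files, not the poster's real configuration).
demo() {
    d=$(mktemp -d)
    printf 'IPTABLES_MODULES=""\n' > "$d/iptables-config"          # CentOS 6 default
    add_ftp_helper "$d/iptables-config"
    cat "$d/iptables-config"
    cat > "$d/rules" <<'EOF'
*filter
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
    firewall_allows_ftp "$d/rules" && echo "rules OK: port 21 + RELATED,ESTABLISHED accepted"
    echo "client must reach data port: $(pasv_port '227 Entering Passive Mode (192,0,2,10,195,80)')"
    rm -rf "$d"
}
```

    After editing the real /etc/sysconfig/iptables-config, `service iptables restart` and `lsmod | grep conntrack_ftp` confirm the helper is loaded; with the helper missing, the 227 port computed above is exactly the one the client's connect fails on.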
