Score:1

Impossible to open new port


My port 21 (ftp) is inexplicably blocked.

Important points

  • Disabling ufw changes nothing; the port keeps being blocked
  • The problem is for any new port, not just 21
  • I've tried to uninstall / reinstall ufw and reset iptables

telnet from local

telnet 127.0.0.1 21
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 ProFTPD Server (ProFTPD Default Installation) [::ffff:127.0.0.1]

telnet from remote

telnet: Unable to connect to remote host: Connection timed out

proftpd config (unedited)

# This is a basic ProFTPD configuration file (rename it to 
# 'proftpd.conf' for actual use.  It establishes a single server
# and a single anonymous login.  It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName          "ProFTPD Default Installation"
ServerType          standalone
DefaultServer           on

# Port 21 is the standard FTP port.
Port                21

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask               022

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances            30

# Set the user and group under which the server will run.
User                nobody
Group               nogroup

# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
#DefaultRoot ~

# Normally, we want files to be overwriteable.
<Directory />
  AllowOverwrite        on
</Directory>

# A basic anonymous configuration, no upload directories.  If you do not
# want anonymous users, simply delete this entire <Anonymous> section.
<Anonymous ~ftp>
  User              ftp
  Group             ftp

  # We want clients to be able to login with "anonymous" as well as "ftp"
  UserAlias         anonymous ftp

  # Limit the maximum number of anonymous logins
  MaxClients            10

  # We want 'welcome.msg' displayed at login, and '.message' displayed
  # in each newly chdired directory.
  DisplayLogin          welcome.msg
  #DisplayFirstChdir        .message

  # Limit WRITE everywhere in the anonymous chroot
  <Limit WRITE>
    DenyAll
  </Limit>
</Anonymous>

lsof

sudo lsof -i :21
COMMAND   PID   USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
proftpd 20611 nobody    0u  IPv6 15922523      0t0  TCP *:ftp (LISTEN)

ufw status

Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
21                         ALLOW       Anywhere
80                         ALLOW       Anywhere
25                         ALLOW       Anywhere
143                        ALLOW       Anywhere
993                        ALLOW       Anywhere
443                        ALLOW       Anywhere
110                        ALLOW       Anywhere
995                        ALLOW       Anywhere

nmap (remotely)

PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
110/tcp open  pop3
143/tcp open  imap
443/tcp open  https
993/tcp open  imaps
995/tcp open  pop3s

Iptables

Chain INPUT (policy DROP 11888 packets, 618090 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
  471121 37446294 f2b-wordpress-admin  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
     118     4839 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1194
16520344 3080320177 ufw-before-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
16520344 3080320177 ufw-before-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  307430 16096817 ufw-after-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  268530 14088467 ufw-after-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  268530 14088467 ufw-reject-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  268530 14088467 ufw-track-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 ACCEPT     all  --  -d     *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED helper match "ftp"

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
       0        0 ACCEPT     all  --  *      *       10.8.0.0/24          0.0.0.0/0           
       0        0 ufw-before-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 ufw-before-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 ufw-after-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 ufw-after-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 ufw-reject-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 ufw-track-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
16344512 4396207242 ufw-before-logging-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
16344512 4396207242 ufw-before-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  242395 16206787 ufw-after-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  242395 16206787 ufw-after-logging-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  242395 16206787 ufw-reject-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  242395 16206787 ufw-track-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-before-logging-input (1 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-output (1 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-forward (1 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-before-input (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
    1337   564957 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    2531   126728 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
      24     2100 ufw-logging-deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
      24     2100 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
       0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
       0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
       0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 12
     184     6296 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
   11880   617882 ufw-not-local  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251          udp dpt:5353
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            239.255.255.250      udp dpt:1900
   11867   617206 ufw-user-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-before-output (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
    1337   564957 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
    1495  6600805 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
       7      503 ufw-user-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-before-forward (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
       0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
       0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
       0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 12
       0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
       0        0 ufw-user-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-after-input (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:137
       0        0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:138
      11      560 ufw-skip-to-policy-input  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:139
      30     1544 ufw-skip-to-policy-input  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445
       0        0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
       0        0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
       0        0 ufw-skip-to-policy-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST

Chain ufw-after-output (1 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-after-forward (1 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-after-logging-input (1 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-after-logging-output (1 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-after-logging-forward (1 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-reject-input (1 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-reject-output (1 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-reject-forward (1 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-track-input (1 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-track-output (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
       7      503 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW

Chain ufw-track-forward (1 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain f2b-wordpress-admin (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
  470930 37411229 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-logging-deny (2 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-logging-allow (0 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-skip-to-policy-input (7 references)
    pkts      bytes target     prot opt in     out     source               destination         
      41     2104 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-skip-to-policy-output (0 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-skip-to-policy-forward (0 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-not-local (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
   11880   617882 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
       0        0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
       0        0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
       0        0 ufw-logging-deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10
       0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-user-input (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
      24     1432 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:22
      25     1300 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:21
      10      464 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:80
       1       52 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:143
      12      712 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:993
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:25
      12      644 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:443
       1       52 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:110
       1       52 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:995
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:995

Chain ufw-user-output (1 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-user-forward (1 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain ufw-user-logging-input (0 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-user-logging-output (0 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-user-logging-forward (0 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-user-limit (0 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0        

Edit:

tcp dump

tcpdump -ni any port 21

listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
23:52:14.486431 IP ip.address.64155 > ip.address.21: Flags [S], seq 207845152, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
23:52:15.487331 IP ip.address.64155 > ip.address.21: Flags [S], seq 207845152, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
23:52:17.486879 IP ip.address.64155 > ip.address.21: Flags [S], seq 207845152, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
23:52:21.486947 IP ip.address.64155 > ip.address.21: Flags [S], seq 207845152, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
23:52:29.488538 IP ip.address.64155 > ip.address.21: Flags [S], seq 207845152, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

[ ... ]

15 packets captured
15 packets received by filter
0 packets dropped by kernel

Run a packet capture `tcpdump -ni any port 21`. Test first with your telnet so you can see what 'good' output looks like, then test with an external system. If you don't see any packets, then you have some external firewall or system blocking things.
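
The comparison described in the comment above (a local capture as the 'good' baseline, then an external attempt), as an added example that is not part of the original thread: a Python sketch that classifies saved `tcpdump -ni any port 21` text output by how far the TCP handshake got. The two sample captures use documentation addresses and are constructed, and the verdict names are this example's own.

```python
import re

# tcpdump -n text line: "<time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
LINE = re.compile(r" IP6? (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")

# Constructed sample: an external client retrying its SYN with backoff.
REMOTE_TIMEOUT = """\
23:52:14.486431 IP 203.0.113.7.64155 > 198.51.100.10.21: Flags [S], seq 207845152, win 64240, length 0
23:52:15.487331 IP 203.0.113.7.64155 > 198.51.100.10.21: Flags [S], seq 207845152, win 64240, length 0
23:52:17.486879 IP 203.0.113.7.64155 > 198.51.100.10.21: Flags [S], seq 207845152, win 64240, length 0
23:52:21.486947 IP 203.0.113.7.64155 > 198.51.100.10.21: Flags [S], seq 207845152, win 64240, length 0
23:52:29.488538 IP 203.0.113.7.64155 > 198.51.100.10.21: Flags [S], seq 207845152, win 64240, length 0
"""

# Constructed sample: the local telnet test, a complete three-way handshake.
LOCAL_OK = """\
10:00:00.000001 IP 127.0.0.1.40000 > 127.0.0.1.21: Flags [S], seq 100, win 65495, length 0
10:00:00.000020 IP 127.0.0.1.21 > 127.0.0.1.40000: Flags [S.], seq 200, ack 101, win 65483, length 0
10:00:00.000030 IP 127.0.0.1.40000 > 127.0.0.1.21: Flags [.], ack 1, win 512, length 0
"""


def classify(capture, port=21):
    """Return (verdict, inbound_syn_count) for a capture taken on the server."""
    syn_in = synack_out = ack_in = 0
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # banner, summary or non-TCP line
        sport, dport, flags = int(m.group(2)), int(m.group(4)), m.group(5)
        is_syn, has_ack = "S" in flags, "." in flags
        if dport == port and is_syn and not has_ack:
            syn_in += 1        # client SYN (retransmissions are counted too)
        elif sport == port and is_syn and has_ack:
            synack_out += 1    # server SYN-ACK leaving this host
        elif dport == port and has_ack and "R" not in flags:
            ack_in += 1        # client ACK or data after the SYN-ACK
    if syn_in == 0:
        verdict = "no-syn-seen"            # nothing for this port reached the host
    elif synack_out == 0:
        verdict = "syn-unanswered"         # SYNs arrive, host emits no SYN-ACK
    elif ack_in == 0:
        verdict = "synack-unacknowledged"  # host replies, client never continues
    else:
        verdict = "handshake-completed"
    return verdict, syn_in


if __name__ == "__main__":
    for name, cap in (("local", LOCAL_OK), ("remote", REMOTE_TIMEOUT)):
        print(name, classify(cap))
```
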

Most probably a firewall outside of your host. Talk to whoever is responsible for your network.
Score:0

The lsof output shows that you are only listening on IPv6, not IPv4 for port 21.

See http://proftpd.org/docs/howto/IPv6.html for details on reconfiguring it.

Thank you for your answer, I corrected it. The problem remains though. The new output: `COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME proftpd 28950 nobody 0u IPv4 36743210 0t0 TCP *:ftp (LISTEN)`