I'm running Fedora Core 13 and have vsftpd (vsftpd-2.2.2-7.fc13.x86_64) up and running. I can log in, but it just hangs:
$ ftp xxx.local
Connected to xxx.local.
220 (vsFTPd 2.2.2)
Name (xxx.local:xxx): xxx
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
It hangs for a while, then returns...
421 Service not available, remote server timed out. Connection closed.
Here is my vsftpd.conf:
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=NO
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
userlist_deny=NO
tcp_wrappers=YES
Here is my IPTABLES:
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.0.0/24 -m state --state NEW -m tcp -p tcp --dport 20 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -m state --state NEW -m tcp -p tcp --dport 5150 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p udp -m udp --dport 137 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p udp -m udp --dport 138 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
I also added the following to iptables-config:
IPTABLES_MODULES="nf_conntrack_ftp"
Any ideas why it hangs at that point?
Answer 1
Try using lftp as the client to get a better set of debug output, and paste it here; for example:
$ lftp -u <username> localhost
Password:
lftp user@localhost:~> debug 5
lftp user@localhost:~> ls
---- Connecting to localhost (127.0.0.1) port 21
<--- 220 (vsFTPd 2.2.2)
---> FEAT
<--- 211-Features:
<--- EPRT
<--- EPSV
<--- MDTM
<--- PASV
<--- REST STREAM
<--- SIZE
<--- TVFS
<--- UTF8
<--- 211 End
---> OPTS UTF8 ON
<--- 200 Always in UTF8 mode.
---> USER user
<--- 331 Please specify the password.
---> PASS XXXX
<--- 230 Login successful.
---> PWD
<--- 257 "/home/user"
---> PASV
<--- 227 Entering Passive Mode (127,0,0,1,159,49).
---- Connecting data socket to (127.0.0.1) port 40753
---> LIST
<--- 150 Here comes the directory listing.
<--- 226 Directory send OK.
We need better client-side debugging to find out where the connection hangs; most likely it's the passive ports. I don't trust the iptables module, and instead set the min and max ports in vsftpd.conf:
ftp_data_port=20
listen_port=21
pasv_min_port=64123
pasv_max_port=64321
...and then open that range in iptables. When dealing with ports, I prefer explicit over implicit.
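As an added example (not part of the answer above), the following POSIX shell script ties the two steps together: it reads pasv_min_port and pasv_max_port out of a vsftpd.conf and emits the matching INPUT rule in the same iptables-save format the question's firewall uses, restricted to the same 192.168.0.0/24 source network. Keeping the firewall rule derived from the config is what prevents the mismatch that produces the "421 ... timed out" hang: the server advertises a passive port in its 227 reply, and the client then tries to open a data connection to a port the firewall rejects. The embedded config text is a constructed sample that assumes the answer's port values; the function names are mine.

```shell
#!/bin/sh
# Added example: derive the passive-mode firewall rule from vsftpd.conf so the
# range opened in iptables always matches the range vsftpd hands out in PASV
# replies. Constructed sample config (assumption: these pasv_* values).
SAMPLE_CONF="anonymous_enable=NO
local_enable=YES
pasv_min_port=64123
pasv_max_port=64321
listen=YES"

# conf_value KEY CONFIG_TEXT
# Prints the value of KEY from the config text; if the key is repeated, the
# last occurrence is taken. Prints nothing when the key is absent.
conf_value() {
    printf '%s\n' "$2" | grep "^$1=" | tail -n 1 | cut -d= -f2
}

# pasv_rule SRC_NET CONFIG_TEXT
# Prints one iptables-save style INPUT rule accepting NEW TCP connections to
# the passive range from SRC_NET (same shape as the question's existing rules).
# Returns 1 if either bound is missing or the range is inverted, so a config
# without an explicit range is never silently turned into a rule.
pasv_rule() {
    src="$1"
    conf="$2"
    min=$(conf_value pasv_min_port "$conf")
    max=$(conf_value pasv_max_port "$conf")
    if [ -z "$min" ] || [ -z "$max" ]; then
        echo "pasv_min_port/pasv_max_port not set in vsftpd.conf" >&2
        return 1
    fi
    if [ "$min" -gt "$max" ]; then
        echo "pasv_min_port ($min) exceeds pasv_max_port ($max)" >&2
        return 1
    fi
    # --dport accepts a low:high range, so one rule covers the whole window.
    printf '%s\n' "-A INPUT -s $src -m state --state NEW -m tcp -p tcp --dport $min:$max -j ACCEPT"
}

# Usage: print the rule for the sample config. On a real host you would pass
# "$(cat /etc/vsftpd/vsftpd.conf)" and paste the output into
# /etc/sysconfig/iptables just before the final REJECT line.
pasv_rule 192.168.0.0/24 "$SAMPLE_CONF"
```

The rule must sit above the catch-all `-A INPUT -j REJECT` line, since iptables stops at the first match. Restricting the range to the LAN source, as the question's other rules do, keeps the passive window from being reachable from anywhere else.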