depressionofoleg, 2021-05-24 09:14:12

What is the correct way to get vsftpd behind NAT?

vsftpd config:

listen=YES
anonymous_enable=NO
local_enable=YES
xferlog_enable=YES
user_sub_token=$USER
local_root=/var/www/
chroot_local_user=YES
hide_ids=YES
guest_enable=YES
guest_username=www-data
virtual_use_local_privs=YES
write_enable=YES
pasv_enable=YES
# the current address behind NAT goes here, the static external IP
pasv_address=1.2.3.4
pasv_max_port=20200
pasv_min_port=20400
pam_service_name=vsftpd.virtual
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
idle_session_timeout=600
data_connection_timeout=120
ascii_upload_enable=YES
ascii_download_enable=YES
allow_writeable_chroot=YES
seccomp_sandbox=NO
local_umask=022


I forwarded the ports on the router (20, 21, and the port range 20200-20400); over the LAN it connects without any problems. The users are virtual. When I try to connect to the external address, Total Commander returns 500 Illegal PORT Command. Other FTP clients give errors too. What could be the problem?


1 answer(s)
none7, 2021-05-24

My guess: because you have pasv_min_port > pasv_max_port, it selects any ports except 20200-20400.
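
A way to catch the misconfiguration the answer points to before deploying, as an added example that is not part of the original thread: a small Python check that parses the passive-mode settings and compares them with the range forwarded on the router. The names `parse_conf`, `check_pasv`, `SAMPLE_CONF` and `FORWARDED` are assumptions made for this example; the sample config is a subset of the one in the question.

```python
# Added example (not from the thread): lint vsftpd passive-mode settings.
# SAMPLE_CONF is a subset of the question's config; FORWARDED is the port
# range the asker says is forwarded on the router.
SAMPLE_CONF = """\
listen=YES
pasv_enable=YES
# the actual address behind NAT goes here, static external IP
pasv_address=1.2.3.4
pasv_max_port=20200
pasv_min_port=20400
"""
FORWARDED = (20200, 20400)


def parse_conf(text):
    """Parse key=value lines; blank lines and '#' comments are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            settings[key] = value
    return settings


def check_pasv(settings, forwarded):
    """Return findings about the passive port range versus the NAT forward."""
    if settings.get("pasv_enable", "YES").upper() != "YES":
        return ["pasv_enable is off; no passive range to check"]
    try:
        # vsftpd's default for both options is 0, meaning "any port".
        lo = int(settings.get("pasv_min_port", 0))
        hi = int(settings.get("pasv_max_port", 0))
    except ValueError:
        return ["pasv_min_port/pasv_max_port must be integers"]
    findings = []
    if lo == 0 or hi == 0:
        findings.append("passive range is unbounded; set both pasv_min_port and pasv_max_port")
    elif lo > hi:
        findings.append(f"pasv_min_port={lo} is greater than pasv_max_port={hi}; swap them")
    elif lo < forwarded[0] or hi > forwarded[1]:
        findings.append(f"range {lo}-{hi} is not inside forwarded {forwarded[0]}-{forwarded[1]}")
    if "pasv_address" not in settings:
        findings.append("pasv_address is unset; clients will be told the private address")
    return findings


if __name__ == "__main__":
    for finding in check_pasv(parse_conf(SAMPLE_CONF), FORWARDED):
        print("FINDING:", finding)
```

Keeping the passive range no wider than the forwarded range also keeps the set of ports exposed through the router to the minimum the server needs.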
