No ftp login for ispconfig-webuser

Discussion in 'Installation/Configuration' started by agri, Mar 7, 2007.

  1. agri

    agri New Member

    I searched different forums to shed light on my problem - no solution yet, so I have the heart to ask:

    I want to connect to a VMware virtual machine via ftp. This does not work:

    I use
    • a server with SUSE 10 (no FTP-server on the host!)
    • VMware - only one VM at the moment
    • Network: nat
    • virtual machine: ISPConfig-appliance (Debian)

    ISPConfig is running.
    I have set up one client and one web with just one user for mail/ftp.
    Within ISPConfig FTP is set to "on" for the created web.

    What I CAN do:
    I can access my VM from 'outside' via http and https using the host IP, i.e.
    I can access serverconsole, config-panel, "shared-IP-address"-page and the user's page at ../~webx_user/.

    From the shell of ISPConfig I get ftp at localhost running ok.
    Login to config-panel as admin: I can use WebFTP.

    What I CANNOT do:
    if I try to get FTP-access to my VM with an ftp-client (such as WinFTP) from outside, I get "connection refused" - no access possible.

    This seems not to be due to firewall settings, because I get the same, when I switch off the firewalls (host and guest).

    I tried to solve it by setting port 8887 in /etc/vmware/vmnet8/nat/nat.conf (8887 = 192.168.77.10:21) and connecting to port 8887 with my ftp-client as well as by activating ports under 1024 in /usr/lib/vmware/configurator/vmnet-nat.conf manually:
    > [privilegedTCP]
    > autodetect = 1
    > port = 21

    Negative :(

    Any ideas?

    Regards
    agri
     
    Last edited: Mar 7, 2007
  2. falko

    falko Super Moderator ISPConfig Developer

    Does your SuSE firewall allow connections on port 21?

    Did you try both active and passive transfers in your FTP client?
     
  3. agri

    agri New Member

    Hi Falko!

    Yes, it does. But it does not even work, if I switch off the firewall...

    Yes, I did.

    BTW: the user in question is NOT administrator - nonetheless he should be able to access his own webspace at .../~webx_username, shouldn't he?

    Regards
    agri
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes.

    Please post the output of:

    netstat -tap

    and:

    iptables -L
     
  5. agri

    agri New Member

    netstat -tap (rather long ...)

    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 0 0 *:vmware-authd *:* LISTEN 7483/xinetd
    tcp 0 0 *:5801 *:* LISTEN 7483/xinetd
    tcp 0 0 *:mysql *:* LISTEN 7578/mysqld
    tcp 0 0 *:8333 *:* LISTEN 7624/httpd.vmware
    tcp 0 0 *:5901 *:* LISTEN 7483/xinetd
    tcp 0 0 *:sunrpc *:* LISTEN 7326/portmap
    tcp 0 0 *:http-alt *:* LISTEN 8004/python
    tcp 0 0 *:ndmp *:* LISTEN 7557/perl
    tcp 0 0 *:6001 *:* LISTEN 16385/Xvnc
    tcp 0 0 *:intu-ec-client *:* LISTEN 8004/python
    tcp 0 0 *:ipp *:* LISTEN 8002/cupsd
    tcp 0 0 *:radan-http *:* LISTEN 8004/python
    tcp 0 0 localhost:smtp *:* LISTEN 7705/master
    tcp 0 0 *:8222 *:* LISTEN 7624/httpd.vmware
    tcp 0 0 eo-dell-1850f.ku-e:6001 eo-dell-1850f.k:imgames VERBUNDEN 16385/Xvnc
    tcp 0 0 localhost:10274 localhost:5901 VERBUNDEN 16377/0
    tcp 0 0 eo-dell-1850f.ku-e:6001 eo-dell-:fastechnologlm VERBUNDEN 16385/Xvnc
    tcp 0 0 eo-dell-1850f.ku-e:6001 eo-dell-1850f.ku:cardax VERBUNDEN 16385/Xvnc
    tcp 0 0 eo-dell-1850f.ku-e:6001 eo-dell:cplscrambler-lg VERBUNDEN 16385/Xvnc
    tcp 0 0 eo-dell-1850f.ku-e:6001 eo-dell-1850:webobjects VERBUNDEN 16385/Xvnc
    tcp 0 0 eo-dell-1850f.ku-e:6001 eo-dell-185:ansoft-lm-2 VERBUNDEN 16385/Xvnc
    tcp 0 0 eo-dell-1850f.ku-e:6001 eo-dell-185:ansoft-lm-1 VERBUNDEN 16385/Xvnc
    tcp 0 0 eo-dell-1850f.ku-e:6001 eo-dell-18:amt-esd-prot VERBUNDEN 16385/Xvnc
    tcp 0 36 eo-dell-1850f.ku-e:6001 eo-dell-1850f:pvuniwien VERBUNDEN 16385/Xvnc
    tcp 0 0 eo-dell-1850f.ku-e:6001 eo-dell-1850f.ku-:socks VERBUNDEN 16385/Xvnc
    tcp 0 0 localhost:5901 localhost:10274 VERBUNDEN 16385/Xvnc
    tcp 0 0 eo-dell-1850f.ku-e:6001 eo-dell-1:gmrupdateserv VERBUNDEN 16385/Xvnc
    tcp 0 0 eo-dell-1850f.ku-e:6001 eo-dell-1850f:syscomlan VERBUNDEN 16385/Xvnc
    tcp 0 0 eo-dell-1850f.ku-e:6001 eo-dell-1850f.:nicelink VERBUNDEN 16385/Xvnc
    tcp 0 0 eo-dell-1850f.ku-e:6001 eo-dell-1850f.ku-:rootd VERBUNDEN 16385/Xvnc
    tcp 0 0 eo-dell-1850f.ku-e:6001 eo-dell-1850f.ku:proofd VERBUNDEN 16385/Xvnc
    tcp 0 0 eo-dell-1850f.ku-e:6001 eo-dell-1850f.ku-:obrpd VERBUNDEN 16385/Xvnc
    tcp 0 0 eo-dell-1850f.ku-e:6001 eo-dell-1850f.ku-:ff-sm VERBUNDEN 16385/Xvnc
    tcp 0 0 eo-dell-1850f.ku-e:6001 eo-dell-1850f.ku:ff-fms VERBUNDEN 16385/Xvnc
    tcp 0 0 eo-dell-1850f.ku-e:6001 eo-dell-1850f.ku-e:9792 VERBUNDEN 16385/Xvnc
    tcp 32 0 eo-dell-1850f.ku-e:9792 eo-dell-1850f.ku-e:6001 VERBUNDEN 16392/-eo-dell-1850
    tcp 0 32 eo-dell-1850f.ku-e:6001 eo-dell:cplscrambler-al VERBUNDEN 16385/Xvnc
    tcp 0 0 eo-dell-1850f.ku-e:6001 eo-dell-1850f.ku-e:mctp VERBUNDEN 16385/Xvnc
    tcp 0 0 eo-dell-1850f.ku-e:6001 eo-dell-185:rmiregistry VERBUNDEN 16385/Xvnc
    tcp 0 0 localhost:exosee localhost:sunrpc TIME_WAIT -
    tcp 0 0 localhost:cap localhost:sunrpc TIME_WAIT -
    tcp 0 0 localhost:blackjack localhost:sunrpc TIME_WAIT -
    tcp 0 0 localhost:iad2 localhost:sunrpc TIME_WAIT -
    tcp 0 0 localhost:iad1 localhost:sunrpc TIME_WAIT -
    tcp 0 0 localhost:solid-mux localhost:sunrpc TIME_WAIT -
    tcp 0 0 localhost:1028 localhost:sunrpc TIME_WAIT -
    tcp 0 0 eo-dell-1850f.ku:ff-fms eo-dell-1850f.ku-e:6001 VERBUNDEN 16553/konqueror [kd
    tcp 0 0 eo-dell-1850f.ku-:ff-sm eo-dell-1850f.ku-e:6001 VERBUNDEN 16554/konqueror [kd
    tcp 0 0 eo-dell:cplscrambler-al eo-dell-1850f.ku-e:6001 VERBUNDEN 16552/konsole [kdei
    tcp 0 0 eo-dell-1850f.ku-:rootd eo-dell-1850f.ku-e:6001 VERBUNDEN 16564/kwrite [kdein
    tcp 0 0 eo-dell-1850f.:nicelink eo-dell-1850f.ku-e:6001 VERBUNDEN 16565/konqueror [kd
    tcp 0 0 eo-dell-1850f.ku-:obrpd eo-dell-1850f.ku-e:6001 VERBUNDEN 16555/konqueror [kd
    tcp 0 0 eo-dell-1850f.ku:proofd eo-dell-1850f.ku-e:6001 VERBUNDEN 16563/kate [kdeinit
    tcp 0 0 eo-dell-1:rmiactivation eo-dell-1850f.ku-e:6001 TIME_WAIT -
    tcp 0 0 eo-dell-185:rmiregistry eo-dell-1850f.ku-e:6001 VERBUNDEN 16573/knotify [kdei
    tcp 0 0 eo-dell-185:cnrprotocol eo-dell-1850f.ku-e:6001 TIME_WAIT -
    tcp 0 0 eo-dell-1:sunclustermgr eo-dell-1850f.ku-e:6001 TIME_WAIT -
    tcp 0 0 eo-dell-1850f.ku-e:mctp eo-dell-1850f.ku-e:6001 VERBUNDEN 16518/klauncher [kd
    tcp 0 0 eo-dell-18:pt2-discover eo-dell-1850f.ku-e:6001 TIME_WAIT -
    tcp 0 0 eo-dell-1:kyoceranetdev eo-dell-1850f.ku-e:6001 TIME_WAIT -
    tcp 0 0 eo-dell-1850f.k:fpo-fns eo-dell-1850f.ku-e:6001 TIME_WAIT -
    tcp 0 0 eo-dell-185:instl_boots eo-dell-1850f.ku-e:6001 TIME_WAIT -
    tcp 0 0 eo-dell-1850f.ku-:jstel eo-dell-1850f.ku-e:6001 TIME_WAIT -
    tcp 0 0 eo-dell-1850f:syscomlan eo-dell-1850f.ku-e:6001 VERBUNDEN 16482/dbus-launch
    tcp 0 0 eo-dell-1:gmrupdateserv eo-dell-1850f.ku-e:6001 VERBUNDEN 16521/kded [kdeinit
    tcp 0 0 eo-dell-18:bsquare-voip eo-dell-1850f.ku-e:6001 TIME_WAIT -
    tcp 0 0 eo-dell-185:instl_bootc eo-dell-1850f.ku-e:6001 TIME_WAIT -
    tcp 0 0 eo-dell-:cognex-insight eo-dell-1850f.ku-e:6001 TIME_WAIT -
    tcp 0 0 eo-dell-:fastechnologlm eo-dell-1850f.ku-e:6001 VERBUNDEN 16526/kaccess [kdei
    tcp 0 0 eo-dell-1850f.k:rdrmshc eo-dell-1850f.ku-e:6001 TIME_WAIT -
    tcp 0 0 eo-dell-1850f.ku:cardax eo-dell-1850f.ku-e:6001 VERBUNDEN 16513/kdeinit Runni
    tcp 0 0 eo-dell-1:bridgecontrol eo-dell-1850f.ku-e:6001 TIME_WAIT -
    tcp 0 0 eo-dell-1:avocent-proxy eo-dell-1850f.ku-e:6001 TIME_WAIT -
    tcp 0 0 eo-dell-185:asprovatalk eo-dell-1850f.ku-e:6001 TIME_WAIT -
    tcp 0 0 eo-dell-1850f:dab-sti-c eo-dell-1850f.ku-e:6001 TIME_WAIT -
    tcp 0 0 eo-dell-1850f.k:imgames eo-dell-1850f.ku-e:6001 VERBUNDEN 16521/kded [kdeinit
    tcp 0 0 eo-dell-18:amt-esd-prot eo-dell-1850f.ku-e:6001 VERBUNDEN 16539/kdesktop [kde
    tcp 0 0 eo-dell-185:ansoft-lm-1 eo-dell-1850f.ku-e:6001 VERBUNDEN 16541/kicker [kdein
    tcp 0 0 eo-dell-1850f.ku-:socks eo-dell-1850f.ku-e:6001 VERBUNDEN 16536/ksmserver [kd
    tcp 0 0 eo-dell-1850f:pvuniwien eo-dell-1850f.ku-e:6001 VERBUNDEN 16537/kwin [kdeinit
    tcp 0 0 eo-dell:cplscrambler-lg eo-dell-1850f.ku-e:6001 VERBUNDEN 16549/suseplugger [
    tcp 0 0 eo-dell:cplscrambler-in eo-dell-1850f.ku-e:6001 TIME_WAIT -
    tcp 0 0 eo-dell-185:ansoft-lm-2 eo-dell-1850f.ku-e:6001 VERBUNDEN 16543/kpowersave [k
    tcp 0 0 eo-dell-1850:webobjects eo-dell-1850f.ku-e:6001 VERBUNDEN 16546/klipper [kdei
    tcp 0 0 192.168.77.1:26791 192.168.77.10:hosts2-ns VERBUNDEN 16575/konquerorJW4L
    tcp 0 0 *:www-http *:* LISTEN 7925/httpd2-prefork
    tcp 0 0 *:6001 *:* LISTEN 16385/Xvnc
    tcp 0 0 *:ssh *:* LISTEN 7469/sshd
    tcp 0 0 localhost:smtp *:* LISTEN 7705/master
    tcp 0 0 *:https *:* LISTEN 7925/httpd2-prefork
    tcp 0 0 eo-dell-1850f.ku-ei:ssh ashb-009-02.ku:ncpm-hip VERBUNDEN 16377/0
     
  6. agri

    agri New Member

    iptables -L (oops!)

    Chain INPUT (policy DROP)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    input_ext all -- anywhere anywhere
    input_ext all -- anywhere anywhere
    input_ext all -- anywhere anywhere
    LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-IN-ILL-TARGET '
    DROP all -- anywhere anywhere

    Chain FORWARD (policy DROP)
    target prot opt source destination
    TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
    forward_ext all -- anywhere anywhere
    forward_ext all -- anywhere anywhere
    LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWD-ILL-ROUTING '
    DROP all -- anywhere anywhere

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
    LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-OUT-ERROR '

    Chain forward_ext (2 references)
    target prot opt source destination
    ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply
    ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp destination-unreachable
    ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp time-exceeded
    ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp parameter-problem
    ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp timestamp-reply
    ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp address-mask-reply
    ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp protocol-unreachable
    ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp redirect
    LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT '
    LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT '
    LOG udp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT '
    LOG all -- anywhere anywhere limit: avg 3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT-INV '
    DROP all -- anywhere anywhere

    Chain input_ext (3 references)
    target prot opt source destination
    DROP all -- anywhere anywhere PKTTYPE = broadcast
    ACCEPT icmp -- anywhere anywhere icmp source-quench
    ACCEPT icmp -- anywhere anywhere icmp echo-request
    ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply
    ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp destination-unreachable
    ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp time-exceeded
    ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp parameter-problem
    ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp timestamp-reply
    ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp address-mask-reply
    ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp protocol-unreachable
    ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp redirect
    ACCEPT esp -- anywhere anywhere
    LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:ftp-data flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
    ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data
    LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:ftp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
    ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
    LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
    ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
    LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:https flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
    ACCEPT tcp -- anywhere anywhere tcp dpt:https
    LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:http flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
    ACCEPT tcp -- anywhere anywhere tcp dpt:http
    LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:8333 flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
    ACCEPT tcp -- anywhere anywhere tcp dpt:8333
    LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:8887 flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
    ACCEPT tcp -- anywhere anywhere tcp dpt:8887
    LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:ideafarm-chat flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
    ACCEPT tcp -- anywhere anywhere tcp dpt:ideafarm-chat
    LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:vmware-authd flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
    ACCEPT tcp -- anywhere anywhere tcp dpt:vmware-authd
    LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
    ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
    ACCEPT udp -- anywhere anywhere udp dpt:ipsec-nat-t
    ACCEPT udp -- anywhere anywhere udp dpt:isakmp
    reject_func tcp -- anywhere anywhere tcp dpt:ident state NEW
    LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
    LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
    LOG udp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
    LOG all -- anywhere anywhere limit: avg 3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT-INV '
    DROP all -- anywhere anywhere

    Chain reject_func (1 references)
    target prot opt source destination
    REJECT tcp -- anywhere anywhere reject-with tcp-reset
    REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
    REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable
     
  7. falko

    falko Super Moderator ISPConfig Developer

    I don't see FTP in your netstat output. Make sure it's running.
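
The comparison made by eye above, written out as an added example (not part of the original thread): it lists ports the firewall accepts but nothing listens on, and non-loopback listeners that have no ACCEPT rule. The sample lines are constructed in the format of the posted output; the `SERVICES` table and all function names are assumptions of this example.

```python
import re

# Constructed sample input: a few lines in the format of the outputs posted above.
NETSTAT = """\
tcp 0 0 *:mysql *:* LISTEN 7578/mysqld
tcp 0 0 *:8333 *:* LISTEN 7624/httpd.vmware
tcp 0 0 *:www-http *:* LISTEN 7925/httpd2-prefork
tcp 0 0 *:ssh *:* LISTEN 7469/sshd
tcp 0 0 localhost:smtp *:* LISTEN 7705/master
tcp 0 0 *:https *:* LISTEN 7925/httpd2-prefork
tcp 0 0 localhost:5901 localhost:10274 VERBUNDEN 16385/Xvnc
"""
IPTABLES = """\
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:ftp flags:FIN,SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:8333
ACCEPT tcp -- anywhere anywhere tcp dpt:8887
"""
# Minimal name table (assumption: only the names used here). Running both
# commands with -n prints numeric ports and makes this table unnecessary.
SERVICES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "smtp": 25, "http": 80,
            "www-http": 80, "https": 443, "mysql": 3306}
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def port_of(token):
    """Numeric port for '21' or 'ftp'; unknown names are returned unchanged."""
    return int(token) if token.isdigit() else SERVICES.get(token, token)

def listeners(netstat_text):
    """Map port -> (bind address, PID/program) for TCP sockets in LISTEN state."""
    found = {}
    for line in netstat_text.splitlines():
        f = line.split()
        # Established connections (VERBUNDEN in the German locale) are not listeners.
        if len(f) >= 7 and f[0].startswith("tcp") and f[5] == "LISTEN":
            addr, _, svc = f[3].rpartition(":")
            found[port_of(svc)] = (addr, f[6])
    return found

def accepted_ports(iptables_text):
    """TCP destination ports that have an ACCEPT rule (LOG rules are ignored)."""
    hits = (re.match(r"\s*ACCEPT\s+tcp\b.*\bdpt:(\S+)", l) for l in iptables_text.splitlines())
    return {port_of(m.group(1)) for m in hits if m}

def audit(netstat_text, iptables_text):
    listen, allowed = listeners(netstat_text), accepted_ports(iptables_text)
    return {
        "allowed_no_listener": sorted(allowed - set(listen), key=str),
        "listening_not_allowed": sorted(
            (p for p, (addr, _) in listen.items()
             if p not in allowed and addr not in LOOPBACK), key=str),
    }

if __name__ == "__main__":
    print(audit(NETSTAT, IPTABLES))
```

A port that appears under `allowed_no_listener` answers a connection attempt with a TCP reset, which an FTP client reports as "connection refused"; a packet dropped by the firewall would time out instead.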
     
  8. agri

    agri New Member

    Ok, I did not see the obvious - thanks!

    I now installed an ftp-server on my host. But it seems I don't get forwarded to my virtual machine ...
     
  9. falko

    falko Super Moderator ISPConfig Developer

    Did you enable FTP for that web site in ISPConfig? Did you create an admin user for that web site in ISPConfig? Please use this admin user to connect to your document root with FTP.
     
  10. agri

    agri New Member

    Yes, I did.

    No, I didn't.

    Does this mean that _any_ user who wants to upload files to his/her "/web"-directory has to be admin? So anybody who is a user with mail access but is not admin cannot upload anything to his/her /web-directory?

    Regards
    agri
     
  11. falko

    falko Super Moderator ISPConfig Developer

  12. agri

    agri New Member

    Ok, got that.

    Still: I fiddled around a bit and found out the following:

    if I connect to my server via ftp, I get logged into the ftp-root of my host! How can I target to my virtual machine instead (I had hoped ISPConfig would do that for me ;-) ?
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    I guess you logged in with the wrong username or your FTP daemon does not allow chrooting of users. If you use a user that has been created within ISPConfig, you will log in to the home directory of this user. If the user has the "administrator" checkbox enabled, the home directory of this user is the root directory of the website the user belongs to.
     
