I've just installed vsftpd and started the service. The service is running, and my netstat dump shows it (see below). I've also enabled anonymous access for good measure. However, when I try to access the server with an FTP client, or even just telnet to port 21, I get a "connection refused".
How do I troubleshoot this?
netstat -a:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:11110 *:* LISTEN
tcp 0 0 *:mysql *:* LISTEN
tcp 0 0 *:macromedia-fcs *:* LISTEN
tcp 0 0 *:ndmp *:* LISTEN
tcp 0 0 *:ftp *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 localhost:19350 *:* LISTEN
tcp 0 0 *:lmsocialserver *:* LISTEN
tcp 0 0 localhost:19350 localhost:60863 ESTABLISHED
tcp 0 0 mischost:ssh c-71-56-64-141.hsd1.g:62946 ESTABLISHED
tcp 0 0 localhost:60863 localhost:19350 ESTABLISHED
tcp 0 196 mischost:ssh c-71-56-64-141.hsd1.g:18606 ESTABLISHED
tcp 0 0 *:http *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 mischost:http baiduspider-123-125-7:25479 FIN_WAIT2
udp 0 0 *:ndmp *:*
/etc/sysconfig/iptables:
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:92]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1935 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1111 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ACCEPT
COMMIT
iptables -L -n:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
REJECT all -- 0.0.0.0/0 127.0.0.0/8 reject-with icmp-port-unreachable
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:10000
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1935
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1111
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 5 LOG flags 0 level 7 prefix `iptables denied: '
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
"Connection Refused" is very specific. It means that when you tried to connect to this service (by sending a SYN packet), you got a specific response (a RST packet) meaning "the server is there, but not offering a service on that port". Without any firewalls in the way, this is the response you'd get if nothing was actually listening on that port. Since you've verified that something IS listening on that port, this response MUST have come from some firewall, either the firewall on the server itself (which you could check with iptables -L -n) or some other firewall in between you and the server. If it's not the server itself, it could be any other router in between the server and the client. This all assumes that you try to telnet to the correct IP address.
Check whether port 21 is open in the firewall and whether the firewall has modules loaded for connection tracking of the data stream.
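Both answers come down to the same check: is port 21 actually open in the running firewall? The question's own listings already answer that: the saved /etc/sysconfig/iptables contains a --dport 21 ACCEPT rule, but the iptables -L -n output has no dpt:21 line, so that rule was never loaded and the chain's final REJECT rule answers the SYN. The script below (an added example, not code from either answer) automates that comparison; it assumes the rules file and the iptables -L -n listing have been saved to two files, and embeds a constructed copy of the question's lines as sample input.

```shell
#!/bin/sh
# Added example (not from the question or either answer): list the TCP ports
# that a saved iptables rules file ACCEPTs on INPUT but that the live
# ruleset (`iptables -L -n`) does not. A port present in the file but absent
# from the live listing was never loaded, so the chain's final REJECT rule
# answers the client's SYN even though the daemon is listening.

# missing_ports RULES_FILE LIVE_FILE -> prints one missing port per line
missing_ports() {
    rules="$1"
    live="$2"
    # dports accepted by saved "-A INPUT ... --dport N -j ACCEPT" rules
    wanted=$(sed -n 's/^-A INPUT .*--dport \([0-9]*\) -j ACCEPT.*/\1/p' "$rules" | sort -un)
    # dports accepted by live INPUT-chain rules ("ACCEPT tcp ... dpt:N")
    have=$(awk '/^Chain /{chain=$2}
                chain=="INPUT" && $1=="ACCEPT" && match($0,/dpt:[0-9]+/){
                    print substr($0,RSTART+4,RLENGTH-4)}' "$live" | sort -un)
    for p in $wanted; do
        printf '%s\n' "$have" | grep -qx "$p" || echo "$p"
    done
}

# Constructed sample input: the relevant lines of the question's
# /etc/sysconfig/iptables and of its iptables -L -n listing.
RULES=$(mktemp); LIVE=$(mktemp)
trap 'rm -f "$RULES" "$LIVE"' EXIT
cat >"$RULES" <<'EOF'
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
EOF
cat >"$LIVE" <<'EOF'
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:10000
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
EOF
echo "in rules file but not live: $(missing_ports "$RULES" "$LIVE" | tr '\n' ' ')"
```

On the real host, save `iptables -L -n` to a file and pass it together with /etc/sysconfig/iptables; an empty result means the saved rules are live and the RST must be coming from something else on the path.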