Tested on: Ubuntu 11.04 (natty)
This is how I got a vsftpd server to work behind a router. If you are getting errors like "Server sent passive reply with unroutable address. Using server address instead." or "500 illegal port command" on the list (ls) command, this post might help. Setting the passive mode configuration correctly is the trick.
Please note that this may not be the perfect solution, or even worse, may not be very secure. Read the vsftpd.conf manual before applying any changes.
Make sure ports 20, 21 and a few more ports, for example 4242-4252, are being forwarded to the server. We will need these extra ports for passive mode; set pasv_min_port and pasv_max_port accordingly in the configuration file. Add the following to /etc/vsftpd.conf:
connect_from_port_20=YES
pasv_enable=YES
pasv_addr_resolve=YES
pasv_address=myaddress.dyndns.com
pasv_min_port=4242
pasv_max_port=4252
Set pasv_address to your domain name. You can use dyndns for a dynamic IP address. vsftpd converts the domain name to an IP address when the vsftpd server starts. Note that if your IP address changes after vsftpd has started, it will not update the IP address. There have been some attempts to solve this.
Here are some more configurations with comments:
# Only allow FTP access to users listed in file /etc/vsftpd.userlist
# Other users will not have ftp access
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd.userlist
# Disable delete commands
cmds_denied=DELE,RMD
# Verbose logging
log_ftp_protocol=YES
# You may restrict local users to their home directories. See FAQ for
# the possible risks in this before using chroot_local_user
chroot_local_user=YES
For more security, you can also change the login shell of a dummy FTP user to something like /bin/false - which does not exist. Use the following command:
sudo usermod -s /bin/false <username>
For this to work, you have to add /bin/false to the file /etc/shells. Otherwise vsftpd will generate a login error when the user logs in using FTP.
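Because vsftpd resolves pasv_address only at startup, a small watchdog run from cron can restart it when the dynamic address changes. This is an added example, not code from the original post; the cache file path, the syslog tag and the --run argument are assumptions.

```shell
#!/bin/sh
# Added example: restart vsftpd when the address behind pasv_address changes.
CONF=${CONF:-/etc/vsftpd.conf}
STATE=${STATE:-/var/run/vsftpd-pasv.ip}   # hypothetical cache file

# Print the pasv_address value from a vsftpd.conf-style file.
pasv_host() { sed -n 's/^pasv_address=//p' "$1" | tail -n 1; }

# Accept only a dotted-quad IPv4 address with octets 0-255.
valid_ipv4() {
    case $1 in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# First IPv4 address for a host name (getent ships with glibc).
resolve_ipv4() { getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }'; }

# Return 0 and update the cache when new_ip differs from the cached address,
# 1 when unchanged, 2 when new_ip is not a valid address (cache untouched, so
# a failed or bogus lookup never causes a restart).
ip_changed() {
    state_file=$1 new_ip=$2
    valid_ipv4 "$new_ip" || return 2
    old_ip=$(cat "$state_file" 2>/dev/null || true)
    [ "$new_ip" != "$old_ip" ] || return 1
    printf '%s\n' "$new_ip" > "$state_file"
}

main() {
    host=$(pasv_host "$CONF")
    [ -n "$host" ] || { echo "pasv_address not set in $CONF" >&2; return 1; }
    ip=$(resolve_ipv4 "$host")
    if ip_changed "$STATE" "$ip"; then
        logger -t vsftpd-pasv "pasv_address $host is now $ip, restarting vsftpd"
        service vsftpd restart
    fi
}

# Run only when asked, e.g. from root's crontab with the --run argument.
if [ "${1:-}" = "--run" ]; then main; fi
```

The first run restarts vsftpd once because no address is cached yet, and every restart drops active FTP sessions.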