# [CLOSED] tcp sockets unable to connect

## trossachs

Having just started a major update of a VERY old box, I've run into problems with sockets. Some programs will start and some won't. For example, vsftpd:

```
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      7155/imap-login
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      14927/slapd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      16753/mysqld
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      7155/imap-login
tcp        0      0 0.0.0.0:6612            0.0.0.0:*               LISTEN      15002/sshd
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      6258/vsftpd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      6157/master
tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN      14927/slapd
tcp6       0      0 :::993                  :::*                    LISTEN      7155/imap-login
tcp6       0      0 :::389                  :::*                    LISTEN      14927/slapd
tcp6       0      0 :::139                  :::*                    LISTEN      7027/smbd
tcp6       0      0 :::143                  :::*                    LISTEN      7155/imap-login
tcp6       0      0 :::80                   :::*                    LISTEN      2235/httpd
tcp6       0      0 :::6612                 :::*                    LISTEN      15002/sshd
tcp6       0      0 :::636                  :::*                    LISTEN      14927/slapd
tcp6       0      0 :::445                  :::*                    LISTEN      7027/smbd
```

This will open internally with port 21, but I am unable to bind this to port 21 to enable access from outside. There was an issue with pam, but I removed some old modules which were causing pam 1.1.5 to fail during emerge. Is there anything I have missed?

Things like Dovecot and Apache are ok, but for some reason Vsftpd, which is what I really need, won't open a port.

This was the original module located within /etc/pam.d/vsftpd:

```
# Customized login using htpasswd file
auth    required pam_pwdfile.so pwdfile /var/www/conf/users
account required pam_permit.so
```

Last edited by trossachs on Fri Nov 04, 2011 5:52 pm; edited 1 time in total

----------

## eccerr0r

Not sure what you mean by "open a port" - usually that means the client side opening a connection...

By your netstat -l, it does look like vsftp is binding itself and listening to port 21.  It sounds like you can connect locally via "localhost"?

How about another machine on your same subnet/using your external IP address instead of "localhost"?

Are you sure your ISP is not filtering FTP connection requests coming in, if that's the "external" connections you're trying to open?

----------

## trossachs

Thanks for your reply eccerr0r and I apologise if I have not made myself clear.

You are correct in that I can connect via my local LAN to this machine, but I cannot connect externally. My ISP doesn't filter anything as I have business DSL and the box was working until it started to break at the seams. We then began an update.

Normally you would see a tcp connection like this for example:

```
tcp6       0      0 :::21                  :::*                    LISTEN      6258/vsftpd 
```

But this is not the case now and I was wondering if it could be something to do with pam given that I have had some trouble with it when I did an emerge world which is just currently entering its last cycle.

Because the socket does not appear, I am wondering if vsftpd is able to listen for external connections.

----------

## Hu

According to the output from netstat -l, your vsftpd is listening on the IPv4 wildcard address.  Since you can connect to it from other machines internally, that further supports the idea that it is working properly.  You might have a packet filter on the box that refuses connections from non-reserved addresses or your NAT device might be misconfigured.  What happens if you run tcpdump -p -n 'tcp and port 21', then connect from outside?  Do you capture any traffic?  If yes, then the system is filtering it locally.  If no, then you need to fix the configuration on your NAT device.

----------

## eccerr0r

How are you routing ipv6 packets to your computer?  Is that, or any other ipv6 application working?

The line that you indicate means that vsftpd (you want or) would be listening to ipv6 requests.  Did you intend for ipv6 connections from the outside?  Did you enable ipv6 for vsftp in its configs?  (Sorry, I never used vsftpd before or ipv6, just guessing here.)

----------

## trossachs

I was thinking that actually eccerr0r. I haven't got any ipv6 stuff on the box unless I have enabled it in error. This could also explain the other socket errors I have got at the moment.

----------

## trossachs

All sorted. Have reconfigured vsftpd and I can now reach it from the outside:

```
tcp6       0      0 :::21                   :::*                    LISTEN      23419/vsftpd  
```

----------

## eccerr0r

I guess I like putting post-mortems when things still don't make sense to the debuggers...

I think vsftpd probably only enables IPV4 by default.  According to the initial netstat listeners report, this appears to be true and listening to ipv4.  However IPV6 does not appear to be on, and that is shown.  Then it's claimed that the missing listener is actually ipv6.   But the wringer is that the original poster claims that ipv6 is not being used despite all the ipv6 hints that have been given.

The vsftp reconfiguration which remains a mystery may include just enabling ipv6 support.  If that ended up the true issue and ipv6 really was being used, then all the facts finally line up and someone could find this thread useful in the future.

----------

## trossachs

Very true eccerr0r.

```
listen_ipv6=yes
```

----------
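The comparison the thread makes by eye (which services have a `tcp` row, a `tcp6` row, or both) can be scripted. The following is an added example, not part of any post above; the function names `sample_listing` and `classify_listeners` are hypothetical, and the sample rows are a constructed subset of the netstat listing in the first post.

```shell
#!/bin/sh
# Added example: summarise TCP listeners per port by address family.

# Constructed sample: a few rows taken from the netstat listing in the thread.
sample_listing() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      7155/imap-login
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      16753/mysqld
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      6258/vsftpd
tcp6       0      0 :::993                  :::*                    LISTEN      7155/imap-login
tcp6       0      0 :::80                   :::*                    LISTEN      2235/httpd
EOF
}

# Reads `netstat -ltnp` rows on stdin and prints one line per port/program:
#   <port> <program> v4=<bind address or -> v6=<bind address or ->
# Note: on Linux a tcp6 wildcard (::) listener also accepts IPv4 clients
# unless net.ipv6.bindv6only=1 or the program sets IPV6_V6ONLY, so "v4=-"
# next to "v6=::" does not by itself mean the service is unreachable over IPv4.
classify_listeners() {
  awk '
    ($1 == "tcp" || $1 == "tcp6") && $6 == "LISTEN" {
      port = $4; sub(/.*:/, "", port)            # text after the last colon
      host = substr($4, 1, length($4) - length(port) - 1)
      prog = $7; sub(/^[0-9]+\//, "", prog)      # drop the PID prefix
      key = port " " prog
      seen[key] = 1
      if ($1 == "tcp") v4[key] = host; else v6[key] = host
    }
    END {
      for (k in seen)
        printf "%s v4=%s v6=%s\n", k, ((k in v4) ? v4[k] : "-"), ((k in v6) ? v6[k] : "-")
    }
  ' | sort -n
}

sample_listing | classify_listeners
```

On a live host, pipe `netstat -ltnp` into `classify_listeners` instead of the sample; a `127.0.0.1` in the `v4=` column marks a service bound to loopback only.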

