✓ Solved

ftp: connect: Connection timed out

Hi Guys,

I'm facing an issue on my Linode.

I'm trying to reach another server through FTP but I got…

ftp: connect: Connection timed out

Any thoughts?

TY

6 Replies

✓ Best Answer

Problem solved.

It was a misconfiguration in UFW.

If someone has the same problem, hit the command ufw status to see if rules on port 21 are correctly configured.

If you are certain that there is an FTP server running on the destination host, a connection timeout suggests that there may be a firewall dropping your traffic (either locally or on the FTP server).

Do you know if your FTP server has a firewall with an allow list? That would be the first place I'd check, followed by the local firewall on your server to make sure it isn't dropping your outbound traffic.

Thanks for the reply.
Yes the FTP server is accessible from FileZilla or other hosting.
FTP server has IP restriction and the Linode IP was added.
That said, a local firewall is blocking the outbound requests as you said.
Does Linode have an initial/basic configuration on that?

Ps: I didn't set the Linode server

To get more specific guidance, knowing more details could help:

  • Your Linode's distribution?
  • What ftp client you are using?
  • What server you are trying to connect to?
  • Are you attempting to access the remote site in active or passive mode?
  • Are you using Linode Cloud Firewalls?
  • Are you using a firewall on your Linode?
  • Are you accessing the ftp using a domain name or an IP address?
  • Is the remote server under your control?

In general "ftp: connect: Connection timed out" means that your client sent a request and waited for a while for an answer, but never got one.

Some of the reasons this could happen are:

  • The remote server is not online.
  • The remote ftp server is not running.
  • DNS is resolving the wrong IP address for the remote server and is directing you to a server that does not provide ftp.
  • A firewall is blocking access to port 21.
  • If the remote server is behind NAT, such as on a home network, port forwarding may not be configured correctly.

Hi guys, I only saw the above updates after I posted my response.

Does Linode have an initial/basic configuration on that?

FTP is not blocked, but most distributions do not install a legacy ftp command line client or server by default.

FTP server has IP restriction and the Linode IP was added.

The server may need to have its configuration reloaded to allow your Linode's IP to access it.

That said, a local firewall is blocking the outbound requests as you said. Does Linode have an initial/basic configuration on that?

In general, FTP could use two different modes, ACTIVE and/or PASSIVE. Each mode would require a separate firewall configuration on both client and server. The commands for HOW to configure the firewall depend on which firewall is being used.

I am going to update this with more specific details, but it will take time to write this up for you.

FTP Overview

What follows is an oversimplification and does not account for the possibility that FTP sessions could be directed to a server or client other than the one to which the initiating request was made. It also does not discuss NAT traversal.

FTP uses two sessions, one for control and one for data. It can operate in active mode or passive mode (if both the client and server support passive mode).

Active FTP

  • Control Connection:

    • The client uses any of the ephemeral port numbers (1024–65535) to connect to the server on port 21 and send a PORT command telling the server which port it will listen on to establish the separate data connection.

    • The server sends an ACK back over the control connection.

  • Data Connection:

    • The server opens the data connection from port 20 back to the port the client said it would be using.
    • The client sends an 'ACK' back over the data connection.

Passive FTP

  • Control Connection

    • The client uses any of the ephemeral port numbers (1024–65535) to connect to the server on port 21 and send an FTP PASV command asking the server which port the server will listen on to establish the separate data connection.
  • Data Connection:

    • The client uses another of the ephemeral port numbers to connect to the server on the port it said it would listen on. The server sends back an ACK on the data connection.

Firewall Considerations

I will discuss netfilter firewall, controlled by iptables. Your kernel must have conntrack support for ftp (this is usually the case, but I am noting it here as a potential gotcha.)

Each connection has a state, such as NEW, ESTABLISHED, or RELATED.

  • The first traffic seen by the firewall is considered NEW.

  • ESTABLISHED means the firewall has seen traffic in both directions.

  • A RELATED state means that it is related to an ESTABLISHED connection.


Client Side

  • Client Side, Active Mode or Passive Mode, Control Connection:
# The client must allow new and established outgoing traffic to port 21

iptables -A OUTPUT -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT

# The client must allow incoming traffic in response to the outgoing connection

iptables -A INPUT -p tcp -m tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
  • Client Side, Active Mode, Data Connection
# The client must now allow new incoming traffic from port 20, related to the other established connection or if it is part of this connection that has already been established.

iptables -A INPUT -p tcp -m tcp --sport 20 -m state --state RELATED,ESTABLISHED -j ACCEPT

# The client must allow outgoing traffic to port 20 from an established connection

iptables -A OUTPUT -p tcp -m tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
  • Client Side, Passive Mode, Data Connection:
# Allow outbound connections from an ephemeral port for a related connection
iptables -A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow inbound connections to continue
iptables -A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

Server Side

  • Server Side, Control Connection
# Allow inbound connections from an example client
iptables -A INPUT -s 192.0.2.13/32 -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
# Allow response outbound
iptables -A OUTPUT -p tcp -m tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
  • Server Side, Active Mode, Data Connection
# Allow outbound connection from port 20 to the port the client said it would be using
iptables -A OUTPUT -p tcp -m tcp --sport 20 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow client to respond to established connection
iptables -A INPUT -p tcp -m tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
  • Server Side, Passive Mode, Data Connection
# Server allows incoming connection on the port it told client about
iptables -A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow established connections to continue
iptables -A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
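
An added example, not part of the thread above: the PORT command and the 227 reply to PASV both carry the data port as h1,h2,h3,h4,p1,p2 (port = p1 × 256 + p2), and this Python code reads a control-channel transcript to show which side's firewall has to accept the inbound data connection and whether the announced address matches the control peer. The names `DataConn`, `parse_control_line` and `data_connections` are hypothetical, and the transcript and the server address 198.51.100.7 are constructed sample values.

```python
import re
from typing import List, NamedTuple, Optional

class DataConn(NamedTuple):
    mode: str           # "active" (PORT) or "passive" (227 reply to PASV)
    listener: str       # side whose firewall must accept the inbound data SYN
    host: str           # address announced on the control connection
    port: int           # data port = p1 * 256 + p2
    host_matches: bool  # announced host equals the expected control peer

# h1,h2,h3,h4,p1,p2 as carried by both PORT and the 227 reply (RFC 959)
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_control_line(line: str, client_ip: str, server_ip: str) -> Optional[DataConn]:
    """Return the data connection announced by one control-channel line, or None."""
    line = line.strip()
    if line.upper().startswith("PORT "):
        mode, listener, expected = "active", "client", client_ip
    elif line.startswith("227"):
        mode, listener, expected = "passive", "server", server_ip
    else:
        return None  # not a line that negotiates a data port
    m = _HOSTPORT.search(line)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in: " + line)
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in: " + line)
    host = ".".join(str(n) for n in nums[:4])
    return DataConn(mode, listener, host, nums[4] * 256 + nums[5], host == expected)

def data_connections(transcript: str, client_ip: str, server_ip: str) -> List[DataConn]:
    """Collect every data connection negotiated in a control-channel transcript."""
    parsed = (parse_control_line(l, client_ip, server_ip) for l in transcript.splitlines())
    return [conn for conn in parsed if conn is not None]

# Constructed sample: 192.0.2.13 is the example client address used in the rules above.
SAMPLE = """\
USER demo
PASV
227 Entering Passive Mode (198,51,100,7,156,64)
PORT 192,0,2,13,195,80
200 PORT command successful
PORT 10,0,0,5,195,81
"""

if __name__ == "__main__":
    for c in data_connections(SAMPLE, "192.0.2.13", "198.51.100.7"):
        note = "" if c.host_matches else "  <- announced host differs from control peer"
        print(f"{c.mode:7} data SYN must be accepted by the {c.listener} at {c.host}:{c.port}{note}")
```

A mismatch between the announced host and the control peer, as in the last sample line, is the case the overview sets aside: a data connection directed somewhere other than the host that opened the session, or a private address leaking through NAT.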
