I'm trying to reach my server's FTP-port by its Elastic IP. I've configured the security group as follows:

Inbound

| Type | Protocol | Port Range | Destination |
|---|---|---|---|
| All traffic | All | All | 10.0.0.0/8 |
| Custom TCP Rule | TCP | 20 - 21 | 0.0.0.0/0 |
| Custom TCP Rule | TCP | 2048 - 10240 | 0.0.0.0/0 |

Outbound

| Type | Protocol | Port Range | Destination |
|---|---|---|---|
| All traffic | All | All | 0.0.0.0/0 |

But I still can not get a response, when FTP-ing from the outside. Running tcpdump on the server, I see the connection come in:

```
108.53.86.X.60187 > 10.95.76.163.ftp: Flags [S], cksum 0xe8e3 (correct), seq 2617787548, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 4094985480 ecr 0], length 0
```

The server replies right away too:

```
10.95.76.163.ftp > 108.53.86.X.60187: Flags [S.], cksum 0x79e2 (correct), seq 2393660903, ack 2617787549, win 17898, options [mss 8961,sackOK,TS val 2177008039 ecr 4094927043,nop,wscale 7], length 0
```

but the connecting client never receives the reply...

It must be something foolishly obvious, but I am at a loss... Any ideas? Thank you!

Update: I just tried ssh-ing out of the server into the external box -- successfully. However, the IP-address seen on the external box is different from the Elastic IP I tried to FTP into. Is this a manifestation of a problem with default routing? The server uses the same private igw as all other systems on the VPC, but none of them need to accept direct connections...

Mikhail T.
  • What does the ftp log on the server side say? Can you post the client command and output? – dmourati Jun 02 '15 at 01:16
  • Does not say anything -- the initial connection is never established... Tcpdump reports packets arriving to the server and responses being sent, but the client never hears them for some reason. The client is simple command-line `ftp el.ast.ic.ip` – Mikhail T. Jun 02 '15 at 01:19
  • Try tcpdump on the client? – dmourati Jun 02 '15 at 04:22
  • Look at iptables output on the server? – dmourati Jun 02 '15 at 04:30
  • If VPC, have you tampered with the Network ACLs in your VPC? (Hint: don't; default config there is allow all... put it back, if you changed it). – Michael - sqlbot Jun 02 '15 at 10:32
  • tcpdump on the client lists no responses at all. iptables on the server is fully permissive (no rules whatsoever). Michael, yes, this server is on a VPC -- but with an Elastic IP of its own. What rules should I check? Normally, we don't allow _any_ external traffic to the, so the fact that I'm seeing _something_ reaching this server led me to believe, I enabled the proper exceptions... No? – Mikhail T. Jun 02 '15 at 12:37

0 Answers