Cannot connect to external FTP server from within my Docker container

To clarify, I’m trying to connect from my Docker container to an external server over FTP.

I’m able to successfully log in. But as soon as I run any command, I get this error message: 421 Service not available, remote server has closed connection

I’m able to connect to this FTP server and run commands just fine from my Mac terminal. But once I’m inside my Docker container, I get the error.

I’m guessing it’s a firewall issue on the FTP server, but I don’t know what is different about an FTP connection from a Docker container compared to my Mac itself.

Are you using the same FTP client from Terminal and Docker?

Also, you may want to read about the differences between “active” and “passive” FTP, and determine which one you’re using in Terminal. (When it’s “active” then I’d assume that your Mac somehow uses UPnP to open the required incoming ports, which will not work with Docker unless you map a range of ports, or unless you’re using host networking. When it’s “passive”, ensure you’re using that in Docker too; I feel that should work if the FTP server supports it.)

And finally: I assume it’s not SFTP nor FTPS?

I forgot to mention it before, but I’ve tried with passive mode on and passive mode off.

I just discovered that if I turn off the firewall on the FTP server, I’m able to connect with passive mode on.

However, even with the firewall turned off, I still can’t run any commands after connecting to the server. So you’re right that it must be my Docker instance blocking those incoming ports.

I’ll do some research on how to figure out which incoming ports to open and how to open them.

If the FTP server is configured properly, then a container is able to run an FTP client in passive mode…

Control questions:
– Did you enable passive mode on the FTP server?
– Did you specify a passive port range on the FTP server?
– Did you unblock the passive port range on the FTP server's firewall?

In case the ftp server does not have a public ip:
– Did you specify the WAN IP (or dyndns domain that resolves to your WAN IP) the server reports to the ftp client on which it expects the next data connection?
– Did you forward the whole passive range from WAN to your FTP server?
– If your WAN device requires the firewall to be unblocked additionally: did you do so?

No incoming ports are used on the client for PASV. Understanding the difference will really help you troubleshoot.

Sorry for the copout, any future visitors who find this post.

I ended up just configuring the FTP server to allow passive connections. It was much easier than figuring out how to enable Docker to make an active connection to the FTP server.

I just added the following lines to the vsftpd.conf (I’m using vsftpd for the FTP server):

pasv_enable=Yes
pasv_min_port=10100
pasv_max_port=10110

Then I restarted vsftpd with this command:
sudo systemctl restart vsftpd

And I added that passive port range to the ufw firewall like this:
sudo ufw allow from any to any proto tcp port 10100:10110

Then I reloaded ufw with this command:
ufw reload

Thank you for your help @avbentem and @meyay
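
Added example, not part of the thread: in passive mode the server's 227 reply tells the client which address and port to open the data connection to, so checking that reply against the allowed range shows whether the server firewall or a NAT address is the blocker. The function names and the sample replies are constructed for illustration; the port range is the one from the vsftpd.conf lines above.

```python
import ipaddress
import re

# Passive range taken from the vsftpd.conf lines in the thread.
PASV_MIN_PORT, PASV_MAX_PORT = 10100, 10110
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PASV_TUPLE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv_reply(reply):
    """Return (ip, port) from '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'."""
    match = PASV_TUPLE.search(reply)
    if not reply.startswith("227") or match is None:
        raise ValueError("not a usable 227 reply: %r" % reply)
    nums = [int(n) for n in match.groups()]
    if max(nums) > 255:
        raise ValueError("field above 255 in %r" % reply)
    # The data port is sent as two bytes, high byte first.
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def check_pasv_reply(reply, control_ip):
    """List reasons the client's outgoing data connection would fail."""
    ip, port = parse_pasv_reply(reply)
    problems = []
    if not PASV_MIN_PORT <= port <= PASV_MAX_PORT:
        problems.append("port %d is outside %d-%d, so the firewall rule does not cover it"
                        % (port, PASV_MIN_PORT, PASV_MAX_PORT))
    if ip != control_ip:
        kind = "private" if any(ipaddress.ip_address(ip) in n for n in RFC1918) else "different"
        problems.append("server advertises %s address %s, but the control connection went to %s"
                        % (kind, ip, control_ip))
    return problems


if __name__ == "__main__":
    # Constructed sample replies; 203.0.113.10 is a documentation address.
    samples = [
        "227 Entering Passive Mode (203,0,113,10,39,121).",   # port 10105, in range
        "227 Entering Passive Mode (203,0,113,10,195,80).",   # port 50000, not allowed by ufw
        "227 Entering Passive Mode (192,168,1,20,39,116).",   # LAN address behind NAT
    ]
    for line in samples:
        print(line, "->", check_pasv_reply(line, "203.0.113.10") or "ok")
```

Feed it the 227 line your FTP client shows in its verbose or debug output, together with the IP address the control connection was made to.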