proftp and passive mode

#1 Fri, 01/08/2010 - 07:10
ChrisBlackwell

I've had to move my VM install to a new box as the old one is failing, and we're having trouble getting proftpd to accept passive connections. In fact some clients (FireFTP) won't connect in active mode either, but that could just be the clients. Windows command line ftp and FileZilla will connect in active mode fine though.

After a successful login I get the following in the FileZilla console:

Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is current directory.
Command: TYPE I
Response: 200 Type set to I
Command: PASV
Response: 227 Entering Passive Mode (88,208,218,156,229,11).
Command: LIST
Error: Connection timed out
Error: Failed to retrieve directory listing

and the corresponding login in proftpd's log looks like:

::ffff:94.171.227.76 UNKNOWN nobody [08/Jan/2010:13:10:27 +0000] "USER btg" 331 -
::ffff:94.171.227.76 UNKNOWN btg[08/Jan/2010:13:10:30 +0000] "PASS (hidden)" 230 -
::ffff:94.171.227.76 UNKNOWN btg [08/Jan/2010:13:10:30 +0000] "PWD" 257 -
::ffff:94.171.227.76 UNKNOWN btg [08/Jan/2010:13:10:30 +0000] "TYPE I" 200 -
::ffff:94.171.227.76 UNKNOWN btg [08/Jan/2010:13:10:30 +0000] "PASV" 227 -

I read Joe's last post to this thread, in which he mentions either allowing all high ports or RELATED connections through the firewall, and I think that's what I've got in my config:

[root@web1 ~]# iptables --list
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
...
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp state NEW
...
DROP all -- anywhere anywhere

We're running CentOS 5.4 and ProFTPD 1.3.0a.
Does anyone have any idea what the issue could be?

Cheers, Chris

Fri, 01/08/2010 - 09:01
andreychek

Howdy,

Sounds like you may need an FTP tracking module to help iptables out... try running:

modprobe ip_conntrack_ftp

And then try FTP again and see if that helps.

-Eric
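Why the listing times out only when the conntrack helper is missing is easier to see by working through the 227 reply from the first post against the posted INPUT chain. The following is an added example, not code from the thread or from ProFTPD: it decodes the PASV reply per RFC 959 (data port = p1*256 + p2), then models the firewall decision for the client's data-connection SYN with and without ip_conntrack_ftp loaded. The chain model is a simplification of the `iptables --list` output in the post; the first unconditional ACCEPT (almost certainly a loopback-interface rule, since plain `--list` hides interfaces) and the elided `...` rules are left out.

```python
from __future__ import annotations
import re

# Constructed input: the 227 reply pasted in the original post.
PASV_REPLY = "227 Entering Passive Mode (88,208,218,156,229,11)."

FTP_PORT, FTP_DATA_PORT = 21, 20

_PASV_RE = re.compile(
    r"^227\b[^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply: str) -> tuple[str, int]:
    """Decode an RFC 959 227 reply: (h1,h2,h3,h4,p1,p2) -> ("h1.h2.h3.h4", p1*256+p2)."""
    m = _PASV_RE.match(reply.strip())
    if m is None:
        raise ValueError(f"not a PASV 227 reply: {reply!r}")
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"byte out of range in PASV reply: {reply!r}")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("PASV reply advertises port 0")
    return host, port


def conntrack_state(helper_loaded: bool) -> str:
    """How conntrack classifies the client's SYN to the advertised data port.

    With ip_conntrack_ftp loaded, the helper has parsed the 227 reply on the
    control connection and registered an expectation, so the SYN is RELATED.
    Without it the kernel sees an unsolicited SYN to a high port: NEW.
    """
    return "RELATED" if helper_loaded else "NEW"


def input_chain_verdict(dport: int, state: str) -> str:
    """Model of the posted INPUT chain (policy DROP), elided rules omitted:
    ACCEPT state RELATED,ESTABLISHED; ACCEPT tcp dpt:ftp-data state NEW;
    ACCEPT tcp dpt:ftp state NEW; final DROP."""
    if state in ("RELATED", "ESTABLISHED"):
        return "ACCEPT"
    if state == "NEW" and dport in (FTP_DATA_PORT, FTP_PORT):
        return "ACCEPT"
    return "DROP"


def passive_data_verdict(reply: str, helper_loaded: bool) -> tuple[int, str, str]:
    """Return (data_port, conntrack_state, verdict) for the data connection
    the client opens after receiving the given PASV reply."""
    _, port = parse_pasv(reply)
    state = conntrack_state(helper_loaded)
    return port, state, input_chain_verdict(port, state)


if __name__ == "__main__":
    for loaded in (False, True):
        port, state, verdict = passive_data_verdict(PASV_REPLY, loaded)
        print(f"helper loaded={loaded}: SYN to port {port} is {state} -> {verdict}")
```

For the reply in the post the data port is 229*256 + 11 = 58635. Without the helper that SYN is NEW and matches neither the ftp nor the ftp-data rule, so it falls through to the final DROP and the client sits in LIST until it times out, which is exactly what the FileZilla log shows; with the helper it is RELATED and accepted by the first state rule.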

Fri, 01/08/2010 - 09:15 (Reply to #2)
ChrisBlackwell

Thanks, that's got it working. Now, what should I do to make sure that is loaded after a reboot?

EDIT:

I've added it to /etc/sysconfig/iptables-config:

IPTABLES_MODULES="ip_conntrack_netbios_ns ip_conntrack_ftp"

Everything seems to work fine after I do a service iptables restart, so hopefully that's the right thing.

Cheers, Chris

Fri, 01/08/2010 - 09:19 (Reply to #3)
andreychek

Oh that's wonderful, I was just starting to look into how CentOS handles loading modules such as that.

I'm glad it works, thanks for the update!

-Eric

Thu, 03/18/2010 - 16:11
Junaid

Hello, just registered to say thanks for providing the information on this fix and the update. Saving the module in the iptables-config file resolved the issues with FTP clients being unable to connect to our development server in passive mode. Thanks.

Thu, 04/08/2010 - 01:23
lvsys

To make this change permanent on Ubuntu, add the "ip_conntrack_ftp" module to the list of modules in /etc/modules so that it's available on reboot too.

I just had this problem on my server; not sure what caused it to fail, since it worked so well for a few days.
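Both persistence methods in the thread (the `IPTABLES_MODULES` line in /etc/sysconfig/iptables-config on CentOS, and a module name on its own line in /etc/modules on Ubuntu) are a one-line edit that is easy to get wrong when scripted: duplicating the line, or clobbering the modules that are already listed. The following is an added example, not code from the thread: two idempotent editors that work on the file contents as strings, tested against constructed sample files rather than the real ones. It assumes the `IPTABLES_MODULES=` line carries no trailing shell comment.

```python
from __future__ import annotations
import re

# Constructed sample contents; neither is a real file from the thread.
CENTOS_IPTABLES_CONFIG = '''# Load additional iptables modules (nat helpers)
IPTABLES_MODULES="ip_conntrack_netbios_ns"
IPTABLES_MODULES_UNLOAD="yes"
'''

UBUNTU_ETC_MODULES = '''# /etc/modules: kernel modules to load at boot time.
loop
'''

# Name used on the CentOS 5 kernel in the thread; on newer kernels the
# helper is called nf_conntrack_ftp.
MODULE = "ip_conntrack_ftp"

_MODULES_LINE = re.compile(r"^([ \t]*IPTABLES_MODULES=)(.*)$", re.M)


def ensure_iptables_module(text: str, module: str = MODULE) -> str:
    """Return iptables-config text with `module` in IPTABLES_MODULES (idempotent).

    Existing modules on the line are preserved; the value is re-emitted
    double-quoted. If there is no IPTABLES_MODULES line, one is appended.
    """
    m = _MODULES_LINE.search(text)
    if m is None:
        sep = "" if text == "" or text.endswith("\n") else "\n"
        return f'{text}{sep}IPTABLES_MODULES="{module}"\n'
    raw = m.group(2).strip()
    # Strip one layer of matching quotes, then split the space-separated list.
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'":
        raw = raw[1:-1]
    modules = raw.split()
    if module in modules:
        return text
    modules.append(module)
    new_line = f'{m.group(1)}"{" ".join(modules)}"'
    return text[: m.start()] + new_line + text[m.end():]


def ensure_etc_modules(text: str, module: str = MODULE) -> str:
    """Return /etc/modules text with `module` on its own line (idempotent).

    Blank lines and '#' comments are ignored when checking; a module name
    may be followed by options on the same line.
    """
    for line in text.splitlines():
        stripped = line.split("#", 1)[0].strip()
        if stripped and stripped.split()[0] == module:
            return text
    sep = "" if text == "" or text.endswith("\n") else "\n"
    return f"{text}{sep}{module}\n"


if __name__ == "__main__":
    print(ensure_iptables_module(CENTOS_IPTABLES_CONFIG))
    print(ensure_etc_modules(UBUNTU_ETC_MODULES))
```

Running either editor twice yields identical output, so it is safe in a configuration-management run; on a real host you would read the file, pass its contents through, and write the result back only if it changed.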
