Proftpd problems even with basic .conf

#1 Wed, 03/06/2013 - 00:24
fakemoth

Hello, just started up a new server, a KVM machine with its own IP (no router anywhere, just a bridge on the host), and everything worked. Problem is I started restoring domains, but the proftpd 1.3.3 server is not working well and I was notified by one of the users: it authenticates the user but fails listing. This I think is not a routing problem, because I disabled iptables and still no luck!

I dropped my configuration and thought to start from scratch, took it from the proftpd website and just commented the anonymous section, restarted proftpd about 100 times, and the network, and iptables, and even the VM:

# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use.  It establishes a single server
# and a single anonymous login.  It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName "ProFTPD Default Installation"
ServerType standalone
DefaultServer on

# Port 21 is the standard FTP port.
Port 21

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances 30

# Set the user and group under which the server will run.
User nobody
Group nobody

# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
DefaultRoot ~

# Normally, we want files to be overwriteable.
<Directory />
  AllowOverwrite on
</Directory>

# A basic anonymous configuration, no upload directories.  If you do not
# want anonymous users, simply delete this entire <Anonymous> section.
# <Anonymous ~ftp>
#   User ftp
#   Group ftp

  # We want clients to be able to login with "anonymous" as well as "ftp"
#   UserAlias anonymous ftp

  # Limit the maximum number of anonymous logins
#   MaxClients 10

  # We want 'welcome.msg' displayed at login, and '.message' displayed
  # in each newly chdired directory.
#   DisplayLogin welcome.msg
#   DisplayFirstChdir .message

  # Limit WRITE everywhere in the anonymous chroot
#   <Limit WRITE>
#     DenyAll
#   </Limit>
# </Anonymous>

But FileZilla keeps on telling me (doesn't work with Dolphin or any of the browsers either, no problems with other servers), with any user tried:

Status: Resolving address of ftp.mumu.ro
Status: Connecting to 80.97.65.222:21...
Status: Connection established, waiting for welcome message...
Response: 220 ProFTPD 1.3.3e Server (ProFTPD Default Installation) [::ffff:80.97.65.222]
Command: USER fakemoth
Response: 331 Password required for fakemoth
Command: PASS **********
Response: 230 User fakemoth logged in
Command: OPTS UTF8 ON
Response: 200 UTF8 set to on
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is the current directory
Command: TYPE I
Response: 200 Type set to I
Command: PASV
Response: 227 Entering Passive Mode (80,97,65,222,217,155).
Command: MLSD
Error: Connection timed out
Error: Failed to retrieve directory listing

With active mode I get the same problem with listing:

Status: Disconnected from server
Status: Resolving address of ftp.mumu.ro
Status: Connecting to 80.97.65.222:21...
Status: Connection established, waiting for welcome message...
Response: 220 ProFTPD 1.3.3e Server (ProFTPD Default Installation) [::ffff:80.97.65.222]
Command: USER fakemoth
Response: 331 Password required for fakemoth
Command: PASS **********
Response: 230 User fakemoth logged in
Command: SYST
Response: 215 UNIX Type: L8
Command: FEAT
Response: 211-Features:
Response: MDTM
Response: MFMT
Response: LANG zh-TW;ru-RU;bg-BG;zh-CN;ja-JP;ko-KR;en-US;fr-FR;it-IT
Response: TVFS
Response: UTF8
Response: MFF modify;UNIX.group;UNIX.mode;
Response: MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*;
Response: REST STREAM
Response: SIZE
Response: 211 End
Command: OPTS UTF8 ON
Response: 200 UTF8 set to on
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is the current directory
Command: TYPE I
Response: 200 Type set to I
Command: PORT 79,117,71,38,155,198
Response: 200 PORT command successful
Command: MLSD
Response: 425 Unable to build data connection: No route to host
Error: Failed to retrieve directory listing

Nothing of interest in the logs:

Mar  6 07:56:18 ns1 proftpd[10134]: ns1.mumu.ro (::ffff:79.117.71.38[::ffff:79.117.71.38]) - FTP session opened.
Mar  6 07:56:18 ns1 proftpd[10134]: ns1.mumu.ro (::ffff:79.117.71.38[::ffff:79.117.71.38]) - Preparing to chroot to directory '/home/fakemoth'
Mar  6 07:59:01 ns1 proftpd[9302]: ns1.mumu.ro (::ffff:79.117.71.38[::ffff:79.117.71.38]) - Client session idle timeout, disconnected
Mar  6 07:59:01 ns1 proftpd[9302]: ns1.mumu.ro (::ffff:79.117.71.38[::ffff:79.117.71.38]) - FTP session closed.

Just in case:

> iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
fail2ban-ProFTPD  tcp  --  anywhere             anywhere            tcp dpt:ftp
fail2ban-SSH  tcp  --  anywhere             anywhere            tcp dpt:ssh
RH-Firewall-1-INPUT  all  --  anywhere             anywhere           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        
RH-Firewall-1-INPUT  all  --  anywhere             anywhere           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       all  --  kirchoff.syncrovision.com  anywhere           
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     esp  --  anywhere             anywhere           
ACCEPT     ah   --  anywhere             anywhere           
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain state NEW
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain state NEW
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp state NEW
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp state NEW
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3 state NEW
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imap state NEW
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https state NEW
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:urd state NEW
ACCEPT     udp  --  anywhere             anywhere            udp dpt:igmpv3lite state NEW
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftps state NEW
ACCEPT     udp  --  anywhere             anywhere            udp dpt:imaps state NEW
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imaps state NEW
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3s state NEW
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:submission state NEW
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:5901 state NEW
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:commtact-http state NEW
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:ndmp:rxapi state NEW
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain fail2ban-ProFTPD (1 references)
target     prot opt source               destination        
RETURN     all  --  anywhere             anywhere           

Chain fail2ban-SSH (1 references)
target     prot opt source               destination        
RETURN     all  --  anywhere             anywhere     

By the way there is no need for other opened ports as I have the modules (first thing that came to mind when I saw "Response: 425 Unable to build data connection: No route to host", but for some weird reason in CentOS 6.3 x64 they are called nf_... and not ip_..; also checked if they are loaded - they are):

> service iptables restart
iptables: Flushing firewall rules: [  OK  ]
iptables: Setting chains to policy ACCEPT: filter mangle nat [  OK  ]
iptables: Unloading modules: [  OK  ]
iptables: Applying firewall rules: [  OK  ]
iptables: Loading additional modules: nf_conntrack nf_conntrack_netbios_ns nf_conntrack_ftp nf_conntrack_tftp [  OK  ]

What could be wrong here, any other info that you would need?

Wed, 03/06/2013 - 08:32
andreychek

Howdy,

It sounds like you're seeing the issue described here in the section "FTP Server Isn't Working":

http://www.virtualmin.com/documentation/web/faq

If you try that, does that resolve your issue?

-Eric

Wed, 03/06/2013 - 09:40
fakemoth

Thanks for your interest in this! As I said, tried with iptables stopped - it should work even without the modules. But I have them - wrote at the end. They are called nf_conntrack........ in fact in CentOS 6, don't know why. Tried with ip_conntrack........ but they do not exist. Searched the web and found out they are the same.

I know about that article because I had previous problems with my 5.x CentOS. So this is not it. Does the host influence in any way the KVM VM ? From my part, I guess not, a bridge is just a bridge, right?

Don't take the name of root in vain...

Wed, 03/06/2013 - 10:26
andreychek

Howdy,

That module isn't just about iptables -- that module can work around a whole host of issues that come up, as there's a variety of things that cause the problem you're seeing.

Certain routers and network configurations can cause that, for example, even with iptables disabled.

However, the solution to all of those problems is, in general, loading that particular module :-)

In your case, since it sounds like the module name may be slightly different, you could try this:

modprobe nf_conntrack_ftp

Or did I misunderstand, and you are in fact already using the nf_conntrack_ftp module?

I'm not sure if the host can cause that though... I honestly hadn't heard of a case of the error you're seeing where loading that module didn't fix it. But you could perhaps try loading that on the host as well, that may be worth a shot if loading it on the guest isn't working.

-Eric

Wed, 03/06/2013 - 10:35
fakemoth

The module is loaded, checked that:

> modprobe -l | grep nf_conntrack_ftp
kernel/net/netfilter/nf_conntrack_ftp.ko

The problem was somewhere else, on the host as I guessed! As soon as I added those in /etc/sysconfig on the host everything started to work miraculously and now I can take a break for like another 3 years on the FTP side :)

This is a bug recently introduced somehow, during an update or something, as a month ago it was working fine... nothing else happened, didn't mess the config, just updates.

Thanks for your help, you should get this in the documentation too ;)

Don't take the name of root in vain...

Tue, 07/16/2013 - 15:59 (Reply to #5)
seaoftea

I'm sorry but I'm trying to follow what you did to solve this problem. I have the exact same issue and I looked through everything you looked through. You said "As soon as I added those in /etc/sysconfig on the host". As soon as you added what on the host?

Any help would be super appreciated

Wed, 07/17/2013 - 04:26 (Reply to #6)
fakemoth

You have to load some modules for iptables on the host. Add in the /etc/sysconfig/iptables-config file the following (or replace what you have on the first line; I was referring to loading the modules and forgot to add the file path; it's best not to load them by hand):

IPTABLES_MODULES="nf_conntrack nf_conntrack_netbios_ns nf_conntrack_ftp nf_conntrack_tftp"

... and you are good to go!

Don't take the name of root in vain...

Fri, 03/08/2013 - 01:14
fakemoth

Hello - so, problem solved BUT :) I would like to use TLS for secure connections. As I understand it, when using TLS the conntrack modules can't take a peek into the FTP data because it's... well... encrypted. One way is to use the CCC command in the client, but I read on the FileZilla forums that this is bullshit.

So I have to use passive ports; problem is I opened a range in the firewall, put the directive in proftpd.conf, but I get the same Error: GnuTLS error -53: Error in the push function.

Can someone enlighten me on this?

TY!

Don't take the name of root in vain...
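What the conntrack FTP helper actually does with the control channel, and why TLS takes that option away, is easier to see in code. The following is an added example written for this thread; it is not code from the thread, from Virtualmin or from ProFTPD. It parses the PORT command and the 227 "Entering Passive Mode" reply exactly as they appear in the FileZilla logs above (the six decimal bytes, port = p1*256 + p2), which is the parsing nf_conntrack_ftp performs to mark the data connection RELATED, and then models the two ways a passive data connection can pass a stateful INPUT chain like the one posted: the helper's RELATED match on a plaintext control channel, or a static rule covering a PassivePorts range. The 60000-65535 range and the in-range 227 reply are constructed for the demo (ProFTPD's PassivePorts directive is real, the chosen numbers are not from the thread); the sample log is assembled from the thread's own lines.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class DataEndpoint:
    host: str
    port: int
    mode: str  # "active" (PORT sent by the client) or "passive" (227 sent by the server)


# RFC 959 encodes the data-connection address as six decimal bytes:
# four for the IPv4 address and two for the port (p1 * 256 + p2).
_PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
_PASV_RE = re.compile(r"^227\s.*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_data_endpoint(line: str) -> Optional[DataEndpoint]:
    """Turn one control-channel line into the data endpoint it announces.

    This is the parsing an FTP conntrack helper does on a plaintext control
    channel so it can 'expect' the data flow. Returns None for any line that
    is not a PORT command or a 227 reply, or whose bytes are out of range."""
    mode, m = "active", _PORT_RE.match(line)
    if m is None:
        mode, m = "passive", _PASV_RE.match(line)
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    if any(not 0 <= b <= 255 for b in (h1, h2, h3, h4, p1, p2)):
        return None
    return DataEndpoint(f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2, mode)


def expected_data_flows(transcript: str) -> List[DataEndpoint]:
    """Walk a FileZilla-style log ('Command: ...' / 'Response: ...' lines)
    and collect every data endpoint that was negotiated on the control channel."""
    flows = []
    for raw in transcript.splitlines():
        _, _, payload = raw.partition(": ")
        ep = parse_data_endpoint(payload.strip())
        if ep is not None:
            flows.append(ep)
    return flows


def data_connection_path(ep: DataEndpoint, helper_loaded: bool, control_encrypted: bool,
                         opened_passive_range: Optional[Tuple[int, int]] = None) -> str:
    """Model of how a passive data connection gets past a stateful INPUT chain
    (RELATED,ESTABLISHED accepted first, explicit port rules next, REJECT last).

    Path 1: nf_conntrack_ftp read the 227 reply in clear text and marked the
            flow RELATED.
    Path 2: a static ACCEPT rule covers the server's PassivePorts range.
    With TLS on the control channel the helper only sees ciphertext, so only
    path 2 is left. Active mode is the server connecting out to the client and
    is not governed by the server's INPUT rules, so it is reported separately."""
    if ep.mode != "passive":
        return "active: outbound from server, not covered by INPUT rules"
    if helper_loaded and not control_encrypted:
        return "accepted: RELATED via nf_conntrack_ftp"
    if opened_passive_range is not None:
        lo, hi = opened_passive_range
        if lo <= ep.port <= hi:
            return "accepted: static rule for PassivePorts range"
    return "rejected: no helper match and port outside opened range"


# Constructed sample: a subset of the two FileZilla transcripts in the thread.
SAMPLE_LOG = """Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is the current directory
Command: PASV
Response: 227 Entering Passive Mode (80,97,65,222,217,155).
Command: MLSD
Error: Connection timed out
Command: PORT 79,117,71,38,155,198
Response: 200 PORT command successful
Response: 425 Unable to build data connection: No route to host
"""

# Constructed: the PassivePorts range this demo assumes was configured and opened.
DEMO_PASSIVE_RANGE = (60000, 65535)

if __name__ == "__main__":
    for ep in expected_data_flows(SAMPLE_LOG):
        print(ep)
        print("  helper, plaintext :", data_connection_path(ep, True, False))
        print("  helper, TLS       :", data_connection_path(ep, True, True))
        print("  TLS + range opened:", data_connection_path(ep, True, True, DEMO_PASSIVE_RANGE))
```

Running it shows the point of the TLS question: with the helper loaded and a plaintext control channel the random passive port (55707 here) is accepted as RELATED, but once the control channel is encrypted that same reply is rejected unless the server has been told a PassivePorts range and the firewall opens exactly that range.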

Fri, 03/08/2013 - 08:40
andreychek

Howdy,

I hadn't run into that before, but poking around a bit on Google, I see a few folks who got that where the issue was an issue in the client.

Is there any chance you could try a different FTP client, and see if it works at that point?

-Eric

Fri, 03/08/2013 - 08:45
fakemoth

Will do and report back, I'm busy with some fried sausages, tzuica and wine, kind of a Romanian equinox tradition :)

Don't take the name of root in vain...

Fri, 03/08/2013 - 09:35
andreychek

That sounds delicious, I wish I was there to share that with you guys! I never had tzuica. I'll keep my eyes open to see if anyone has that here in the US :-)

-Eric

Wed, 07/17/2013 - 04:41
fakemoth

Late reply: correctly "Țuică" (Romanian pronunciation: [ˈt͡sujkə]; sometimes spelled tuica, tzuika, tsuika, tsuica, or tzuica) is a traditional Romanian spirit that contains 28%-60% alcohol by volume (usually 40-45%), prepared only from plums. Other spirits that are produced from some other fruit or from a cereal grain are called "rachiu" or "rachie."

In fact it was "Pălincă", which means it's distilled twice, and considered to be good in my area (Transylvania, no vampires here btw) only above 50% :) Tastes vary regarding the combination of fruits if it's not made only from plums. If we ever meet I swear you will... hmmm at least taste it if not get a little dizzy :D

Don't take the name of root in vain...
