LinuxQuestions.org


User-N@me 05-16-2011 11:24 AM

Problem with vsFtpd to get my FTPS working.
 
Hello,

I have set up an FTPS on a CentOS server using vsFtpd 2.3.4, but there seems to be a problem when I am trying to connect using FileZilla. I end up with this (I tried active and passive):

Command: LIST
Error: Connection timed out
Error: Failed to retrieve directory listing

I had no problem with the plain text FTP. I assume it might have something to do with iptables. I'm kind of a noob; can you tell me what to change in iptables?

Thanks in advance!

Hangdog42 05-16-2011 11:53 AM

Welcome to LQ!

Quote:

Originally Posted by User-N@me
I had no problem with the plain text FTP. I assume it might have something to do with iptables. I'm kind of a noob; can you tell me what to change in iptables?

A couple of things..... First, if plain text FTP works, it is not very likely that iptables is the problem. That would probably affect all FTP clients fairly equally. Second, if for some odd reason it was an iptables problem, we're not going to be able to make any suggestions without knowing what your existing rules set looks like, so you may want to post that.

Now that said, I have had some problems with FileZilla specifically not handling pasv mode very well with a vsFTPd server. You might check with another client (like gFTP) or when you set up a new site in Site Manager (under the File menu), make sure you force it to passive mode.

By the way, if you haven't seen it, this is a comparison of passive and active modes in FTP and what the firewalls have to take into account.

User-N@me 05-16-2011 01:26 PM

Thanks for the welcome.

I've just tried with BareFTP and the same thing happened: the authentication goes well but it can't read the directory listing.

The current IPtables rules :

Code:

# iptables -L
Chain INPUT (policy DROP)
target    prot opt source              destination       
ACCEPT    tcp  --  xxxxxxxxxx  anywhere            state NEW tcp dpt:ssh
ACCEPT    tcp  --  xxxxxxxxxxx  anywhere            state NEW tcp dpt:ssh
ACCEPT    tcp  --  xxxxxxxxxxx  anywhere            state NEW tcp dpt:ssh
ACCEPT    tcp  --  xxxxxxxxxx  anywhere            state NEW tcp dpt:ssh
ACCEPT    tcp  --  xxxxxxxxxxx  anywhere            state NEW tcp dpt:ssh
ACCEPT    tcp  --  xxxxxxxxx  anywhere            state NEW tcp dpt:ftp
ACCEPT    tcp  --  xxxxxxxxxxx  anywhere            state NEW tcp dpt:ftp
ACCEPT    tcp  --  xxxxxxxxxxxx  anywhere            state NEW tcp dpt:ftp
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:http state NEW
ACCEPT    tcp  --  anywhere            anywhere            state NEW tcp dpt:https
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:smtp state NEW
ACCEPT    tcp  --  anywhere            anywhere            state NEW tcp dpt:pop3
ACCEPT    tcp  --  anywhere            anywhere            state NEW tcp dpt:imap
ACCEPT    tcp  --  anywhere            anywhere            state NEW tcp dpt:imaps
ACCEPT    tcp  --  anywhere            anywhere            state NEW tcp dpt:pop3s
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:domain
ACCEPT    udp  --  anywhere            anywhere            udp dpt:domain
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:ndmp
ACCEPT    all  --  anywhere            anywhere           
ACCEPT    all  --  anywhere            anywhere            state RELATED,ESTABLISHED
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:ftp

Chain FORWARD (policy DROP)
target    prot opt source              destination       

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination       

Chain RH-Firewall-1-INPUT (0 references)
target    prot opt source              destination

Honestly I don't know much about iptables ...
(the xxxxx are stuff I censored, of course)

Hangdog42 05-16-2011 05:07 PM

Quote:

I've just tried with BareFTP and the same thing happened : the authentication goes well but it can't read the directory listing.
Yeah, that sounds like the firewall getting in the way. I'm guessing from what you've posted of your firewall, active ports are open and that is what allows the console FTP to work. Which leaves us trying to get passive mode to work.

If you're just using FTP in your LAN, you might look into using ip_conntrack_ftp in your firewall. However, if you're trying to access this through another device (like a router), you may have to lock down the passive ports so you can forward properly from your router. On my system, I've got this at the end of my vsftpd.conf:

Code:

pasv_min_port=50000
pasv_max_port=51000


And then on the firewall I've got this:
Code:

iptables -N FTPBAN
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j FTPBAN
iptables -A FTPBAN -m recent --set --name FTP
iptables -A FTPBAN -m recent --update --seconds 60 --hitcount 4 --name FTP -j DROP

iptables -A INPUT -i eth0 -p tcp --syn -m state --state NEW --dport 20 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --syn -m state --state NEW --dport 21 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --syn -m state --state NEW --dport 50000:51000 -j ACCEPT

The first bit simply shuts down the automated login attacks that you'll see if you expose your server to the internet. The second part then accepts the traffic on the ports FTP is listening to. On my router, I forward all those ports to the server.

User-N@me 05-16-2011 07:07 PM

Thanks hangdog! Now it works!

I modified vsftpd.conf according to your post and I only added this line to my iptables:

Code:

-A INPUT -p tcp -m state -m tcp --dport 50000:51000 --state NEW -j ACCEPT

But now it seems that any IP can connect to those ports, so I'm going to try to change that (it's not used in a LAN but for a server connected to the internet; the ftp is used to upload content for the website).

Hangdog42 05-17-2011 07:08 AM

Quote:

But now it seems that any IP can connect to those ports, so I'm going to try to change that (it's not used in a LAN but for a server connected to the internet; the ftp is used to upload content for the website).
That is pretty easy, just limit the source IP addresses with the -s flag. So something like:

Code:

iptables -A INPUT -p tcp --dport 21 -s 192.168.1.0/24 -m state --state NEW -j ACCEPT

You can limit either to specific IP addresses or to a range.
If this server is directly connected to the Internet, you might want to look into using ip_conntrack_ftp. It eliminates the hassle (not that it is much of a hassle) of locking down the port range. I personally don't use it since this approach seems to work for me, but I know I've seen a lot of the folk around here with higher volume FTP servers use it.
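Putting the two pieces of advice in this thread together (a fixed pasv_min_port/pasv_max_port range in vsftpd.conf, and iptables rules limited with -s), here is an added example, not code from anyone in the thread: a small POSIX sh script that reads the passive range out of a vsftpd.conf, sanity-checks it, and prints the matching iptables commands for each allowed source network. The config file, the 203.0.113.0/24 and 198.51.100.7 sources, and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): derive iptables ACCEPT rules for
# vsftpd's passive data range, restricted to allowed source networks.
# The commands are printed, not applied, so they can be reviewed first.

# Print the numeric value of a key=value setting from a vsftpd.conf
# (last occurrence wins, as vsftpd itself does); prints nothing if unset.
vsftpd_setting() {
    # $1 = config file, $2 = setting name
    sed -n "s/^[[:space:]]*$2=\([0-9]*\)[[:space:]]*$/\1/p" "$1" | tail -n 1
}

# Print one rule pair (control port 21 + passive range) per allowed source.
# Fails when the range is missing, below 1024, inverted, or above 65535.
pasv_rules() {
    conf=$1; shift
    min=$(vsftpd_setting "$conf" pasv_min_port)
    max=$(vsftpd_setting "$conf" pasv_max_port)
    if [ -z "$min" ] || [ -z "$max" ]; then
        echo "pasv_min_port/pasv_max_port not set in $conf" >&2; return 1
    fi
    if [ "$min" -lt 1024 ] || [ "$min" -gt "$max" ] || [ "$max" -gt 65535 ]; then
        echo "invalid passive range $min:$max" >&2; return 1
    fi
    for src in "$@"; do
        echo "iptables -A INPUT -p tcp -s $src --dport 21 -m state --state NEW -j ACCEPT"
        echo "iptables -A INPUT -p tcp -s $src --dport $min:$max -m state --state NEW -j ACCEPT"
    done
}

# Write a constructed vsftpd.conf (same range as the thread) and print its path.
sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real server's config
listen=YES
ssl_enable=YES
pasv_min_port=50000
pasv_max_port=51000
EOF
    echo "$f"
}

# Demo: rules for one constructed uploader network.
pasv_rules "$(sample_conf)" 203.0.113.0/24
```

With FTPS the control channel is encrypted, so an ip_conntrack_ftp helper cannot read the PASV reply to open the data port dynamically; the explicit range is what makes FTPS listings work through a filter. Keep the generated rules after the RELATED,ESTABLISHED rule already in the chain and list only the networks that actually upload.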
