Problem with vsFtpd to get my FTPS working.
Hello,
I have set up an FTPS on a CentOS server using vsFtpd 2.3.4, but there seems to be a problem when I am trying to connect using FileZilla. I end up with this (I tried active and passive):
Command: LIST
Error: Connection timed out
Error: Failed to retrieve directory listing
I had no problem with the plain-text FTP. I assume it might have something to do with iptables; I'm kind of a noob, can you tell me what to change in iptables? Thanks in advance!
Welcome to LQ!
Now that said, I have had some problems with FileZilla specifically not handling pasv mode very well with a vsFTPd server. You might check with another client (like gFTP), or when you set up a new site in Site Manager (under the File menu), make sure you force it to passive mode. By the way, if you haven't seen it, this is a comparison of passive and active modes in FTP and what the firewalls have to take into account.
Thanks for the welcome.
I've just tried with BareFTP and the same thing happened: the authentication goes well, but it can't read the directory listing. The current iptables rules:
Code:
# iptables -L (the xxxxx are stuff I censored, of course)
If you're just using FTP in your LAN, you might look into using ip_conntrack_ftp in your firewall. However, if you're trying to access this through another device (like a router), you may have to lock down the passive ports so you can forward properly from your router. On my system, I've got this at the end of my vsftpd.conf:
Code:
pasv_min_port=50000
And then on the firewall I've got this:
Code:
iptables -N FTPBAN
Thanks hangdog! Now it works!
I modified vsftpd.conf according to your post and I only added this line to my iptables:
Code:
-A INPUT -p tcp -m state -m tcp --dport 50000:51000 --state NEW -j ACCEPT
But now it seems that any IP can connect to those ports, so I'm going to try to change that (it's not used in a LAN but for a server connected to the internet; the FTP is used to upload content for the website).
Code:
iptables -A INPUT -p tcp --dport 21 -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
You can limit either to specific IP addresses or to a range. If this server is directly connected to the Internet, you might want to look into using ip_conntrack_ftp. It eliminates the hassle (not that it is much of a hassle) of locking down the port range. I personally don't use it since this approach seems to work for me, but I know I've seen a lot of the folk around here with higher-volume FTP servers use it.
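A small audit script, added here as an example and not posted by anyone in this thread, that ties the two pieces above together: it reads the passive range out of vsftpd.conf and then checks an iptables-save dump for an ACCEPT rule covering that range, reporting whether the rule is missing, open to any source (the situation the previous post worries about), or restricted with `-s`. The config and rule lines at the bottom are constructed samples; only the 50000:51000 range and 192.168.1.0/24 come from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: audit whether the passive-port
# range vsftpd hands out is covered by an INPUT rule, and whether that
# rule is open to everyone or limited with -s. Sample inputs are constructed.

# Print "MIN:MAX" from a vsftpd.conf read on stdin (fields empty if unset).
pasv_range() {
    awk -F= '
        /^pasv_min_port[ \t]*=/ { min = $2 }
        /^pasv_max_port[ \t]*=/ { max = $2 }
        END {
            gsub(/[ \t]/, "", min); gsub(/[ \t]/, "", max)
            printf "%s:%s\n", min, max
        }'
}

# Classify the ACCEPT rule for "$1" (MIN:MAX) in an iptables-save dump read
# on stdin: prints "missing", "open" (no -s source match) or "restricted".
pasv_rule_status() {
    rules=$(grep -E -- "^-A INPUT .*--dport $1( |\$)" | grep -E -- '-j ACCEPT' || true)
    if [ -z "$rules" ]; then
        echo missing
    elif printf '%s\n' "$rules" | grep -v -E -- ' -s [0-9./]+ ' | grep -q .; then
        echo open            # at least one matching rule has no source filter
    else
        echo restricted
    fi
}

# Wrapper: $1 = vsftpd.conf text, $2 = iptables-save text.
audit_pasv() {
    range=$(printf '%s\n' "$1" | pasv_range)
    printf '%s\n' "$2" | pasv_rule_status "$range"
}

# Constructed sample inputs (values taken from the thread).
VSFTPD_CONF='listen=YES
ssl_enable=YES
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=51000'
OPEN_RULES='-A INPUT -p tcp -m state -m tcp --dport 50000:51000 --state NEW -j ACCEPT'
RESTRICTED_RULES='-A INPUT -s 192.168.1.0/24 -p tcp -m state -m tcp --dport 50000:51000 --state NEW -j ACCEPT'

audit_pasv "$VSFTPD_CONF" "$OPEN_RULES"          # open
audit_pasv "$VSFTPD_CONF" "$RESTRICTED_RULES"    # restricted
```

On a live box the same functions can be fed with `pasv_range < /etc/vsftpd/vsftpd.conf` and `iptables-save | pasv_rule_status 50000:51000`.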