Hi!!
I am using FileZilla to connect to FTP Server and successfully connected and listed the directory and files. I have changed the FTP port to 2121 and allowed port 20 and 2121 in my centOS 5 FW but unable to list out the files and directories.
I think FW is blocking it but don't know how...


Below is the time by time statuses of the connection:



Status: Connecting to 172.29.0.29:2121...
Status: Connection established, waiting for welcome message...
Response: 220 WELCOME!!! to my FTP Server...Now don't mess with it..ok!!
Command: USER FTP_User2
Response: 331 Please specify the password.
Command: PASS **********
Response: 230 Login successful.
Status: Server does not support non-ASCII characters.
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/"
Command: TYPE I
Response: 200 Switching to Binary mode.
Command: PASV
Response: 227 Entering Passive Mode (172,29,0,29,51,59).
Command: LIST
Error: Connection timed out
Error: Failed to retrieve directory listing

Thanx in advance for the help.

Check that:
1) your IP is allowed through the firewall
2) Passive Mode is enabled in your ftp config file

The FTP protocol uses two sockets for connection. One is for the command channel, the other is for data. When the client issues a command, it must setup a return port... and that port may not work (many firewalls/NAT devices will block it).

Using passive mode reverses the connection for the data channel, and that usually works around the problem of firewall blocking.

If you are using iptables you need to tell the ftp module of netfilter the new port 2121, which can be done when loading the module. Sorry am on my phone or would get you a link, but should be enough info for you to Google

You can use uset the host name as ftp://ipaddress.So that it will connect the server automatically.It is very secureone.

---------- Post added 03-15-13 at 01:18 AM ----------

Check the firewall once.Weither port was enable or not.otherwise enable the port number.

Post output of below commands:-

# iptables -L
# sestatus

And how did you verified FW configuration ? Post rules.

Below is the result for iptables -L:

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data flags:FIN,SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere anywhere tcp dpt:scientia-ssdb flags:FIN,SYN,RST,ACK/SYN
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT udp -- anywhere anywhere state NEW udp dpt:xdmcp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp-data
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:scientia-ssdb
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
ACCEPT tcp -- anywhere anywhere state NEW,ESTABLISHED tcp dpt:ftp-data
ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpt:ftp-data
ACCEPT tcp -- anywhere anywhere state NEW,ESTABLISHED tcp dpt:6001
ACCEPT tcp -- anywhere anywhere state NEW,ESTABLISHED tcp dpt:x11-ssh-offset
ACCEPT tcp -- anywhere anywhere state NEW,ESTABLISHED tcp dpt:6009
ACCEPT tcp -- anywhere anywhere state NEW,ESTABLISHED tcp dpt:6008
ACCEPT tcp -- anywhere anywhere state NEW,ESTABLISHED tcp dpt:6007
ACCEPT tcp -- anywhere anywhere state NEW,ESTABLISHED tcp dpt:6006
ACCEPT tcp -- anywhere anywhere state NEW,ESTABLISHED tcp dpt:6005
ACCEPT tcp -- anywhere anywhere state NEW,ESTABLISHED tcp dpt:6004
ACCEPT tcp -- anywhere anywhere state NEW,ESTABLISHED tcp dpt:6003
ACCEPT tcp -- anywhere anywhere state NEW,ESTABLISHED tcp dpt:6002
ACCEPT tcp -- anywhere anywhere state NEW,ESTABLISHED tcp dpt:6001




I have disabled selinux

Below are the rules added in /etc/sysconfig/iptables file:
-A INPUT -p tcp -m tcp --dport 20 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2121 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport
20 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2121 -j ACCEPT

I added the rules in /etc/sysconfig/iptables file. Is it ok to do this.
Actually i don't have much idea of iptables.

Those rules are fine, but you are not using port 20 you are using pasv. As above, you need to unload nf_conntrack_ftp and then load it with ports=2121 as the arguments

Using modprobe

Thank you droyden :-) I have enabled the pasv ports in /etc/vsftpd/vsftpd.conf file and mentioned max and min ports for pasv use. Allow them in my FW. My problem is now solved. Thank you very much for response :-)