Linux - Server: This forum is for the discussion of Linux software used in a server-related context.
#1, 05-16-2011, 12:24 PM
Member, Registered: May 2011, Distribution: CentOS, Fedora, Ubuntu, Debian, Posts: 32
Problem with vsFtpd getting my FTPS working.
Hello,
I have set up FTPS on a CentOS server using vsFtpd 2.3.4, but there seems to be a problem when I try to connect using FileZilla; I end up with this (I tried active and passive):
Command: LIST
Error: Connection timed out
Error: Failed to retrieve directory listing
I had no problem with plain-text FTP. I assume it might have something to do with iptables; I'm kind of a noob, can you tell me what to change in iptables?
Thanks in advance!
#2, 05-16-2011, 12:53 PM
LQ Veteran, Registered: Feb 2003, Location: Maryland, Distribution: Slackware, Posts: 7,803
Welcome to LQ!
Quote:
Originally Posted by User-N@me
I had no problem with plain-text FTP. I assume it might have something to do with iptables; I'm kind of a noob, can you tell me what to change in iptables?
A couple of things. First, if plain-text FTP works, it is not very likely that iptables is the problem. That would probably affect all FTP clients fairly equally. Second, if for some odd reason it was an iptables problem, we're not going to be able to make any suggestions without knowing what your existing rule set looks like, so you may want to post that.
Now, that said, I have had some problems with FileZilla specifically not handling pasv mode very well with a vsFTPd server. You might check with another client (like gFTP), or, when you set up a new site in Site Manager (under the File menu), make sure you force it to passive mode.
By the way, if you haven't seen it, this is a comparison of passive and active modes in FTP and what the firewalls have to take into account.
1 member found this post helpful.
#3, 05-16-2011, 02:26 PM
Member (Original Poster), Registered: May 2011, Distribution: CentOS, Fedora, Ubuntu, Debian, Posts: 32
Thanks for the welcome.
I've just tried with BareFTP and the same thing happened: the authentication goes well, but it can't read the directory listing.
The current iptables rules:
Code:
# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- xxxxxxxxxx anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- xxxxxxxxxxx anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- xxxxxxxxxxx anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- xxxxxxxxxx anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- xxxxxxxxxxx anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- xxxxxxxxx anywhere state NEW tcp dpt:ftp
ACCEPT tcp -- xxxxxxxxxxx anywhere state NEW tcp dpt:ftp
ACCEPT tcp -- xxxxxxxxxxxx anywhere state NEW tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:http state NEW
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp state NEW
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:imap
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pop3s
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:ndmp
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (0 references)
target prot opt source destination
Honestly, I don't know much about iptables...
(the xxxxx are stuff I censored, of course)
#4, 05-16-2011, 06:07 PM
LQ Veteran, Registered: Feb 2003, Location: Maryland, Distribution: Slackware, Posts: 7,803
Quote:
I've just tried with BareFTP and the same thing happened: the authentication goes well, but it can't read the directory listing.
Yeah, that sounds like the firewall getting in the way. I'm guessing from what you've posted of your firewall that the active ports are open, and that is what allows the console FTP to work. Which leaves us trying to get passive mode to work.
If you're just using FTP in your LAN, you might look into using ip_conntrack_ftp in your firewall. However, if you're trying to access this through another device (like a router), you may have to lock down the passive ports so you can forward properly from your router. On my system, I've got this at the end of my vsftpd.conf:
Code:
pasv_min_port=50000
pasv_max_port=51000
And then on the firewall I've got this:
Code:
iptables -N FTPBAN
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j FTPBAN
iptables -A FTPBAN -m recent --set --name FTP
iptables -A FTPBAN -m recent --update --seconds 60 --hitcount 4 --name FTP -j DROP
iptables -A INPUT -i eth0 -p tcp --syn -m state --state NEW --dport 20 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --syn -m state --state NEW --dport 21 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --syn -m state --state NEW --dport 50000:51000 -j ACCEPT
The first bit simply shuts down the automated login attacks that you'll see if you expose your server to the internet. The second part then accepts the traffic on the ports FTP is listening on. On my router, I forward all those ports to the server.
1 member found this post helpful.
#5, 05-16-2011, 08:07 PM
Member (Original Poster), Registered: May 2011, Distribution: CentOS, Fedora, Ubuntu, Debian, Posts: 32
Thanks hangdog! Now it works!
I modified vsftpd.conf according to your post and only added this line to my iptables:
-A INPUT -p tcp -m state -m tcp --dport 50000:51000 --state NEW -j ACCEPT
But now it seems that any IP can connect to those ports, so I'm going to try to change that (it's not used in a LAN but on a server connected to the internet; the FTP is used to upload content for the website).
#6, 05-17-2011, 08:08 AM
LQ Veteran, Registered: Feb 2003, Location: Maryland, Distribution: Slackware, Posts: 7,803
Quote:
But now it seems that any IP can connect to those ports, so I'm going to try to change that (it's not used in a LAN but on a server connected to the internet; the FTP is used to upload content for the website).
That is pretty easy; just limit the source IP addresses with the -s flag. So something like:
iptables -A INPUT -p tcp --dport 21 -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
You can limit either to specific IP addresses or to a range.
If this server is directly connected to the Internet, you might want to look into using ip_conntrack_ftp. It eliminates the hassle (not that it is much of a hassle) of locking down the port range. I personally don't use it since this approach seems to work for me, but I know I've seen a lot of the folk around here with higher-volume FTP servers use it.
1 member found this post helpful.
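Added example (not code from this thread, from vsftpd, or from any of the posters): a small Python audit that ties post #4 and post #6 together. It reads a vsftpd.conf fragment and a rule listing in the `-A CHAIN ...` form that `iptables -S` or `iptables-save` print, then reports whether the configured pasv_min_port/pasv_max_port range is actually accepted by the INPUT chain, whether that range and the control port 21 are restricted to a source allow-list with `-s`, and whether TLS is enabled without a fixed passive range. That last check matters for FTPS specifically: the ip_conntrack_ftp helper works by reading the PORT/PASV exchange on the control connection, which it cannot do once that connection is TLS-encrypted, so for FTPS the fixed range plus explicit ACCEPT rules is the approach that works. The vsftpd.conf fragment, the allow-list (203.0.113.0/24, a documentation prefix) and the "restricted" rule set are constructed sample values; the "open" rule set is the single line the original poster added in post #5.

```python
"""Audit a vsftpd passive-port range against iptables INPUT rules.

Added example for the thread above; not code from the thread or from vsftpd.
Parses rules in the `-A CHAIN ...` form printed by `iptables -S`/`iptables-save`.
"""
import ipaddress

ANY_V4 = ipaddress.ip_network("0.0.0.0/0")          # no -s given: any source
NO_ARG_OPTS = {"--syn", "--set", "--update"}         # options in this thread that take no argument

# Constructed sample vsftpd.conf fragment: FTPS with a fixed passive range.
VSFTPD_CONF = """\
ssl_enable=YES
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=51000
"""

# Constructed rule set: control port and passive range limited to an allow-list
# (203.0.113.0/24 is a documentation prefix standing in for real client addresses).
RULES_RESTRICTED = """\
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -s 203.0.113.0/24 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 50000:51000 -s 203.0.113.0/24 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
"""

# The single rule from post #5: passive range accepted from any source address.
RULES_OPEN = """\
-A INPUT -p tcp -m state -m tcp --dport 50000:51000 --state NEW -j ACCEPT
"""


def parse_conf(text):
    """Return vsftpd.conf key=value pairs, ignoring blank lines and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, val = line.partition("=")
            conf[key.strip()] = val.strip()
    return conf


def pasv_range(conf):
    """(min, max) passive range, or None unless both ends are set and ordered."""
    lo = int(conf.get("pasv_min_port", 0))
    hi = int(conf.get("pasv_max_port", 0))
    return (lo, hi) if 0 < lo <= hi else None


def parse_rule(line):
    """Parse one `-A CHAIN ...` line into a dict; None for any other line."""
    toks = line.split()
    if len(toks) < 2 or toks[0] != "-A":
        return None
    rule = {"chain": toks[1], "proto": None, "dport": None, "src": ANY_V4, "target": None}
    i = 2
    while i < len(toks):
        opt = toks[i]
        arg = toks[i + 1] if i + 1 < len(toks) else None
        if opt == "!":
            raise ValueError("negated matches (!) are not modelled: " + line)
        if opt in NO_ARG_OPTS:
            i += 1
            continue
        if opt == "-p":
            rule["proto"] = arg
        elif opt == "--dport" and arg:
            lo, _, hi = arg.partition(":")       # "21" or "50000:51000"
            rule["dport"] = (int(lo), int(hi or lo))
        elif opt == "-s" and arg:
            rule["src"] = ipaddress.ip_network(arg, strict=False)
        elif opt == "-j":
            rule["target"] = arg
        i += 2                                   # every other option consumes one argument
    return rule


def accepting(rules, lo, hi):
    """INPUT ACCEPT rules for TCP whose --dport range covers ports lo..hi."""
    return [r for r in rules
            if r["chain"] == "INPUT" and r["target"] == "ACCEPT"
            and r["proto"] == "tcp" and r["dport"] is not None
            and r["dport"][0] <= lo and r["dport"][1] >= hi]


def audit(conf_text, rules_text):
    """Compare the configured passive range with what the firewall lets in."""
    conf = parse_conf(conf_text)
    rng = pasv_range(conf)
    rules = [r for r in map(parse_rule, rules_text.splitlines()) if r]
    tls = conf.get("ssl_enable", "NO").upper() == "YES"
    pasv_rules = accepting(rules, *rng) if rng else []
    ctrl_rules = accepting(rules, 21, 21)
    return {
        "pasv_range": rng,
        # FTPS: the conntrack FTP helper cannot read an encrypted control
        # channel, so a fixed range with explicit ACCEPT rules is needed.
        "tls_without_static_range": tls and rng is None,
        "pasv_accepted": bool(pasv_rules),
        "pasv_any_source": any(r["src"] == ANY_V4 for r in pasv_rules),
        "control_accepted": bool(ctrl_rules),
        "control_any_source": any(r["src"] == ANY_V4 for r in ctrl_rules),
    }


if __name__ == "__main__":
    for name, rules in (("restricted", RULES_RESTRICTED), ("open", RULES_OPEN)):
        print(name, audit(VSFTPD_CONF, rules))
```

Run against a live box by replacing the embedded strings with the contents of /etc/vsftpd/vsftpd.conf and the output of `iptables -S INPUT`. The "open" result shows what post #5 describes: the passive range is accepted but from any source, and nothing in that single rule covers port 21. Source restriction with `-s` is only a useful control when the client addresses are stable; for roaming clients the `recent`-module rate limit from post #4 is the part that stays effective.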