Linux - ServerThis forum is for the discussion of Linux Software used in a server related context.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I have set up an FTPS on a CentOS server using vsFtpd 2.3.4 but there seems to be a problem when I am trying to connect using FileZilla, I end up with this (I tried active and passive) :
Command: LIST
Error: Connection timed out
Error: Failed to retrieve directory listing
I had no problem, with the plain text FTP. I assume it might have something to do with IPtables, I'm kind of a noob, can you tell me what to change in Iptables ?
I had no problem, with the plain text FTP. I assume it might have something to do with IPtables, I'm kind of a noob, can you tell me what to change in Iptables ?
A couple of things..... First, if plain text FTP works, it is not very likely that iptables is the problem. That would probably affect all FTP clients fairly equally. Second, if for some odd reason it was an iptables problem, we're not going to be able to make any suggestions without knowing what your existing rules set looks like, so you may want to post that.
Now that said, I have had some problems with FileZilla specifically not handling pasv mode very well with a vsFTPd server. You might check with another client (like gFTP) or when you set up a new site in Site Manager (under the File menu), make sure you force it to passive mode.
By the way, if you haven't seen it, this is an comparison of passive and active modes in FTP and what the firewalls have to take into account.
I've just tried with BareFTP and the same thing happened : the authentication goes well but it can't read the directory listing.
Yeah, that sounds like the firewall getting in the way. I'm guessing from what you've posted of your firewall, active ports are open and that is what allows the console FTP to work. Which leaves us trying to get passive mode to work.
If you're just using FTP in your LAN, you might look into using ip_conntrack_ftp in your firewall. However, if you're trying to access this through another device (like a router), you may have to lock down the passive ports so you can forward properly from your router. On my system, I've got this at the end of my vsftpd.conf:
Code:
pasv_min_port=50000
pasv_max_port=51000
And then on the firewall I've got this:
Code:
iptables -N FTPBAN
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j FTPBAN
iptables -A FTPBAN -m recent --set --name FTP
iptables -A FTPBAN -m recent --update --seconds 60 --hitcount 4 --name FTP -j DROP
iptables -A INPUT -i eth0 -p tcp --syn -m state --state NEW --dport 20 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --syn -m state --state NEW --dport 21 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --syn -m state --state NEW --dport 50000:51000 -j ACCEPT
The first bit simply shuts down the automated login attacks that you'll see if you expose your server to the internet. The second part then accepts the traffic on the ports FTP is listening to. On my router, I forward all those ports to the server.
I modified vsftpd.conf according to your post and I only added this line to my IP tables :
-A INPUT -p tcp -m state -m tcp --dport 50000:51000 --state NEW -j ACCEPT
But now it seems that any IP can connect to those ports so I'm going to try to change that (it's not used in a LAN but for a server connected to the internet, the ftp is used to uploaded content for the website).
But now it seems that any IP can connect to those ports so I'm going to try to change that (it's not used in a LAN but for a server connected to the internet, the ftp is used to uploaded content for the website).
That is pretty easy, just limit the source IP addresses with the -s flag. So something like:
iptables -A INPUT -p tcp --dport 21 -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
You can limit either to specific IP addresses or to a range.
If this server is directly connected to to the Internet, you might want to look into using ip_conntrack_ftp. It eliminates the hassle (not that it is much of a hassle) of locking down the port range. I personally don't use it since this approach seems to work for me, but I know I've seen a lot of the folk around here with higher volume FTP servers use it.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
Problem with vsFtpd to get my FTPS working.
