I've had to move my VM install to a new box as the old one is failing, and we're having trouble getting proftpd to accept passive connections; in fact some clients (FireFTP) won't connect in active mode either, but that could just be the clients. Windows command-line ftp and FileZilla will connect in active mode fine, though.
After a successful login I get the following in the FileZilla console:
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is current directory.
Command: TYPE I
Response: 200 Type set to I
Command: PASV
Response: 227 Entering Passive Mode (88,208,218,156,229,11).
Command: LIST
Error: Connection timed out
Error: Failed to retrieve directory listing
and the corresponding login in proftpd's log looks like:
::ffff:94.171.227.76 UNKNOWN nobody [08/Jan/2010:13:10:27 +0000] "USER btg" 331 -
::ffff:94.171.227.76 UNKNOWN btg [08/Jan/2010:13:10:30 +0000] "PASS (hidden)" 230 -
::ffff:94.171.227.76 UNKNOWN btg [08/Jan/2010:13:10:30 +0000] "PWD" 257 -
::ffff:94.171.227.76 UNKNOWN btg [08/Jan/2010:13:10:30 +0000] "TYPE I" 200 -
::ffff:94.171.227.76 UNKNOWN btg [08/Jan/2010:13:10:30 +0000] "PASV" 227 -
I read Joe's last post in this thread, in which he mentions either allowing all high ports or RELATED connections through the firewall, and I think that's what I've got in my config:
[root@web1 ~]# iptables --list
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
...
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp state NEW
...
DROP all -- anywhere anywhere
We're running Centos 5.4 and ProFTPD 1.3.0a.
Does anyone have any idea what the issue could be?
Cheers, Chris
Howdy,
Sounds like you may need an FTP connection-tracking module to help iptables out; try running:
modprobe ip_conntrack_ftp
And then try FTP again and see if that helps.
-Eric
Thanks, that's got it working. Now, what should I do to make sure that is loaded after a reboot?
EDIT:
I've added it to /etc/sysconfig/iptables-config:
IPTABLES_MODULES="ip_conntrack_netbios_ns ip_conntrack_ftp"
Everything seems to work fine after I do a
service iptables restart
so hopefully that's the right thing. Cheers, Chris
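Added example, not code from the thread or from the ProFTPD project: a small POSIX shell script that shows why the fix above works. It decodes the 227 reply from the FileZilla output (the data port is p1*256 + p2, so 229,11 is port 58635), models the INPUT chain posted in the question (policy DROP, RELATED/ESTABLISHED accepted, only ftp and ftp-data open as NEW) to show that the data connection is dropped unless the FTP conntrack helper marks it RELATED or an explicit port range is opened, and prints the rule set for both approaches. The PassivePorts range 60000-60100 and the function names are assumptions for illustration; the script only prints iptables commands and never runs them.

```shell
#!/bin/sh
# Added example (not from the thread). Decodes a PASV reply, checks it against
# a model of the INPUT chain from the question, and prints the rules for a
# working passive-FTP setup. Prints commands only; nothing is applied.

# Turn "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)." into "h1.h2.h3.h4 port".
# The client connects to that socket for LIST/RETR, so the firewall must let it in.
pasv_endpoint() {
    tuple=${1#*\(}                 # drop everything through the '('
    tuple=${tuple%%\)*}            # drop the ')' and anything after it
    set -- $(printf '%s' "$tuple" | tr ',' ' ')
    [ "$#" -eq 6 ] || return 1
    printf '%s.%s.%s.%s %d\n' "$1" "$2" "$3" "$4" "$(( $5 * 256 + $6 ))"
}

# Model of the chain in the question: a passive data connection arrives as a
# NEW connection on a high port, so it is accepted only if the FTP helper tied
# it to the control channel (RELATED) or a rule opens the PassivePorts range.
#   $1 = yes|no  (ip_conntrack_ftp loaded)
#   $2 = data port from pasv_endpoint
#   $3 $4 = port range explicitly opened in the firewall (0 0 = none)
data_conn_allowed() {
    [ "$1" = yes ] && return 0
    [ "$2" -ge "$3" ] && [ "$2" -le "$4" ] && return 0
    return 1
}

# Rules for a server whose proftpd.conf has "PassivePorts LO HI" (assumed range).
ftp_rules() {
    lo=$1; hi=$2
    cat <<EOF
# control channel, plus anything conntrack ties to it (needs the FTP helper)
modprobe ip_conntrack_ftp
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
# the PassivePorts range, so passive transfers still work when the helper
# cannot read the PASV reply (e.g. FTPS, where the control channel is encrypted)
iptables -A INPUT -p tcp --dport $lo:$hi -m state --state NEW -j ACCEPT
EOF
}

# Replay the transfer from the post (input constructed from the FileZilla output).
reply='227 Entering Passive Mode (88,208,218,156,229,11).'
set -- $(pasv_endpoint "$reply")
echo "passive data socket: $1:$2"
if data_conn_allowed no "$2" 0 0; then
    echo "accepted"
else
    echo "dropped: no helper loaded and no passive range opened (the timeout in the post)"
fi
if data_conn_allowed yes "$2" 0 0; then
    echo "accepted once ip_conntrack_ftp is loaded"
fi
ftp_rules 60000 60100
```

Two caveats worth knowing beyond what the thread covers. On current kernels the module is called nf_conntrack_ftp, and since Linux 4.7 automatic helper assignment is off by default, so loading the module alone is not enough: the helper has to be attached to port 21 with a rule like `iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp`. The helper is a parser in the kernel reading untrusted control-channel text, so pinning it to the FTP port this way is preferable to enabling it for all traffic. And because it only works on cleartext, FTPS (TLS) defeats it entirely; for that, a fixed PassivePorts range plus the matching explicit rule, as printed above, is the only option.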
Oh that's wonderful, I was just starting to look into how CentOS handles loading modules such as that.
I'm glad it works, thanks for the update!
-Eric
Hello, I just registered to say thanks for providing the information on this fix and the update; saving the module in the iptables-config file resolved the issues with FTP clients being unable to connect to our development server in passive mode. Thanks.
To make this change permanent on Ubuntu, add the "ip_conntrack_ftp" module to the list of modules in /etc/modules so that it's available on reboot too.
I just had this problem on my server, not sure what caused it to fail since it worked so well for a few days.