Ftp – Setting up vsftpd, hangs on list command

Tags: ftp, ubuntu-10.04, vsftpd

I installed vsftpd and configured it. When I try to connect to the FTP server using Transmit, it manages to connect but hangs on Listing "/".

Then, I get a message stating: Could not retrieve file listing for “/”. Control connection timed out.

Does it have anything to do with my iptables? My rules are as listed:

*filter

#  Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

#  Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allows all outbound traffic
#  You can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites),
# plus the FTP control port
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT

#  Allows SSH connections
#
# THE --dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE
#
-A INPUT -p tcp -m state --state NEW --dport 30000 -j ACCEPT

# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT

Best Answer

Your server iptables configuration is not (directly) the problem. Most likely, the server's FTP data connection is being blocked from reaching your client computer. By default, FTP uses the so-called "active" mode, whereby the server actually attempts to open the data connection back to the client. Consumer NAT routers will typically block this, leading to the connection timeout you noted.

Set your FTP client to use "passive" mode, and it should work. If it doesn't, check that the nf_conntrack_ftp kernel module (older kernels call it ip_conntrack_ftp) is loaded on the server:

sudo lsmod | grep conntrack_ftp

If the above command returns nothing, then the module is not loaded, and you need to load it, as follows:

sudo modprobe nf_conntrack_ftp

Also, you'll want to ensure that the module gets loaded at boot time, by putting nf_conntrack_ftp into /etc/modules.

The nf_conntrack_ftp kernel module tracks the state of FTP connections on the server. This will allow the "passive" mode connection from your client computer to be accepted by the RELATED state rule on your INPUT chain.
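The checks the answer walks through, gathered into one script as an added example (not code from the answerer or the vsftpd project): it looks for the FTP conntrack helper in lsmod output and for the INPUT rules that let the RELATED state match the data connection. The lsmod and iptables-save samples embedded below are constructed for an offline run, not captured from the poster's server.

```shell
#!/bin/sh
# Added example (not from the original answer): check the two things the answer
# says a vsftpd host needs for passive data connections to be accepted: the FTP
# conntrack helper, and an INPUT chain accepting tcp/21 plus RELATED traffic.

# Succeeds if nf_conntrack_ftp (or the older ip_conntrack_ftp) is in lsmod output.
conntrack_ftp_loaded() {
    printf '%s\n' "$1" | grep -Eq '^(nf|ip)_conntrack_ftp[[:space:]]'
}

# Succeeds if iptables-save output has INPUT ACCEPT rules for the control port
# and for ESTABLISHED,RELATED (the rule the helper makes match data sockets).
ruleset_ok() {
    printf '%s\n' "$1" | grep -Eq -- '-A INPUT .*--dport 21 .*-j ACCEPT' || return 1
    printf '%s\n' "$1" | grep -Eq -- '-A INPUT .*--(ct)?state [^ ]*RELATED.*-j ACCEPT'
}

# Prints findings and the fix from the answer; returns 0 only if both checks pass.
diagnose() {
    status=0
    if conntrack_ftp_loaded "$1"; then echo "ok: FTP conntrack helper loaded"
    else
        echo "missing: sudo modprobe nf_conntrack_ftp; add nf_conntrack_ftp to /etc/modules"
        status=1
    fi
    if ruleset_ok "$2"; then echo "ok: INPUT accepts tcp/21 and RELATED connections"
    else
        echo "missing: INPUT needs ACCEPT for --dport 21 and --state ESTABLISHED,RELATED"
        status=1
    fi
    return $status
}

# Constructed sample inputs (not captured from the poster's server).
SAMPLE_LSMOD_MISSING='nf_conntrack 81920 2 nf_nat,xt_conntrack
x_tables 36864 3 xt_tcpudp,xt_state,iptable_filter'
SAMPLE_LSMOD_OK="nf_conntrack_ftp 24576 0
$SAMPLE_LSMOD_MISSING"
SAMPLE_RULES='-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -j REJECT'

# With --live, inspect this machine (lsmod and iptables-save need root).
if [ "${1:-}" = "--live" ]; then diagnose "$(lsmod)" "$(iptables-save)"
else diagnose "$SAMPLE_LSMOD_MISSING" "$SAMPLE_RULES"
fi || echo "result: fix needed"
```

Run it as `sudo sh ftp_check.sh --live` on the server; without `--live` it reports on the constructed samples, which reproduce the "module not loaded" case.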