I installed vsftpd and configured it. When I try to connect to the ftp server using Transmit, it manages to connect but hangs on Listing "/"
Then, I get a message stating: Could not retrieve file listing for “/”. Control connection timed out.
Does it have anything to do with my iptables? My rules are as listed:
*filter
# Allows all loopback (lo0) traffic and drops all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allows all outbound traffic
# You can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
# Allows SSH connections
#
# THE --dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE
#
-A INPUT -p tcp -m state --state NEW --dport 30000 -j ACCEPT
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
Best Answer
Your server iptables configuration is not (directly) the problem. Most likely, the server's FTP data connection is being blocked from reaching your client computer. By default, FTP uses the so-called "active" mode, whereby the server actually attempts to open the data connection back to the client. Consumer NAT routers will typically block this, leading to the connection timeout you noted.
Set your FTP client to use "passive" mode, and it should work. If it doesn't, check that the nf_conntrack_ftp kernel module (older kernels call it ip_conntrack_ftp) is loaded on the server:

If the above command returns nothing, then the module is not loaded, and you need to load it, as follows:

Also, you'll want to ensure that the module gets loaded at boot time, by putting nf_conntrack_ftp into /etc/modules.

The nf_conntrack_ftp kernel module tracks the state of FTP connections on the server. This will allow the "passive" mode connection from your client computer to be accepted by the RELATED state rule on your INPUT chain.