
I installed vsftpd and configured it. When I try to connect to the ftp server using Transmit, it manages to connect but hangs on Listing "/"

Then, I get a message stating: Could not retrieve file listing for “/”. Control connection timed out.

Does it have anything to do with my iptables? My rules are as listed:

*filter


#  Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT


#  Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


#  Allows all outbound traffic
#  You can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT


# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT


#  Allows SSH connections
#
# THE --dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE
#
-A INPUT -p tcp -m state --state NEW --dport 30000 -j ACCEPT


# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT


# log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7


# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT
Castaglia

4 Answers


Your server iptables configuration is not (directly) the problem. Most likely, the server's FTP data connection is being blocked from reaching your client computer. By default, FTP uses the so-called "active" mode, whereby the server actually attempts to open the data connection back to the client. Consumer NAT routers will typically block this, leading to the connection timeout you noted.

Set your FTP client to use "passive" mode, and it should work. If it doesn't, check that the nf_conntrack_ftp kernel module (older kernels call it ip_conntrack_ftp) is loaded on the server:

sudo lsmod | grep conntrack_ftp

If the above command returns nothing, then the module is not loaded, and you need to load it, as follows:

sudo modprobe nf_conntrack_ftp

Also, you'll want to ensure that the module gets loaded at boot time, by putting nf_conntrack_ftp into /etc/modules.

The nf_conntrack_ftp kernel module tracks the state of FTP connections on the server. This will allow the "passive" mode connection from your client computer to be accepted by the RELATED state rule on your INPUT chain.

Steven Monday

First, make sure vsftpd is locked down to unique ports for both active and passive mode:

ftp_data_port=20
listen_port=21
pasv_min_port=64000
pasv_max_port=64321

Now alter your iptables to make sure that those ports can traverse the rules and you should be set. By default the passive ports are random; by setting the above and fixing your iptables you solve the "double firewall problem" so that clients can work from anywhere.

  • I think this is pretty close but to clarify, you need to add those entries to your /etc/vsftpd.config file as well as a few others: pasv_enable=YES pasv_max_port=64000 pasv_min_port=64321 port_enable=YES pasv_address= pasv_addr_resolve=NO – longda Aug 07 '12 at 00:10
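An added check (not code from any answer here) for the mismatch behind the "double firewall problem" described above: it reads pasv_min_port/pasv_max_port from vsftpd.conf text, rejects an inverted range, and confirms the whole range is covered by a single INPUT ACCEPT rule in iptables-save output. Both inputs are constructed samples; with nf_conntrack_ftp loaded the RELATED rule alone can admit the data connection as the first answer explains, so this verifies the explicit-rule approach only.

```python
import re

# Constructed vsftpd.conf fragment (not the asker's actual config).
VSFTPD_CONF = """\
listen_port=21
ftp_data_port=20
pasv_enable=YES
pasv_min_port=64000
pasv_max_port=64321
"""

# Constructed iptables-save style rules, shaped like the question's ruleset
# plus the passive-range rule the second answer asks for.
IPTABLES_RULES = """\
*filter
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 64000:64321 -j ACCEPT
-A INPUT -j REJECT
COMMIT
"""

def passive_range(conf):
    """Return (pasv_min_port, pasv_max_port) from vsftpd.conf text.
    Raises ValueError if passive mode is off or the range is inverted."""
    opts = dict(re.findall(r"^\s*(\w+)\s*=\s*(\S+)", conf, re.M))
    if opts.get("pasv_enable", "YES").upper() != "YES":  # vsftpd default is YES
        raise ValueError("pasv_enable=NO: passive mode is disabled")
    lo, hi = int(opts["pasv_min_port"]), int(opts["pasv_max_port"])
    if lo > hi:  # e.g. min=64321, max=64000 silently breaks passive transfers
        raise ValueError(f"inverted passive range {lo}-{hi}")
    return lo, hi

def accepted_tcp_ranges(rules):
    """Yield (lo, hi) for each INPUT rule that ACCEPTs a TCP --dport (N or A:B).
    Only --dport is handled; multiport --dports lists are not parsed."""
    for line in rules.splitlines():
        if not line.startswith("-A INPUT") or "-j ACCEPT" not in line or "-p tcp" not in line:
            continue
        m = re.search(r"--dport\s+(\d+)(?::(\d+))?", line)
        if m:
            lo = int(m.group(1))
            yield lo, int(m.group(2) or lo)

def passive_ports_allowed(conf, rules):
    """True if one INPUT ACCEPT rule covers the entire vsftpd passive range."""
    lo, hi = passive_range(conf)
    return any(rlo <= lo and hi <= rhi for rlo, rhi in accepted_tcp_ranges(rules))
```

Running it against the question's original ruleset (port 21 only, no range rule) returns False, which is exactly the gap the second answer points at.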

I don't do iptables, but it's clear as day from the ruleset you're showing that you need to learn a little more about how FTP works.

FTP is an "odd" service, in that it has a control port and a data port. It is not enough to open just port 21; that is only the control port. Data ports depend on whether you're using active or passive FTP transfer.

I don't know how iptables works, but you need to enhance the ruleset so that it can also accept traffic on port 20 for ftp-data (if you want to use standard FTP port transfers).

Otherwise, you need to configure the packet filter to work with passive data transfer, and tell your client to use that form of communication/data transfer as well.

You'll find this site useful: http://www.mdjnet.dk/ftp.html

sandroid

Without the ESTABLISHED,RELATED rule on the OUTPUT chain, it won't allow port 20 (ftp-data) to return the data to you.

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
Prix