
I have Debian 8, Virtualmin and Proftpd. I set up an FTP account, and I can log in and download from within the same server.

However, from another IP I cannot connect with non-secure FTP on port 21 (I can with SFTP (secured) on port 22).

When running nmap -p 21 ip.num.ber I used to get this result: PORT STATE SERVICE 21/tcp filtered ftp

So I made a change in Virtualmin in FirewallD, added port 21, applied the configuration, and now I get PORT STATE SERVICE 21/tcp open ftp

I checked that the user is not in the blacklist, and there is nothing related to PAM.

However, I still cannot log in using FileZilla. I think it is related to the firewall; I read that something needs to be done in routing the packets, but I am new to networking. Thank you for your help.

Yvon Huynh
  • Are you prompted for credentials when you try to connect to port 21? – RobbieCrash Nov 17 '17 at 18:18
  • Yes, I am prompted for user/pass. Today I could log in by FTP from another host on the command line (though I am not sure through which port). But I still cannot log in using FileZilla – Yvon Huynh Nov 18 '17 at 11:52

1 Answer


You probably also need to allow the ftp-data port (TCP port 20), or load the nf_conntrack_ftp module and allow “related” traffic.

user2233709
  • On the old server, CentOS 6.7, port 20 is closed. I see the same list of modules loaded as on the new server, with the command cat /proc/net/ip_tables_matches. On the old server FTP on port 21 works without problem – Yvon Huynh Nov 19 '17 at 09:49
  • How much do you know about FTP? Do you know the difference between active and passive mode? – user2233709 Nov 19 '17 at 10:16
  • I know a little; I've used them both, and know that browsers use passive. I mentioned above that I could FTP from a remote host; I confirm it is passive mode – Yvon Huynh Nov 19 '17 at 11:26
  • Still not sure how much you know. Anyway, you have to understand that, whatever mode you use, FTP uses 2 TCP connections. For the first one, the client connects to the server on port 21. This connection is used only for commands. If you are prompted for credentials, it should mean this connection works fine. The second connection is used to transfer data (including directory listing). Depending on the mode, either the client connects to the server (on a different port than 21), or the server connects back to the client. Your problem must be with that data connection. – user2233709 Nov 19 '17 at 11:52
  • You are right, authentication is OK; it's the MLSD command that fails. Before MLSD, I can see the PASV command, meaning entering passive mode (whatever I choose, active or passive, FileZilla enters passive mode). So I should do modprobe nf_conntrack_ftp? Then how do I allow "related" traffic? – Yvon Huynh Nov 19 '17 at 13:22
  • Based on your advice and this https://serverfault.com/questions/262318/proftp-wont-return-directory-listing, I uncommented the proftpd.conf line related to passive ports, opened the range in FirewallD, and now it works! Thank you and have a nice day. (I didn't load the module) – Yvon Huynh Nov 19 '17 at 13:32
  • I’d really suggest you use FTP connection tracking rather than open a huge port range, but that’s your server after all. – user2233709 Nov 19 '17 at 13:59
  • Will do if I have more time; for now I am in quite a hurry. – Yvon Huynh Nov 19 '17 at 14:25
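As an added example that is not part of the original thread: the two firewalld approaches the answer and the comments describe (the nf_conntrack_ftp helper via the ftp service, or a pinned PassivePorts range opened statically), plus a small POSIX shell check for the failure mode the asker hit, where the range ProFTPD announces in its PASV reply and the range the firewall opens disagree and the MLSD listing hangs. The proftpd.conf contents and the firewalld port specs are constructed for the demo; the firewall-cmd invocations are shown in comments and are not run by the script.

```shell
#!/bin/sh
# Added example, not code from the original thread. It assumes a ProFTPD
# config containing a "PassivePorts <low> <high>" directive and a firewalld
# port spec in the form printed by `firewall-cmd --list-ports`
# ("<low>-<high>/tcp"). The sample config below is constructed for the demo.
#
# Two ways to let the passive data connection through firewalld:
#
#   1. Connection tracking (what the answer recommends): the firewalld "ftp"
#      service loads the nf_conntrack_ftp helper, which reads the PASV reply
#      on the port-21 control connection and admits the announced data port
#      as RELATED traffic, so no fixed range has to be opened:
#        firewall-cmd --permanent --add-service=ftp
#        firewall-cmd --reload
#
#   2. Static range (what the asker did): pin ProFTPD to a fixed range and
#      open exactly that range:
#        PassivePorts 49152 50000            # in proftpd.conf
#        firewall-cmd --permanent --add-port=49152-50000/tcp
#        firewall-cmd --reload
#
# With option 2 the directory listing (MLSD) hangs whenever the two ranges
# disagree, so the check below compares them.

# Print "<low> <high>" from the first PassivePorts line of a proftpd.conf.
passive_range() {
  awk '$1 == "PassivePorts" { print $2, $3; exit }' "$1"
}

# Succeed (0) only if a firewalld spec "<low>-<high>/tcp" covers the
# ProFTPD passive range $1..$2; any other protocol or a narrower range fails.
range_covered() {
  pf_low=$1; pf_high=$2; spec=$3
  case "$spec" in
    *-*/tcp) ;;
    *) return 1 ;;
  esac
  fw_low=${spec%%-*}
  fw_high=${spec#*-}; fw_high=${fw_high%/*}
  [ "$fw_low" -le "$pf_low" ] && [ "$fw_high" -ge "$pf_high" ]
}

# Combine both: read the range from the config file and test it against
# one firewalld port spec. Returns 0 when the firewall covers the range,
# 2 when the config has no PassivePorts directive at all.
check_passive_firewall() {
  range=$(passive_range "$1")
  [ -n "$range" ] || return 2
  set -- $range "$2"
  range_covered "$1" "$2" "$3"
}

# Demo on a constructed config (not a real server's file).
demo() {
  conf=$(mktemp)
  printf 'ServerName "demo"\nPassivePorts 49152 50000\n' > "$conf"
  if check_passive_firewall "$conf" "$1"; then
    echo "firewall spec $1 covers the ProFTPD passive range"
  else
    echo "firewall spec $1 does NOT cover the ProFTPD passive range"
  fi
  rm -f "$conf"
}

demo 49152-50000/tcp   # covers
demo 49152-49999/tcp   # too narrow: PASV may announce 50000 and MLSD hangs
```

Option 1 is the narrower hole, since only the single port negotiated on the control connection is admitted, and the helper also handles active mode (the server's outbound port-20 connection back to the client). One caveat the thread does not cover: if the server sits behind NAT, the PASV reply announces the private address unless ProFTPD's MasqueradeAddress is set to the public IP, and the client will fail on the data connection no matter which firewall approach is used.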