Setting up vsftpd, hangs on list command

ftp vsftpd ubuntu-10.04

Your server iptables configuration is not (directly) the problem. Most likely, the server's FTP data connection is being blocked from reaching your client computer. By default, FTP uses the so-called "active" mode, whereby the server actually attempts to open the data connection back to the client. Consumer NAT routers will typically block this, leading to the connection timeout you noted.

Set your FTP client to use "passive" mode, and it should work. If it doesn't, check that the nf_conntrack_ftp kernel module (older kernels call it ip_conntrack_ftp) is loaded on the server:

sudo lsmod | grep conntrack_ftp

If the above command returns nothing, then the module is not loaded, and you need to load it, as follows:

sudo modprobe nf_conntrack_ftp

Also, you'll want to ensure that the module gets loaded at boot time, by putting nf_conntrack_ftp into /etc/modules.

The nf_conntrack_ftp kernel module tracks the state of FTP connections on the server. This will allow the "passive" mode connection from your client computer to be accepted by the RELATED state rule on your INPUT chain.


First, make sure vsftpd is locked down to unique ports for both active and passive mode:

ftp_data_port=20
listen_port=21
pasv_min_port=64000
pasv_max_port=64321

Now alter your iptables to make sure that those ports can traverse the rules and you should be set. By default the passive ports are random; by setting the above and fixing your iptables you solve the "double firewall problem" so that clients can work from anywhere.


I don't do iptables, but it's clear as day from the ruleset you're showing that you need to learn a little more about how FTP works.

FTP is an "odd" service, in that it has a control port and a data port. It is not enough to open just port 21, that is only the control port. Data ports depend on if you're using active or passive ftp transfer.

I don't know how iptables works, but you need to enhance the ruleset so that it can also accept traffic on port 20 for ftp-data (if you want to use standard ftp port transfers)

Otherwise, you need to configure the packet filter to work with passive data transfer, and tell your client to use that form of communication/data transfer as well.

You'll find this site useful: http://www.mdjnet.dk/ftp.html

Related

Cisco IOS QoS prioritize SSH but not SCP
Why does the Task Manager does not show any activity from Hyper-V?
Chef bootstrap giving 401 unauthorized
How can I make nginx always return a HTTP 503?
Interpreting cryptic kernel "page allocation failure" messages
running automated fsck on remote server
Purchasing hard drives with non-sequential serial numbers
How do "correctly" sync millions of files with rsync and inotify?
How to solo Pyrocaustic Pete the Invincible?
Is there a way to move YouTube app from TV and Video on PS4?
Give player item(s) when player hits X amount of deaths
How can the game be loaded on a different monitor?