ProFTPD - Failed to retrieve directory listing while using TLS
I have problem with my ProFTPD server.
When I try to connect to the server using TLS, I get a timeout after the MLSD command. It only happens when I use TLS; without it, it works perfectly.
I checked these logs:
proftpd.log - USER xxx: Login successful.
tls.log - TLSv1/SSLv3 connection accepted ... Protection set to Private
Where could the problem be, please? I can provide more information, just ask for it in the comments.
EDIT: Today I tried to set the INPUT policy of iptables to ALLOW ... everything worked ... so the issue is the firewall. How should I set iptables to work with FTPS?
Here are my iptables settings:
*filter
:INPUT DROP [930:61159]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [256:26448]
-A INPUT ! -i eth0 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 80,443,20,21,25,143,993,110,995,1194 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
COMMIT
The problem is that the conntrack_ftp module, which on the fly allows FTP data connections to pass through the firewall even if the rules would otherwise drop them, cannot analyze the encrypted stream for PASV/PORT commands. The same applies to not being able to use active mode from behind a firewall/NAT with an encrypted control connection.
So you need to set static ports for passive mode (or, if the client is not behind a firewall/NAT, use active mode) and add a firewall rule to accept incoming connections on these ports.
Ports for passive mode are set through the PassivePorts directive.
Edit: I should add that the number of PassivePorts does not just limit the number of parallel connections, but also limits the number of connections (i.e. directory listings and/or file transfers) per net.netfilter.nf_conntrack_tcp_timeout_time_wait seconds.
So if you are transferring a lot of small files, open up a lot of ports!
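A check for the situation described in this answer, written as an added example (not code from the original post or from ProFTPD): it reads the PassivePorts range out of a ProFTPD config and verifies that an iptables INPUT rule actually accepts that range, which is the only thing letting the data connections in once TLS hides PASV from conntrack_ftp. The config text and the iptables-save output below are constructed samples, and the port range 49152-49200 is an assumption.

```shell
# Added example (not from the original post): verify that the PassivePorts
# range in a ProFTPD config is opened by an iptables INPUT rule. Over TLS,
# conntrack_ftp cannot read PASV replies, so only such a rule admits data
# connections. Inputs below are constructed; the port range is assumed.
PROFTPD_CONF_SAMPLE='<IfModule mod_tls.c>
  TLSEngine on
  TLSRequired on
</IfModule>
PassivePorts 49152 49200'

IPT_BASE='*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 80,443,20,21 -j ACCEPT'
IPTABLES_MISSING_SAMPLE="$IPT_BASE
COMMIT"
IPTABLES_FIXED_SAMPLE="$IPT_BASE
-A INPUT -p tcp -m tcp --dport 49152:49200 -j ACCEPT
COMMIT"

# passive_range CONF_TEXT: print "LO HI" from PassivePorts, fail if absent.
passive_range() {
  printf '%s\n' "$1" | awk '$1=="PassivePorts"{print $2, $3; f=1} END{exit !f}'
}

# firewall_covers RULES_TEXT LO HI: succeed if an INPUT/tcp/ACCEPT rule has
# --dport X:Y with X<=LO and HI<=Y (multiport lists are deliberately ignored).
firewall_covers() {
  printf '%s\n' "$1" | awk -v lo="$2" -v hi="$3" '
    /^-A INPUT / && / -p tcp/ && / -j ACCEPT/ {
      for (i = 1; i <= NF; i++)
        if ($i == "--dport" && split($(i+1), r, ":") == 2 &&
            r[1]+0 <= lo+0 && hi+0 <= r[2]+0) ok = 1
    }
    END { exit !ok }'
}

# check_ftps_firewall CONF_TEXT RULES_TEXT: 0 = ok, 1 = rule missing,
# 2 = no PassivePorts directive (random passive ports, nothing to open).
check_ftps_firewall() {
  range=$(passive_range "$1") || { echo "no PassivePorts directive set"; return 2; }
  lo=${range% *}; hi=${range#* }
  if firewall_covers "$2" "$lo" "$hi"; then
    echo "ok: passive range $lo-$hi accepted by firewall"; return 0
  fi
  echo "passive range $lo-$hi is blocked; add this rule:"
  printf -- '-A INPUT -p tcp -m tcp --dport %s:%s -j ACCEPT\n' "$lo" "$hi"
  return 1
}

check_ftps_firewall "$PROFTPD_CONF_SAMPLE" "$IPTABLES_MISSING_SAMPLE" || :  # demo run
```

To run it against a live host, feed it the real files instead of the samples: `check_ftps_firewall "$(cat /etc/proftpd/proftpd.conf)" "$(iptables-save)"` (paths assumed).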