  1. #1
    Just Joined!
    Join Date
    Sep 2011
    Location
    Lithuania
    Posts
    17

    vsftpd behind nat: failed to retrieve directory listing


    Hello all,

    After spending a lot of time playing with many configs and trying to figure out my problem I decided to register here. Hope for your help.

    I will try to describe my problem in short but in detail at the same time.

    I have CentOS and want to run an FTP server on it, using vsftpd. I launched it. I can connect to the FTP server from the LAN. However, I cannot connect from outside the LAN. In FileZilla I get this error:

    Failed to retrieve directory listing.


    Configuration info:

    vsftpd.conf:
    anonymous_enable=NO
    local_enable=YES
    write_enable=YES
    local_umask=022
    dirmessage_enable=YES
    xferlog_enable=YES
    connect_from_port_20=YES
    xferlog_file=/var/log/xferlog
    xferlog_std_format=YES
    pam_service_name=vsftpd
    userlist_enable=YES
    tcp_wrappers=YES
    max_clients=10
    pasv_max_port=50100
    pasv_min_port=50103
    listen_port=2121
    pasv_address=[my_public_ip]
    vsftpd_log_file=/var/log/vsftpd
    log_ftp_protocol=YES


    FTP directory:
    /var/www/html

    # ls -l /var/www | grep html
    drwxrwxrwx 3 root ftp-users 4096 Aug 31 15:40 html

    # ls -l /var/www/html
    -rwxrwxrwx 1 root ftp-users 19 Aug 31 15:26 index.php

    Related group records:
    ftp-users:x:501:froot
    froot:x:503:

    Related gshadow records:
    ftp-users:!::froot
    froot:!::

    Related passwd record:
    froot:x:502:501::/var/www/html:/bin/bash


    NAT

    The server sits behind two routers.

    Outer router portforwards
    tcp 2121 -> 192.168.199.104:2121
    tcp 50100 -> 192.168.199.104:50100
    tcp 50101 -> 192.168.199.104:50101
    tcp 50102 -> 192.168.199.104:50102
    tcp 50103 -> 192.168.199.104:50103

    Note: 192.168.199.104 is the IP address of my inner router.

    Inner router portforwards
    tcp 2121 -> 192.168.0.10:2121
    tcp 50100 -> 192.168.0.10:50100
    tcp 50101 -> 192.168.0.10:50101
    tcp 50102 -> 192.168.0.10:50102
    tcp 50103 -> 192.168.0.10:50103

    Note: 192.168.0.10 is the IP of the CentOS server.


    IPTABLES

    Now I allow everything

    # iptables -L
    Chain INPUT (policy ACCEPT)
    target prot opt source destination

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Chain RH-Firewall-1-INPUT (0 references)
    target prot opt source destination


    I don't use the ip_conntrack_ftp module (as I understand it, it's unnecessary if I use pasv_min_port and pasv_max_port). So the line in my /etc/sysconfig/iptables-config reads:

    IPTABLES_MODULES="ip_conntrack_netbios_ns"


    SELinux

    I disabled it.

    # sestatus
    SELinux status: disabled

    I can connect from inside the LAN (of course only when I comment out pasv_address in vsftpd.conf). I cannot connect from outside the LAN; I get the error mentioned above.
    Username: froot
    port: 2121

    One more thing that I don't like is that I cannot see vsftpd logs. They should be in /var/log/vsftpd.log (doesn't exist) or /var/log/xferlog (empty).

    Could you please help me to solve this problem?

    Vytas

    p.s. I'm very new to Linux...
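As an added example (not code from this thread), a small checker that reads the passive-mode settings from a vsftpd.conf, compares them with the ports the routers forward, and decodes the 227 reply a client receives in passive mode; the config and forward list below are constructed copies of the ones in post #1, and the 227 reply is a constructed sample.

```python
import re

# Constructed copy of the passive-mode lines of the vsftpd.conf in post #1 ([my_public_ip] is the thread's placeholder).
VSFTPD_CONF = """\
listen_port=2121
pasv_max_port=50100
pasv_min_port=50103
pasv_address=[my_public_ip]
"""
FORWARDED = {2121, 50100, 50101, 50102, 50103}  # outer-router forwards, post #1

def parse_vsftpd_conf(text):
    """Return key -> value for 'key=value' lines, skipping blanks and comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def check_passive_setup(conf, forwarded):
    """List the mismatches that make PASV fail for clients outside the NAT."""
    findings = []
    if int(conf.get("listen_port", "21")) not in forwarded:
        findings.append(f"control port {conf.get('listen_port', '21')} is not forwarded")
    lo, hi = int(conf.get("pasv_min_port", "0")), int(conf.get("pasv_max_port", "0"))
    if lo > hi:
        findings.append(f"pasv_min_port {lo} > pasv_max_port {hi}: values swapped?")
        lo, hi = hi, lo  # go on to check the range the author evidently meant
    if lo == 0 or hi == 0:
        findings.append("passive port range not pinned, so no forward can cover it")
    elif any(p not in forwarded for p in range(lo, hi + 1)):
        findings.append(f"passive ports {lo}-{hi} are not all forwarded")
    if not conf.get("pasv_address"):
        findings.append("pasv_address unset: vsftpd would advertise its LAN address")
    return findings

def parse_pasv_reply(reply):
    """Decode a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' server reply."""
    m = re.match(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not m:
        raise ValueError("not a 227 PASV reply")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2  # data port is p1*256 + p2

if __name__ == "__main__":
    print(check_passive_setup(parse_vsftpd_conf(VSFTPD_CONF), FORWARDED))
    print(parse_pasv_reply("227 Entering Passive Mode (192,168,0,10,195,180)"))
```

Run against the posted config, the checker reports the one mismatch visible in it: pasv_min_port is larger than pasv_max_port. The decoded 227 reply shows what an outside client is told to connect to, so comparing its address with the public IP and its port with the forwarded set is the quickest way to see why a listing fails.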

  2. #2
    Just Joined!
    Join Date
    Sep 2011
    Posts
    52
    You can just disable passive connections and use active instead. Are you sure that the PC you are connecting from outside can connect to those passive ports? Maybe it's the client that is getting blocked by a router or firewall?

  3. #3
    Just Joined!
    Join Date
    Sep 2011
    Location
    Lithuania
    Posts
    17
    Thanks for your reply. That is why I want to set up a passive FTP server: to avoid client NAT problems. I'm not even sure how to set up the client router in order to allow active FTP... (?)

  4. #4
    Just Joined!
    Join Date
    Sep 2011
    Posts
    19
    You will need to install the nf_ftp_conntrack and nf_ftp_nat modules using modprobe. That will probably allow proper FTP access through the firewall. Also, make sure port 20 is forwarded into the vsftpd host.

    -- Eric

  5. #5
    Just Joined!
    Join Date
    Sep 2011
    Location
    Lithuania
    Posts
    17
    I think port 20 is for active FTP only. But I will try that.
