- 09-09-2011 #1 Just Joined!
- Join Date
- Sep 2011
- Location
- Lithuania
- Posts
- 17
vsftpd behind nat: failed to retrieve directory listing
Hello all,
After spending a lot of time playing with many configs and trying to figure out my problem I decided to register here. Hope for your help.
I will try to describe my problem in short but in detail at the same time.
I have CentOS and want to have an FTP server on it. I am using vsftpd and have launched it. I can connect to the FTP server from the LAN. However, I cannot connect from outside the LAN. In FileZilla I get this error:
Failed to retrieve directory listing.
Configuration info:
vsftpd.conf:
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/xferlog
xferlog_std_format=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
max_clients=10
pasv_max_port=50100
pasv_min_port=50103
listen_port=2121
pasv_address=[my_public_ip]
vsftpd_log_file=/var/log/vsftpd
log_ftp_protocol=YES
FTP directory:
/var/www/html
# ls -l /var/www | grep html
drwxrwxrwx 3 root ftp-users 4096 Aug 31 15:40 html
# ls -l /var/www/html
-rwxrwxrwx 1 root ftp-users 19 Aug 31 15:26 index.php
Related group records:
ftp-users:x:501:froot
froot:x:503:
Related gshadow records:
ftp-users:!::froot
froot:!::
Related passwd record:
froot:x:502:501::/var/www/html:/bin/bash
NAT
The server sits behind two routers.
Outer router port forwards:
tcp 2121 -> 192.168.199.104:2121
tcp 50100 -> 192.168.199.104:50100
tcp 50101 -> 192.168.199.104:50101
tcp 50102 -> 192.168.199.104:50102
tcp 50103 -> 192.168.199.104:50103
Note: 192.168.199.104 is the IP address of my inner router.
Inner router port forwards:
tcp 2121 -> 192.168.0.10:2121
tcp 50100 -> 192.168.0.10:50100
tcp 50101 -> 192.168.0.10:50101
tcp 50102 -> 192.168.0.10:50102
tcp 50103 -> 192.168.0.10:50103
Note: 192.168.0.10 is the IP of the CentOS server.
IPTABLES
For now I allow everything:
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (0 references)
target prot opt source destination
I don't use the ip_conntrack_ftp module (as I understand it, it's unnecessary if I use pasv_min_port and pasv_max_port). So the line in my /etc/sysconfig/iptables-config reads:
IPTABLES_MODULES="ip_conntrack_netbios_ns"
SELinux
I disabled it.
# sestatus
SELinux status: disabled
I can connect from inside the LAN (of course only when I comment out pasv_address in vsftpd.conf). I cannot connect from outside the LAN; I get the error mentioned above.
Username: froot
port: 2121
One more thing that I don't like is that I cannot see the vsftpd logs. They should be in /var/log/vsftpd.log (which doesn't exist) or /var/log/xferlog (which is empty).
Could you please help me solve this problem?
Vytas
p.s. I'm very new to Linux...
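As an added example (not code from the thread or from vsftpd), the checks below take a vsftpd.conf fragment and the per-router forwarding tables from the post above and report what a passive-mode client outside the NAT would run into: a pasv_min_port/pasv_max_port range that is inverted or unset, a missing pasv_address, and passive or control ports that one of the hops does not forward. The sample values are constructed from the post; pasv_address keeps the poster's placeholder.

```python
# Added example (not from the thread): sanity checks for a passive-mode vsftpd
# server behind NAT. It parses a vsftpd.conf fragment and compares the passive
# port range against the TCP ports each router forwards to the server.

def parse_vsftpd_conf(text):
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def check_passive_nat(conf, forwarded_by_hop):
    """Return problems a passive client would hit; forwarded_by_hop: {router: set of TCP ports}."""
    problems = []
    listen = int(conf.get("listen_port", 21))
    lo, hi = int(conf.get("pasv_min_port", 0)), int(conf.get("pasv_max_port", 0))
    if lo == 0 or hi == 0:  # vsftpd's default: any ephemeral port, which no fixed rule covers
        problems.append("pasv_min_port/pasv_max_port unset: vsftpd may pick any port")
        return problems
    if lo > hi:
        problems.append(f"pasv_min_port ({lo}) is greater than pasv_max_port ({hi})")
        lo, hi = hi, lo  # carry on with the range that was probably intended
    if not conf.get("pasv_address"):
        problems.append("pasv_address unset: PASV replies would carry the private IP")
    needed = set(range(lo, hi + 1)) | {listen}  # data ports plus the control port
    for hop, ports in forwarded_by_hop.items():
        missing = sorted(needed - ports)
        if missing:
            problems.append(f"{hop} does not forward tcp ports {missing}")
    return problems

# Constructed from the values in the post above; the port range is as posted.
SAMPLE_CONF = """
listen_port=2121
pasv_max_port=50100
pasv_min_port=50103
pasv_address=[my_public_ip]
"""
SAMPLE_FORWARDS = {
    "outer router": {2121, 50100, 50101, 50102, 50103},
    "inner router": {2121, 50100, 50101, 50102, 50103},
}

if __name__ == "__main__":
    for problem in check_passive_nat(parse_vsftpd_conf(SAMPLE_CONF), SAMPLE_FORWARDS):
        print("WARNING:", problem)
```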
- 09-09-2011 #2 Just Joined!
- Join Date
- Sep 2011
- Posts
- 52
You can just disable passive connections and use active instead. Are you sure that the PC you are connecting from outside can connect to those passive ports? Maybe it's the client that is getting blocked by a router or firewall?
- 09-09-2011 #3 Just Joined!
- Join Date
- Sep 2011
- Location
- Lithuania
- Posts
- 17
Thanks for your reply. That is why I want to set up a passive FTP server: to avoid client NAT problems. I'm not even sure how to set up the client router in order to allow active FTP... (?)
- 09-13-2011 #4 Just Joined!
- Join Date
- Sep 2011
- Posts
- 19
You will need to install the nf_ftp_conntrack and nf_ftp_nat modules using modprobe. That will probably allow proper FTP access through the firewall. Also, make sure port 20 is forwarded to the vsftpd host.
-- Eric
- 09-14-2011 #5 Just Joined!
- Join Date
- Sep 2011
- Location
- Lithuania
- Posts
- 17
I think port 20 is for active FTP only. But I will try that.