Enabling Active FTP connections on CentOS 5.5
If you experience problems with making your CentOS 5.5 work with active FTP connections, e.g. every connection you make to the FTP server needs to be in passive mode, or the file transfer or FTP directory listing doesn't initialize at all, here is how you can solve it:
Edit the file /etc/sysconfig/iptables-config and change the line:
IPTABLES_MODULES="ip_conntrack_netbios_ns"
to look like:
IPTABLES_MODULES="ip_conntrack_netbios_ns ip_nat_ftp ip_conntrack_ftp"
Adding the two modules ip_nat_ftp and ip_conntrack_ftp will instruct CentOS's /etc/init.d/iptables firewall script to load the kernel modules ip_nat_ftp and ip_conntrack_ftp.
These modules solve problems with Active FTP not working that are caused by the host running behind a firewall router or behind NAT.
This will hopefully resolve your issues with Active FTP not working on CentOS.
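The edit above is easy to get wrong by hand (a second IPTABLES_MODULES line, a dropped quote, a module listed twice). The following shell functions are an added example, not part of the original post: they make the change idempotently on whatever file path you pass (so they can be tried on a copy first) and verify after the restart that the helpers are actually loaded, reading a /proc/modules style listing. The module names are the CentOS 5 kernel names used in the post; the file paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): make the iptables-config edit
# idempotent and verify it took effect. The file path is a parameter so the
# functions can be exercised on a copy of the file; the module names are the
# CentOS 5 kernel names used in the post.

FTP_MODULES="ip_nat_ftp ip_conntrack_ftp"

# Extract the value of the (last) IPTABLES_MODULES="..." line in file $1.
iptables_modules_value() {
    sed -n 's/^IPTABLES_MODULES="\(.*\)"[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# Return 0 if every module in FTP_MODULES is already listed in $1, 1 otherwise.
ftp_modules_configured() {
    val=$(iptables_modules_value "$1")
    for m in $FTP_MODULES; do
        case " $val " in
            *" $m "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Append the missing FTP helper modules to IPTABLES_MODULES in $1, keeping
# whatever modules are already listed (e.g. ip_conntrack_netbios_ns). The
# file is rewritten through a temporary copy so a failed sed leaves it intact.
enable_ftp_modules() {
    f=$1
    ftp_modules_configured "$f" && return 0
    new=$(iptables_modules_value "$f")
    for m in $FTP_MODULES; do
        case " $new " in
            *" $m "*) ;;
            *) new="${new:+$new }$m" ;;
        esac
    done
    if grep -q '^IPTABLES_MODULES=' "$f"; then
        sed "s|^IPTABLES_MODULES=.*|IPTABLES_MODULES=\"$new\"|" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    else
        printf 'IPTABLES_MODULES="%s"\n' "$new" >> "$f"
    fi
}

# Return 0 if both helper modules appear in a /proc/modules style listing
# (first field is the module name), 1 otherwise. Defaults to the live kernel.
ftp_modules_loaded() {
    list=${1:-/proc/modules}
    for m in $FTP_MODULES; do
        grep -q "^${m}[[:space:]]" "$list" || return 1
    done
    return 0
}

# Typical use on the real system (needs root; paths assumed from the post):
#   enable_ftp_modules /etc/sysconfig/iptables-config
#   /etc/init.d/iptables restart
#   ftp_modules_loaded && echo "FTP conntrack helpers loaded"
```

Running enable_ftp_modules twice leaves exactly one IPTABLES_MODULES line, and ftp_modules_loaded gives you a check that does not depend on reading the init script's "[ OK ]" banner.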
If loading these two kernel modules doesn't solve the issue and you're running the vsftpd FTP server, then it's likely that the Active FTP problems are caused by your vsftpd configuration.
If that's the case, something that might help is setting the following variables in /etc/vsftpd/vsftpd.conf:
pasv_enable=NO
pasv_promiscuous=YES
Note that pasv_promiscuous=YES disables vsftpd's check that a passive data connection comes from the same address as the control connection, so only keep it if you actually need it.
Of course, as a final step, you will need to restart the iptables firewall:
[root@centos: ~]# /etc/init.d/iptables restart
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: [ OK ]
Loading additional iptables modules: ip_conntrack_netbios_ns
ip_nat_ftp ip_conntrack_ftp [ OK ]
As you can see, the two modules ip_nat_ftp and ip_conntrack_ftp are now loaded as additional modules.
Moreover, if you have also modified your vsftpd.conf, you need to restart vsftpd via its init script:
[root@centos: ~]# /etc/init.d/vsftpd restart
Shutting down vsftpd: [ OK ]
Starting vsftpd for vsftpd: [ OK ]
If adding these two modules and these two extra variables to the vsftpd configuration doesn't help with making your FTP server work in Active FTP mode, it's very likely that the trouble comes from the firewall configuration, so an edit of /etc/sysconfig/iptables would be necessary.
To find out whether the firewall is what prevents FTP from entering active mode, stop your firewall for a while by issuing the command:
[root@centos:~]# /etc/init.d/iptables stop
If iptables is the source of the passive FTP troubles, iptables rules similar to these should make your firewall allow active FTP connections:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/255.0.0.0 -i ! lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 44444 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 21 -m state --state ESTABLISHED,RELATED -j ACCEPT
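Stopping the firewall tells you that iptables is in the way, not which rule. The script below is an added example, not part of the original post: it audits an iptables-save style dump (/etc/sysconfig/iptables before a restart, or the output of iptables-save afterwards) for the prerequisites the rule set above satisfies: an INPUT accept for tcp/21, an INPUT accept for RELATED,ESTABLISHED placed before the catch-all REJECT or DROP, an OUTPUT policy or rule that lets the server open the port-20 data connection itself, and a closing COMMIT. The sample dumps in the test are constructed from the rules in the post; the function and file names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): audit an iptables-save style
# dump for the rules an FTP server needs before active-mode transfers can
# work, and report what is missing or misordered instead of guessing by
# stopping the firewall.

# Print the 1-based line number of the first line of file $1 that matches
# the extended regex $2; print nothing when there is no match.
first_match() {
    grep -nE -- "$2" "$1" | head -n 1 | cut -d: -f1
}

# Print one line per problem found. Return 0 when the dump passes,
# 1 when at least one prerequisite is missing or misordered.
audit_active_ftp_rules() {
    f=$1
    rc=0
    ctl=$(first_match "$f" '^-A INPUT .*--dport 21 .*-j ACCEPT')
    est=$(first_match "$f" '^-A INPUT -m state --state (RELATED,ESTABLISHED|ESTABLISHED,RELATED) -j ACCEPT')
    rej=$(first_match "$f" '^-A INPUT -j (REJECT|DROP)')

    # Control connection: clients must reach tcp/21.
    if [ -z "$ctl" ]; then
        echo "missing: INPUT accept for tcp dport 21 (FTP control connection)"; rc=1
    fi
    # Data connection replies: with ip_conntrack_ftp loaded the data
    # connection is tracked as RELATED/ESTABLISHED, so this rule must exist.
    if [ -z "$est" ]; then
        echo "missing: INPUT accept for RELATED,ESTABLISHED (tracked FTP data connection)"; rc=1
    fi
    # Ordering: a catch-all REJECT/DROP that precedes the accepts hides them.
    if [ -n "$rej" ]; then
        [ -n "$est" ] && [ "$rej" -lt "$est" ] && { echo "order: INPUT catch-all at line $rej precedes RELATED,ESTABLISHED accept at line $est"; rc=1; }
        [ -n "$ctl" ] && [ "$rej" -lt "$ctl" ] && { echo "order: INPUT catch-all at line $rej precedes dport 21 accept at line $ctl"; rc=1; }
    fi
    # Active mode: the server itself opens the data connection from port 20,
    # so OUTPUT must allow it (default policy ACCEPT or an explicit rule).
    if ! grep -qE '^:OUTPUT ACCEPT' "$f" && ! grep -qE '^-A OUTPUT .*-j ACCEPT' "$f"; then
        echo "missing: OUTPUT must allow the server-initiated port-20 data connection"; rc=1
    fi
    # iptables-restore refuses a table that is not closed with COMMIT.
    grep -qx 'COMMIT' "$f" || { echo "missing: COMMIT line closing the *filter table"; rc=1; }
    return $rc
}

# Typical use (path assumed from the post):
#   audit_active_ftp_rules /etc/sysconfig/iptables && echo "rules look fine"
#   iptables-save > /tmp/live.rules && audit_active_ftp_rules /tmp/live.rules
```

The audit reads a file rather than calling iptables directly, so it can run as an unprivileged user on a saved copy and be wired into a config check before the firewall is restarted. It only checks the conditions the rule set above depends on; a rule set that accepts tcp/21 through some other match (a chain jump, an address-specific rule) will be reported as missing and needs a manual look.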