Vsftp: connections from behind a firewall hang

Q I have Red Hat Enterprise Linux ES 4 running on my server. It uses Vsftp as an FTP service. FTP seems to work OK, but I have increasingly noticed that when I attempt to make a connection from a remote location that uses ADSL or I am behind a firewall, the connection occurs as I get prompted for a username and password, but I am unable to list directory content or upload files. There is no obvious error - it just hangs, whether I use an FTP client or a command line. I am using Iptables for firewall protection, which I have only recently enabled, and I think this might be related, because when I turn Iptables off the FTP works fine.

A The problem here is with regards to the Iptables modules running on the server. You will need to enable two 'nat helper' modules for the Iptables. They are called ip_nat_ftp and ip_conntrack_ftp. Run them by typing

modprobe ip_nat_ftp
modprobe ip_conntrack_ftp

Now lsmod will reveal:

Module             Size Used by
ip_nat_ftp         4913       0
iptable_nat        23037 1
ip_nat_ftp
ip_conntrack_ftp 72689 1
ip_nat_ftp
ipt_LOG            6465       1
ipt_state          1857       1
ip_conntrack       40565 4
ip_nat_ftp,iptable_nat, ip_
conntrack_ftp,ipt_state
iptable_filter     2753       1
ip_tables          16705 4
iptable_nat,ipt_LOG, ipt_state,
iptable_filter

Please note that running this modprobe will not keep these modules loaded, because when Iptables is restarted for any reason, it will not load the modules again, and you would need to run the modprobe again. To bypass this, you can edit the /etc/sysconfig/iptables-config and add the following entry:

IPTABLES_MODULES="ip_nat_ftp ip_conntrack_ftp"

Now when you restart Iptables you will see the following:

'Loading additional iptables
modules: ip_nat_ftp ip_conntrac[ OK ]'.

This should resolve any FTP issues through the firewall.

Follow us on Identi.ca or Twitter

Username:   Password:
Create Account | About TuxRadar