Vsftp: connections from behind a firewall hang
Q I have Red Hat Enterprise Linux ES 4 running on my server. It uses Vsftp as an FTP service. FTP seems to work OK, but I have increasingly noticed that when I attempt to make a connection from a remote location that uses ADSL, or when I am behind a firewall, the connection is made and I get prompted for a username and password, but I am unable to list directory contents or upload files. There is no obvious error - it just hangs, whether I use an FTP client or the command line. I am using Iptables for firewall protection, which I have only recently enabled, and I think this might be related, because when I turn Iptables off the FTP works fine.
A The problem here is with the Iptables modules running on the server. FTP logs you in over the control connection on port 21 but carries directory listings and file transfers over a separate data connection on a port negotiated during the session; without connection-tracking help, Iptables cannot tie that data connection to the control session and silently drops it, which is exactly why login works and the listing then hangs. You will need to enable two 'nat helper' modules for Iptables, called ip_nat_ftp and ip_conntrack_ftp. Load them by typing
Now lsmod will reveal:
Module                  Size  Used by
ip_nat_ftp              4913  0
iptable_nat            23037  1
ip_conntrack_ftp       72689  1
ipt_LOG                 6465  1
ipt_state               1857  1
ip_conntrack           40565  4
iptable_filter          2753  1
ip_tables              16705  4
Please note that modprobe loads the modules only until the next restart: when Iptables is restarted for any reason it will not load them again, and you would need to run modprobe once more. To avoid this, edit /etc/sysconfig/iptables-config and add the following entry:
Now when you restart Iptables you will see the following:
'Loading additional iptables modules: ip_nat_ftp ip_conntrac[ OK ]'.
This should resolve any FTP issues through the firewall.