imran_khan

Well-Known Member
Jun 10, 2013
154
1
16
cPanel Access Level
Root Administrator
Hello,

I’m trying to access ftp while getting below error. FTP user name and password are correct. Installed FTP server is pro-ftp. When I stop iptables, it works fine. I have already allowed the ports 20 and 21 in both side (inbound and outbound).

530 Login incorrect.
Login failed.

Please suggest me on this.

Thanks,
Imran Khan.
 

quietFinn

Well-Known Member
Feb 4, 2006
2,109
579
493
Finland
cPanel Access Level
Root Administrator
I would guess that in the password or username there is leading or trailing whitespace.
 

stdout

Well-Known Member
Apr 10, 2003
189
7
168
Nelspruit, Mpumalanga, South Africa
cPanel Access Level
Root Administrator
Have you tried a RAW telnet session to port 21? That would be your best bet as it rules out most other scenarios.
eg.

Code:
root@shasta [~]# telnet 0 21
Trying 0.0.0.0...
Connected to 0 (0.0.0.0).
Escape character is '^]'.
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 12:30. Server port: 21.
220-This is a private system - No anonymous login
220 You will be disconnected after 15 minutes of inactivity.
user dyltest
331 User dyltest OK. Password required
pass t3mp4321
230 OK. Current restricted directory is /
quit
221-Goodbye. You uploaded 0 and downloaded 0 kbytes.
221 Logout.
Connection closed by foreign host.
- - - Updated - - -

PS. Have you synchronized FTP Passwords? Try changing the password under WHM instead of /scripts/chpass
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,270
463
When I stop iptables, it works fine.
It sounds like this may be a result of your custom iptables firewall rules if logins work well after stopping the iptables service. Have you tried using a third-party firewall application such as CSF instead of custom iptables firewall rules?

Thank you.
 

imran_khan

Well-Known Member
Jun 10, 2013
154
1
16
cPanel Access Level
Root Administrator
Hello,

Thanks.

I have already synced FTP password from the WHM. Iptables rule is fine.
I have already allowed port FTP (21) from both side (Inbound and Outbound). When I stop iptables, FTP is working fine. Now I am getting below error.

An error occurred opening that folder on that FTP Server. Make sure you have permission to access that folder.

Details:
The operation timed out.

Thanks,
Imran Khan.
 

imran_khan

Well-Known Member
Jun 10, 2013
154
1
16
cPanel Access Level
Root Administrator
Hello,

I have made the blow changes.

1). Installed ip_conntrack and ip_conntrack_ftp modules.
# modprobe ip_conntrack
# modprobe ip_conntrack_ftp

2). Added the below line in /etc/sysconfig/iptables-config file and restarted the server but getting same error.
IPTABLES_MODULES="ip_conntrack_netbios_ns ip_conntrack_ftp ip_conntrack"

Thanks,
Imran Khan.
 
Last edited:

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,270
463
Thank you guys,

I have made some changes in iptables firewall and resolved the issue.
Do you mind sharing the specific changes you made which resolved the issue for you?

Thank you.
 

imran_khan

Well-Known Member
Jun 10, 2013
154
1
16
cPanel Access Level
Root Administrator
Hello Michael,

I have added below rules in iptables and I am able to access FTP.

iptables -A OUTPUT -s server_ip -d source_ip -p tcp -m tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -s server_ip -d source_ip -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -s server_ip -d source_ip -p tcp -m tcp --sport 20 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -s source_ip -d server_ip -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -s source_ip -d server_ip -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -s source_ip -d server_ip -p tcp -m tcp --sport 1024:65535 --dport 20 -m state --state ESTABLISHED -j ACCEPT

Thanks,
Imran Khan.