FTP Passive Mode not working

Discussion in 'General Discussion' started by hicks8, Jan 2, 2008.

  1. hicks8

    hicks8 Member

    For some reason passive mode isn't working correctly on my server. It keeps timing out. Active mode works just fine, it's just passive that's having the issue.

    I have csf installed and have MONOLITHIC_KERNEL set to 1 with the passive ftp ports set in TCP_IN "30000:50000"

    And have uncommented the line

    #PassivePortRange 35000 50000

    But I'm still having no luck fixing this issue. Any ideas?
     
  2. bencheung

    bencheung Member

    Passive FTP setting

    I have got the same problem. I have even tried this:

    iptables -A INPUT -p tcp --dport 30000:50000 -j ACCEPT

    Can anyone reply to me??
     
  3. bencheung

    bencheung Member

    csf and iptables

    I am using csf 3.13 and added the ports 30000:50000 to the firewall configuration. However, each time I restart the firewall (in the cPanel interface) or reboot, passive mode does not work.

    On the other hand, I have manually added the ports to iptables; when I restart the iptables service, passive FTP works! When I restart csf, it fails again. Does anyone have any ideas? I have checked the csf firewall configuration many, many times. Please give me a hand. Many thanks.
     
  4. hicks8

    hicks8 Member

    Still no luck with this problem.
     
  5. Zepplin

    Zepplin Well-Known Member

  6. chirpy

    chirpy Well-Known Member

    If you've done that you haven't opened the same passive port range hole in both csf and pure-ftpd. You need to follow all the steps under monolithic_kernel as they're mentioned in csf.conf for it to work on a VPS. This all stems from the fact that Virtuozzo have a broken connection tracking module for ftp in their VPS kernels. If the full steps in csf.conf don't work, then there's likely a configuration issue with the VPS as most VPS providers have no problems at all configuring the VPS clients for the correct iptables environment. We do all our csf testing on a ServInt VPS and it works without issue. However, since it isn't a real server there are always potential pitfalls. The Xen virtual servers appear to work without any problems out of the box.
     
    #6 chirpy, Mar 28, 2008
    Last edited: Mar 28, 2008
  7. nshreders

    nshreders Member
    PartnerNOC

    Adding to this older thread in case someone still has issues. In VMware we recently increased the amount of vcpu from 1 to 2 and passive FTP stopped working with CSF.

    I made the changes in CSF and pure-ftpd.conf as documented here and all over but to no avail. Not all of my guests were updated in the maintenance window so I did an 'lsmod | grep conn' and noticed the updated guests in VMware had 'ip_conntrack' only, and the guests with 1 vcpu had 'ip_conntrack' and 'ip_conntrack_ftp' but the kernel versions were the same on both guests.

    Definitely an iptables thing. The fix was to 'modprobe ip_conntrack_ftp' and add ip_conntrack_ftp into /etc/sysconfig/iptables-config so upon bootup the module will load again.

    Please note that ip6tables-config exists as well for those of you using IPv6.
     
  8. cwalke32477

    cwalke32477 Well-Known Member

    Sorry to bump such an old and decrepit thread, but it was the only one I could find that pinpointed my issue.
    Everyone else was just the typical open the passive ports in the .conf etc. etc.

    I ran the modprobe ip_conntrack_ftp and it is working :)
    However, where do I add it to the iptables-config so it will work on boot?
     
  9. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    I would imagine that ip_conntrack_ftp is one of the modules, so probably this would be the line where you would add the module:

    Code:
    IPTABLES_MODULES="ip_conntrack_netbios_ns"
    You would want to have spaces separating it, so it would probably look like the following:

    Code:
    IPTABLES_MODULES="ip_conntrack_netbios_ns ip_conntrack_ftp"
    Or, whatever else is already in your modules list for it at /etc/sysconfig/iptables-config and I would highly suggest doing this only after you have physical access to the machine in case anything occurs where it won't boot up after making the change.
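
The three settings this thread ends up touching (PassivePortRange in pure-ftpd.conf, the TCP_IN range in csf.conf, and ip_conntrack_ftp in IPTABLES_MODULES) can be checked together before a reboot. The script below is an added example, not code from any poster or from csf or cPanel; the function names and the sample file contents are constructed for illustration.

```shell
# Added example: reads config files passed as arguments, never the live firewall.
# Print the active (uncommented) PassivePortRange as "LOW HIGH"; empty if none.
active_passive_range() {  # args: pure-ftpd.conf
    awk '$1 == "PassivePortRange" { print $2, $3; exit }' "$1"
}

# Succeed if LOW..HIGH lies inside one LOW:HIGH entry of csf's TCP_IN list.
range_open_in_csf() {  # args: csf.conf LOW HIGH
    sed -n 's/^TCP_IN *= *"\(.*\)".*/\1/p' "$1" | tr ',' '\n' |
        awk -F: -v lo="$2" -v hi="$3" \
            'NF == 2 && $1 + 0 <= lo + 0 && hi + 0 <= $2 + 0 { ok = 1 } END { exit !ok }'
}

# Succeed if MODULE is one of the space-separated IPTABLES_MODULES entries.
module_listed() {  # args: iptables-config MODULE
    grep -Eq "^IPTABLES_MODULES=\"([^\"]* )?$2( [^\"]*)?\"" "$1"
}

# Append MODULE to IPTABLES_MODULES; replace the file only if the edit took effect.
add_module() {  # args: iptables-config MODULE
    module_listed "$1" "$2" && return 0
    sed -e "/^IPTABLES_MODULES=/s/\"\$/ $2\"/" -e '/^IPTABLES_MODULES=/s/=" /="/' \
        "$1" > "$1.new" && module_listed "$1.new" "$2" && mv "$1.new" "$1"
}

# Print "ok", or the problems found, space separated.
check_passive_ftp() {  # args: pure-ftpd.conf csf.conf iptables-config
    range=$(active_passive_range "$1"); problems=""
    if [ -z "$range" ]; then
        problems="no-active-PassivePortRange"
    elif ! range_open_in_csf "$2" "${range% *}" "${range#* }"; then
        problems="range-not-in-TCP_IN"
    fi
    module_listed "$3" ip_conntrack_ftp || problems="$problems no-ip_conntrack_ftp-at-boot"
    echo "${problems:-ok}" | sed 's/^ //'
}

# Constructed sample files in a scratch directory: check, fix, check again.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '#PassivePortRange 35000 50000' > "$d/pure-ftpd.conf"
    printf '%s\n' 'TCP_IN = "20,21,22,80,443,30000:50000"' > "$d/csf.conf"
    printf '%s\n' 'IPTABLES_MODULES="ip_conntrack_netbios_ns"' > "$d/iptables-config"
    check_passive_ftp "$d/pure-ftpd.conf" "$d/csf.conf" "$d/iptables-config"
    printf '%s\n' 'PassivePortRange 35000 50000' > "$d/pure-ftpd.conf"
    add_module "$d/iptables-config" ip_conntrack_ftp
    check_passive_ftp "$d/pure-ftpd.conf" "$d/csf.conf" "$d/iptables-config"
    rm -rf "$d"
}
demo
```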
     