FTP Passive Mode not working

hicks8

For some reason passive mode isn't working correctly on my server. It keeps timing out. Active mode works just fine, it's just passive that's having the issue.

I have csf installed and have MONOLITHIC_KERNEL set to 1 with the passive ftp ports set in TCP_IN "30000:50000"

And have uncommented the line

#PassivePortRange 35000 50000

But I'm still having no luck fixing this issue. Any ideas?
 

bencheung

Passive FTP setting

I have got the same problem. I have even tried this:

iptables -A INPUT -p tcp --dport 30000:50000 -j ACCEPT

Can anyone reply to me?
 

bencheung

csf and iptables

I am using csf 3.13 and added the ports 30000:50000 to the firewall configuration. However, each time I restart the firewall (in the cPanel interface) or reboot, passive mode does not work.

On the other hand, I have manually added the ports to iptables, and when I restart the iptables service, passive FTP works! When I restart csf, it fails again. Does anyone have any ideas? I have checked the csf firewall configuration many, many times. Please give me a hand. Many thanks.
 

chirpy

> For some reason passive mode isn't working correctly on my server. It keeps timing out. Active mode works just fine, it's just passive that's having the issue.
>
> I have csf installed and have MONOLITHIC_KERNEL set to 1 with the passive ftp ports set in TCP_IN "30000:50000"
>
> And have uncommented the line
>
> #PassivePortRange 35000 50000
>
> But I'm still having no luck fixing this issue. Any ideas?

If you've done that you haven't opened the same passive port range hole in both csf and pure-ftpd. You need to follow all the steps under MONOLITHIC_KERNEL as they're mentioned in csf.conf for it to work on a VPS. This all stems from the fact that Virtuozzo have a broken connection tracking module for ftp in their VPS kernels. If the full steps in csf.conf don't work, then there's likely a configuration issue with the VPS, as most VPS providers have no problems at all configuring the VPS clients for the correct iptables environment. We do all our csf testing on a ServInt VPS and it works without issue. However, since it isn't a real server there are always potential pitfalls. The Xen virtual servers appear to work without any problems out of the box.
 

nshreders

Adding to this older thread in case someone still has issues. In VMware we recently increased the number of vCPUs from 1 to 2 and passive FTP stopped working with CSF.

I made the changes in CSF and pure-ftpd.conf as documented here and all over, but to no avail. Not all of my guests were updated in the maintenance window, so I did an 'lsmod | grep conn' and noticed the updated guests in VMware had 'ip_conntrack' only, and the guests with 1 vCPU had 'ip_conntrack' and 'ip_conntrack_ftp', but the kernel versions were the same on both guests.

Definitely an iptables thing. The fix was to 'modprobe ip_conntrack_ftp' and add ip_conntrack_ftp into /etc/sysconfig/iptables-config so upon bootup the module will load again.

Please note that ip6tables-config exists as well for those of you using IPv6.
 

cwalke32477

Sorry to bump such an old and decrepit thread, but it was the only one I could find that pinpointed my issue.
Everyone else was just the typical open the passive ports in the .conf etc. etc.

> Definitely an iptables thing. The fix was to 'modprobe ip_conntrack_ftp' and add ip_conntrack_ftp into /etc/sysconfig/iptables-config so upon bootup the module will load again.

I ran the modprobe ip_conntrack_ftp and it is working :)
However, where do I add it to the iptables-config so it will work on boot?
 

cPanelTristan

I would imagine that ip_conntrack_ftp is one of the modules, so probably this would be the line where you would add the module:

Code:
IPTABLES_MODULES="ip_conntrack_netbios_ns"
You would want to have spaces separating it, so it would probably look like the following:

Code:
IPTABLES_MODULES="ip_conntrack_netbios_ns ip_conntrack_ftp"
Or whatever else is already in your modules list for it at /etc/sysconfig/iptables-config. I would highly suggest doing this only after you have physical access to the machine in case anything occurs where it won't boot up after making the change.
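
Added example, not part of any post in this thread: a shell check for the two fixes discussed above, namely that pure-ftpd's active PassivePortRange falls inside a csf TCP_IN range, and that ip_conntrack_ftp is both loaded and listed in IPTABLES_MODULES. The function names are hypothetical, and it assumes csf.conf uses the `TCP_IN = "..."` layout and that the files live at /etc/csf/csf.conf, /etc/pure-ftpd.conf, /etc/sysconfig/iptables-config and /proc/modules.

```shell
#!/bin/sh
# Added example, not from the thread. Read-only checks; changes nothing.
# Usage: sh check.sh /etc/csf/csf.conf /etc/pure-ftpd.conf \
#            /etc/sysconfig/iptables-config /proc/modules   (assumed paths)

# Print "LOW HIGH" from the first uncommented PassivePortRange line in $1.
passive_range() {
    awk '$1 == "PassivePortRange" && NF >= 3 { print $2, $3; exit }' "$1"
}

# Succeed if one LOW:HIGH entry of TCP_IN in csf.conf ($1) covers $2..$3.
tcp_in_covers() {
    sed -n 's/^TCP_IN[[:space:]]*=[[:space:]]*"\(.*\)".*/\1/p' "$1" |
        tr ',' '\n' |
        awk -F: -v lo="$2" -v hi="$3" '
            NF == 2 && $1 + 0 <= lo + 0 && $2 + 0 >= hi + 0 { ok = 1 }
            END { exit ok ? 0 : 1 }'
}

# Succeed if module $1 appears in $2 (saved lsmod output or /proc/modules).
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit found ? 0 : 1 }' "$2"
}

# Succeed if module $1 is one of the words in IPTABLES_MODULES="..." in $2.
module_persistent() {
    sed -n 's/^IPTABLES_MODULES="\(.*\)".*/\1/p' "$2" | tr ' ' '\n' |
        grep -qxF "$1"
}

# report CSF_CONF PUREFTPD_CONF IPTABLES_CONFIG MODULES_FILE
report() {
    mod=ip_conntrack_ftp  # name used in the thread; nf_conntrack_ftp on newer kernels
    range=$(passive_range "$2")
    if [ -z "$range" ]; then
        echo "pure-ftpd: no active PassivePortRange (line still commented out?)"
    elif tcp_in_covers "$1" $range; then
        echo "csf: TCP_IN covers passive range $range"
    else
        echo "csf: TCP_IN does NOT cover passive range $range"
    fi
    module_loaded "$mod" "$4" && echo "$mod loaded" || echo "$mod NOT loaded"
    module_persistent "$mod" "$3" && echo "$mod loads at boot" ||
        echo "$mod missing from IPTABLES_MODULES"
}

if [ "$#" -eq 4 ]; then report "$@"; fi
```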