
I've been having a problem configuring vsftpd. I have managed to get active FTPS working fine, but passive is being stubborn. I think the problem is with how iptables is managing ports. When I try to use passive FTPS in FileZilla, everything connects, but the directory listing fails with EHOSTUNREACH. Here is the exchange between the client and the server setting up passive mode:

Command:    PASV
Response:   227 Entering Passive Mode (192,168,0,10,169,39).
Command:    LIST
Error:      The data connection could not be established: EHOSTUNREACH - No route to host

Here is the relevant section of my vsftpd.conf:

pasv_enable=YES
pasv_min_port=40000
pasv_max_port=50000

Here is the output of iptables -L:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp ctstate NEW,ESTABLISHED /* Allow ftp connections on port 21 */
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp-data ctstate RELATED,ESTABLISHED /* Allow ftp connections on port 20 */
ACCEPT     tcp  --  anywhere             anywhere             tcp spts:safetynetp:50000 dpts:safetynetp:50000 ctstate ESTABLISHED /* Allow passive ftp inbound connections */

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp ctstate NEW,ESTABLISHED /* Allow ftp connections on port 21 */
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp-data ctstate ESTABLISHED /* Allow ftp connections on port 20 */
ACCEPT     tcp  --  anywhere             anywhere             tcp spts:safetynetp:50000 dpts:safetynetp:50000 ctstate RELATED,ESTABLISHED /* Allow passive ftp inbound connections */

Here is the command I used to set the output rule. The input one is very similar, but I can provide it if it is needed.

iptables -A OUTPUT -p tcp -m tcp --sport 40000:50000 --dport 40000:50000 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow passive ftp inbound connections"

I can't find any info on the safetynetp part of the passive iptables rules online, and I think the problem is that this is conflicting with the range of ports (40,000-50,000) that I have set, as it looks like it is just accepting port 50,000.

The iptables may not be the problem at all, I don't know. If more info is needed I can certainly give it out.

EDIT:

Here is the client's iptables rules:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination  
Mitchell

2 Answers


Is the FTP server you are connecting to on the other side of a NAT router? I see 192.168. in your IP there so there is a private network involved. You've got a pretty open iptables setup, so I don't think that's the issue (though you could try flushing the tables and seeing if that makes any difference).

Passive FTP requires the FTP server to make a new connection back to your FTP client (see here for a more detailed description of passive FTP), so this new return connection will more than likely fail to get back through a NAT router. There is an FTP module for IPTables which I think deals with this, but if NAT is involved, I'd just use active FTP (or, as the other comment says, use something else altogether if possible).

The iptables you've shown is for your FTP client, not a router of some sort, correct?

Jim ReesPotter
  • the iptables is for the ftps server. I think I know what the problem is, from your answer. My client's firewall isn't allowing the new connection. Right? I have edited to include my client's iptables. – Mitchell Jun 09 '17 at 20:02

I have seen issues where the FTP server gives out a NAT address when the public address of the FTP server is the one that should be configured. This causes issues with the passive connection, as the client is expecting a different address. The initial connection normally works in that scenario, but passive mode doesn't.

Take a look at your vsftpd configuration, or feel free to share it.

illandous
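Added example (editor's code, not from the question or either answer): a small Python script that reproduces the diagnosis from the artefacts posted above. It parses the `227` reply to recover the advertised address and data port (`169*256+39 = 43303`, inside the 40000-50000 range), flags that 192.168.0.10 is an RFC 1918 address (the case the second answer describes), and walks a first-match model of the server's INPUT chain with the client's SYN for that port. Two things about the posted chain are visible in the listing itself: the `REJECT ... icmp-host-prohibited` rule sits before the three FTP rules that were appended with `-A`, so nothing after it is ever reached, and the passive rule only matches `ctstate ESTABLISHED` with both source and destination ports in 40000:50000, which a new SYN from a client's ephemeral port never satisfies. A rejection with `icmp-host-prohibited` is exactly what a Linux client reports as EHOSTUNREACH. (`safetynetp` is just the `/etc/services` name for port 40000, so the range really is 40000:50000; `iptables -L -n` shows the numbers.) Assumptions: the bare `ACCEPT all` rule is treated as the usual `-i lo` accept, since `iptables -L` without `-v` hides interface matches and a literal accept-all would contradict the rejection the client observed; the client interface `eth0` and source port 51234 are constructed; the chain model ignores anything `iptables -L` does not show.

```python
import ipaddress
import re

# Constructed sample input, copied from the question.
PASV_REPLY = "227 Entering Passive Mode (192,168,0,10,169,39)."
PASV_MIN_PORT, PASV_MAX_PORT = 40000, 50000
_PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(reply):
    """(ip, port) from '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'; port = p1*256+p2 (RFC 959)."""
    m = _PASV_RE.search(reply) if reply.startswith("227") else None
    if m is None:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2

def advertises_private_address(ip):
    """True when the server hands out an RFC 1918 address, which a client on the far
    side of NAT cannot reach (the situation the second answer describes)."""
    return ipaddress.ip_address(ip).is_private

# First-match model of the server's INPUT chain as listed in the question. A rule
# matches when every key it names matches the packet; an absent key is a wildcard.
# ASSUMPTION: the bare "ACCEPT all" rule is the usual loopback accept (-i lo);
# `iptables -L` without -v hides interface matches.
SERVER_INPUT = [
    {"target": "ACCEPT", "ctstate": {"RELATED", "ESTABLISHED"}},
    {"target": "ACCEPT", "proto": "icmp"},
    {"target": "ACCEPT", "iface": "lo"},
    {"target": "ACCEPT", "proto": "tcp", "ctstate": {"NEW"}, "dport": (21, 21)},
    {"target": "ACCEPT", "proto": "tcp", "ctstate": {"NEW"}, "dport": (80, 80)},
    {"target": "ACCEPT", "proto": "tcp", "ctstate": {"NEW"}, "dport": (22, 22)},
    {"target": "REJECT icmp-host-prohibited"},
    {"target": "ACCEPT", "proto": "tcp", "dport": (21, 21), "ctstate": {"NEW", "ESTABLISHED"}},
    {"target": "ACCEPT", "proto": "tcp", "dport": (20, 20), "ctstate": {"RELATED", "ESTABLISHED"}},
    {"target": "ACCEPT", "proto": "tcp", "sport": (40000, 50000), "dport": (40000, 50000),
     "ctstate": {"ESTABLISHED"}},
]

def _matches(rule, pkt):
    for key, want in rule.items():
        if key == "target":
            continue
        if key in ("sport", "dport"):
            if not want[0] <= pkt[key] <= want[1]:
                return False
        elif key == "ctstate":
            if pkt[key] not in want:
                return False
        elif pkt[key] != want:
            return False
    return True

def walk_chain(chain, pkt, policy="ACCEPT"):
    """Target of the first matching rule, else the chain policy."""
    for rule in chain:
        if _matches(rule, pkt):
            return rule["target"]
    return policy

def data_syn(dport, sport=51234):
    """Constructed: the client's SYN for the data connection, arriving on eth0
    from an ephemeral source port."""
    return {"proto": "tcp", "iface": "eth0", "ctstate": "NEW", "sport": sport, "dport": dport}

def _reject_index(chain):
    return next(i for i, r in enumerate(chain) if r["target"].startswith("REJECT"))

def fixed_chain(chain):
    """Insert '-p tcp -m conntrack --ctstate NEW --dport 40000:50000 -j ACCEPT'
    ahead of the REJECT (what `iptables -I INPUT 7 ...` would do to this chain)."""
    fix = {"target": "ACCEPT", "proto": "tcp", "ctstate": {"NEW"},
           "dport": (PASV_MIN_PORT, PASV_MAX_PORT)}
    i = _reject_index(chain)
    return chain[:i] + [fix] + chain[i:]

def reordered_only(chain):
    """Move the question's own passive rule ahead of the REJECT without changing it."""
    i = _reject_index(chain)
    return chain[:i] + [chain[-1]] + chain[i:-1]

def diagnose(reply=PASV_REPLY, chain=SERVER_INPUT):
    ip, port = parse_pasv(reply)
    syn = data_syn(port)
    return {
        "ip": ip,
        "port": port,
        "port_in_range": PASV_MIN_PORT <= port <= PASV_MAX_PORT,
        "private_address": advertises_private_address(ip),
        "verdict": walk_chain(chain, syn),
        "verdict_reordered_only": walk_chain(reordered_only(chain), syn),
        "verdict_after_fix": walk_chain(fixed_chain(chain), syn),
    }

if __name__ == "__main__":
    for key, value in diagnose().items():
        print("%-24s %s" % (key, value))
```

Against the posted chain the verdict is the REJECT; it becomes ACCEPT once a `-p tcp -m conntrack --ctstate NEW --dport 40000:50000 -j ACCEPT` rule is inserted ahead of the REJECT (`iptables -I INPUT 7 ...` here, since the REJECT is the seventh INPUT rule). Merely moving the existing passive rule above the REJECT is not enough, as `reordered_only` shows, because that rule still demands `ESTABLISHED` and a client source port in the range. Two caveats specific to FTPS: the nf_conntrack_ftp helper cannot read a PASV reply inside a TLS session, so an explicit port-range rule is the only firewall-side option, and if the server sits behind NAT, vsftpd's `pasv_address` has to carry the address clients can actually reach, otherwise they get the private address seen in the `227` line.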