Josephi Sangria | 29 May 2012 03:49

[Proftpd-user] FTP LIST - Client Failed to retrieve directory listing

Hi proftpd-users,

I'm having a bit of an error in FileZilla FTP client, when trying to connect to proftpd server.
Connection is successful, but the last 3 lines of the FTP client error are:
Command:    LIST
Error:    Connection timed out
Error:    Failed to retrieve directory listing
=============================
Looks like a problem retrieving a directory, but permissions look ok:
The permissions on /var = drwxr-xr-x  14 root root 4.0K May 28 13:34 var
The permissions on /var/ftp = drwxrwxrwx  4 ftpuser1 ftpusers 4.0K May 27 18:43 ftp
The permissions on /var/ftp/csager1 = drwxrwxrwx  2 ftpuser1 ftpusers 4.0K May 12 16:43 csager1

I'm running Ubuntu 12.04, behind a router, so I've tried to set up NAT and port forwarding.
Let's say my IP address is 67.189.11.222
This is what I use for testing to flush iptables and set up ports 21 & 22, and passive port range 60000-65000:
(tried with & without last 2 lines)
=======================
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -I PREROUTING -d 67.189.11.222 -p tcp -m tcp --dport 21:22 -j DNAT --to-destination 192.168.0.101
iptables -t nat -I PREROUTING -d 67.189.11.222 -p tcp -m tcp --dport 60000:65000 -j DNAT --to-destination 192.168.0.101
iptables -A FORWARD -p tcp -d 192.168.1.101 --dport 21:22 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.1.101 --dport 60000:65000 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 60000:65000 -d 67.189.11.222 --dport 21:22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 67.189.11.222 --sport 21:22 -d 0/0 --dport 60000:65000 -m state --state ESTABLISHED -j ACCEPT
=======================

Attached is a file with:
proftpd.conf
output from command ifconfig
output from FTP Client
output from proftpd -V
output from proftpd -vv
output from proftpd -l
using http://ftptest.net to test proftpd
output from proftpd -nd10

=======================

I've tried passive vs. active, I've tried ftptest.net.
Before the error from FTP client after "LIST", I was getting an error on
"MLSD", that's why I inserted the following in the proftpd.conf:
<IfModule mod_facts.c>
FactsAdvertise off
</IfModule>

Any ideas would be greatly appreciated.
Thanks
Attachment (proftpd-debug.tar.gz): application/x-gzip, 7153 bytes
_______________________________________________
ProFTPD Users List   <proftpd-users <at> proftpd.org>
Unsubscribe problems?
http://www.proftpd.org/list-unsub.html
Mikael Fridh | 30 May 2012 08:34

Re: [Proftpd-user] FTP LIST - Client Failed to retrieve directory listing

On Tue, May 29, 2012 at 3:49 AM, Josephi Sangria
<josephisangria <at> yahoo.com> wrote:
> Hi proftpd-users,
>
> I'm having a bit of an error in FileZilla FTP client, when trying to connect
> to proftpd server.

> Error:    Connection timed out

It's not a permissions problem...

> I'm running Ubuntu 12.04, behind a router, so I've tried to set up NAT and
> port forwarding.

"a router" ?

> Let's say my IP address is 67.189.11.222
> This is what I use for testing to flush iptables and set up ports 21 & 22,
> and passive port range 60000-65000:
> (tried with & without last 2 lines)
> =======================
> iptables -P INPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -P OUTPUT ACCEPT

If policy is ACCEPT, no need for any ACCEPT rules below at all.

> iptables -t nat -I PREROUTING -d 67.189.11.222 -p tcp -m tcp --dport 21:22
> -j DNAT --to-destination 192.168.0.101
> iptables -t nat -I PREROUTING -d 67.189.11.222 -p tcp -m tcp --dport
> 60000:65000 -j DNAT --to-destination 192.168.0.101

Where are you doing these rules??? On your ftp server that's behind
your router? Or on the actual router? This seems unclear to me.
Usually when people say "a router", it means a domestic device such as
a dlink, netgear etc. This would have me believe you're using a Linux
box as a router, maybe you are, but please say.

Either way... you do not need rules on your ftp server. It's your
router that's supposed to do the port forwarding (sometimes called
static redirects)

> iptables -A FORWARD -p tcp -d 192.168.1.101 --dport 21:22 -j ACCEPT
> iptables -A FORWARD -p tcp -d 192.168.1.101 --dport 60000:65000 -j ACCEPT

You've got 192.168.1 here and 192.168.0 in the nat rules above.

> iptables -A INPUT -p tcp -s 0/0 --sport 60000:65000 -d 67.189.11.222 --dport
> 21:22 -m state --state NEW,ESTABLISHED -j ACCEPT

You know port 22 is SSH, not FTP, right?

> iptables -A OUTPUT -p tcp -s 67.189.11.222 --sport 21:22 -d 0/0 --dport
> 60000:65000 -m state --state ESTABLISHED -j ACCEPT

If you wanted to allow outgoing active mode ftp (doesn't matter
because you've got policy ACCEPT already) you should allow port 20
outgoing.

Clarify what you've done to configure your router or make it more
clear where exactly you're doing these firewall rules and whether or
not your router is a Linux server.

Mikael.
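
The two rule-level points raised in the reply above (the 192.168.0 / 192.168.1 mismatch between the DNAT and FORWARD rules, and port 22 sitting inside the forwarded range) can be checked mechanically. This is an added example, not part of either message: the function names are hypothetical, the rules are the ones quoted in the thread, and the check is simplified (it ignores source and protocol matches and only matters when the FORWARD policy is not ACCEPT).

```python
import ipaddress
import shlex

# Rules quoted from the first message in this thread.
RULES = """\
iptables -t nat -I PREROUTING -d 67.189.11.222 -p tcp -m tcp --dport 21:22 -j DNAT --to-destination 192.168.0.101
iptables -t nat -I PREROUTING -d 67.189.11.222 -p tcp -m tcp --dport 60000:65000 -j DNAT --to-destination 192.168.0.101
iptables -A FORWARD -p tcp -d 192.168.1.101 --dport 21:22 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.1.101 --dport 60000:65000 -j ACCEPT
"""
NAMES = {"-t": "table", "-I": "chain", "-A": "chain", "-d": "dst",
         "--dport": "dport", "-j": "target", "--to-destination": "to"}

def parse(line):
    """Turn one iptables command into a dict of the options this check needs."""
    tok = shlex.split(line)
    return {NAMES[t]: tok[i + 1] for i, t in enumerate(tok[:-1]) if t in NAMES}

def port_range(spec):
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)

def covers(fwd, dnat):
    """True if a FORWARD ACCEPT rule matches traffic rewritten by the DNAT rule."""
    lo, hi = port_range(dnat["dport"])
    flo, fhi = port_range(fwd.get("dport", "0:65535"))
    net = ipaddress.ip_network(fwd.get("dst", "0.0.0.0/0"), strict=False)
    host = ipaddress.ip_address(dnat["to"].split(":")[0])
    return host in net and flo <= lo and hi <= fhi

def audit(text):
    """Return findings for DNAT rules with no matching FORWARD rule or exposing port 22."""
    rules = [parse(l) for l in text.splitlines() if l.startswith("iptables")]
    dnats = [r for r in rules if r.get("target") == "DNAT"]
    fwds = [r for r in rules if r.get("chain") == "FORWARD" and r.get("target") == "ACCEPT"]
    findings = []
    for d in dnats:
        if not any(covers(f, d) for f in fwds):
            findings.append(f"DNAT to {d['to']} ports {d['dport']}: no FORWARD ACCEPT rule matches it")
        lo, hi = port_range(d["dport"])
        if lo <= 22 <= hi:
            findings.append(f"DNAT ports {d['dport']}: range includes 22 (SSH), which is not an FTP port")
    return findings

if __name__ == "__main__":
    for finding in audit(RULES):
        print(finding)
```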
