Resolved FTP NAT Firewall

[weelow]

Hello,
I tried searching for weeks on this problem without finding a solution
I am unable to get directory listing using the local IP example 192.168.1.10 or the external server ip
to narrow the problem down i connected locally and i ensured plesk firewall rule for ports
20-21 and 60000-65534
i even disabled the firewall completely using
sudo systemctl stop firewalld

I also made sure to add a pasv.conf file with
<Global>
.... added the passive ports here
</Global>

I checkted the ftp tls log file on the server and there was no issues
Filezila could connect to the server but could never get the directory listing using either the active or passive connection methods from a local ip address.

I managed to get SFTP working from a system user account charooted but that is not what i want.
I want to disable SFTP to make the server more secure and only make SSH port avaialbe through a VPN connection for the server admins. As for FTP its driving me nuts to set it up on linux. I got it working on a windows machine on the same network.

I appreciate all the help i can get. Thank you.

Here is a log from FileZilla

15:35:40 Status: Resolving address of xXX.XXxx.com
15:35:40 Status: Connecting to XX.XX.XX.XX:21...
15:35:40 Status: Connection established, waiting for welcome message...
15:35:40 Trace: CFtpControlSocket::OnReceive()
15:35:40 Response: 220 ProFTPD 1.3.5b Server (ProFTPD) [XX.XX.XX.XX]
15:35:40 Trace: CFtpControlSocket::SendNextCommand()
15:35:40 Command: AUTH TLS
15:35:40 Trace: CFtpControlSocket::OnReceive()
15:35:40 Response: 234 AUTH TLS successful
15:35:40 Status: Initializing TLS...
15:35:40 Trace: CTlsSocket::Handshake()
15:35:40 Trace: CTlsSocket::ContinueHandshake()
15:35:40 Trace: TLS handshake: About to send CLIENT HELLO
15:35:40 Trace: TLS handshake: Sent CLIENT HELLO
15:35:40 Trace: CTlsSocket::OnSend()
15:35:40 Trace: CTlsSocket::OnRead()
15:35:40 Trace: CTlsSocket::ContinueHandshake()
15:35:40 Trace: CTlsSocket::OnRead()
15:35:40 Trace: CTlsSocket::ContinueHandshake()
15:35:40 Trace: TLS handshake: Received SERVER HELLO
15:35:40 Trace: TLS handshake: Processed SERVER HELLO
15:35:40 Trace: TLS handshake: Received CERTIFICATE
15:35:40 Trace: TLS handshake: Processed CERTIFICATE
15:35:40 Trace: TLS handshake: Received SERVER KEY EXCHANGE
15:35:40 Trace: TLS handshake: Processed SERVER KEY EXCHANGE
15:35:40 Trace: TLS handshake: Received CERTIFICATE REQUEST
15:35:40 Trace: TLS handshake: Processed CERTIFICATE REQUEST
15:35:40 Trace: TLS handshake: Received SERVER HELLO DONE
15:35:40 Trace: TLS handshake: Processed SERVER HELLO DONE
15:35:40 Trace: TLS handshake: About to send CERTIFICATE
15:35:40 Trace: TLS handshake: Sent CERTIFICATE
15:35:40 Trace: TLS handshake: About to send CLIENT KEY EXCHANGE
15:35:40 Trace: TLS handshake: Sent CLIENT KEY EXCHANGE
15:35:40 Trace: TLS handshake: About to send FINISHED
15:35:40 Trace: TLS handshake: Sent FINISHED
15:35:40 Trace: CTlsSocket::OnRead()
15:35:40 Trace: CTlsSocket::ContinueHandshake()
15:35:40 Trace: TLS handshake: Received FINISHED
15:35:40 Trace: TLS handshake: Processed FINISHED
15:35:40 Trace: TLS Handshake successful
15:35:40 Trace: Protocol: TLS1.2, Key exchange: ECDHE-RSA, Cipher: AES-256-GCM, MAC: AEAD
15:35:40 Status: Verifying certificate...
15:35:40 Status: TLS connection established.
15:35:40 Trace: CFtpControlSocket::SendNextCommand()
15:35:40 Command: USER whmcs_support
15:35:41 Trace: CTlsSocket::OnRead()
15:35:41 Trace: CFtpControlSocket::OnReceive()
15:35:41 Response: 331 Password required for whmcs_support
15:35:41 Trace: CFtpControlSocket::SendNextCommand()
15:35:41 Command: PASS ******************
15:35:41 Trace: CTlsSocket::OnRead()
15:35:41 Trace: CFtpControlSocket::OnReceive()
15:35:41 Response: 230 User whmcs_support logged in
15:35:41 Trace: CFtpControlSocket::SendNextCommand()
15:35:41 Command: OPTS UTF8 ON
15:35:41 Trace: CTlsSocket::OnRead()
15:35:41 Trace: CFtpControlSocket::OnReceive()
15:35:41 Response: 200 UTF8 set to on
15:35:41 Trace: CFtpControlSocket::SendNextCommand()
15:35:41 Command: PBSZ 0
15:35:41 Trace: CTlsSocket::OnRead()
15:35:41 Trace: CFtpControlSocket::OnReceive()
15:35:41 Response: 200 PBSZ 0 successful
15:35:41 Trace: CFtpControlSocket::SendNextCommand()
15:35:41 Command: PROT P
15:35:41 Trace: CTlsSocket::OnRead()
15:35:41 Trace: CFtpControlSocket::OnReceive()
15:35:41 Response: 200 Protection set to Private
15:35:41 Status: Logged in
15:35:41 Trace: CFtpControlSocket::ResetOperation(0)
15:35:41 Trace: CControlSocket::ResetOperation(0)
15:35:41 Trace: CFileZillaEnginePrivate::ResetOperation(0)
15:35:41 Trace: Measured latency of 107 ms
15:35:41 Status: Retrieving directory listing...
15:35:41 Trace: CFtpControlSocket::SendNextCommand()
15:35:41 Trace: CFtpControlSocket::ChangeDirSend()
15:35:41 Command: PWD
15:35:41 Trace: CTlsSocket::OnRead()
15:35:41 Trace: CFtpControlSocket::OnReceive()
15:35:41 Response: 257 "/" is the current directory
15:35:41 Trace: CFtpControlSocket::ResetOperation(0)
15:35:41 Trace: CControlSocket::ResetOperation(0)
15:35:41 Trace: CFtpControlSocket:arseSubcommandResult(0)
15:35:41 Trace: CFtpControlSocket::ListSubcommandResult()
15:35:41 Trace: state = 1
15:35:41 Trace: CFtpControlSocket::SendNextCommand()
15:35:41 Trace: CFtpControlSocket::TransferSend()
15:35:41 Trace: state = 1
15:35:41 Command: TYPE I
15:35:41 Trace: CTlsSocket::OnRead()
15:35:41 Trace: CFtpControlSocket::OnReceive()
15:35:41 Response: 200 Type set to I
15:35:41 Trace: CFtpControlSocket::TransferParseResponse()
15:35:41 Trace: code = 2
15:35:41 Trace: state = 1
15:35:41 Trace: CFtpControlSocket::SendNextCommand()
15:35:41 Trace: CFtpControlSocket::TransferSend()
15:35:41 Trace: state = 2
15:35:41 Command: PORT 41,33,6,210,199,10
15:35:41 Trace: CTlsSocket::OnRead()
15:35:41 Trace: CFtpControlSocket::OnReceive()
15:35:41 Response: 200 PORT command successful
15:35:41 Trace: CFtpControlSocket::TransferParseResponse()
15:35:41 Trace: code = 2
15:35:41 Trace: state = 2
15:35:41 Trace: CFtpControlSocket::SendNextCommand()
15:35:41 Trace: CFtpControlSocket::TransferSend()
15:35:41 Trace: state = 4
15:35:41 Command: MLSD
15:36:01 Error: Connection timed out after 20 seconds of inactivity
15:36:01 Trace: CControlSocket:oClose(2050)
15:36:01 Trace: CFtpControlSocket::ResetOperation(2114)
15:36:01 Trace: CControlSocket::ResetOperation(2114)
15:36:01 Trace: CFtpControlSocket::ResetOperation(2114)
15:36:01 Trace: CControlSocket::ResetOperation(2114)
15:36:01 Error: Failed to retrieve directory listing
15:36:01 Trace: CFileZillaEnginePrivate::ResetOperation(2114)

 

[SBDavid]

Hello,

Are you forwarding the passive ports on the router?

 

[weelow]

Hello,

Are you forwarding the passive ports on the router?

I have and i get connected which means port forwarding rules are working fine for the main ports 21-20 so the passive ports should be working properly.

I even tried connecting locally directly to the server without any routers and disabled the Linux firewall and restarted the service and tried connecting and again i get the same error when listing the directories

 

[AYamshanov]

Hi,

Did you see KB https://support.plesk.com/hc/en-us/...ge-for-ProFTPd-on-a-server-behind-a-firewall?

In passive mode, the second channel for data creates a client to a server. A client uses the port from server's answer.

PASSIVE (PASV)

This command requests the server-DTP to "listen" on a data
port (which is not its default data port) and to wait for a
connection rather than initiate one upon receipt of a
transfer command. The response to this command includes the
host and port address this server is listening on.​

15:35:41 Command: PORT a,b,c,d,199,10

Four first digits - IP;
199 and 10 (server's port) = (199)*256 + (10) = 50954

So, in this session client make two connection:
- first (control) to port 21;
- second (data) to port 50954.

Could you check proftpd settings and iptables? Do you wrote "60000-65534" but server answers port 50954 - this is strange.

 

[weelow]

Hi,

Did you see KB https://support.plesk.com/hc/en-us/...ge-for-ProFTPd-on-a-server-behind-a-firewall?

In passive mode, the second channel for data creates a client to a server. A client uses the port from server's answer.

PASSIVE (PASV)

This command requests the server-DTP to "listen" on a data
port (which is not its default data port) and to wait for a
connection rather than initiate one upon receipt of a
transfer command. The response to this command includes the
host and port address this server is listening on.​

Four first digits - IP;
199 and 10 (server's port) = (199)*256 + (10) = 50954

So, in this session client make two connection:
- first (control) to port 21;
- second (data) to port 50954.

Could you check proftpd settings and iptables? Do you wrote "60000-65534" but server answers port 50954 - this is strange.

You are right. I think this is the problem. I have everything set for port range 60000-65534 and i just used netstat on the server and it is using ports below that range for some reason. Although i followed guide lines to configure proftpd.conf files and everything seams to be in the right place unless plesk is reading from a different conf file.

I am going to try to find all file names with .conf and check them out. Maybe there is another file overwriting my settings.

 

[weelow]

Perfect, there was a config file with the wrong port range. I deleted it and made sure the correct conf file was imported and included in the main conf file. and now i got a working ftp server.

Thanks