I recently installed the vsftpd FTP Server onto a CentOS box and have a fairly tight firewall setup script using iptables. When I logged in to test it and issued an “ls -l” command it took a really long time for the driectory listing to come back. At first I thought it wasn’t going to show the directory listing at all but it finally did. This post looks at the solution to the problem. The notes in this post will also apply to vsftpd on Red Hat Enterprise Linux which CentOS is based on.
Installing VSFtpd
First, we’ll look at the basics of setting up vsftpd, the firewall rule I added, and then the solution to the problem.
Installing VSFtpd from the command line is as simple as this:
yum install vsftpd
To start it now:
/etc/init.d/vsftpd start
and to have vsftpd run automatically when the system starts:
chkconfig vsftpd on
Firewall rule
I added the following rule to my custom firewall script. We only allow FTP access to this particular server from a very few static IP addresses so there’s a line for each IP address as in the following example:
iptables -A INPUT -p tcp --dport 21 -s 192.168.1.10 -j ACCEPT
I then restarted the firewall and attempted to connect to the server using a command line FTP program. I was able to connect, but it was when trying to get a directory listing using “ls -l” that nothing appeared to be happening.
The solution
The solution turns out to be very simple. Simply add the following line to the /etc/sysconfig/iptables-config firewall configuration file:
IPTABLES_MODULES="ip_conntrack_ftp"
and then restart iptables like so:
/etc/init.d/iptables restart
When iptables restarts you’ll see output similar to the following:
Flushing firewall rules: [ OK ] Setting chains to policy ACCEPT: filter [ OK ] Unloading iptables modules: [ OK ] Applying iptables firewall rules: [ OK ] Loading additional iptables modules: ip_conntrack_ftp [ OK ]
That last line shows that the ftp module has been loaded into iptables. I then re-ran my custom iptables script and could now log in successfully and get a directory listing etc.
Additional firewall rules
One post I read looking at this issue suggested a whole bunch of extra firewall rules, but I didn’t seem to need them. Simply adding the above line and restarting iptables seemed to do the trick.
Update October 10th 2009
Jon Dean emailed me yesterday to let me know the following:
“I thought I’d let you know that I created a post on my website linking to this article with some additional information. My problem was that my iptables config wasn’t complete enough for all of the rules that were active on my system. (My guess is that Plesk or some other application set up those rules for me.) So I just added two steps for backing up and then restoring your current iptables rules.”
You can read Jon’s post titled Fixing slow FTP listing on CentOS 5.3 and safely reloading iptables config for more details.
