How to Resolve Passive FTP Data Port connection error:
If you cannot connect to the FTP data port in passive mode and get a connection error such as:

“FTP Connection Error: Error loading directory”
--------------------------------------------------------------
“Server failed to connect data port Error loading directory...”
-------------------------------------------------------------

then it is possible that the firewall does not have a port range open that matches the port range used by the FTP service. There are two options to fix this:

1) Use active-mode FTP instead of passive. This is normally selectable in the FTP client. In the command-line FTP client, you can simply type "passive" to toggle passive/active mode.

2) Configure a port range for passive-mode FTP in the FTP service configuration, and configure the server's firewall to allow connections on those ports.

If you are using Pure-FTPd, which is the default, you can define the passive-mode port range by editing /etc/pure-ftpd.conf and uncommenting the following directive:

# Port range for passive connections replies.
# PassivePortRange 30000 50000
Once you have removed the hash mark (#) from the line starting with "PassivePortRange", restart Pure-FTPd and edit your firewall configuration to allow traffic on the same port range, as described below:
This example assumes that your eth0 network interface has the public IP 119.54.1.20. FTP uses both port 21 and port 20 (port 21 for commands and port 20 for data), so the following iptables rules cover both ports (add the rules to your iptables-based shell script):
1) Add support for FTP connection tracking by loading the two iptables modules given below:
First, log in as the root user.
Next, type the following commands to load the two iptables modules:
# modprobe ip_conntrack
# modprobe ip_conntrack_ftp
2) Now add the following iptables rules for incoming requests on port 21 (open port 21) to your script:
# iptables -A INPUT -p tcp -s 0/0 --sport 30000:50000 -d 119.54.1.20 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -p tcp -s 119.54.1.20 --sport 21 -d 0/0 --dport 30000:50000 -m state --state ESTABLISHED -j ACCEPT
3) Now add the following iptables rules to your script to allow the passive port range:
# iptables -A INPUT -p tcp -s 0/0 --sport 30000:50000 -d 119.54.1.20 --dport 30000:50000 -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A OUTPUT -p tcp -s 119.54.1.20 --sport 30000:50000 -d 0/0 --dport 30000:50000 -m state --state ESTABLISHED -j ACCEPT
4) Now add the following iptables rules to your script to allow the FTP data port (20) and the passive port range:
# iptables -A OUTPUT -p tcp -s 119.54.1.20 --sport 20 -d 0/0 --dport 30000:50000 -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A INPUT -p tcp -s 0/0 --sport 30000:50000 -d 119.54.1.20 --dport 20 -m state --state ESTABLISHED -j ACCEPT
Now save the iptables rules as follows:
# service iptables save
Now try accessing the FTP. It should be working for you.
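
If the error persists, the usual cause is that the PassivePortRange in the Pure-FTPd configuration and the range allowed by the firewall do not agree. The script below is an added example, not part of the original article: it reads configuration text and rules in "iptables -S" format and reports whether the passive range is covered by an INPUT ACCEPT rule. The function names and the sample configuration and rule text are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed for illustration.

# Print the active (uncommented) PassivePortRange as LOW:HIGH, or nothing if
# the directive is still commented out. Reads pure-ftpd.conf text on stdin.
passive_range() {
    awk '$1 == "PassivePortRange" && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ { r = $2 ":" $3 }
         END { if (r != "") print r }'
}

# Succeed if an INPUT ACCEPT rule for TCP ("iptables -S" format on stdin) has a
# --dport value or range that fully contains the LOW:HIGH range given as $1.
fw_covers_range() {
    awk -v want="$1" '
        BEGIN { split(want, w, ":") }
        $1 == "-A" && $2 == "INPUT" && /-p tcp/ && /-j ACCEPT/ {
            for (i = 1; i < NF; i++) if ($i == "--dport") {
                n = split($(i + 1), d, ":")
                lo = d[1] + 0; hi = (n == 2 ? d[2] : d[1]) + 0
                if (lo <= w[1] + 0 && hi >= w[2] + 0) ok = 1
            }
        }
        END { exit !ok }'
}

# Report "unset", "ok LOW:HIGH" or "blocked LOW:HIGH" for config text $1 and rules text $2.
check_ftp_passive() {
    range=$(printf '%s\n' "$1" | passive_range)
    if [ -z "$range" ]; then echo "unset"
    elif printf '%s\n' "$2" | fw_covers_range "$range"; then echo "ok $range"
    else echo "blocked $range"
    fi
}

# Constructed sample inputs.
CONF_COMMENTED='# PassivePortRange 30000 50000'
CONF_ENABLED='PassivePortRange 30000 50000'
RULES_OK='-A INPUT -d 119.54.1.20/32 -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -d 119.54.1.20/32 -p tcp -m tcp --dport 30000:50000 -m state --state RELATED,ESTABLISHED -j ACCEPT'
RULES_NARROW='-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 30000:40000 -j ACCEPT'

check_ftp_passive "$CONF_COMMENTED" "$RULES_OK"      # directive still commented out
check_ftp_passive "$CONF_ENABLED" "$RULES_OK"        # range fully allowed
check_ftp_passive "$CONF_ENABLED" "$RULES_NARROW"    # firewall range too small
```

On a live server, pass it the contents of /etc/pure-ftpd.conf and the output of "iptables -S INPUT" instead of the sample strings.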