Hello, just started up a new server, a KVM machine with it’s own IP (no router anywhere just a bridge on the host), everything worked. Problem is I started restoring domains, but the proftpd 1.3.3 server is not working well and was notified by one of the users, it authenticates the user but fails listing. This I think is not a routing problem, because I disabled iptables and still no luck!

I droped my configuration and thought to start from scratch, took it from the proftpd website and just commented the anonymus section, restarted proftpd about 100 times, and the network, and iptables, and even the VM:

But FIlezilla keeps on telling me (doesn’t work with dolphin or any of the browsers, no problems to other servers), with any user tried:

With active mode I get the same problem with listing:

Status: Disconnected from server
Status: Resolving address of ftp.mumu.ro
Status: Connecting to 80.97.65.222:21…
Status: Connection established, waiting for welcome message…
Response: 220 ProFTPD 1.3.3e Server (ProFTPD Default Installation) [::ffff:80.97.65.222]
Command: USER fakemoth
Response: 331 Password required for fakemoth
Command: PASS **********
Response: 230 User fakemoth logged in
Command: SYST
Response: 215 UNIX Type: L8
Command: FEAT
Response: 211-Features:
Response: MDTM
Response: MFMT
Response: LANG zh-TW;ru-RU;bg-BG;zh-CN;ja-JP;ko-KR;en-US;fr-FR;it-IT
Response: TVFS
Response: UTF8
Response: MFF modify;UNIX.group;UNIX.mode;
Response: MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*;
Response: REST STREAM
Response: SIZE
Response: 211 End
Command: OPTS UTF8 ON
Response: 200 UTF8 set to on
Status: Connected
Status: Retrieving directory listing…
Command: PWD
Response: 257 “/” is the current directory
Command: TYPE I
Response: 200 Type set to I
Command: PORT 79,117,71,38,155,198
Response: 200 PORT command successful
Command: MLSD
Response: 425 Unable to build data connection: No route to host
Error: Failed to retrieve directory listing


Nothing of interest in the logs:

Mar 6 07:56:18 ns1 proftpd[10134]: ns1.mumu.ro (::ffff:79.117.71.38[::ffff:79.117.71.38]) - FTP session opened.
Mar 6 07:56:18 ns1 proftpd[10134]: ns1.mumu.ro (::ffff:79.117.71.38[::ffff:79.117.71.38]) - Preparing to chroot to directory ‘/home/fakemoth’
Mar 6 07:59:01 ns1 proftpd[9302]: ns1.mumu.ro (::ffff:79.117.71.38[::ffff:79.117.71.38]) - Client session idle timeout, disconnected
Mar 6 07:59:01 ns1 proftpd[9302]: ns1.mumu.ro (::ffff:79.117.71.38[::ffff:79.117.71.38]) - FTP session closed.


Just in case:

Chain fail2ban-SSH (1 references)
target prot opt source destination
RETURN all – anywhere anywhere


By the way there are no need of other opened ports as I have the modules (first thing that came in mind when I saw “Response: 425 Unable to build data connection: No route to host” but for some weird reason in CentOS 6.3 x64 they ar called nf_… and not ip_… also checked if they are loaded - they are):

service iptables restart
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: filter mangle nat [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
iptables: Loading additional modules: nf_conntrack nf_conntrack_netbios_ns nf_conntrack_ftp nf_conntrack_tftp [ OK ]


What could be wrong here, any other info that you would need?

Howdy,

It sounds like you’re seeing the issue described here in the section “FTP Server Isn’t Working”:

http://www.virtualmin.com/documentation/web/faq

If you try that, does that resolve your issue?

-Eric

Thanks for your interest in this! As I said, tried with iptables stoped - it should work even without the modules. But I have them - wrote at the end. They are called nf_conntrack… in fact in CentOS 6, don’t know why. Tried with ip_conntrack… but they do not exist. Searched the web and found out they are the same.

I know about that article because I had previous problems with my 5.x CentOS. So this is not it. Does the host influence in any way the KVM VM ? From my part, I guess not, a bridge is just a bridge, right?

Howdy,

That module isn’t just about iptables – that module can work around a whole host of issues that come up, as there’s a variety of things that cause the problem you’re seeing.

Certain routers and network configurations can cause that, for example, even with iptables disabled.

However, the solution to all of those problems is, in general, loading that particular module

In your case, since it sounds the like module name may be slightly different, you could try this:

modprobe nf_conntrack_ftp

Or did I misunderstand, and you are in fact already using the nf_conntrack_ftp module?

I’m not sure if the host can cause that though… I honestly hadn’t heard of a case of the error you’re seeing where loading that module didn’t fix it. But you could perhaps try loading that on the host as well, that may be worth a shot if loading it on the guest isn’t working.

-Eric

The module is loaded, checked that:

The problem was somewhere else, on the host as I guessed! As soon as I added those in /etc/sysconfig on the host everything started to work miracously and now I can take a break for like another 3 years on the FTP side

This is a bug recently introduced somehow, during an update or something, as a month ago it was working fine… nothing else happened, didn’t mess the config, just updates.

Thanks for your help, you should get this in the documentation too

Hello - so, problem solved BUT I would like to use TLS for secure connections. As I understand it when using TLS the conntrack modules can’t take a peek into the ftp data because it’s… well… encrypted. One way is to use ccc command into the client, but read on the filezilla forums that this is bullshit.

So I have to use passive ports; problem is opened a range in firewall, put the directive in proftpd.conf, but I get the same Error: GnuTLS error -53: Error in the push function.

Can someone enlight me on this?

TY!

Howdy,

I hadn’t run into that before, but poking around a bit on Google, I see a few folks who got that where the issue was an issue in the client.

Is there any chance you could try a different FTP client, and see if it works at that point?

-Eric

Will do and report back, I’m busy with some fried sausages, tzuica and wine kind of a romanian equinox tradition

That sounds delicious, I wish I was there to share that with you guys! I never had tzuica. I’ll keep my eyes open to see if anyone has that here in the US

-Eric

I’m sorry but I’m trying to follow what you did to solve this problem. I have the exact same issue and I looked through everything you looked through. You said “As soon as I added those in /etc/sysconfig on the host”. As soon as you added what on the host?

Any help would be super appreciated

You have to load some modules for iptables on the host. Add in /etc/sysconfig/iptables-config file the following (or replace what you have on the first line, was refering to loading the modules, forgot to add the file to the path; it’s best not to load them by hand):

IPTABLES_MODULES=“nf_conntrack nf_conntrack_netbios_ns nf_conntrack_ftp nf_conntrack_tftp”

… and you are good to go!

Late reply: correctly “Țuică” (Romanian pronunciation: [ˈt͡sujkə]; sometimes spelled tuica, tzuika, tsuika, tsuica, or tzuica) is a traditional Romanian spirit that contains 28%-60% alcohol by volume (usually 40-45%), prepared only from plums. Other spirits that are produced from some other fruit or from a cereal grain are called “rachiu” or “rachie.”

In fact it was “Pălincă” wich means it’s distilled twice, and considered to be good in my area (Transylvania, no vampires here btw) only above 50% Tastes vary regarding the combination of fruits if it’s not made only from plums. If we will ever meet I swear you will… hmmm at least taste it if not getting a little dizzy