服务器 Gind.cn
  1. 服务器 Gind.cn
  3. 无法检索连接到vsftpd的Filezilla中的目录列表
Intereting Posts
Ubuntu运行PostgreSQL MySQL占用了我的服务器资源 Windows从Active Directory Linuxlogin共享身份validation networking现在比磁盘更快吗? SMART长时间自测。 发现坏块后,testing是否继续? SMC Tigerswitch和HP Procurve不能连接光纤 新贵:定义服务依赖性/优先级 我怎样才能让Postfixredirect邮件在一个子域的相同的地址? FreeSWITCH和OpenSIPS – 我如何避免在多个FreeSWITCH服务器中重复扩展? XenServer 6.2 IPv6路由 从客户端连接到ssh服务器的速度非常慢(但不是其他服务器) 有什么select来存档Postfix电子邮件,并保留标题中的任何BCC信息 戴尔H700 Nagios警告问题 使用postfix主机通配符子域名 使用公网IP和无权子网的Strongswan IPSec VPN隧道

无法检索连接到vsftpd的Filezilla中的目录列表

新手在这里。

起初我无法连接到vsftpd,但我在iptables中添加了端口21(我在Centos 6上运行),并设法使其工作。 但现在,我无法通过Filezilla中的Command: LIST

这里是日志: 

 Status: Connecting to 162.xxx.xx.xxx:21... Status: Connection established, waiting for welcome message... Response: 220 (vsFTPd 2.2.2) Command: USER cjflores Response: 331 Please specify the password. Command: PASS ****************** Response: 230 Login successful. Command: OPTS UTF8 ON Response: 200 Always in UTF8 mode. Status: Connected Status: Retrieving directory listing... Command: PWD Response: 257 "/" Command: TYPE I Response: 200 Switching to Binary mode. Command: PASV Response: 227 Entering Passive Mode (162,243,89,203,209,5) Command: LIST Error: Connection timed out Error: Failed to retrieve directory listing

这里是我的防火墙设置netstat -nL

 Chain INPUT (policy DROP) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:587 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:110 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:995 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:143 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:993 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:4785 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F Chain FORWARD (policy DROP) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination

这里是我的vsftpd.conf: 

 # Example config file /etc/vsftpd/vsftpd.conf # # The default compiled in settings are fairly paranoid. This sample file # loosens things up a bit, to make the ftp daemon more usable. # Please see vsftpd.conf.5 for all compiled in defaults. # # READ THIS: This example file is NOT an exhaustive list of vsftpd options. # Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's # capabilities. # # Allow anonymous FTP? (Beware - allowed by default if you comment this out). anonymous_enable=NO # # Uncomment this to allow local users to log in. local_enable=YES # # Uncomment this to enable any form of FTP write command. write_enable=YES # # Default umask for local users is 077. You may wish to change this to 022, # if your users expect that (022 is used by most other ftpd's) local_umask=022 # # Uncomment this to allow the anonymous FTP user to upload files. This only # has an effect if the above global write enable is activated. Also, you will # obviously need to create a directory writable by the FTP user. #anon_upload_enable=YES # # Uncomment this if you want the anonymous FTP user to be able to create # new directories. #anon_mkdir_write_enable=YES # # Activate directory messages - messages given to remote users when they # go into a certain directory. dirmessage_enable=YES # # The target log file can be vsftpd_log_file or xferlog_file. # This depends on setting xferlog_std_format parameter xferlog_enable=YES # # Make sure PORT transfer connections originate from port 20 (ftp-data). connect_from_port_20=YES # # If you want, you can arrange for uploaded anonymous files to be owned by # a different user. Note! Using "root" for uploaded files is not # recommended! #chown_uploads=YES #chown_username=whoever # # The name of log file when xferlog_enable=YES and xferlog_std_format=YES # WARNING - changing this filename affects /etc/logrotate.d/vsftpd.log #xferlog_file=/var/log/xferlog # # Switches between logging into vsftpd_log_file and xferlog_file files. # NO writes to vsftpd_log_file, YES to xferlog_file xferlog_std_format=YES # # You may change the default value for timing out an idle session. #idle_session_timeout=600 # # You may change the default value for timing out a data connection. #data_connection_timeout=120 # # It is recommended that you define on your system a unique user which the # ftp server can use as a totally isolated and unprivileged user. #nopriv_user=ftpsecure # # Enable this and the server will recognise asynchronous ABOR requests. Not # recommended for security (the code is non-trivial). Not enabling it, # however, may confuse older FTP clients. #async_abor_enable=YES # # By default the server will pretend to allow ASCII mode but in fact ignore # the request. Turn on the below options to have the server actually do ASCII # mangling on files when in ASCII mode. # Beware that on some FTP servers, ASCII support allows a denial of service # attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd # predicted this attack and has always been safe, reporting the size of the # raw file. # ASCII mangling is a horrible feature of the protocol. #ascii_upload_enable=YES #ascii_download_enable=YES # # You may fully customise the login banner string: #ftpd_banner=Welcome to blah FTP service. # # You may specify a file of disallowed anonymous e-mail addresses. Apparently # useful for combatting certain DoS attacks. #deny_email_enable=YES # (default follows) #banned_email_file=/etc/vsftpd/banned_emails # # You may specify an explicit list of local users to chroot() to their home # directory. If chroot_local_user is YES, then this list becomes a list of # users to NOT chroot(). chroot_local_user=YES #chroot_list_enable=YES # (default follows) #chroot_list_file=/etc/vsftpd/chroot_list # # You may activate the "-R" option to the builtin ls. This is disabled by # default to avoid remote users being able to cause excessive I/O on large # sites. However, some broken FTP clients such as "ncftp" and "mirror" assume # the presence of the "-R" option, so there is a strong case for enabling it. #ls_recurse_enable=YES # # When "listen" directive is enabled, vsftpd runs in standalone mode and # listens on IPv4 sockets. This directive cannot be used in conjunction # with the listen_ipv6 directive. listen=YES # # This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6 # sockets, you must run two copies of vsftpd with two configuration files. # Make sure, that one of the listen options is commented !! #listen_ipv6=YES pam_service_name=vsftpd userlist_enable=YES tcp_wrappers=YES

提前致谢!

FTP协议是一个奇怪的鸭子。 它使用两个TCP连接,而不仅仅是大多数协议使用的一个。 您有端口21,命令和login连接,以及第二个连接,即数据连接。

对于被动FTP,第二个连接是在1024以上的随机分配的可用TCP端口。

你的问题似乎表明你的防火墙没有第二个端口。

有多种方法可以解决这个问题:

修复PASV端口(-range)一种解决scheme是将VSFTPDconfiguration为使用一个小范围的端口,或者只是一个端口,并创build一个防火墙规则来打开这些端口: 

 # /etc/vsftpd/vsftpd.conf # reserve TCP ports 2121-2142 for passive FTP pasv_min_port=2121 pasv_max_port=2142

然后在防火墙中打开端口范围。 (多端口模块允许一个端口范围,而不是每个20端口打开一个端口): 

 iptables -I INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 2121:2142 -j ACCEPT

这种方法的优点是它也可以用于更复杂的多重防火墙设置,端口转发,NAT等。

使用智能防火墙

有了智能防火墙,你不必打开额外的端口。 由于FTP是明文协议,因此防火墙可以扫描端口21上的命令连接上的stream量。它将识别将要分配的PASV端口并dynamic打开防火墙。

对于Linux的netfilter(iptables)防火墙,有一个内核模块可以为你做: nf_conntrack_ftp也被称为ip_conntrack_ftp 。 加载该模块,你的问题应该消失: 

 modprobe -i ip_conntrack_ftp

如果解决了您的FTP连接问题,请在启动时将模块configuration为加载。 在这种情况下,RHEL6和CentOS 6的方法是: 

 # /etc/sysconfig/iptables-config # Space separated list of nat helpers (eg 'ip_nat_ftp ip_nat_irc'), which # are loaded after the firewall rules are applied. Options for the helpers are # stored in /etc/modprobe.conf. IPTABLES_MODULES="nf_conntrack_ftp"