
It seems that I have a configuration problem and I need help.

I have a webserver, under Debian Jessie with pure-ftpd-mysql installed (and updated).

I can connect to the server via FTP when it's in active mode, but when I ask it to switch to passive mode, I get an operation timeout:

ftp ftp.***.com
Connected to ftp.***.com.
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 12:31. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Name (ftp.***.com:tilotiti): 
331 User tilotiti OK. Password required
Password: 
230 OK. Current restricted directory is /
ftp> ls
200 PORT command successful
150 Connecting to port 50405
drwxr-xr-x    2 2001       ftp              4096 Dec 21 11:12 test1
drwxrwxrwx    2 2001       ftp              4096 Apr 28  2017 test2
226-Options: -l 
226 2 matches total
ftp> passive
Passive mode on.
ftp> ls
227 Entering Passive Mode (10,3,98,75,127,233)
ftp: connect: Operation timed out
ftp> 

I'm hosted on Scaleway, and I checked that there were no rules configured in the network firewall.

I tried to configure a passive port range by creating the file /etc/pure-ftpd/conf/PassivePortRange:

30000 50000

I checked that my server firewall was not blocking the connection:

$ iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

And I rebooted the server to be sure that the new configuration had been taken into account.

But it doesn't work; I'm totally lost now. I need this passive connection.

Can anyone help me, please?

Thank you very much.

1 Answer


227 Entering Passive Mode (10,3,98,75,127,233)

Means the server is waiting for an incoming connection to 10.3.98.75 port 32745. Of course that's because the server is NATed and (the ftp server) doesn't know about it.

You still need to do two (of 3) things:

  • set the FTP server so it "publishes" the known public IP instead of its private IP. This is how it's done from the pure-ftpd documentation:

    - '-P <ip address or host name>': Force the specified IP address in reply to a PASV/EPSV/SPSV command. If the server is behind a masquerading (NAT) box that doesn't properly handle stateful FTP masquerading, put the ip address of that box here. If you have a dynamic IP address, you can put the public host name of your gateway, that will be resolved every time a new client will connect.

The Debian(?) wrapper configuration for it appears to be ForcePassiveIP <ip address or host name>

  • set it to use a specific range of ports only (already done, you chose 30000:50000). A range that doesn't overlap the dynamic ports range as seen in /proc/sys/net/ipv4/ip_local_port_range should be chosen for improved security.
  • Change Scaleway's firewall/nat settings to allow port forwarding for the range of TCP ports in the previous step (that's where security I mentioned above could matter). Sorry I don't know where to find the specific documentation about this. I didn't even understand what kind of network configurations are available at Scaleway. If the host has actually two IPs, one of them 10.3.98.75, the other public, then instead of using ForcePassiveIP, the Bind option ( => -S ) would be enough.
A.B