The error occurs after successful authentication when attempting to list directory contents via FileZilla. The key indicators in the log show:
Command: PASV
Response: 227 Entering Passive Mode (162,243,89,203,209,5)
Command: LIST
Error: Connection timed out
FTP uses two connections:
- Control connection (port 21)
- Data connection (random high port in PASV mode)
The error suggests the data connection is being blocked. Let's decode the PASV response:
227 Entering Passive Mode (162,243,89,203,209,5)
This translates to IP 162.243.89.203 with port number (209 * 256) + 5 = 53509
Your current iptables rules allow:
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:20
Rules for the passive mode ports are missing, though. Add these to your /etc/sysconfig/iptables, above any final REJECT rule:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 50000:51000 -j ACCEPT
-A OUTPUT -m state --state NEW -m tcp -p tcp --sport 50000:51000 -j ACCEPT
Add these directives to /etc/vsftpd/vsftpd.conf:
# Passive mode configuration
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=51000
# Your server's public IP (vsftpd does not accept a comment after a value on the same line)
pasv_address=162.243.89.203
pasv_promiscuous=NO
After making changes:
service iptables restart
service vsftpd restart
Test connectivity with the following, substituting the port from your most recent PASV reply:
telnet your.server.ip 53509
If you prefer active mode:
1. In FileZilla: Edit > Settings > Connection > FTP > Active mode
2. Configure iptables for active mode:
-A INPUT -p tcp --sport 20 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
Enable verbose logging in vsftpd.conf:
debug_ssl=YES
log_ftp_protocol=YES
syslog_enable=YES
Check logs in real time (with syslog_enable=YES, vsftpd sends this output to the system log instead of the file below):
tail -f /var/log/vsftpd.log
When working with FileZilla and vsftpd on CentOS 6, you might encounter a situation where authentication succeeds but directory listing fails with a timeout error. The key symptom appears in the log:
Command: PASV
Response: 227 Entering Passive Mode (162,243,89,203,209,5)
Command: LIST
Error: Connection timed out
The root cause typically lies in the passive mode FTP configuration. Unlike active mode, where the server initiates data connections, passive mode requires the client to connect to a server-specified port. The server responds with an IP and port combination (like 162,243,89,203,209,5, which translates to IP 162.243.89.203 and port 209 * 256 + 5 = 53509).
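The PASV decoding described in both passages above, as an added example (not code from the original page): it parses a 227 reply and flags an advertised port outside the firewalled range or an advertised address that differs from the control-connection address. The function names and the 10.0.0.5 sample reply are constructed for illustration.

```python
import ipaddress
import re

# Matches the (h1,h2,h3,h4,p1,p2) tuple inside a 227 reply.
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

def parse_pasv(reply):
    """Return (ip, port) from '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'."""
    if not reply.lstrip().startswith("227"):
        raise ValueError("not a 227 reply: %r" % reply)
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError("no (h1,h2,h3,h4,p1,p2) tuple in %r" % reply)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in %r" % reply)
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def diagnose(reply, control_ip, port_range):
    """Return (ip, port, findings); findings list why the data connection may fail."""
    ip, port = parse_pasv(reply)
    lo, hi = port_range
    findings = []
    if not lo <= port <= hi:
        findings.append("port %d is outside the firewalled range %d-%d" % (port, lo, hi))
    if ip != control_ip:
        findings.append("advertised IP %s differs from control IP %s" % (ip, control_ip))
    if ipaddress.ip_address(ip).is_private and not ipaddress.ip_address(control_ip).is_private:
        findings.append("advertised IP %s is private; set pasv_address" % ip)
    return ip, port, findings

if __name__ == "__main__":
    # Reply from the log above, checked against the two port ranges used on this page.
    reply = "227 Entering Passive Mode (162,243,89,203,209,5)"
    for rng in ((50000, 51000), (60000, 60100)):
        print(rng, diagnose(reply, "162.243.89.203", rng))
    # Constructed reply: a server behind NAT advertising its internal address.
    nat_reply = "227 Entering Passive Mode (10,0,0,5,195,80)"
    print(diagnose(nat_reply, "162.243.89.203", (50000, 51000)))
```

A reply that still falls outside the range after restarting vsftpd means the pasv_min_port/pasv_max_port settings were not picked up.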
Your current iptables rules only allow ports 20 and 21:
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:20
This is insufficient for passive mode, which uses random high-numbered ports. We need to either:
- Open a range of passive ports in firewall
- Configure vsftpd to use specific passive ports
First, edit your vsftpd configuration:
# Add these lines to /etc/vsftpd/vsftpd.conf
pasv_enable=YES
pasv_min_port=60000
pasv_max_port=60100
pasv_address=your.server.ip.address
Then update iptables to allow this range:
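# -I inserts at the top of INPUT; a rule appended with -A lands after a trailing REJECT rule (present in the CentOS 6 default ruleset) and never matches
iptables -I INPUT -p tcp --dport 60000:60100 -j ACCEPT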
service iptables save
service iptables restart
On CentOS 6, SELinux might block FTP access. Check status:
sestatus
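If enabled, you may need to adjust policies. Try ftp_home_dir first; allow_ftpd_full_access lifts SELinux confinement from the FTP daemon, so enable it only if the narrower boolean is not enough: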
setsebool -P ftp_home_dir on
setsebool -P allow_ftpd_full_access on
After making changes, restart vsftpd and test:
service vsftpd restart
In FileZilla, check the transfer settings:
- Go to Edit > Settings
- Select "Transfer" > "Active mode"
- Try both active and passive modes to identify which works
If passive mode proves problematic, you can force active mode in FileZilla:
Edit > Settings > Connection > FTP > Transfer Mode > Active
But this requires client-side firewall adjustments and isn't recommended for most scenarios.
Verify your complete vsftpd configuration includes these critical settings:
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
chroot_local_user=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
pasv_enable=YES
pasv_min_port=60000
pasv_max_port=60100
Remember to restart services after configuration changes:
service iptables restart
service vsftpd restart