Directory listings slow with ftp server and CentOS
Posted April 23rd, 2008 in Linux/Unix/BSD
I recently installed the vsftpd FTP server onto a CentOS box that has a fairly tight firewall setup script using iptables. When I logged in to test it and issued an "ls -l" command, it took a really long time for the directory listing to come back. At first I thought it wasn't going to show the directory listing at all, but it finally did. This post looks at the solution to the problem. The notes in this post also apply to vsftpd on Red Hat Enterprise Linux, which CentOS is based on.
First, we'll look at the basics of setting up vsftpd, the firewall rule I added, and then the solution to the problem.
Installing VSFtpd
Installing VSFtpd from the command line is as simple as this:
yum install vsftpd
To start it now:
/etc/init.d/vsftpd start
and to have vsftpd run automatically when the system starts:
chkconfig vsftpd on
Firewall rule
I added the following rule to my custom firewall script. We only allow FTP access to this particular server from a very few static IP addresses so there's a line for each IP address as in the following example:
iptables -A INPUT -p tcp --dport 21 -s 192.168.1.10 -j ACCEPT
I then restarted the firewall and attempted to connect to the server using a command line FTP program. I was able to connect, but it was when trying to get a directory listing using "ls -l" that nothing appeared to be happening.
The solution
The solution turns out to be very simple: add the following line to the /etc/sysconfig/iptables-config firewall configuration file:
IPTABLES_MODULES="ip_conntrack_ftp"
This loads the FTP connection-tracking helper. The helper watches the FTP control connection on port 21 and lets the firewall accept the separate data connection that a directory listing or file transfer uses, which is why the listing hangs without it even though port 21 itself is open.
and then restart iptables like so:
/etc/init.d/iptables restart
When iptables restarts you'll see output similar to the following:
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: [ OK ]
Loading additional iptables modules: ip_conntrack_ftp [ OK ]
That last line shows that the ftp module has been loaded into iptables. I then re-ran my custom iptables script and could now log in successfully and get a directory listing etc.
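The following shell script is an added example and is not part of the original post. It illustrates two things: the arithmetic the conntrack helper performs when it reads the server's "227 Entering Passive Mode" reply to learn which dynamic data port to allow, and a quick check of whether an iptables-config file actually loads the helper. The 227 reply and the config file contents are constructed sample data; nf_conntrack_ftp is included in the check as the module name used by later kernels (an assumption about systems other than the one in this post).

```sh
#!/bin/sh
# Added example, not from the original post. Shows why a plain
# "--dport 21" rule is not enough for FTP and how to check that the
# connection-tracking helper is configured.

# In passive mode the server picks a data port and announces it in a
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply. The data port is
# p1*256 + p2. Without the ip_conntrack_ftp helper the firewall never
# learns this port, the client's data connection is dropped, and "ls -l"
# hangs. This function does the same calculation the helper does.
pasv_data_port() {
    # keep only the comma-separated tuple between the parentheses
    tuple=$(printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p')
    [ -n "$tuple" ] || return 1
    p1=$(printf '%s\n' "$tuple" | cut -d, -f5)
    p2=$(printf '%s\n' "$tuple" | cut -d, -f6)
    echo $((p1 * 256 + p2))
}

# Return success if the given iptables-config file loads the FTP helper.
# ip_conntrack_ftp is the module name on CentOS/RHEL kernels of the era;
# nf_conntrack_ftp is the name on later kernels (assumption, see lead-in).
ftp_helper_configured() {
    grep -E '^IPTABLES_MODULES=.*(ip_conntrack_ftp|nf_conntrack_ftp)' "$1" >/dev/null
}

# --- demonstration on constructed input ---
reply='227 Entering Passive Mode (192,168,1,20,195,80)'   # constructed reply
echo "data port announced by server: $(pasv_data_port "$reply")"

cfg=$(mktemp)
printf 'IPTABLES_MODULES="ip_conntrack_ftp"\n' > "$cfg"    # constructed config
if ftp_helper_configured "$cfg"; then
    echo "FTP conntrack helper is configured"
else
    echo "FTP conntrack helper is NOT configured: passive data connections will be dropped"
fi
rm -f "$cfg"
```

Run the check against the real /etc/sysconfig/iptables-config to confirm the setting survived an edit; the helper only takes effect after iptables is restarted, so `lsmod | grep conntrack_ftp` is the final confirmation that the module is actually loaded.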
Additional firewall rules
One post I read on this issue suggested a whole bunch of extra firewall rules, but I didn't seem to need them. Simply adding the above line and restarting iptables did the trick.
