Directory listings slow with ftp server and CentOS
Posted April 23rd, 2008 in Linux/Unix/BSD (Updated October 10th, 2009)
I recently installed the vsftpd FTP Server onto a CentOS box and have a fairly tight firewall setup script using iptables. When I logged in to test it and issued an "ls -l" command it took a really long time for the directory listing to come back. At first I thought it wasn't going to show the directory listing at all but it finally did. This post looks at the solution to the problem. The notes in this post will also apply to vsftpd on Red Hat Enterprise Linux which CentOS is based on.
Installing VSFtpd
First, we'll look at the basics of setting up vsftpd, the firewall rule I added, and then the solution to the problem.
Installing VSFtpd from the command line is as simple as this:
yum install vsftpd
To start it now:
/etc/init.d/vsftpd start
and to have vsftpd run automatically when the system starts:
chkconfig vsftpd on
Firewall rule
I added the following rule to my custom firewall script. We only allow FTP access to this particular server from a very few static IP addresses so there's a line for each IP address as in the following example:
iptables -A INPUT -p tcp --dport 21 -s 192.168.1.10 -j ACCEPT
I then restarted the firewall and attempted to connect to the server using a command line FTP program. I was able to connect, but it was when trying to get a directory listing using "ls -l" that nothing appeared to be happening.
The solution
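The solution turns out to be very simple. FTP sends directory listings over a separate data connection, which the port 21 rule above does not cover; the ip_conntrack_ftp module lets netfilter's connection tracking recognise that data connection as related to the control session on port 21. Add the following line to the /etc/sysconfig/iptables-config firewall configuration file: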
IPTABLES_MODULES="ip_conntrack_ftp"
and then restart iptables like so:
/etc/init.d/iptables restart
When iptables restarts you'll see output similar to the following:
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: [ OK ]
Loading additional iptables modules: ip_conntrack_ftp [ OK ]
That last line shows that the ftp module has been loaded into iptables. I then re-ran my custom iptables script and could now log in successfully and get a directory listing etc.
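An added example, not part of the original post: a shell helper that merges ip_conntrack_ftp into an existing IPTABLES_MODULES value rather than adding a second line that would replace other modules, and keeps a .bak copy of the file first. The function names and the sample file contents are assumptions made for illustration; to use it for real, call ensure_ftp_helper on /etc/sysconfig/iptables-config as root.

```shell
#!/bin/sh
# Added example: merge the FTP conntrack helper into IPTABLES_MODULES
# without dropping modules that are already listed there.

MODULE="ip_conntrack_ftp"   # module name taken from the post

# Print the value of the last uncommented IPTABLES_MODULES line (empty if none).
current_modules() {
    sed -n 's/^IPTABLES_MODULES="\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1" |
        tail -n 1
}

# Make sure $MODULE is listed in config file $1.
# Returns 0 if the file was changed, 1 if it already listed the module.
ensure_ftp_helper() {
    conf=$1
    mods=$(current_modules "$conf")
    case " $mods " in
        *" $MODULE "*) return 1 ;;
    esac
    cp -p "$conf" "$conf.bak"            # copy to roll back to
    if grep -q '^IPTABLES_MODULES=' "$conf"; then
        new=$(echo "$mods $MODULE" | sed 's/^ *//')
        sed "s/^IPTABLES_MODULES=.*/IPTABLES_MODULES=\"$new\"/" "$conf.bak" > "$conf"
    else
        printf 'IPTABLES_MODULES="%s"\n' "$MODULE" >> "$conf"
    fi
}

# Demo on a constructed sample file, not the real /etc/sysconfig/iptables-config.
demo() {
    tmp=$(mktemp)
    printf '%s\n' '# constructed sample' \
        'IPTABLES_MODULES="ip_conntrack_netbios_ns"' \
        'IPTABLES_SAVE_ON_STOP="no"' > "$tmp"
    ensure_ftp_helper "$tmp" && current_modules "$tmp"
    rm -f "$tmp" "$tmp.bak"
}

demo
```

After the helper reports a change, restart iptables as described above and check that the module appears in the "Loading additional iptables modules" line.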
Additional firewall rules
One post I read looking at this issue suggested a whole bunch of extra firewall rules, but I didn't seem to need them. Simply adding the above line and restarting iptables seemed to do the trick.
Update October 10th 2009
Jon Dean emailed me yesterday to let me know the following:
"I thought I'd let you know that I created a post on my website linking to this article with some additional information. My problem was that my iptables config wasn't complete enough for all of the rules that were active on my system. (My guess is that Plesk or some other application set up those rules for me.) So I just added two steps for backing up and then restoring your current iptables rules."
You can read Jon's post titled "Fixing slow FTP listing on CentOS 5.3 and safely reloading iptables config" for more details.
