15 January 2011
Posted in Linux & Server Administration
Setting up an FTP server on Amazon EC2 is pretty easy. In this example, we'll be setting up vsftpd on Oracle Enterprise Linux 5.5, but these instructions will apply with minor modification to almost any other Linux platform.
SSH into your instance as root, and install the vsftpd package using yum:
yum install vsftpd
Next, we have to edit the configuration file to prohibit anonymous users from logging in, and make sure that local users are allowed to upload and download files to their accounts. There are a couple of changes you'll probably have to make to /etc/vsftpd/vsftpd.conf.
First, disable anonymous access. Change the following line:
anonymous_enable=YES
to read:
anonymous_enable=NO
Second, make sure that local users are allowed to log in. (This is usually enabled by default.) Just make sure that the following line is in the file and not commented out:
local_enable=YES
The last mandatory change to vsftpd.conf is to specify which ports to use for passive mode. In passive mode the client opens the data connection to a port the server chooses, so if we don't specify a range, FTP clients that can't use active mode will not be able to establish data connections with the server. These lines typically don't exist in the configuration file by default. For this example, we're going to open up ports 14000 through 14050 for incoming passive connections.
pasv_enable=YES
pasv_min_port=14000
pasv_max_port=14050
port_enable=YES
If you're running an Amazon EC2 instance with an Elastic IP, you can tell vsftpd what address to send clients for passive connections. (You can also do this without an Elastic IP; just keep in mind that your external address will change when you boot up the instance. Reboots maintain the same external IP.) By default, vsftpd is going to tell the FTP client to use its Amazon private IP address to initiate passive connections, and that causes trouble.
You can set pasv_address to your public IP address, or set pasv_address to your public DNS name and pasv_addr_resolve to YES. This tells vsftpd to send this address to the client for passive connections. For an EC2 instance with a public IP address of 72.44.42.109 and a public DNS name of ec2-72-44-42-109.compute-1.amazonaws.com, you could use either of the following:
pasv_address=72.44.42.109
pasv_addr_resolve=NO
or:
pasv_address=ec2-72-44-42-109.compute-1.amazonaws.com
pasv_addr_resolve=YES
Next, we have to launch the vsftpd daemon to service requests:
service vsftpd start
or, if it's already running:
service vsftpd restart
If you want vsftpd to start on boot:
chkconfig vsftpd on
We also have to modify the iptables configuration so that FTP requests pass through the firewall, by adding rules to /etc/sysconfig/iptables. Don't forget that in addition to ports 20-21, we also have to open the port range for incoming passive connections. Add the following lines to the ACCEPT rule chain (before the DENY rule(s) at the end).
# Accept incoming FTP connections
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
# Allow active FTP
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -p tcp --dport 20 -j ACCEPT
# Open ports 14000-14050 for passive FTP
-A RH-Firewall-1-INPUT -p tcp --dport 14000:14050 -j ACCEPT
Restart iptables:
service iptables restart
Finally, you'll need to open up FTP access in your Security Group in the EC2 Management Console. For this, you'll want to open up ports 20-21 and ports 14000-14050. (Adjust the latter port range if you used a different range for passive connections.)
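The settings above live in two files that have to agree with each other: the passive range in vsftpd.conf, the pasv_address that vsftpd advertises, and the port range the firewall actually opens. The shell script below is an added example, not part of the original post or of vsftpd, that audits both files for the values this walkthrough sets: anonymous logins off, local logins on, a sane passive range, a pasv_address that is neither missing nor an RFC 1918 private address (the EC2 trap described above), the hostname/IP form paired with the matching pasv_addr_resolve value, and an iptables ACCEPT rule for port 21 and for exactly the passive range vsftpd uses. The file paths are arguments, the function names are my own, and the sample vsftpd.conf and iptables files are constructed inline for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: audit a vsftpd.conf and the
# matching iptables rules file for the settings this walkthrough relies on.
# Paths are arguments; the sample files below are constructed for the demo.

# Print the value of KEY ($2) from key=value file $1, ignoring '#' comment
# lines (last occurrence wins, as vsftpd itself takes the last setting).
conf_get() {
    grep -v '^[[:space:]]*#' "$1" | sed -n "s/^[[:space:]]*$2=//p" | tail -n 1
}

# Anonymous logins off, local logins on, passive mode on with a sane range.
check_vsftpd_conf() {
    _c=$1
    [ "$(conf_get "$_c" anonymous_enable)" = "NO" ] || { echo "anonymous_enable must be NO"; return 1; }
    [ "$(conf_get "$_c" local_enable)" = "YES" ]    || { echo "local_enable must be YES"; return 1; }
    [ "$(conf_get "$_c" pasv_enable)" = "YES" ]     || { echo "pasv_enable must be YES"; return 1; }
    _min=$(conf_get "$_c" pasv_min_port); _max=$(conf_get "$_c" pasv_max_port)
    for _p in "$_min" "$_max"; do
        case "$_p" in ''|*[!0-9]*) echo "pasv_min_port/pasv_max_port must be numeric"; return 1 ;; esac
    done
    # Unprivileged ports only, and min must not exceed max.
    [ "$_min" -ge 1024 ] && [ "$_max" -le 65535 ] && [ "$_min" -le "$_max" ] \
        || { echo "bad passive range $_min:$_max"; return 1; }
}

# pasv_address must be set (otherwise vsftpd advertises the EC2 private IP),
# must not itself be an RFC 1918 address, and must pair a hostname with
# pasv_addr_resolve=YES and an IP literal with pasv_addr_resolve=NO.
check_pasv_address() {
    _addr=$(conf_get "$1" pasv_address); _res=$(conf_get "$1" pasv_addr_resolve)
    [ -n "$_addr" ] || { echo "pasv_address not set"; return 1; }
    case "$_addr" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*)
            echo "pasv_address $_addr is a private address"; return 1 ;;
        *[!0-9.]*)
            [ "$_res" = "YES" ] || { echo "hostname needs pasv_addr_resolve=YES"; return 1; } ;;
        *)
            [ "${_res:-NO}" = "NO" ] || { echo "IP literal needs pasv_addr_resolve=NO"; return 1; } ;;
    esac
}

# Passive range in iptables --dport syntax, e.g. 14000:14050.
pasv_range() {
    echo "$(conf_get "$1" pasv_min_port):$(conf_get "$1" pasv_max_port)"
}

# 0 if rules file $1 has a tcp ACCEPT rule for port spec $2 (21 or 14000:14050).
iptables_accepts() {
    grep -v '^[[:space:]]*#' "$1" | grep -- '-p tcp' \
        | grep -E -- "--dport $2( |$)" | grep -q -- '-j ACCEPT'
}

# The firewall ($2) must open port 21 and exactly the passive range vsftpd.conf ($1) uses.
check_firewall_matches() {
    iptables_accepts "$2" 21 || { echo "port 21 not accepted"; return 1; }
    iptables_accepts "$2" "$(pasv_range "$1")" \
        || { echo "passive range $(pasv_range "$1") not accepted"; return 1; }
}

# --- constructed sample input (not copied from any real system) ---
SAMPLE_DIR=$(mktemp -d); trap 'rm -rf "$SAMPLE_DIR"' EXIT
GOOD_CONF=$SAMPLE_DIR/vsftpd.conf; RULES=$SAMPLE_DIR/iptables
cat > "$GOOD_CONF" <<'EOF'
anonymous_enable=NO
local_enable=YES
pasv_enable=YES
pasv_min_port=14000
pasv_max_port=14050
port_enable=YES
pasv_address=72.44.42.109
pasv_addr_resolve=NO
EOF
cat > "$RULES" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
# Accept incoming FTP connections
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
# Open ports 14000-14050 for passive FTP
-A RH-Firewall-1-INPUT -p tcp --dport 14000:14050 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF

# Variants that should fail: anonymous left on, a private address advertised,
# and a firewall range that drifted away from the vsftpd range.
ANON_CONF=$SAMPLE_DIR/anon.conf;   sed 's/^anonymous_enable=NO/anonymous_enable=YES/' "$GOOD_CONF" > "$ANON_CONF"
PRIV_CONF=$SAMPLE_DIR/priv.conf;   sed 's/^pasv_address=.*/pasv_address=10.0.1.7/' "$GOOD_CONF" > "$PRIV_CONF"
DRIFT_CONF=$SAMPLE_DIR/drift.conf; sed 's/14000/15000/;s/14050/15050/' "$GOOD_CONF" > "$DRIFT_CONF"

if check_vsftpd_conf "$GOOD_CONF" && check_pasv_address "$GOOD_CONF" \
   && check_firewall_matches "$GOOD_CONF" "$RULES"; then
    echo "OK: vsftpd.conf and iptables agree on passive range $(pasv_range "$GOOD_CONF")"
fi
```

On a real instance you would run the three check functions against /etc/vsftpd/vsftpd.conf and /etc/sysconfig/iptables instead of the constructed files; the Security Group range is not a file on the box, so compare it by hand against the printed passive range.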

Test your new FTP server by connecting with your favorite FTP client. Any problems? Feel free to leave a comment or Contact Us.
Comments (11)
Chris
However, I couldn't find /etc/sysconfig/iptables. I am using Ubuntu, so where should I find it?
Thanks.
John Hobart
Modern distributions of Ubuntu use ufw. Docs for ufw can be found here:
https://help.ubuntu.com/community/UFW
Murta
didn't work...
John Hobart
Depending on your OS you might be using a different firewall.
What OS are you on?
John
Mike
John Hobart
What OS are you using? This tutorial is for RedHat/Fedora or Oracle Linux.
If you're sure you're using iptables for the firewall, paste the contents of /etc/sysconfig/iptables in here or email it to me at jhobart at synergycode.com. I'd be happy to look at it.
Cheers.
Tony Landa
sudo vi /etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [144:12748]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
# Accept incoming FTP connections
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
# Allow active FTP
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -p tcp --dport 20 -j ACCEPT
# Open ports 14000-14050 for passive FTP
-A RH-Firewall-1-INPUT -p tcp --dport 14000:14050 -j ACCEPT
COMMIT
Disclaimer: I am not a firewall or security expert. This was just the solution I was able to figure out after reading several docs online.
Most important was this one: http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables
John Hobart
My personal favorite walkthrough for iptables is, ironically enough, in the Ubuntu documentation Wiki. The stock documentation can be a little intimidating to say the least.
Anyway, here's my favorite tutorial (so far):
https://help.ubuntu.com/community/IptablesHowTo
Carlos
Cheers
John Hobart
Glad to hear it! Thanks for the feedback.
John
Emir Emiroglu
I tried these instructions but after editing iptable file I tried to restart and got this error:
iptables: Applying firewall rules: iptables-restore: line 2 failed
[FAILED]
What does it mean?
Kind regards,