Pure-FTPd/cPanel on Amazon VPC/EC2

I have recently been testing the viability of migrating our datacenter instances into an Amazon VPC/EC2 environment.

Because of the way Amazon's NAT architecture works, a few services need to be configured slightly differently to work properly. I was experiencing issues connecting to the Pure-FTPd service on an instance running in VPC. I could connect just fine using ACTIVE mode in my FTP client, but kept getting rejected when trying to use PASSIVE mode. In passive mode the server tells the client which IP and port to connect back to, so behind NAT it must advertise the public (Elastic) IP and a port range the firewall allows.

Here is the solution.

SSH into your instance as root.

# cp /etc/pure-ftpd.conf /etc/pure-ftpd.conf.backup
# nano /etc/pure-ftpd.conf

Find the following block:

# Port range for passive connections replies. - for firewalling.

# PassivePortRange          30000 50000

# Force an IP address in PASV/EPSV/SPSV replies. - for NAT.
# Symbolic host names are also accepted for gateways with dynamic IP
# addresses.

# ForcePassiveIP                192.168.0.1

Uncomment PassivePortRange and ForcePassiveIP, and replace the example address (192.168.0.1) with your instance's external Elastic IP. Your result should look something like this.

# Port range for passive connections replies. - for firewalling.

PassivePortRange          30000 50000

# Force an IP address in PASV/EPSV/SPSV replies. - for NAT.
# Symbolic host names are also accepted for gateways with dynamic IP
# addresses.

ForcePassiveIP                123.123.123.123

Save and close the file.

Restart the Pure-FTPd service:

# service pure-ftpd restart

Now we need to modify the iptables rules so that incoming connections to the PassivePortRange are allowed.

# cp /etc/sysconfig/iptables /etc/sysconfig/iptables.backup
# nano /etc/sysconfig/iptables

Add the following lines at the end of the file, before the COMMIT line. The port range must match the PassivePortRange you set in pure-ftpd.conf.

# Passive FTP Fix (NAT/AWS Configuration)
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 30000:50000 -j ACCEPT

Save and close the file.

Restart the iptables service:

# service iptables restart

Log into your AWS console and modify the Security Group associated with the instance you have been modifying. Under the INBOUND tab, add a new rule with the following parameters. The port range must again match PassivePortRange; if your FTP users connect from known addresses, narrow the Source accordingly instead of opening it to everyone.

Create a new rule: Custom TCP Rule
Port range: 30000-50000
Source: 0.0.0.0/0

Click Add Rule, then Apply Rule Changes.

You should now be able to connect using PASSIVE mode with any FTP client without an issue.
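Before testing with a client, it is worth checking that the two local edits agree with each other: the passive range in pure-ftpd.conf must be fully covered by an ACCEPT rule in the iptables file, and ForcePassiveIP must be a public address rather than a private or loopback one. The following checker is an added example written for this post, not part of Pure-FTPd or cPanel; the two file contents are constructed samples reflecting the edits above.

```python
import ipaddress
import re

# Constructed sample of pure-ftpd.conf after the edits described above
PURE_FTPD_CONF = """\
# Port range for passive connections replies. - for firewalling.
PassivePortRange          30000 50000
# Force an IP address in PASV/EPSV/SPSV replies. - for NAT.
ForcePassiveIP                123.123.123.123
"""

# Constructed sample of /etc/sysconfig/iptables after the edits described above
IPTABLES_RULES = """\
*filter
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
# Passive FTP Fix (NAT/AWS Configuration)
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 30000:50000 -j ACCEPT
COMMIT
"""

def parse_pure_ftpd(text):
    """Return (low, high, forced_ip) from the active (uncommented) directives."""
    low = high = forced = None
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue  # commented-out defaults do not count as configured
        if parts[0] == "PassivePortRange" and len(parts) == 3:
            low, high = int(parts[1]), int(parts[2])
        elif parts[0] == "ForcePassiveIP" and len(parts) == 2:
            forced = parts[1]
    return low, high, forced

def accepted_tcp_ranges(text):
    """Collect (low, high) for every TCP ACCEPT rule that names a --dport."""
    pat = re.compile(r"--dport (\d+)(?::(\d+))?.*-j ACCEPT")
    ranges = []
    for line in text.splitlines():
        m = pat.search(line) if line.startswith("-A") and "-p tcp" in line else None
        if m:
            lo = int(m.group(1))
            ranges.append((lo, int(m.group(2) or lo)))
    return ranges

def check(conf_text, ipt_text):
    """Return a list of problems; an empty list means the setup is consistent."""
    problems = []
    low, high, forced = parse_pure_ftpd(conf_text)
    if low is None:
        problems.append("PassivePortRange is not set (still commented out?)")
    if forced is None:
        problems.append("ForcePassiveIP is not set")
    elif not ipaddress.ip_address(forced).is_global:
        problems.append(f"ForcePassiveIP {forced} is not a public address")
    if low is not None and not any(lo <= low and high <= hi
                                   for lo, hi in accepted_tcp_ranges(ipt_text)):
        problems.append(f"iptables does not ACCEPT the full passive range {low}:{high}")
    return problems
```

Run it against the real files by reading /etc/pure-ftpd.conf and /etc/sysconfig/iptables into the two arguments of check(); an empty result means only the Security Group step remains to verify. The address check assumes ForcePassiveIP holds a literal IP (symbolic hostnames, which Pure-FTPd also accepts, would need resolving first).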