I’ve recently been testing the viability of migrating our datacenter instances into an Amazon VPC/EC2 environment.
Because of the way Amazon's NAT works, a few services need to be configured slightly differently to work properly. An instance in a VPC only knows its private address; the public Elastic IP is a 1:1 NAT mapping applied at the Internet gateway, so any service that embeds its own address in the protocol will advertise the wrong one. FTP in `PASSIVE` mode does exactly that: the server's `227` reply tells the client which IP and port to open the data connection to. I was experiencing issues connecting to the Pure-FTPd service on an instance running in VPC. I could connect just fine using `ACTIVE` mode in my FTP client but kept getting rejected when trying to use `PASSIVE` mode.
Here is the solution.
SSH into your instance as `root` and back up the config before editing it.
```shell
# cp /etc/pure-ftpd.conf /etc/pure-ftpd.conf.backup
# nano /etc/pure-ftpd.conf
```
Find the following block:
```shell
# Port range for passive connections replies. - for firewalling.
# PassivePortRange 30000 50000
# Force an IP address in PASV/EPSV/SPSV replies. - for NAT.
# Symbolic host names are also accepted for gateways with dynamic IP
# addresses.
# ForcePassiveIP 192.168.0.1
```
Uncomment `PassivePortRange` and `ForcePassiveIP`, and replace `192.168.0.1` with the Elastic IP attached to the instance (not the instance's private `10.x` address). Keep the port range in mind: the same range has to be opened in `iptables` and in the Security Group below, and a narrower range (a few hundred ports is plenty for a small server) means fewer ports exposed. Your result should look something like this.
```shell
# Port range for passive connections replies. - for firewalling.
PassivePortRange 30000 50000
# Force an IP address in PASV/EPSV/SPSV replies. - for NAT.
# Symbolic host names are also accepted for gateways with dynamic IP
# addresses.
ForcePassiveIP 123.123.123.123
```
Save and close the file.
Restart the Pure-FTPd service:
```shell
# service pure-ftpd restart
```
Now we need to modify the `iptables` rules to allow incoming connections to the `PassivePortRange`; without this, the server advertises a data port that the host firewall then rejects.
```shell
# cp /etc/sysconfig/iptables /etc/sysconfig/iptables.backup
# nano /etc/sysconfig/iptables
```
Add the following lines to the end of the file but **before** the `COMMIT` line. The chain name must match the chain your file already sends inbound traffic to (the rule below uses `cP-Firewall-1-INPUT`; if your file has no custom chain, use `INPUT`), and the port range must match `PassivePortRange` exactly.
```shell
# Passive FTP Fix (NAT/AWS Configuration)
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 30000:50000 -j ACCEPT
```
Save and close the file.
Restart the iptables service:
```shell
# service iptables restart
```
Log into your AWS console and modify the Security Group associated with the instance you have been modifying. Under the `INBOUND` tab add a new rule with the following parameters.
**Create a new rule:** `Custom TCP Rule`
**Port range:** `30000-50000`
**Source:** `0.0.0.0/0`
`Add Rule` and `Apply Rule Changes`.
A source of `0.0.0.0/0` exposes the whole passive range to the Internet; if your clients come from known addresses, restrict the source to those ranges instead. Also remember that plain FTP sends credentials and data in clear text, so consider enabling Pure-FTPd's `TLS` option in `pure-ftpd.conf` if the server is reachable from outside your network.
You should now be able to connect using `PASSIVE` mode with any FTP client without an issue. To confirm, log in with a verbose client (for example `curl -v --ftp-pasv ftp://user@123.123.123.123/`) and check that the `227 Entering Passive Mode (...)` reply carries the Elastic IP rather than the private address, and that the port it encodes falls inside the range you opened.
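The check described in the previous paragraph, scripted so it can be run against the server's `227` reply. This is an added example, not code from the original post or from the Pure-FTPd project; the expected IP `123.123.123.123`, the range `30000-50000` and the sample reply lines are constructed to match the configuration above and are assumptions you should replace with your own values. It decodes the PASV tuple (`a,b,c,d,p1,p2` means address `a.b.c.d`, port `p1*256+p2`) and flags the two failure modes this fix addresses: a leaked private address (`ForcePassiveIP` not in effect) and a port outside the opened range (`PassivePortRange` not in effect).

```shell
#!/bin/sh
# Added example: validate a Pure-FTPd PASV (227) reply against the
# ForcePassiveIP / PassivePortRange settings applied above.
# Defaults are assumptions matching the post; override via environment.
EXPECTED_IP="${EXPECTED_IP:-123.123.123.123}"
PORT_MIN="${PORT_MIN:-30000}"
PORT_MAX="${PORT_MAX:-50000}"

# pasv_endpoint "227 Entering Passive Mode (a,b,c,d,p1,p2)"
# Prints "a.b.c.d PORT" where PORT = p1*256 + p2; returns 2 if no tuple.
pasv_endpoint() {
    tuple=$(printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p')
    [ -n "$tuple" ] || return 2
    # Split the six comma-separated fields into $1..$6
    set -- $(printf '%s' "$tuple" | tr ',' ' ')
    [ $# -eq 6 ] || return 2
    echo "$1.$2.$3.$4 $(( $5 * 256 + $6 ))"
}

# pasv_check REPLY: returns 0 if the advertised IP is EXPECTED_IP and the
# port is within PORT_MIN..PORT_MAX; 1 on a mismatch; 2 if unparsable.
pasv_check() {
    endpoint=$(pasv_endpoint "$1") || {
        echo "FAIL: no PASV tuple in reply: $1" >&2
        return 2
    }
    ip=${endpoint% *}
    port=${endpoint#* }
    status=0
    if [ "$ip" != "$EXPECTED_IP" ]; then
        echo "FAIL: server advertised $ip, expected $EXPECTED_IP (ForcePassiveIP not in effect?)" >&2
        status=1
    fi
    if [ "$port" -lt "$PORT_MIN" ] || [ "$port" -gt "$PORT_MAX" ]; then
        echo "FAIL: advertised port $port is outside $PORT_MIN-$PORT_MAX (PassivePortRange not in effect?)" >&2
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: passive data channel $ip:$port"
    return $status
}

# Constructed sample replies (not captured from a real server):
GOOD_REPLY='227 Entering Passive Mode (123,123,123,123,117,48)'      # EIP, port 30000
LEAKED_PRIVATE='227 Entering Passive Mode (10,0,1,25,117,48)'        # private VPC address
OUT_OF_RANGE='227 Entering Passive Mode (123,123,123,123,195,81)'    # port 50001
NO_DATA_CHANNEL='425 Cannot open data connection'                     # not a PASV reply

# Run the checks when executed directly; failures are reported, not fatal.
for reply in "$GOOD_REPLY" "$LEAKED_PRIVATE" "$OUT_OF_RANGE" "$NO_DATA_CHANNEL"; do
    pasv_check "$reply" || true
done
```

In practice you feed `pasv_check` the `227` line from your client's verbose output (`curl -v` prints it prefixed with `< `); a `FAIL` naming the private address means the restart of Pure-FTPd did not pick up `ForcePassiveIP`, and a port outside the range means the config and the firewall/Security Group rules have drifted apart.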