I’ve recently been testing the viability of migrating our datacenter instances into an Amazon VPC/EC2 environment. Due to the nature of Amazon’s NAT architecture, a few services need to be configured slightly differently to work properly. I was experiencing issues connecting to the Pure-FTPd service on an instance running in VPC. I could connect just fine using `ACTIVE` mode in my FTP client but would continue getting rejected when trying to use `PASSIVE` mode. Here is the solution.

SSH into your instance as `root`.

```shell
# cp /etc/pure-ftpd.conf /etc/pure-ftpd.conf.backup
# nano /etc/pure-ftpd.conf
```

Find the following block:

```shell
# Port range for passive connections replies. - for firewalling.

# PassivePortRange 30000 50000

# Force an IP address in PASV/EPSV/SPSV replies. - for NAT.
# Symbolic host names are also accepted for gateways with dynamic IP
# addresses.

# ForcePassiveIP 192.168.0.1
```

Uncomment `PassivePortRange` and `ForcePassiveIP` and replace the sample address with your external Elastic IP. Your result should look something like this:

```shell
# Port range for passive connections replies. - for firewalling.

PassivePortRange 30000 50000

# Force an IP address in PASV/EPSV/SPSV replies. - for NAT.
# Symbolic host names are also accepted for gateways with dynamic IP
# addresses.

ForcePassiveIP 123.123.123.123
```

Save and close the file.

Restart the Pure-FTPd service:

```shell
# service pure-ftpd restart
```

Now we need to modify the `iptables` rules to allow incoming connections to the `PassivePortRange`.

```shell
# cp /etc/sysconfig/iptables /etc/sysconfig/iptables.backup
# nano /etc/sysconfig/iptables
```

Add the following lines to the end of the file but **before** the `COMMIT` line.

```shell
# Passive FTP Fix (NAT/AWS Configuration)
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 30000:50000 -j ACCEPT
```

Save and close the file.

Restart the iptables service:

```shell
# service iptables restart
```

Log into your AWS console and modify the Security Group associated with the instance you have been modifying. Under the `INBOUND` tab add a new rule with the following parameters.

- **Create a new rule:** `Custom TCP Rule`
- **Port range:** `30000-50000`
- **Source:** `0.0.0.0/0`

Click `Add Rule` and then `Apply Rule Changes`.

You should now be able to connect using `PASSIVE` mode with any FTP client without an issue.
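To confirm the fix from the client side, compare the `227` reply your FTP client logs in passive mode against the two settings edited above: behind VPC NAT the instance only knows its private address, so an unconfigured server advertises one the client cannot reach. The following check is an added example, not part of the original post; the function names, the sample replies and the private address `10.0.1.25` are constructed for illustration.

```python
import ipaddress
import re

# RFC 959 reply format: 227 <text> (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227 .*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

# Constructed samples: the config lines before and after the edit, and two replies.
CONF_BEFORE = "# PassivePortRange 30000 50000\n# ForcePassiveIP 192.168.0.1\n"
CONF_AFTER = "PassivePortRange 30000 50000\nForcePassiveIP 123.123.123.123\n"
REPLY_BEFORE = "227 Entering Passive Mode (10,0,1,25,200,21)"
REPLY_AFTER = "227 Entering Passive Mode (123,123,123,123,136,184)"


def read_passive_settings(conf_text):
    """Return (ForcePassiveIP, (low, high)); a commented-out setting yields None."""
    forced_ip, port_range = None, None
    for line in conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 2 and fields[0] == "ForcePassiveIP":
            forced_ip = fields[1]
        elif len(fields) == 3 and fields[0] == "PassivePortRange":
            port_range = (int(fields[1]), int(fields[2]))
    return forced_ip, port_range


def check_pasv_reply(reply, conf_text):
    """Return the list of problems in a 227 reply, judged against the config."""
    match = PASV_RE.match(reply.strip())
    if not match:
        return ["not a 227 passive-mode reply"]
    fields = [int(g) for g in match.groups()]
    if max(fields) > 255:
        return ["address or port field out of range"]
    ip = ipaddress.ip_address(".".join(str(f) for f in fields[:4]))
    port = fields[4] * 256 + fields[5]  # data port = p1 * 256 + p2
    forced_ip, port_range = read_passive_settings(conf_text)
    problems = []
    if ip.is_private:
        problems.append(f"{ip} is a private address, unreachable from outside the VPC")
    if forced_ip is None:
        problems.append("ForcePassiveIP is not set")
    elif forced_ip != str(ip):  # literal IPs only; host names are not resolved here
        problems.append(f"reply advertises {ip}, config forces {forced_ip}")
    if port_range is None:
        problems.append("PassivePortRange is not set")
    elif not port_range[0] <= port <= port_range[1]:
        problems.append(f"port {port} is outside {port_range[0]}-{port_range[1]}")
    return problems
```

An empty list means the advertised address and data port match what the server config, the `iptables` rule and the Security Group rule all expect.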