Securing VSFTPD
To make sure VSFTPD plays nicely with IPTABLES
Make sure the following is set in /etc/vsftpd/vsftpd.conf:
# Turn on SSL
# NOTE: the force_local_*_ssl directives below only take effect when ssl_enable=YES
ssl_enable=no
# Allow anonymous users to use secured SSL connections
allow_anon_ssl=NO
# All non-anonymous logins are forced to use a secure SSL connection in order to
# send and receive data on data connections.
force_local_data_ssl=yes
# All non-anonymous logins are forced to use a secure SSL connection in order to send the password.
force_local_logins_ssl=no
# Permit TLS v1 protocol connections. TLS v1 connections are preferred
#ssl_tlsv1=YES
# Permit SSL v2 protocol connections. TLS v1 connections are preferred
#ssl_sslv2=YES
# Permit SSL v3 protocol connections. TLS v1 connections are preferred
#ssl_sslv3=YES
# Specifies the location of the RSA certificate to use for SSL encrypted connections
rsa_cert_file=/etc/vsftpd/vsftpd.pem
require_ssl_reuse=NO
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=002
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=no
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
chroot_local_user=YES
#chroot_list_enable=YES
#chroot_list_file=/etc/vsftpd/chroot_list
# NOTE: vsftpd refuses to start with a writable chroot root by default; this
# directive overrides that check, so keep each user's home directory root
# non-writable where you can.
allow_writeable_chroot=YES
pam_service_name=vsftpd
userlist_enable=YES
listen=YES
#implicit_ssl=YES
#listen_port=990
tcp_wrappers=YES
### the following two lines limit passive FTP to a fixed port range,
### which is what lets the firewall rules below be this narrow
pasv_max_port=4040
pasv_min_port=4000
If you are using iptables, add the following lines to /etc/sysconfig/iptables (port 21 for the control connection, 4000-4040 for the passive data connections):
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 4000:4040 -j ACCEPT
If you are using firewalld (the commands below are firewall-cmd, not ipchains):
firewall-cmd --zone=public --add-port=4000-4040/tcp --permanent
firewall-cmd --zone=public --add-service=ftp --permanent
firewall-cmd --reload
Passive FTP is now enabled, with data connections confined to ports 4000-4040 and the firewall opened only for that range plus port 21.
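The following audit script is an added example, not part of the original page: it reads a vsftpd.conf, flags the settings discussed above (passive range missing or inverted, force_local_*_ssl set while ssl_enable is not YES, a writable chroot), and checks that a firewall port range such as 4000:4040 or 4000-4040 matches the pasv range. It assumes a POSIX sh with sed, tail, tr and mktemp; the sample config it writes is constructed here and mirrors the page's settings.

```shell
#!/bin/sh
# Added audit helper (not from the original page): lint a vsftpd.conf for the
# settings discussed above and compare a firewall port range to the pasv range.
# conf_get FILE KEY: last uncommented value of KEY, lower-cased ("" if unset).
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | tr 'A-Z' 'a-z' | tr -d '[:space:]'
}
# check_vsftpd_conf FILE: prints one finding per line; exit status = count.
check_vsftpd_conf() {
    f=$1; n=0
    min=$(conf_get "$f" pasv_min_port); max=$(conf_get "$f" pasv_max_port)
    if [ -z "$min" ] || [ -z "$max" ]; then
        echo "no pasv_min_port/pasv_max_port: data ports are unpredictable"; n=$((n+1))
    elif [ "$min" -gt "$max" ]; then
        echo "pasv_min_port $min is above pasv_max_port $max"; n=$((n+1))
    fi
    if [ "$(conf_get "$f" ssl_enable)" != "yes" ]; then
        for k in force_local_data_ssl force_local_logins_ssl; do
            if [ "$(conf_get "$f" $k)" = "yes" ]; then
                echo "$k=YES has no effect while ssl_enable is not YES"; n=$((n+1))
            fi
        done
    fi
    if [ "$(conf_get "$f" chroot_local_user)" = "yes" ] &&
       [ "$(conf_get "$f" allow_writeable_chroot)" = "yes" ]; then
        echo "allow_writeable_chroot=YES: chrooted users can write their root"; n=$((n+1))
    fi
    return $n
}
# pasv_range_matches FILE RANGE: RANGE is "lo:hi" (iptables) or "lo-hi"
# (firewall-cmd); succeeds only if it equals the pasv range in FILE.
pasv_range_matches() {
    lo=${2%%[-:]*}; hi=${2##*[-:]}
    [ "$lo" = "$(conf_get "$1" pasv_min_port)" ] &&
    [ "$hi" = "$(conf_get "$1" pasv_max_port)" ]
}
# write_sample_conf FILE: constructed sample mirroring the page's settings.
write_sample_conf() {
    printf '%s\n' 'ssl_enable=no' 'force_local_data_ssl=yes' \
        'force_local_logins_ssl=no' 'anonymous_enable=NO' 'chroot_local_user=YES' \
        'allow_writeable_chroot=YES' '#listen_port=990' 'pasv_max_port=4040' \
        'pasv_min_port=4000' > "$1"
}
tmp=$(mktemp); write_sample_conf "$tmp"
check_vsftpd_conf "$tmp" || echo "$? finding(s) in sample config"
pasv_range_matches "$tmp" 4000:4040 && echo "iptables range 4000:4040 matches pasv range"
rm -f "$tmp"
```

Run it against the real file with `write_sample_conf` replaced by `/etc/vsftpd/vsftpd.conf`; a non-zero exit status means at least one finding was printed.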