ANSWER:

You cannot get passive mode working because the FTP server is giving the client its internal IP address (EC2 instances are behind a NAT). Hence the client timeout while trying to connect to the (unroutable…) private address.

If you want to solve the problem server side (thus be able to use passive mode also, not only active mode), should be enough to set the server to actively retrieve his external IP address. For further informations, see http://wiki.filezilla-project.org/Network_Configuration#Passive_mode_2.

Using passive mode can be useful if the client is behind a NAT router not smart enough to understand that an FTP session is starting and an incoming connection to a negotiated PORT has to be accepted.

Useful resource: http://www.ncftp.com/ncftpd/doc/misc/ftp_and_firewalls.html#TwoTypes

by meden from http://serverfault.com/questions/400479