Old 11-06-2009, 05:34 PM   #1
lucasito
LQ Newbie
 
Registered: Nov 2009
Posts: 3

Rep: Reputation: 0
FTP between two linux systems inside a LAN


Hi.
I have searched for hours and didn't find something which is surely not so complicated.

I want to transfer files between my two computers (both linux Fedora) via ftp. I don't have any interest in remote access from outside into my lan. I can access remote ftp machines from both machines.

I have installed vsftpd on both. I can do ftp on localhost without problems.

When I try to do ftp on the other machine, I always get "no route to host".

I can do ssh on the other machine from both machines.

I have no idea about firewalls, iptables and so on, so I need simple instructions, please (do this, do that, but please no theoretical things).

My network:
Machine 1: walter (192.168.2.10), fedora 9
Machine 2: egon (192.168.2.11), fedora 10
I have a modem-router Siemens, both are wire connected to the router.

Thank you very much.
 
Old 11-06-2009, 05:58 PM   #2
wfh
Member
 
Registered: Sep 2009
Location: Northern California
Distribution: Ubuntu Debian CentOS RHEL Suse
Posts: 164

Rep: Reputation: 44
Quote:
Originally Posted by lucasito View Post
I can do ssh on the other machine from both machines.

I have no idea about firewalls, iptables and so on, so I need simple instructions
Simple instructions:

http://www.linuxhomenetworking.com/w...atus_of_VSFTPD

If this doesn't work, we can try looking at your firewall.

Install 'nmap'

Then do the following *FROM BOTH MACHINES*:

Code:
nmap -sT -P0 192.168.2.10 port 20-21
nmap -sT -P0 192.168.2.11 port 20-21
Then please post the results from each scan.
 
Old 11-06-2009, 06:03 PM   #3
bartonski
Member
 
Registered: Jul 2006
Location: Louisville, KY
Distribution: Fedora 12, Slackware, Debian, Ubuntu Karmic, FreeBSD 7.1
Posts: 443
Blog Entries: 1

Rep: Reputation: 48
"no route to host" is a generic message indicating a network issue; it's not specific to FTP.

Run "/sbin/ifconfig" on both machines. Post results.

On each machine, ping the other both via host name and ip address. Post results.

run 'route' on both machines. Post results.

Also, are your IP addresses assigned by the router, or did you set them yourself?

Each time you post the results, copy and paste the actual text directly from the command line, and make sure that you use the 'code' tags here on linuxquestions.org; this makes the results much more legible.

Last edited by bartonski; 11-06-2009 at 06:05 PM.
 
Old 11-06-2009, 07:25 PM   #4
lucasito
LQ Newbie
 
Registered: Nov 2009
Posts: 3

Original Poster
Rep: Reputation: 0
I had been already at that link some hours ago. I found it very helpful to install vsftpd, but it did not solve my problem.

Quote:
nmap -sT -P0 192.168.2.10 port 20-21
nmap -sT -P0 192.168.2.11 port 20-21
On 192.168.2.10:
Code:
$ /usr/bin/nmap -sT -P0 192.168.2.10 port 20-21
Starting Nmap 4.53 ( http://insecure.org ) at 2009-11-07 02:20 CET
Warning: Hostname port resolves to 2 IPs. Using 62.157.x.x.
Invalid target host specification: 20-21
QUITTING!

$ /usr/bin/nmap -sT -P0 192.168.2.11 port 20-21
Starting Nmap 4.53 ( http://insecure.org ) at 2009-11-07 02:21 CET
Warning: Hostname port resolves to 2 IPs. Using 62.157.x.x.
Invalid target host specification: 20-21
On 192.168.2.11:
Code:
$ /usr/bin/nmap -sT -P0 192.168.2.10 port 20-21
Starting Nmap 5.00 ( http://nmap.org ) at 2009-11-07 02:28 CET
Warning: Hostname port resolves to 2 IPs. Using 62.157.x.x.
Invalid target host specification: 20-21
QUITTING!
$ /usr/bin/nmap -sT -P0 192.168.2.11 port 20-21
Starting Nmap 5.00 ( http://nmap.org ) at 2009-11-07 02:28 CET
Warning: Hostname port resolves to 2 IPs. Using 80.156.86.78.
Invalid target host specification: 20-21
QUITTING!


Quote:
Run "/sbin/ifconfig" on both machines. Post results.
192.168.2.10
Code:
$ ifconfig
eth0      Link encap:Ethernet  HWaddr 00:08:A1:4F:D5:A8
          inet addr:192.168.2.10  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::208:a1ff:fe4f:d5a8/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:134715 errors:0 dropped:0 overruns:0 frame:0
          TX packets:115306 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:122771186 (117.0 MiB)  TX bytes:13655972 (13.0 MiB)
          Interrupt:16

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:217888 errors:0 dropped:0 overruns:0 frame:0
          TX packets:217888 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:27320332 (26.0 MiB)  TX bytes:27320332 (26.0 MiB)
192.168.2.11
Code:
$ ifconfig
eth0      Link encap:Ethernet  HWaddr 00:14:0B:02:11:31
          inet addr:192.168.2.11  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::214:bff:fe02:1131/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:116474 errors:0 dropped:0 overruns:0 frame:0
          TX packets:106610 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:166352517 (158.6 MiB)  TX bytes:8134952 (7.7 MiB)
          Interrupt:20 Base address:0xe000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:40 errors:0 dropped:0 overruns:0 frame:0
          TX packets:40 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4491 (4.3 KiB)  TX bytes:4491 (4.3 KiB)
Quote:
On each machine, ping the other both via host name and ip address. Post results.
10 from 11:
Code:
PING 192.168.2.10 (192.168.2.10) 56(84) bytes of data.
64 bytes from 192.168.2.10: icmp_seq=1 ttl=64 time=0.416 ms
64 bytes from 192.168.2.10: icmp_seq=2 ttl=64 time=0.187 ms
64 bytes from 192.168.2.10: icmp_seq=3 ttl=64 time=0.217 ms
64 bytes from 192.168.2.10: icmp_seq=4 ttl=64 time=0.209 ms
64 bytes from 192.168.2.10: icmp_seq=5 ttl=64 time=0.214 ms
64 bytes from 192.168.2.10: icmp_seq=6 ttl=64 time=0.228 ms
^C
--- 192.168.2.10 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5144ms
rtt min/avg/max/mdev = 0.187/0.245/0.416/0.077 ms
11 from 10:
Code:
PING 192.168.2.10 (192.168.2.10) 56(84) bytes of data.
64 bytes from 192.168.2.10: icmp_seq=1 ttl=64 time=0.067 ms
64 bytes from 192.168.2.10: icmp_seq=2 ttl=64 time=0.070 ms
64 bytes from 192.168.2.10: icmp_seq=3 ttl=64 time=0.068 ms
^C
--- 192.168.2.10 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2844ms
rtt min/avg/max/mdev = 0.067/0.068/0.070/0.006 ms
Quote:
run 'route' on both machines. Post results.
10:
Code:
$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     *               255.255.255.0   U     0      0        0 eth0
default         192.168.2.2     0.0.0.0         UG    0      0        0 eth0
11:
Code:
$ route
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     *               255.255.255.0   U     1      0        0 eth0
default         192.168.2.2     0.0.0.0         UG    0      0        0 eth0
Quote:
Also, are your IP addresses assigned by the router, or did you set them yourself?
The router assigns them, but always the same via mac address. The router is 192.168.2.2
 
Old 11-06-2009, 07:38 PM   #5
dxqcanada
Member
 
Registered: Sep 2006
Location: Canada
Distribution: Gentoo
Posts: 702

Rep: Reputation: 43
Quote:
Originally Posted by lucasito View Post
I can do ssh on the other machine from both machines
OK, so you do have TCP/IP connectivity from one host to the other.
... so only FTP gets a "no route to host"


Last time I saw a post like that ... I think it was caused by IP Filtering ... it was posted within the last couple of days.
 
Old 11-07-2009, 06:42 AM   #6
lucasito
LQ Newbie
 
Registered: Nov 2009
Posts: 3

Original Poster
Rep: Reputation: 0
New tries, but nothing

I have found this:

http://www.linuxquestions.org/questi...on-lan-104684/

I have added to /etc/sysconfig/iptables what is specified at that link at the bottom, but nothing. The /etc/sysconfig/iptables looks like this:

On 192.168.2.10:
Code:
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -s 192.168.2.0/24 -d 192.168.2.10 -m tcp --dport 21 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
On 192.168.2.11:
Code:
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -s 192.168.2.0/24 -d 192.168.2.11 -m tcp --dport 21 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
The red line is what I added following the link above. I tried on both machines all combinations of the option -d (I mean, that I tried with both 2.10 and 2.11 in all possible combinations). I did restart the iptables after each modification. Nothing, no route to host.

The iptables -L says:
On 192.168.2.10:
Code:
$ iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
ACCEPT     tcp  --  192.168.2.0/24       192.168.2.11        tcp dpt:ftp

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
On 192.168.2.11:
Code:
$ iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
ACCEPT     tcp  --  192.168.2.0/24       192.168.2.10        tcp dpt:ftp

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
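
Added example, not part of any poster's message: iptables evaluates a chain top to bottom and stops at the first terminating match, so in the ruleset posted above the `--dport 21` ACCEPT sits after an unconditional REJECT in INPUT and is never reached. The function names (`shadowed_rules`, `posted_rules`, `reordered_rules`) are hypothetical, and the sample input is the 192.168.2.10 ruleset from the post, retyped.

```shell
#!/bin/sh
# Added example (not from the thread): list rules that can never match because
# an earlier rule in the same chain has no match criteria and a terminating
# target. Assumes iptables-save layout: "-A CHAIN [matches] -j TARGET [opts]".

# shadowed_rules: ruleset on stdin -> "CHAIN: RULE" per unreachable rule.
shadowed_rules() {
    awk '
    $1 == "-A" {
        chain = $2
        if (chain in ended) {        # a catch-all already ended this chain
            print chain ": " $0
            next
        }
        # "-A CHAIN -j TARGET ..." with nothing before -j matches every packet
        if ($3 == "-j" && $4 ~ /^(ACCEPT|DROP|REJECT)$/)
            ended[chain] = 1
    }'
}

# posted_rules: the ruleset shown for 192.168.2.10, retyped as sample input.
posted_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -s 192.168.2.0/24 -d 192.168.2.10 -m tcp --dport 21 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# reordered_rules: same rules, catch-all REJECT held back until after port 21.
reordered_rules() {
    posted_rules | awk '
        /^-A INPUT -j REJECT/ { held = $0; next }
        { print }
        /--dport 21 / && held != "" { print held; held = "" }'
}

echo "as posted:";  posted_rules | shadowed_rules
echo "reordered:";  reordered_rules | shadowed_rules
```

On a live host the same check can be fed from `iptables-save` (run as root) instead of the sample function.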
 
Old 11-07-2009, 08:30 AM   #7
luck.anshu
LQ Newbie
 
Registered: Jan 2009
Location: India
Posts: 11

Rep: Reputation: 0
Do one thing:

1st of all stop your iptables service and check the connectivity:
# service iptables stop

If it works fine then flush your iptables and then save iptables service
# iptables -F
# iptables -F -t nat
# iptables -F -t mangle
# service iptables save
 
Old 11-07-2009, 01:01 PM   #8
bartonski
Member
 
Registered: Jul 2006
Location: Louisville, KY
Distribution: Fedora 12, Slackware, Debian, Ubuntu Karmic, FreeBSD 7.1
Posts: 443
Blog Entries: 1

Rep: Reputation: 48
If you're running FTP across a firewall, there are a few things that you need to be aware of: an FTP server uses two ports. One port is the 'control port', usually port 21, used for sending and receiving FTP commands. The other port is the 'data port' on port 20.

The client side is more complicated; the ftp server will send commands and data back to unprivileged ports on the client (ports greater than 1023). Exactly how this is handled depends on whether you are in active or passive mode. Check http://slacksite.com/other/ftp.html for a nice clear explanation.

Given all of these intricacies, you may want to consider using SFTP instead of FTP. It runs on port 22, it's part of the OpenSSH suite, it's secure, and it looks and feels just like FTP.

Last edited by bartonski; 11-07-2009 at 01:04 PM.
 
Old 11-07-2009, 01:12 PM   #9
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
One more piece of information:
http://www.linuxquestions.org/questi...ive-ftp-22127/
 
Old 11-07-2009, 01:39 PM   #10
tredegar
LQ 5k Club
 
Registered: May 2003
Location: London, UK
Distribution: Fedora38
Posts: 6,147

Rep: Reputation: 435
Maybe you could make this all a lot simpler:

I don't run any firewalls on my LAN, because I trust the machines on my LAN.

I do run a firewall on my modem/router.

So the Big Bad Interweb is firewalled, but my LAN is trusted and trusting.

Works for me.

BTW, if you are running KDE then the fish://username@LAN_HostName protocol in konqueror is awesome. You just drag & drop files between PCs. You need to have ssh installed though (easy enough).
 
Old 11-07-2009, 09:52 PM   #11
wfh
Member
 
Registered: Sep 2009
Location: Northern California
Distribution: Ubuntu Debian CentOS RHEL Suse
Posts: 164

Rep: Reputation: 44
Quote:
Originally Posted by lucasito View Post
On 192.168.2.10:
Code:
$ /usr/bin/nmap -sT -P0 192.168.2.10 port 20-21
Starting Nmap 4.53 ( http://insecure.org ) at 2009-11-07 02:20 CET
Warning: Hostname port resolves to 2 IPs. Using 62.157.x.x.
Invalid target host specification: 20-21
QUITTING!
Sorry, I gave you bad syntax.....should have said:

Code:
/usr/bin/nmap -sT -P0 192.168.2.10 -p 20-21
But if you are getting two hosts answering on arp requests for 192.168.2.10, then you're screwed.

Is this just a simple networking problem? Are you configured cleanly? Could you have an entry in /etc/hosts that is in conflict or something?
 
Old 11-07-2009, 10:30 PM   #12
bartonski
Member
 
Registered: Jul 2006
Location: Louisville, KY
Distribution: Fedora 12, Slackware, Debian, Ubuntu Karmic, FreeBSD 7.1
Posts: 443
Blog Entries: 1

Rep: Reputation: 48
Quote:
Originally Posted by lucasito View Post
11 from 10:
Code:
PING 192.168.2.10 (192.168.2.10) 56(84) bytes of data.
64 bytes from 192.168.2.10: icmp_seq=1 ttl=64 time=0.067 ms
64 bytes from 192.168.2.10: icmp_seq=2 ttl=64 time=0.070 ms
64 bytes from 192.168.2.10: icmp_seq=3 ttl=64 time=0.068 ms
^C
--- 192.168.2.10 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2844ms
rtt min/avg/max/mdev = 0.067/0.068/0.070/0.006 ms
Umm... I figured that this was a typo, but on the outside chance that you've got an IP address conflict or something, can you re-run the ping from 192.168.2.10 to .11?
 
  

