ftp login hangs

TreeHugger · 11-10-2004, 05:19 AM

I have a bad problem with ftp. When I try to login to my webserver out on the net from my linux box on my lan, it hangs. I get:

Code:

[adam@gondor adam]$ ftp 212.227.119.104
Connected to 212.227.119.104 (212.227.119.104).
220 FTP Server ready.
Name (212.227.119.104:adam): myusername
421 Login Timeout (30 seconds): closing control connection.
Login failed.
No control connection for command: Permission denied
ftp>

Basically it hangs after I enter the user name.

Strangely, it works from my windows box on the same LAN.

My LAN is configured so:

gateway box eth0 IP: 192.168.1.254
linux box IP: 192.168.1.253
win box IP: 192.168.1.252

The linux box and the win box point to the gateway IP as a gateway. The gateway has iptables and a modem on eth1 with DHCP setup.

Any clues where or what or why? Thanks!!!

Rino · 11-10-2004, 07:13 AM

One question.
The server ftp requires a password for your user.
Notes: the ftp command run in tcp 20 and the data run in tcp 21, may be possible that you need run a module for ftp.

TreeHugger · 11-10-2004, 08:45 AM

Yes it definitely requires a password. The windows box login doesnt hang and asks for the password straight away. What do you mean about tcp 21?

machineghost · 11-10-2004, 04:33 PM

I'm having a very similiar problem, only my FT hangs after I enter the password. It only does this when I enter the correct password (if I enter the incorrect one the ftp server responds immediately). It happens no matter what FTP client I use (I've tried five) on Linux, but on Windows (from the same machine, dual-boot) I can connect just fine. Anyone have any suggestions, this is really frustrating.

P.S. I tried disabling IPv6, to no avail.

TreeHugger · 11-11-2004, 05:38 AM

Anybody?

This is looking grimmer and grimmer.

n0sr · 11-11-2004, 06:18 AM

Are you running any firewalling stuff? Sounds like it's going into passive mode then timing out. You log in using port 21 and I think it is switching to port 22 after you authenticate.

Oh yeah, you might check /etc/hosts.allow and /etc/hosts.deny to make sure there isn't anything blocking local addresses.

TreeHugger · 11-11-2004, 09:38 AM

OK, my hosts.deny and hosts.allow are both empty.

I am running iptables, and below is part of my script. However I have run this for a year without changing it - or at least I think I have. But now I'm looking at it again, I'm not so sure that I'm allowing the right stuff back in on the tcp2 chain. I've removed parts of the script that aren't directly related to the ftp.

Code:

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

iptables -N tcp_bad
echo "    - drop non-SYN packets"
iptables -A tcp_bad -p tcp ! --syn -m state --state NEW -j DROP
echo "    - do some checks for obviously spoofed IP's"
iptables -A tcp_bad -i eth1 -s 192.168.0.0/16 -j DROP
iptables -A tcp_bad -i eth1 -s 10.0.0.0/8 -j DROP
iptables -A tcp_bad -i eth1 -s 172.16.0.0/12 -j DROP

echo "   setting up 2nd tcp chain for TCP connections.."
echo "    - accepting SYN, ESTABLISHED, RELATED"
iptables -N tcp2
iptables -A tcp2 -p TCP --syn -j ACCEPT
iptables -A tcp2 -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A tcp2 -p TCP -j DROP

echo "   setting up 1st chain for TCP.."
iptables -N tcp_ok
iptables -A tcp_ok -p TCP -s 0/0 --dport 21 -j tcp2
iptables -A tcp_ok -p TCP -s 0/0 --dport 22 -j tcp2
iptables -A tcp_ok -p TCP -s 0/0 --dport 80 -j tcp2
iptables -A tcp_ok -p TCP -s 0/0 --dport 113 -j tcp2

echo "   setting up INPUT chain.."
echo "    - first filter thro tcp_bad..."
iptables -A INPUT -p TCP -j tcp_bad
iptables -A INPUT -p TCP -i eth1 -j tcp_ok
iptables -A INPUT -p ICMP -i eth1 -j icmp_ok
iptables -A INPUT -p ICMP -i eth1 -j icmp_ok
iptables -A INPUT -p UDP -i eth1 -j udp_ok
iptables -A INPUT -p ALL -i lo -d 127.0.0.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 192.168.1.254 -j ACCEPT
iptables -A INPUT -p ALL -i eth0 -s 192.168.1.0/8 -j ACCEPT
iptables -A INPUT -p ALL -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

echo "   setting up OUTPUT chain.."
iptables -A OUTPUT -p TCP -j tcp_bad
iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 192.168.1.254 -j ACCEPT
iptables -A OUTPUT -p ALL -o eth0 -j ACCEPT
iptables -A OUTPUT -p ALL -o eth1 -j ACCEPT

echo -e "\nfirewall done.\n"