Linux - Networking
I am trying to set up an ftp server that is accessible from the internet.
I have no problems logging into the ftp from other LAN computers, but I can't get a response when trying to log in from another computer on the internet.
My network looks like this:
LAN <-> [eth0] gateway with ftp server [eth1] <-> hardware DSL router <-> internet
The DSL router is set up to do NAT. I have set a rule to forward incoming packets to port 21 to the gateway.
Any ideas where I might be missing a step? Are there any network tools that I can use to check if I'm getting any incoming requests at the gateway's eth1?
I don't have a solution to your problem. But you can use iptables to find the packets that come to a host. Something like "iptables -t nat -I PREROUTING -d server_ip -j LOG" should work. If you want you can give protocol and destination port options.
Also I have read somewhere that ftp uses port 20 for data transfer. Don't know much about this. But opening port 21 should allow you to login to the server.
--Sarin
Thanks all for your suggestions, I'll give them a try when I'm free. Someone on another forum mentioned that ftp works by opening another connection on an arbitrary port for each user. I may have to break open a range of ports for ftp to work if this is the cause of the problem.
Rich: I'm using a dynamic DNS service (www.dyndns.org). It rules.
If you are using active ftp with your client software, you will need to open up port 20 as well.
Also, ports above 1024 are needed, but which ones cannot be said in advance, as the "client" determines the port number.
As far as I know you can tell the client which range of ports to use, so you can control the range of ports to open up in your firewall for ftp communication.
I hope this will help, or lead you to solving your problem.
Originally posted by Chou: I may have to break open a range of ports for ftp to work if this is the cause of the problem.
That won't be necessary.
If you are using iptables there is a feature called connection tracking. That means you can tell your firewall how to determine what packets belong to which connection. You have to tell it for each protocol (ftp, irc, ...) separately.
For ftp this is done with:
Code:
/sbin/modprobe ip_conntrack_ftp
Now your firewall knows that the extra connections that are made for ftp (called data connections) are related to the ones on port 21.
By adding the following line to your firewall script, you can tell it to allow such traffic:
Code:
iptables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
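As an added illustration (not code from this thread or from the iptables project) of what the ip_conntrack_ftp helper loaded above actually does: it reads the PORT command or the "227" reply off the port-21 control connection and derives the single data connection to expect, which is why the RELATED rule can admit it without opening a port range. The function names and the addresses used are my own, constructed for the example.

```python
import re

# Both the active-mode PORT command and the passive-mode "227" reply carry the
# data socket as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2. This is what the
# ip_conntrack_ftp helper reads off the port-21 channel to know which data
# connection to mark RELATED.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Return (ip, port) from the first h1,h2,h3,h4,p1,p2 tuple in text, or None."""
    m = _HOSTPORT.search(text)
    if m is None:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def expected_data_connection(line, client_ip, server_ip):
    """Model of a conntrack FTP helper: from one control-channel line, derive the
    data connection the firewall should accept as RELATED, or None.
    client_ip and server_ip are the two ends of the control connection as the
    firewall sees them (the addresses used in the tests are constructed)."""
    if line.upper().startswith("PORT "):
        hp = parse_hostport(line)
        if hp is None:
            return None
        ip, port = hp
        # A strict helper only expects a connection back to the control peer; a
        # PORT naming a third host must not open a hole towards that host.
        if ip != client_ip:
            return None
        # Active mode: the server dials out from port 20 to the client's socket.
        return {"mode": "active", "src": server_ip, "dst": ip, "dport": port}
    if line.startswith("227 "):
        hp = parse_hostport(line)
        if hp is None:
            return None
        ip, port = hp
        # Passive mode: the client dials the socket the server advertised. If that
        # address is not the one the client connected to, the reply crossed a NAT
        # box unrewritten (a server announcing its private LAN address), so the
        # client will dial the wrong host even though port 21 works.
        return {"mode": "passive", "src": client_ip, "dst": ip, "dport": port,
                "address_mismatch": ip != server_ip}
    return None
```

The address_mismatch flag is the passive-mode failure a server behind a NAT router runs into when the router does not rewrite the 227 reply.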
Usually you will need to enable ACTIVE transfers on the FTP client side. This makes connections through routers much easier because the connection opens port 20 for control stuff rather than some arbitrary port. The connection tracking in iptables is nice, but it didn't do the job for me. Check out http://www.linuxguruz.org/iptables for some good iptables scripts for FTP servers.
Griffon26: Thanks for the info. While I still can't successfully connect from the internet, it did help me protect my server from the LAN.
TruckStuff: In principle, I'd like to support PASV clients so people won't have to mess with their own firewalls to get active clients to work. Thanks for the suggestion anyway.
As for why I can't connect either way, I'm tempted to blame the hardware router (that sits between the server and the internet) for blocking inbound requests despite the settings to forward ports 20-22 (I can't connect from outside using ssh either).
Is there a diagnostic util I can run on the server that would indicate if someone's trying to connect to a specified port?
Originally posted by Chou: Griffon26: Thanks for the info. While I still can't successfully connect from the internet, it did help me protect my server from the LAN.
And here I am, thinking you are trying to protect your computer from the internet
I made a chain called "blocked" in my script and send everything I want to reject to that chain.
So you'll have something like:
Code:
iptables -A FORWARD ... -j ACCEPT
...
iptables -A FORWARD ... -j ACCEPT
iptables -A FORWARD ... -j blocked
The blocked chain could look like this:
Code:
# Reject blocked traffic from within the LAN quietly
# (you don't want to see all windows sharing broadcast packets in your logs)
$IPTABLES -A blocked -i ! $EXT_IF -j REJECT
# Only log everything that gets past the previous line
$IPTABLES -A blocked -s ! $LANSUBNET -m limit -j LOG --log-level 6 --log-prefix "BLOCKED EXT PACKET: "
$IPTABLES -A blocked -s $LANSUBNET -m limit -j LOG --log-level 6 --log-prefix "BLOCKED SPOOFED PACKET: "
$IPTABLES -A blocked -j REJECT
Note that the -m limit parameter will make sure that your syslogd isn't flooded. But as a result of that, not all packets will be logged if there are a lot of them in a short period of time.
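Both Sarin's LOG rule earlier in the thread and the blocked chain above write one kernel log line per packet. As an added example (not code from this thread), here is a small parser that answers the original question, whether anyone is reaching a given port at the gateway, from those lines alone; it uses the log prefixes from the blocked chain, and the sample log lines and addresses are constructed.

```python
import re
from collections import Counter

# One syslog line per logged packet, as the kernel writes it for an iptables LOG rule:
#   <timestamp> <host> kernel: <log-prefix>IN=... OUT=... SRC=... DST=... PROTO=... DPT=... SYN ...
_LOG_RE = re.compile(r"kernel: (?P<prefix>.*?)(?P<fields>IN=.*)$")
_FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_log_line(line):
    """Return the KEY=VALUE fields of one iptables LOG line, plus PREFIX (the
    --log-prefix text) and a SYN flag; None if the line is not a firewall log entry."""
    m = _LOG_RE.search(line)
    if m is None:
        return None
    fields = dict(_FIELD_RE.findall(m.group("fields")))
    fields["PREFIX"] = m.group("prefix").strip()
    # TCP flags are bare words (SYN, ACK, ...) rather than KEY=VALUE pairs.
    fields["SYN"] = "SYN" in m.group("fields").split()
    return fields


def connection_attempts(lines, dport):
    """Count new TCP connection attempts (SYN) to dport, keyed by (prefix, source IP):
    tells you from the logs alone whether anyone is reaching the gateway on that port."""
    hits = Counter()
    for line in lines:
        f = parse_log_line(line)
        if f and f.get("PROTO") == "TCP" and f.get("DPT") == str(dport) and f["SYN"]:
            hits[(f["PREFIX"], f["SRC"])] += 1
    return hits


# Constructed sample lines (documentation-range addresses), not logs from a real host.
SAMPLE_LOG = [
    "Mar  3 12:00:01 gateway kernel: BLOCKED EXT PACKET: IN=eth1 OUT= SRC=203.0.113.5 "
    "DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=51234 "
    "DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Mar  3 12:00:04 gateway kernel: BLOCKED EXT PACKET: IN=eth1 OUT= SRC=203.0.113.5 "
    "DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=51235 "
    "DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Mar  3 12:00:09 gateway kernel: BLOCKED EXT PACKET: IN=eth1 OUT= SRC=203.0.113.9 "
    "DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=3 DF PROTO=TCP SPT=40000 "
    "DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Mar  3 12:00:10 gateway kernel: BLOCKED SPOOFED PACKET: IN=eth1 OUT= SRC=192.168.1.77 "
    "DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=4 PROTO=TCP SPT=3000 "
    "DPT=21 WINDOW=0 RES=0x00 ACK URGP=0",
    "Mar  3 12:00:11 gateway sshd[123]: Accepted publickey for admin from 203.0.113.5",
]
```

Calling connection_attempts(SAMPLE_LOG, 21) on the sample gives two SYNs from 203.0.113.5 under the "BLOCKED EXT PACKET:" prefix and nothing else, since the ACK-only line is not a new connection attempt. Remember that -m limit drops log lines under load, so a zero count is only meaningful when the rate limit was not hit.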
Great! Checking the logs and using tcpdump, I managed to debug my network. Also found out my net connection was afflicted with the Curse of the Mysteriously Changing External IP, which seems to happen every hour or so without warning.
Anyway, I can now connect from a remote computer using both passive and active ftp clients without ripping any more holes in my firewall. Thanks all for your help.
Last small problem: when trying to connect to the external IP from an _internal_ computer (on the same LAN as the server), I get "connection refused". Connecting to the server's internal IP still works fine though. Any ideas what might be the problem here?
You probably have to allow traffic to and from the internal interface but addressed to the external IP.
Code:
iptables -A INPUT -i $LAN_IF -d $EXT_IP -j somechain
iptables -A OUTPUT -o $LAN_IF -s $EXT_IP -j somechain
As you can see in my iptables script, I created some rules to split up the traffic based on direction, origin and destination.
I have chains for traffic from LAN to internet, LAN to server, server to internet, etc. I added the lines above and replaced 'somechain' in the first line with the chain for LAN to server traffic and 'somechain' in the second line with the chain for server to LAN traffic.
Whether or not to actually allow traffic is determined by the rules for those chains.