LinuxQuestions.org
Old 04-03-2014, 07:19 AM   #1
manpreetmails
LQ Newbie
 
Registered: Apr 2014
Posts: 6

Rep: Reputation: Disabled
Question FTP "no route to host"


Server - 192.168.1.102
Client - 192.168.1.100
Not able to connect; FTP gives the error "no route to host".
It's a firewall problem. When I allow ftp through the lokkit command it works, but it's not working when I allow it through the iptables cmd
Code:
iptables -t filter -A INPUT -s 192.168.0.0/24 -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
Please advise if I am using the right iptables cmd. I want to enable ftp only for 192.168.0.0/24 and I think I can't do it using the lokkit cmd. Please help.
 
Old 04-03-2014, 07:28 AM   #2
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,404

Rep: Reputation: Disabled
That rule lets through the initial TCP SYN packet to port 21. Do you have another rule allowing the remaining session traffic? Also, how about the data connection to/from port 20?
 
Old 04-03-2014, 07:48 AM   #3
manpreetmails
LQ Newbie
 
Registered: Apr 2014
Posts: 6

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Ser Olmy
That rule lets through the initial TCP SYN packet to port 21. Do you have another rule allowing the remaining session traffic? Also, how about the data connection to/from port 20?
I didn't apply any other rule. I don't know iptables. I just found that cmd on Google to allow ftp. How do I check the connection for port 20?
FYI... My firewall is enabled and SELinux is in enforcing mode.
 
Old 04-03-2014, 07:54 AM   #4
mddnix
Member
 
Registered: Mar 2013
Distribution: Redhat, Ubuntu
Posts: 516

Rep: Reputation: 139Reputation: 139
It's important where the rule is added. For example, my Red Hat test box's iptables looks like this:
Code:
# iptables -L INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
2    ACCEPT     icmp --  anywhere             anywhere            
3    ACCEPT     all  --  anywhere             anywhere            
4    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh 
5    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http 
6    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https 
7    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp 
8    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
If you add the rule after the 8th line (after REJECT), it doesn't work, which seems to be your case. Try the following; for example, I would do this:

Code:
# iptables -I INPUT 8 -m state --state NEW -m tcp -p tcp -s 192.168.0.0/24 --dport 21 -j ACCEPT

# iptables -L INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
2    ACCEPT     icmp --  anywhere             anywhere            
3    ACCEPT     all  --  anywhere             anywhere            
4    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh 
5    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http 
6    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https 
7    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp 
8    ACCEPT     tcp  --  192.168.0.0/24       anywhere            state NEW tcp dpt:ftp 
9    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

# service iptables save

Last edited by mddnix; 04-03-2014 at 07:55 AM.
 
Old 04-03-2014, 08:09 AM   #5
manpreetmails
LQ Newbie
 
Registered: Apr 2014
Posts: 6

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by mddesai
It's important where the rule is added. For example, my Red Hat test box's iptables looks like this:
Code:
# iptables -L INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
2    ACCEPT     icmp --  anywhere             anywhere            
3    ACCEPT     all  --  anywhere             anywhere            
4    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh 
5    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http 
6    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https 
7    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp 
8    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
If you add the rule after the 8th line (after REJECT), it doesn't work, which seems to be your case. Try the following; for example, I would do this:

Code:
# iptables -I INPUT 8 -m state --state NEW -m tcp -p tcp -s 192.168.0.0/24 --dport 21 -j ACCEPT

# iptables -L INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
2    ACCEPT     icmp --  anywhere             anywhere            
3    ACCEPT     all  --  anywhere             anywhere            
4    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh 
5    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http 
6    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https 
7    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp 
8    ACCEPT     tcp  --  192.168.0.0/24       anywhere            state NEW tcp dpt:ftp 
9    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

# service iptables save
Hi, I did the same. It's not working yet. Please find the outputs:

Code:
[root@server1 ~]# iptables -L INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    RH-Firewall-1-INPUT  all  --  anywhere             anywhere            
2    ACCEPT     tcp  --  192.168.0.0/24       anywhere            state NEW tcp dpt:ftp 
3    ACCEPT     tcp  --  192.168.0.0/24       anywhere            state NEW tcp dpt:ftp 
4    ACCEPT     tcp  --  192.168.0.0/24       anywhere            state NEW tcp dpt:ftp

Code:
[root@server1 ~]# iptables -I INPUT 8 -m state --state NEW -m tcp -p tcp -s 192.168.0.0/24 --dport 21 -j ACCEPT
iptables: Index of insertion too big
It's not working yet

Last edited by manpreetmails; 04-03-2014 at 08:23 AM. Reason: it's not working yet
 
Old 04-03-2014, 09:14 AM   #6
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,404

Rep: Reputation: Disabled
The policy for your INPUT chain is "ACCEPT", which means that all traffic not explicitly blocked by a rule will be permitted. Since there are no blocking rules in your INPUT chain, the problem must be elsewhere, like in the user-defined "RH-Firewall-1-INPUT" chain.

Please post the output from:
Code:
iptables-save -t filter

Last edited by Ser Olmy; 04-03-2014 at 09:15 AM.
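The ordering problem from posts #4 and #5 (an ACCEPT placed after a catch-all REJECT is never reached, and "Index of insertion too big" appears when the requested index exceeds the chain length) can be checked before touching a live firewall. The script below is an added example and is not code from the thread or from any of its posters. It parses `iptables -L <chain> --line-numbers` listings (the two listings embedded here are constructed to mirror the chains shown in posts #4 and #5, plus one with an FTP rule appended after the REJECT), finds the catch-all REJECT/DROP rule, computes the index at which a new rule must be inserted to precede it, reports FTP ACCEPT rules that are shadowed by the catch-all, checks for a RELATED,ESTABLISHED rule as Ser Olmy asked in post #2, and validates a requested insert index the way iptables does. The function names, the sample listings, and the assumption that iptables accepts an insert index one past the last rule (append) but rejects anything larger are mine. The script only builds the `iptables -I` command; it does not run it.

```shell
#!/bin/sh
# Constructed listing mirroring post #4: a chain ending in a catch-all REJECT.
LISTING_REDHAT='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
2    ACCEPT     icmp --  anywhere             anywhere
3    ACCEPT     all  --  anywhere             anywhere
4    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
5    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
6    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
7    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
8    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited'

# Constructed: the same chain with the FTP rule appended AFTER the REJECT (the mistake
# described in post #4), so packets never reach rule 9.
LISTING_APPENDED="$LISTING_REDHAT
9    ACCEPT     tcp  --  192.168.0.0/24       anywhere            state NEW tcp dpt:ftp"

# Constructed listing mirroring post #5: INPUT only jumps to RH-Firewall-1-INPUT and
# has four rules, so "-I INPUT 8" is rejected with "Index of insertion too big".
LISTING_OP='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  anywhere             anywhere
2    ACCEPT     tcp  --  192.168.0.0/24       anywhere            state NEW tcp dpt:ftp
3    ACCEPT     tcp  --  192.168.0.0/24       anywhere            state NEW tcp dpt:ftp
4    ACCEPT     tcp  --  192.168.0.0/24       anywhere            state NEW tcp dpt:ftp'

# Number of numbered rules in a listing (0 for an empty chain).
rule_count() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { n = $1 } END { print n + 0 }'
}

# Index of the first catch-all terminating rule: target REJECT or DROP, prot all,
# source anywhere. Prints 0 when the chain has no such rule.
terminal_index() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && ($2 == "REJECT" || $2 == "DROP") && $3 == "all" && $5 == "anywhere" { found = 1; print $1; exit } END { if (!found) print 0 }'
}

# Largest index "iptables -I" accepts on this chain: one past the last rule, which
# appends (assumption about iptables behaviour; larger values give "Index of insertion too big").
max_insert_index() {
    echo $(( $(rule_count "$1") + 1 ))
}

# Index at which a new ACCEPT must be inserted so it is evaluated before the catch-all:
# the catch-all's own index, or the append position when the chain has no catch-all.
insert_index() {
    t=$(terminal_index "$1")
    if [ "$t" -eq 0 ]; then max_insert_index "$1"; else echo "$t"; fi
}

# Indices of ACCEPT rules for dpt:ftp that sit after the catch-all and are never reached.
shadowed_ftp_rules() {
    t=$(terminal_index "$1")
    printf '%s\n' "$1" | awk -v t="$t" 't > 0 && $1 ~ /^[0-9]+$/ && $1 > t && $2 == "ACCEPT" && /dpt:ftp/ { print $1 }'
}

# 1 if an ACCEPT for RELATED,ESTABLISHED precedes the catch-all in THIS chain, else 0.
# Without it only the first SYN to port 21 is allowed (post #2); the rest of the control
# session and any data connection are left to the catch-all. The OP's equivalent rule may
# live in RH-Firewall-1-INPUT, which this check does not follow.
has_established_rule() {
    t=$(terminal_index "$1")
    [ "$t" -eq 0 ] && t=999999
    printf '%s\n' "$1" | awk -v t="$t" '$1 ~ /^[0-9]+$/ && $1 < t && $2 == "ACCEPT" && /RELATED,ESTABLISHED/ { ok = 1 } END { print ok + 0 }'
}

# Build (not run) the insert command for CHAIN from its LISTING. An optional third
# argument is a requested index, validated like iptables would; otherwise the index is computed.
ftp_insert_command() {
    chain=$1; listing=$2; idx=${3:-$(insert_index "$2")}; src=192.168.0.0/24
    if [ "$idx" -gt "$(max_insert_index "$listing")" ]; then
        echo "iptables: Index of insertion too big (chain $chain has $(rule_count "$listing") rules)" >&2
        return 1
    fi
    printf 'iptables -I %s %s -s %s -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT\n' "$chain" "$idx" "$src"
}

# Demonstration on the constructed listings.
echo "Post #4 chain, insert at: $(insert_index "$LISTING_REDHAT")"
echo "Shadowed FTP rules in appended chain: $(shadowed_ftp_rules "$LISTING_APPENDED")"
ftp_insert_command INPUT "$LISTING_REDHAT"
```

To use it on a real box, capture the listing with `listing=$(iptables -L RH-Firewall-1-INPUT --line-numbers)` (the chain Ser Olmy points at, rather than INPUT) and pass it to `ftp_insert_command`; run the printed command as root only after `shadowed_ftp_rules` and `has_established_rule` report what you expect.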