LinuxQuestions.org
Linux - Newbie This Linux forum is for members that are new to Linux.
Old 03-16-2012, 02:35 AM   #1
SarahGurung
Member
 
Registered: Jul 2011
Posts: 322

Not able to upload file from different LAN in Centos


We have CentOS on our server.

Well, a client wants to host their website with us... We can upload it from the LAN but it is not possible from a different LAN. What could be the reason?

The iptables -L shows:
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
RH-Firewall-1-INPUT  all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
RH-Firewall-1-INPUT  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere            icmp any 
ACCEPT     esp  --  anywhere             anywhere            
ACCEPT     ah   --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp 
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp-data 
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

If FTP port 20 is closed, how are we able to upload it from the LAN then?
 
Old 03-16-2012, 03:28 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Upload how? There are a dozen ways to move a file between two systems.
 
Old 03-16-2012, 03:32 AM   #3
SarahGurung
Member
 
Registered: Jul 2011
Posts: 322

Original Poster
Upload using an FTP client.

The customer who wants to upload his website is in a different country... When we tested by uploading a file from our LAN it worked.
 
Old 03-16-2012, 03:33 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

So, FTP is obviously a nasty protocol to get through a firewall. In what way does it not work? Does it never log in, or do files specifically not transfer? Have they tried using active and passive mode? Could they use sftp instead for a much simpler experience?

Your rulebase in "iptables -vnL" format might be more useful.
 
Old 03-16-2012, 03:35 AM   #5
SarahGurung
Member
 
Registered: Jul 2011
Posts: 322

Original Poster
How do we do that?
 
Old 03-16-2012, 03:54 AM   #6
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Do what?
 
Old 03-16-2012, 04:03 AM   #7
SarahGurung
Member
 
Registered: Jul 2011
Posts: 322

Original Poster
Yeah, they can log in but they aren't able to upload their site.

You told me about passive and active mode and also about sftp, so I was asking about that...
 
Old 03-16-2012, 04:09 AM   #8
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

"abt"? Really?

If this server has a single interface then it looks like the issue for ftp-data connections failing is likely to be down to something else between them and you that you don't have locally: your public firewall, or theirs, etc. You can check lsmod to see that the ftp conntrack module is loaded, but if it's working for you it sounds like it already is.

Again, your full rule base would possibly help here.
 
Old 03-16-2012, 04:26 AM   #9
SarahGurung
Member
 
Registered: Jul 2011
Posts: 322

Original Poster
Well, yeah, we can upload it using their username and password from our LAN, but they are not able to upload it from there. We don't have any firewalls out here, though, but I guess FTP port 20 has been blocked somewhere in the ACL of the router for outsiders.

And by 'full rule base' do you mean the iptables rules?
 
Old 03-16-2012, 04:31 AM   #10
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Quote:
your rulebase in "iptables -vnL" format might be more useful.
FTP port 20 is not a destination port in FTP. In active mode that is the *SOURCE* port of the connection created by the *SERVER* to the client. In passive mode, it's not used, unless the ftp server is explicitly tethered to use that as the data port. So it's not likely to be that it's blocked, but that a device is not inspecting the ftp control traffic to track the data connection's validity, so it is being rejected implicitly.

http://www.linuxhowtos.org/Misc/ftpmodes.htm
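The active/passive distinction above, as an added example that is not part of the thread: the bookkeeping a stateful firewall's FTP helper (nf_conntrack_ftp) has to do. It parses the control-channel PORT command and the 227 reply to PASV, works out which side opens the data connection and from/to which ports, and models the server-side RH-Firewall-1-INPUT chain posted earlier in the thread to show when an inbound data connection falls through to the REJECT. The IP addresses, the session transcript and the OPEN_DPORTS set are constructed for the example (the set mirrors the NEW-state ACCEPT rules in the posted chain).

```python
"""
Added example (not from the thread): what an FTP connection-tracking helper
sees on the control channel, and how the posted server INPUT chain treats
the resulting data connection with and without that helper.
Addresses, transcript and rule model are constructed for illustration.
"""
import re
from dataclasses import dataclass

CLIENT_IP = "203.0.113.10"   # constructed (RFC 5737 documentation range)
SERVER_IP = "198.51.100.5"   # constructed

# NEW-state dports the posted chain ACCEPTs: 21, 22, 443, 80, 20 (constructed model)
OPEN_DPORTS = {21, 22, 443, 80, 20}


@dataclass
class DataConn:
    mode: str        # "active" or "passive"
    initiator: str   # "server" or "client"
    src_ip: str
    src_port: int    # 20 only in active mode, and then as the SERVER's source port
    dst_ip: str
    dst_port: int


_SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
_PORT_RE = re.compile(r"^PORT\s+" + _SIX + r"\s*$", re.IGNORECASE)
_PASV_RE = re.compile(r"^227\s.*\(" + _SIX + r"\)")


def _decode(match):
    """h1,h2,h3,h4,p1,p2 -> (ip, port); port = p1*256 + p2 (RFC 959)."""
    vals = [int(x) for x in match.groups()]
    if any(v > 255 for v in vals):
        raise ValueError("octet out of range: %r" % (vals,))
    return "%d.%d.%d.%d" % tuple(vals[:4]), vals[4] * 256 + vals[5]


def track_control_line(line, client_ip=CLIENT_IP, server_ip=SERVER_IP):
    """Return the DataConn announced by one control-channel line, or None."""
    m = _PORT_RE.match(line)
    if m:
        ip, port = _decode(m)
        # Active: the server connects FROM port 20 TO the port the client announced.
        return DataConn("active", "server", server_ip, 20, ip, port)
    m = _PASV_RE.match(line)
    if m:
        ip, port = _decode(m)
        # Passive: the client connects to a high port the server chose; port 20 is unused.
        return DataConn("passive", "client", client_ip, 0, ip, port)
    return None


def server_input_verdict(conn, helper_loaded):
    """Verdict of the posted server INPUT chain for the data connection.

    Returns (verdict, reason). Only connections arriving AT the server traverse
    INPUT; a server-initiated (active) data connection leaves via OUTPUT, whose
    policy in the thread is ACCEPT, and its replies match ESTABLISHED.
    """
    if conn.initiator == "server":
        return "ACCEPT", "outbound: OUTPUT policy ACCEPT, replies are ESTABLISHED"
    if helper_loaded:
        return "ACCEPT", "RELATED: the helper saw the 227 reply and expects this connection"
    if conn.dst_port in OPEN_DPORTS:
        return "ACCEPT", "NEW tcp dpt:%d" % conn.dst_port
    return "REJECT", "no NEW rule for dpt:%d, falls to reject-with icmp-host-prohibited" % conn.dst_port


def trace_session(lines, **kw):
    """Run every control-channel line through the tracker; keep the data connections."""
    return [c for c in (track_control_line(l, **kw) for l in lines) if c]


# Constructed control-channel transcript: one active STOR, then one passive STOR.
SESSION = [
    "USER webclient",
    "331 Please specify the password.",
    "PASS secret",
    "230 Login successful.",
    "PORT 203,0,113,10,4,1",                               # client listens on 4*256+1 = 1025
    "200 PORT command successful.",
    "STOR index.html",
    "PASV",
    "227 Entering Passive Mode (198,51,100,5,195,80).",   # server listens on 195*256+80 = 50000
    "STOR logo.png",
]

if __name__ == "__main__":
    for c in trace_session(SESSION):
        for helper in (False, True):
            verdict, why = server_input_verdict(c, helper)
            print("%-7s %s:%d -> %s:%d  helper=%-5s %s (%s)" % (
                c.mode, c.src_ip, c.src_port, c.dst_ip, c.dst_port, helper, verdict, why))
```

Running it shows the point of post #10: the active-mode transfer never touches the server's INPUT chain at all (the server dials out from source port 20), while the passive transfer arrives at a high port the server picked, and is only accepted when the helper has tagged it RELATED. A `dpt:20` ACCEPT rule never matches either case.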
 
Old 03-16-2012, 04:56 AM   #11
SarahGurung
Member
 
Registered: Jul 2011
Posts: 322

Original Poster
That means when we log in directly we are using active FTP, right? And for that, in our iptables rule we should give it as sport instead of dport, right?

Well, can you please have a look at my iptables rule above and comment on it, because it's given as sport, so...
 
Old 03-16-2012, 04:58 AM   #12
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

No, the login/control data flow is identical; it's how the additional FTP data connection is established, which you don't do yourself, that is the difference. With sftp etc. these things do not exist, so if sftp is available, they would do better to use that instead.

Yet again you've not provided the rulebase as requested, but in reality it can't really matter. If it works for you, the server rulebase is not the issue.
 
Old 03-16-2012, 05:06 AM   #13
SarahGurung
Member
 
Registered: Jul 2011
Posts: 322

Original Poster
Well, the output of iptables -vnL is:

Code:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
2624K  330M RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 2016K packets, 5687M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
 2088 2613K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
53908 3862K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 255 
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251         udp dpt:5353 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:631 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:631 
2487K  319M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
 2241  133K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21 
 2082  125K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
  357 21384 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443 
74933 4093K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80 
   17   988 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:20 
 1155 98813 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
Is it in our configuration to log in either via active or passive?

And it also means FTP port 20 is dport only, right?
 
Old 03-16-2012, 05:15 AM   #14
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

You can see that the counters there say just about nothing has hit port 20. That line is not relevant to the FTP environment. Files already sent over FTP will be covered by the "RELATED" entry.

Yet again though, the problem is likely to be elsewhere. You're using this box fine from where you are, and the rulebase makes no distinction between you and anyone else.
 
Old 03-16-2012, 05:31 AM   #15
SarahGurung
Member
 
Registered: Jul 2011
Posts: 322

Original Poster
Oh, OK... Thanks.

Well my iptables rules contain:

Code:
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 20 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
So are the rules OK, or should I make it sport for FTP port 20?

And I have read somewhere that we should add the pasv_max_port and pasv_min_port mentioned in the vsftpd.conf file along with TCP ports 20 and 21 in iptables... How far is that true?
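The pasv_min_port/pasv_max_port question in the last post, together with the lsmod check suggested in post #8, as an added example that is not part of the thread. The rule of thumb it encodes: when the FTP conntrack helper (nf_conntrack_ftp; ip_conntrack_ftp on CentOS 5 kernels) is loaded, the passive data connection is RELATED and the existing ESTABLISHED,RELATED rule already accepts it; when it is not, the passive range has to be opened explicitly, and the rule must land above the chain's final REJECT because iptables stops at the first match. The vsftpd.conf excerpt and the shortened ruleset below are constructed to mirror what the thread shows; `rules_needed` and the other function names are this example's own.

```python
"""
Added example (not from the thread): derive the iptables rule for a vsftpd
passive port range and splice it into an iptables-save ruleset just above the
chain's catch-all REJECT. The config excerpt and ruleset are constructed.
"""

VSFTPD_CONF = """\
# constructed /etc/vsftpd/vsftpd.conf excerpt
listen=YES
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50100
"""

RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""


def parse_vsftpd_conf(text):
    """key=value lines -> dict; comments and blank lines are ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def passive_range(conf):
    """(min, max) of the passive data ports, or None when passive mode is off
    or the range is left at vsftpd's default of 0 (any free port), which
    cannot be expressed as a fixed --dport rule."""
    if conf.get("pasv_enable", "YES").upper() != "YES":
        return None
    lo = int(conf.get("pasv_min_port", "0"))
    hi = int(conf.get("pasv_max_port", "0"))
    if lo == 0 or hi == 0:
        return None
    if not (1024 <= lo <= hi <= 65535):
        raise ValueError("unusable pasv range %d:%d" % (lo, hi))
    return lo, hi


def passive_rule(conf, chain="RH-Firewall-1-INPUT"):
    """The NEW-state ACCEPT rule for the passive range, in the thread's rule style."""
    rng = passive_range(conf)
    if rng is None:
        return None
    return ("-A %s -m state --state NEW -m tcp -p tcp --dport %d:%d -j ACCEPT"
            % (chain, rng[0], rng[1]))


def insert_before_reject(ruleset, rule, chain="RH-Firewall-1-INPUT"):
    """Return the ruleset with `rule` placed directly above the chain's REJECT.
    Idempotent: a rule that is already present is not added twice."""
    lines = ruleset.splitlines()
    if rule in lines:
        return "\n".join(lines)
    for i, line in enumerate(lines):
        if line.startswith("-A %s " % chain) and " -j REJECT" in line:
            return "\n".join(lines[:i] + [rule] + lines[i:])
    raise ValueError("chain %s has no REJECT rule to insert before" % chain)


def rules_needed(conf, helper_loaded):
    """Nothing to add when the conntrack FTP helper is loaded (the passive data
    connection is RELATED and the ESTABLISHED,RELATED rule accepts it);
    otherwise the explicit range rule."""
    if helper_loaded:
        return []
    rule = passive_rule(conf)
    return [rule] if rule else []


if __name__ == "__main__":
    conf = parse_vsftpd_conf(VSFTPD_CONF)
    for rule in rules_needed(conf, helper_loaded=False):
        print(insert_before_reject(RULESET, rule))
```

On the box itself, `helper_loaded` corresponds to `lsmod | grep conntrack_ftp` showing the module; the rule this prints is the one to add to /etc/sysconfig/iptables only in the no-helper case, and in neither case does a `--dport 20` rule do anything for the data channel.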
 
All times are GMT -5.