Not able to upload file from different LAN in Centos
We have CentOS on our server..
Well, a client wants to host their website with us... We can upload it from the LAN but it is not possible from a different LAN.. What could be the reason?
The output of iptables -L shows:
Code:
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp-data
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
If FTP port 20 is closed, how are we able to upload it from the LAN then?
So FTP is obviously a nasty protocol to get through a firewall. In what way does it not work? Does it never log in, or do files specifically not transfer? Have they tried using active and passive mode? Could they use sftp instead for a much simpler experience?
Your rulebase in "iptables -vnL" format might be more useful.
If this server has a single interface then it looks like the issue for ftp-data connections failing is likely to be down to something else between them and you that you don't have locally: your public firewall, or theirs, etc. You can check lsmod to see that the ftp conntrack module is loaded, but if it's working for you it sounds like it already is.
Again, your full rule base would possibly help here.
Well, yes, we can upload it using their username and password from our LAN, but they are not able to upload it from there.. We don't have any firewalls out here though, but I guess FTP port 20 has been blocked somewhere in the ACL of the router for outsiders..
And by 'full rule base' do you mean the iptables rules?
your rulebase in "iptables -vnL" format might be more useful.
FTP port 20 is not a destination port in FTP. In active mode that is the *SOURCE* port of the connection created by the *SERVER* to the client. In passive mode, it's not used, unless the FTP server is explicitly tethered to use that as the data port. So it's not likely that it's blocked, but that a device is not inspecting the FTP control traffic to track the data connection's validity, so it's being rejected implicitly.
That means when we log in directly we are using active FTP, right? And for that, in our iptables rule we should give it as sport instead of dport, right?
Well, can you please have a look at my iptables rule above and comment on it, because it's given as sport so..
No, the login / control data flow is identical; it's how the additional FTP data connection is established, which you don't do yourself, that is the difference. With sftp etc. these things do not exist, so if sftp is available, they would do better to use that instead.
Yet again you've not provided the rulebase as requested, but in reality it can't really matter. If it works for you, the server rulebase is not the issue.
You can see that the counters there say just about nothing has hit port 20. That line is not relevant to the FTP environment. Files already sent over FTP will be covered by the "RELATED" entry.
Yet again though, the problem is likely to be elsewhere. You're using this box fine from where you are, and the rulebase makes no distinction between you or anyone else.
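The active/passive distinction the reply above draws, as an added example that is not part of any post in this thread: a small Python script that parses the two control-channel messages that set up an FTP data connection (the client's PORT command and the server's 227 reply, both encoded as in RFC 959), reports which side initiates the data connection and at which end it arrives inbound, and then checks whether a server-side INPUT rule on a given destination port could ever match it. The IP addresses and ports are constructed sample values.

```python
"""Which side opens the FTP data connection, and which firewall sees it.

Added example, not from any post in this thread.  It parses the two
control-channel messages that set up a data connection (RFC 959 PORT
command and 227 passive reply) and reports who connects where.  All
addresses and ports are constructed sample values.
"""
import re

# Both PORT and 227 carry the endpoint as h1,h2,h3,h4,p1,p2 (port = p1*256+p2).
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Return (ip, port) from the h1,h2,h3,h4,p1,p2 tuple inside text."""
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    parts = [int(x) for x in m.groups()]
    if any(p > 255 for p in parts):
        raise ValueError("byte out of range in %r" % text)
    return ".".join(str(p) for p in parts[:4]), parts[4] * 256 + parts[5]


def data_connection(control_line, client_ip, server_ip):
    """Describe the data connection implied by one control-channel line.

    Active:  client sends 'PORT ...'; the SERVER connects from its port 20
             to the address/port the client announced (inbound at the client).
    Passive: server answers '227 ...'; the CLIENT connects to the address/port
             the server announced (inbound at the server).
    """
    line = control_line.strip()
    if line.upper().startswith("PORT "):
        ip, port = parse_hostport(line)
        return {"mode": "active", "initiator": "server",
                "src": (server_ip, 20), "dst": (ip, port),
                "inbound_at": "client"}
    if line.startswith("227"):
        ip, port = parse_hostport(line)
        return {"mode": "passive", "initiator": "client",
                "src": (client_ip, None), "dst": (ip, port),   # None: ephemeral
                "inbound_at": "server"}
    raise ValueError("not a PORT command or 227 reply: %r" % line)


def server_input_rule_matches(conn, dport):
    """Would a server-side INPUT rule 'tcp --dport <dport>' see this connection?

    Only packets arriving at the server traverse INPUT.  In active mode the
    server initiates, so no inbound SYN ever carries dport 20; a rule on
    port 20 can therefore never accept FTP data traffic.
    """
    return conn["inbound_at"] == "server" and conn["dst"][1] == dport


if __name__ == "__main__":
    client, server = "198.51.100.7", "192.0.2.10"          # constructed
    for msg in ("PORT 198,51,100,7,4,1",
                "227 Entering Passive Mode (192,0,2,10,195,80)"):
        c = data_connection(msg, client, server)
        print("%-46s %s mode: %s connects %s:%s -> %s:%s" % (
            msg, c["mode"], c["initiator"], c["src"][0], c["src"][1] or "*",
            c["dst"][0], c["dst"][1]))
        print("   server INPUT --dport 20 would match: %s"
              % server_input_rule_matches(c, 20))
```

The script makes the reply's point concrete: in active mode the only firewall that needs to admit the data connection is the one in front of the client (the server connects outbound from port 20), and in passive mode it is the server's firewall on whatever port the 227 reply announced, never port 20.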
Code:
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 20 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
So are the rules OK, or should I make it sport for FTP port 20?
And I have read somewhere that we should add the pasv_max_port and pasv_min_port mentioned in the vsftpd.conf file along with TCP ports 20 and 21 in iptables... how far is that true?
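Added example, not from any post in this thread: a Python audit of an iptables-save rule set against a vsftpd passive port range, answering the two questions in the post above. The rule set is a constructed subset of the one posted; the vsftpd.conf values (pasv_min_port=50000, pasv_max_port=50100) are hypothetical; and the module names ip_conntrack_ftp/nf_conntrack_ftp in the comments are the kernel's FTP connection-tracking helper (older and newer name), assumed here rather than stated on the page.

```python
"""Audit an iptables-save rule set for FTP data-connection reachability.

Added example for this thread (not forum or distro tooling); standard
library only.  Inputs below are constructed: a subset of the posted
rule set and a hypothetical vsftpd.conf passive range.
"""
import re

IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 20 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

VSFTPD_CONF = """\
# constructed sample values, not from the thread
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50100
"""


def parse_rules(text):
    """Turn '-A <chain> <matches> -j <target> ...' lines into dicts."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("-A "):
            continue
        head, sep, tail = line.partition(" -j ")
        if not sep:
            continue
        _, chain, matches = (head.split(None, 2) + [""])[:3]
        rules.append({"chain": chain, "matches": matches,
                      "target": tail.split()[0]})
    return rules


def dport_range(matches):
    """Return (lo, hi) for '--dport N' or '--dport N:M', else None."""
    m = re.search(r"--dport\s+(\d+)(?::(\d+))?", matches)
    if not m:
        return None
    lo = int(m.group(1))
    return lo, int(m.group(2) or lo)


def parse_pasv_range(conf):
    """Passive range from vsftpd.conf; None if passive is off or unbounded
    (vsftpd treats pasv_min_port/pasv_max_port of 0 as 'any port')."""
    kv = {}
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            k, v = line.split("=", 1)
            kv[k.strip()] = v.strip()
    if kv.get("pasv_enable", "YES").upper() != "YES":
        return None
    lo, hi = int(kv.get("pasv_min_port", 0)), int(kv.get("pasv_max_port", 0))
    return (lo, hi) if lo and hi else None


def audit(iptables_text, vsftpd_conf, chain="RH-Firewall-1-INPUT"):
    """Is the control port open, is RELATED accepted, does the 'dport 20'
    line do anything, and is the passive range reachable even when the
    FTP conntrack helper is not loaded?"""
    rules = [r for r in parse_rules(iptables_text) if r["chain"] == chain]
    tcp_accepts = [dport_range(r["matches"]) for r in rules
                   if r["target"] == "ACCEPT" and "-p tcp" in r["matches"]]

    def accepted(port):
        return any(rng and rng[0] <= port <= rng[1] for rng in tcp_accepts)

    pasv = parse_pasv_range(vsftpd_conf)
    return {
        "control_port_21_open": accepted(21),
        # With ip_conntrack_ftp/nf_conntrack_ftp loaded, data connections
        # are RELATED and this single line is what lets them in.
        "related_established_present": any(
            "RELATED" in r["matches"] and r["target"] == "ACCEPT" for r in rules),
        # An INPUT rule on dport 20 can only match a SYN *arriving* at the
        # server on port 20; FTP never sends one (20 is the server's source
        # port in active mode), so this line is dead weight, not a fix.
        "inbound_dport_20_rule_present": accepted(20),
        "passive_range": pasv,
        # Without the helper, passive data connections arrive as NEW and
        # need an explicit accept covering the whole pasv_min:pasv_max range.
        "passive_range_covered_without_helper": (
            pasv is not None
            and all(accepted(p) for p in range(pasv[0], pasv[1] + 1))),
    }


if __name__ == "__main__":
    for key, value in audit(IPTABLES_SAVE, VSFTPD_CONF).items():
        print("%-40s %s" % (key, value))
```

Read against the thread: with the FTP conntrack helper loaded, the existing ESTABLISHED,RELATED line already admits both active and passive data connections, and neither a dport nor an sport rule for port 20 is needed. Without the helper, the passive range from vsftpd.conf has to be accepted explicitly (a single `--dport 50000:50100` rule in this sample), which is the grain of truth in the advice the poster read; port 20 itself still needs nothing on INPUT either way.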