LinuxQuestions.org
Support LQ: Use code LQ3 and save $3 on Domain Registration
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 03-16-2012, 03:35 AM   #1
SarahGurung
Member
 
Registered: Jul 2011
Posts: 322

Rep: Reputation: Disabled
Not able to upload file from different LAN in Centos


We have centos i our server..

Well a client wants to host their website with us...We can upload it form the LAN but it is not possible form different LAN.. What could be the reason?

The iptables -L shows:
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
RH-Firewall-1-INPUT  all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
RH-Firewall-1-INPUT  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere            icmp any 
ACCEPT     esp  --  anywhere             anywhere            
ACCEPT     ah   --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp 
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp-data 
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

if ftp port 20 is closed how are we able to upload it from the LAN then
 
Old 03-16-2012, 04:28 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974
upload how?? there are a dozen ways to move a file between two systems.
 
Old 03-16-2012, 04:32 AM   #3
SarahGurung
Member
 
Registered: Jul 2011
Posts: 322

Original Poster
Rep: Reputation: Disabled
upload using ftp client..

The customer who wants to upload his website is in different country...When we tested by uploading a file from our LAN it worked..
 
Old 03-16-2012, 04:33 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974
so FTP is obviously a nasty protocol to get through a firewall, in what way does it not work? does it never log in, or do files specifically not transfer? have they tried using active and passive mode? could they use sftp instead for a much simpler experience?

your rulebase in "iptables -vnL" format might be more useful.
 
Old 03-16-2012, 04:35 AM   #5
SarahGurung
Member
 
Registered: Jul 2011
Posts: 322

Original Poster
Rep: Reputation: Disabled
how do we do that?
 
Old 03-16-2012, 04:54 AM   #6
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974
do what?
 
Old 03-16-2012, 05:03 AM   #7
SarahGurung
Member
 
Registered: Jul 2011
Posts: 322

Original Poster
Rep: Reputation: Disabled
ya they can login but they arent able to upload their site..

u told abt passive and active mode and also abt ssftp so was asking abt dat...
 
Old 03-16-2012, 05:09 AM   #8
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974
abt? really?

if this server has a single interface then it looks like the issue for ftp-data connections failing is likely to be down to something else between them and you that you don't have locally, your public firewall, or theirs etc. you can check lsmod to see that the ftp conntrack module is loaded, but if it's working for you it sounds like it already is.

Again, your full rule base would possibly help here.
 
Old 03-16-2012, 05:26 AM   #9
SarahGurung
Member
 
Registered: Jul 2011
Posts: 322

Original Poster
Rep: Reputation: Disabled
Well ya we can upload it using their username and password from our LAN but they are not able to upload it from there..We don't have any firewalls out here though but i guess ftp port 20 has been blocked somewhere in the acl of router for outsiders..

And by 'full rule base' do you mean the iptables rules?
 
Old 03-16-2012, 05:31 AM   #10
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974
Quote:
your rulebase in "iptables -vnL" format might be more useful.
FTP port 20 is not a destination port in FTP. In active mode that is the *SOURCE* port of the connection created by the *SERVER* to the client. In passive mode, it's not used, unless the ftp server is explicitly tethered to use that as the data port. So it's not likely to be that it's blocked, but that a device is not inspecting the ftp control traffic to track the data connections validity, so being rejected implicitly.

http://www.linuxhowtos.org/Misc/ftpmodes.htm
 
Old 03-16-2012, 05:56 AM   #11
SarahGurung
Member
 
Registered: Jul 2011
Posts: 322

Original Poster
Rep: Reputation: Disabled
That means when we login in directly we are using active ftp right? And for that in our iptables rule we should give it as sport instead of dport right?

Well can you please have a look at my iptables rule above and comment on it because it's given as sport so..
 
Old 03-16-2012, 05:58 AM   #12
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974
no, the login / control data flow is identical, it's how the additional ftp data connection is established, which you don't do yourself, is the difference. With sftp etc, these things do not exist, so if sftp is available, they would do better to use that instead.

yet again you've not provided the rulebase as requested, but in reality it can't really matter. if it works for you, the server rulebase is not the issue.
 
Old 03-16-2012, 06:06 AM   #13
SarahGurung
Member
 
Registered: Jul 2011
Posts: 322

Original Poster
Rep: Reputation: Disabled
well de output of ipables -vnL is:

Code:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
2624K  330M RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 2016K packets, 5687M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
 2088 2613K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
53908 3862K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 255 
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251         udp dpt:5353 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:631 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:631 
2487K  319M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
 2241  133K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21 
 2082  125K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
  357 21384 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443 
74933 4093K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80 
   17   988 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:20 
 1155 98813 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
Is it in our configuration part to login either via active or passive?

And it also means ftp port 20 is dport only right?
 
Old 03-16-2012, 06:15 AM   #14
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974
you can see that the counters there say just about nothing has hit port 20. that line is not relevant to the ftp environment. files already sent over ftp will be being covered by the "RELATED" entry.

yet again though, the problem is likely to be elsewhere. You're using this box fine from where you are, and the rulebase makes no distinction between you or anyone else.
 
Old 03-16-2012, 06:31 AM   #15
SarahGurung
Member
 
Registered: Jul 2011
Posts: 322

Original Poster
Rep: Reputation: Disabled
oh k k... Thanks..

Well my iptables rules contain:

Code:
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 20 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
So is the rules ok or should i make it to sport for ftp port 20?

And i have read it somewhere that we should add the pasv_max_port and pasv_min_port mentioned in the vsftpd.conf file along with the tcp port 20 and 21 in iptables...how far is that true?
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
vsftp password upload wan ano download lan help? carpman Linux - Server 1 07-29-2010 12:10 PM
Upload file to ftp server -vsftp- but can not delete or change the file once uploaded murattas6 Linux - Server 2 06-26-2009 07:00 AM
FTP download/upload at LAN (RHEL 5) RazifJunaidi Linux - Networking 3 04-18-2008 09:38 AM
CentOS 5 + vsftpd + upload = error diezzler Linux - Networking 3 01-18-2008 11:59 AM
web server (fedora core 5) became read-only file system after i upload a file nggs8411 Linux - Server 1 03-26-2007 10:23 AM


All times are GMT -5. The time now is 02:16 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration