Old 02-03-2004, 12:09 PM   #1
AmdMhz
Member
 
Registered: Jan 2004
Location: Indiana
Distribution: Debian, OpenSUSE
Posts: 142

Rep: Reputation: 15
Configuring FTP in Red Hat


Hi all. I have FTP running and can connect on the local machine. Any other machine on my network cannot, due to "connection refused", which means port 21 is not enabled on my Linux box. For the life of me I cannot find what file I need to edit to enable port 21. I looked in my Linux bible and still do not understand. Could someone help me out?

Thanks for your help. I appreciate it.
 
Old 02-03-2004, 01:03 PM   #2
g-rod
Member
 
Registered: Dec 2003
Location: Long Island, NY USA
Distribution: RedHat, SUSE
Posts: 336

Rep: Reputation: 30
Since you are running Red Hat I assume that you are using vsftpd. If this assumption is wrong, what FTP server are you using?
You are able to ftp to the server locally, correct?
You might be firewalling the connection. Post the output of
iptables -L -n;
cat /etc/vsftpd/vsftpd.conf;
To clear the firewall run
iptables -F;
 
Old 02-03-2004, 01:09 PM   #3
phpjames
LQ Newbie
 
Registered: May 2002
Posts: 11

Rep: Reputation: 0
Or if you want a visual aid, from a terminal prompt type:

Setup - Firewall - Customize and select FTP.

You can then see what the outside sees by running an nmap scan on your machine.

$ nmap localhost
 
Old 02-03-2004, 01:12 PM   #4
AmdMhz
Member
 
Registered: Jan 2004
Location: Indiana
Distribution: Debian, OpenSUSE
Posts: 142

Original Poster
Rep: Reputation: 15
g-rod

Thanks for your help.

[root@localhost etc]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Lokkit-0-50-INPUT all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Lokkit-0-50-INPUT all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Lokkit-0-50-INPUT (2 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 flags:0x16/0x02
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:67:68 dpts:67:68
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:67:68 dpts:67:68
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:0:1023 flags:0x16/0x02 reject-with icmp-port-unreachable
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2049 flags:0x16/0x02 reject-with icmp-port-unreachable
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:0:1023 reject-with icmp-port-unreachable
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:2049 reject-with icmp-port-unreachable
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:6000:6009 flags:0x16/0x02 reject-with icmp-port-unreachable
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7100 flags:0x16/0x02 reject-with icmp-port-unreachable

# Example config file /etc/vsftpd.conf
#
# The default compiled in settings are very paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
#
# Allow anonymous FTP?
anonymous_enable=YES
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that turning on ascii_download_enable enables malicious remote parties
# to consume your I/O resources, by issuing the command "SIZE /big/file" in
# ASCII mode.
# These ASCII options are split into upload and download because you may wish
# to enable ASCII uploads (to prevent uploaded scripts etc. from breaking),
# without the DoS risk of SIZE and ASCII downloads. ASCII mangling should be
# on the client anyway..
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd.banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd.chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES

pam_service_name=vsftpd
userlist_enable=YES
#enable for standalone mode
listen=YES
 
Old 02-03-2004, 01:21 PM   #5
g-rod
Member
 
Registered: Dec 2003
Location: Long Island, NY USA
Distribution: RedHat, SUSE
Posts: 336

Rep: Reputation: 30
Yeah, you are firewalling the ftp-data connection. Stop iptables and test.
As root try
/etc/init.d/iptables stop;
Then try to ftp to the server; it should work.
If it works then we can work on setting up the firewall to allow ftp.
 
Old 02-04-2004, 10:23 AM   #6
AmdMhz
Member
 
Registered: Jan 2004
Location: Indiana
Distribution: Debian, OpenSUSE
Posts: 142

Original Poster
Rep: Reputation: 15
g-rod

That worked, man. Now all I need to do is set up the firewall again. I would like to do it by command line instead of GUI. Can you help me with that if you have time? If you don't, that is ok too. Take care, man.

Thanks
 
Old 02-04-2004, 12:07 PM   #7
AmdMhz
Member
 
Registered: Jan 2004
Location: Indiana
Distribution: Debian, OpenSUSE
Posts: 142

Original Poster
Rep: Reputation: 15
Never mind my last question. I figured it out, but I have one last one.
 
Old 02-04-2004, 12:11 PM   #8
g-rod
Member
 
Registered: Dec 2003
Location: Long Island, NY USA
Distribution: RedHat, SUSE
Posts: 336

Rep: Reputation: 30
That's cool. Using the command line is the only way to go. That way you know what the heck is going on. I will give you some general information about iptables and how Red Hat saves the configuration.
iptables is constructed with rules in three chains. A chain has a default policy. If no rules match in the chain, the default policy is applied. To see what the rules are in the chain run
iptables -L;
The default chains are INPUT, OUTPUT, FORWARD. A data packet falls into one of these as follows.
When a connection attempt is being made to the machine it is in the INPUT chain.
When a connection is being made from the machine it is in the OUTPUT chain.
If the connection is being routed through the machine it is in the FORWARD chain.
When a match is made on a rule, iptables jumps to the jump rule defined with -j, stops checking the rules in that chain and follows the jump. The jump can be a default one (ACCEPT, DENY, DROP) or a user-defined chain.

Reviewing the iptables dump in your previous post for an ftp connection attempt to the server, we can see that the first (and only) rule matches our connection attempt and sends us to the user-defined chain RH-Lokkit-0-50-INPUT. The first rule in that chain matches our attempt. So the packet is accepted, but ftp also opens an ftp-data connection back to the machine.
Here is a link describing the ftp protocol.
http://war.jgaa.com/ftp/?cmd=show_page&ID=ftp_pasv

I think these will open ftp up for you.
iptables -A INPUT -p tcp --dport ftp -j ACCEPT
iptables -A INPUT -p tcp --dport ftp-data -j ACCEPT
iptables -A INPUT -p udp --dport ftp -j ACCEPT
iptables -A INPUT -p udp --dport ftp-data -j ACCEPT
iptables -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
To save the changes you can run
/etc/init.d/iptables save;
This writes the rules to /etc/sysconfig/iptables, and they are reread when you run /etc/iptables start.
Hope this helps.
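The chain-walking rules in the post above (first match wins, -j into a user chain, fall back to the built-in chain's policy) can be replayed offline against an `iptables -L -n` dump before saving a ruleset. This is an added example, not code from the thread; the dump it parses is constructed to mirror the one posted earlier, with the bare "ACCEPT all" line left out because `-L -n` hides the interface match that line carries (use `-L -n -v` or `iptables-save` to see it).

```python
import re

# Constructed dump modelled on the one posted earlier in this thread.
# `-L -n` hides interface matches, so its bare "ACCEPT all" line is omitted.
DUMP = """\
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Lokkit-0-50-INPUT all -- 0.0.0.0/0 0.0.0.0/0

Chain RH-Lokkit-0-50-INPUT (2 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 flags:0x16/0x02
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:0:1023 flags:0x16/0x02 reject-with icmp-port-unreachable
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2049 flags:0x16/0x02 reject-with icmp-port-unreachable
"""
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def parse(dump):
    """Return {chain: (policy or None, [(target, proto, (lo, hi) or None, syn_only)])}."""
    chains, cur = {}, None
    for line in dump.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\S+)|\d+ references)\)", line)
        if m:
            cur = chains.setdefault(m.group(1), (m.group(2), []))
        elif line.strip() and not line.startswith("target "):
            f = line.split()
            extra = " ".join(f[5:])
            pm = re.search(r"dpts?:(\d+)(?::(\d+))?", extra)
            ports = (int(pm.group(1)), int(pm.group(2) or pm.group(1))) if pm else None
            # flags:0x16/0x02 means "SYN set, ACK/RST clear": new connections only
            cur[1].append((f[0], f[1], ports, "flags:0x16/0x02" in extra))
    return chains

def verdict(chains, chain, proto, dport, syn=True):
    """First match wins; an unmatched user chain RETURNs to its caller, and the
    built-in chain's policy decides when nothing matched at all."""
    policy, rules = chains[chain]
    for target, rproto, ports, syn_only in rules:
        if rproto not in ("all", proto) or (syn_only and not syn):
            continue
        if ports and not ports[0] <= dport <= ports[1]:
            continue
        if target in TERMINAL:
            return target
        if target in chains:                   # -j <user chain>
            v = verdict(chains, target, proto, dport, syn)
            if v != "RETURN":
                return v
    return policy or "RETURN"
```

Probing port 21 gives ACCEPT while port 20 (ftp-data) hits the 0:1023 REJECT, which is exactly the active-mode data connection the post says is being firewalled; a passive-mode high port falls through both chains to the INPUT policy.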