LinuxQuestions.org


Huamin 05-31-2019 04:23 AM

Problem to FTP
 
Hi,
Here is the IP of the CentOS server.
Code:

[root@CentOS65x64 vsftpd]# ifconfig
eth13 Link encap:Ethernet HWaddr 08:00:27:03:62:E2
inet6 addr: fe80::a00:27ff:fe03:62e2/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:301 errors:0 dropped:0 overruns:0 frame:0
TX packets:418 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:81957 (80.0 KiB) TX bytes:141372 (138.0 KiB)

eth14 Link encap:Ethernet HWaddr 08:00:27:EE:CA:AF
inet addr:113.255.213.124 Bcast:113.255.223.255 Mask:255.255.240.0
inet6 addr: fe80::a00:27ff:feee:caaf/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:879528 errors:0 dropped:0 overruns:0 frame:0
TX packets:31662 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:222411874 (212.1 MiB) TX bytes:2762135 (2.6 MiB)

I've enabled FTP on it, but I get an error like the attached when accessing this:

ftp://113.255.213.124/

tyler2016 05-31-2019 05:30 AM

Is your firewall running?

Code:

iptables -L

What happens if you do this from the server:

Code:

ftp localhost

TB0ne 05-31-2019 07:00 AM

Quote:

Originally Posted by Huamin (Post 6000673)
Hi,
Here is the IP of the CentOS server.
Code:

[root@CentOS65x64 vsftpd]# ifconfig
eth13    Link encap:Ethernet  HWaddr 08:00:27:03:62:E2 
          inet6 addr: fe80::a00:27ff:fe03:62e2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:301 errors:0 dropped:0 overruns:0 frame:0
          TX packets:418 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:81957 (80.0 KiB)  TX bytes:141372 (138.0 KiB)

eth14    Link encap:Ethernet  HWaddr 08:00:27:EE:CA:AF 
          inet addr:113.255.213.124  Bcast:113.255.223.255  Mask:255.255.240.0
          inet6 addr: fe80::a00:27ff:feee:caaf/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:879528 errors:0 dropped:0 overruns:0 frame:0
          TX packets:31662 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:222411874 (212.1 MiB)  TX bytes:2762135 (2.6 MiB)

I've enabled FTP on it, but I get an error like the attached when accessing this: ftp://113.255.213.124/

Again, as with MANY of your previous threads, you omit any relevant details. Version of CentOS? Which FTP server? Ability to connect to it from other clients? Can you even ping it? Have you done **ANY** diagnostics at all? What FTP client are you using on Windows? Because just banging ftp://.... into your web browser probably won't work the way you want it to.

And you've been asked a LOT of times to stop posting tiny screen shots of things...and you don't, as in previous threads along the same vein as this, or the MANY others where you never come back, such as these recent threads:
https://www.linuxquestions.org/quest...st-4175653537/
https://www.linuxquestions.org/quest...ce-4175653928/
https://www.linuxquestions.org/quest...es-4175653659/
https://www.linuxquestions.org/quest...le-4175649005/

Huamin 06-01-2019 01:48 AM

Tyler,
Here is what I've got:
Code:

[root@CentOS65x64 huamin]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 192.168.122.0/24 state RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@CentOS65x64 huamin]# ftp localhost
Trying ::1...
ftp: connect to address ::1Connection refused
Trying 127.0.0.1...
ftp: connect to address 127.0.0.1Connection refused
Trying 113.255.213.173...
ftp: connect: No route to host

Turbocapitalist 06-01-2019 03:11 AM

Quote:

Originally Posted by Huamin (Post 6000940)
Here is what I've got ...

It's not as easy as you think it is. You'll spend scores of hours on this project if you pursue FTP instead of an appropriate protocol, and time is money, among other things. FTP and any kind of filtering on the server side, or even NAT, do not get along. Read up on how both passive and active FTP actually work. You'll need to receive arbitrary incoming connections. The FTP protocol is left over from the 1970s and is not only completely insecure but also nearly impossible to set up and get running on a modern network. In light of that, I would ask you to reassess your use-cases and turn to the modern protocols:

1. anonymous, encrypted download : https
2. anonymous, unencrypted download : http
3. logged in, encrypted download : sftp or else https + BasicAuth
4. logged in, encrypted upload : sftp

FTP was great in its day, but its time has long since passed, by a few decades. Don't use it. Use SFTP, HTTPS, or HTTP nowadays.

tshikose 06-01-2019 03:34 AM

Hi,

You seem not to have FTP allowed through your firewall. You should have had an FTP rule similar to the SSH one (I put it in bold) in the INPUT chain of the filter table.
Quote:

Originally Posted by Huamin (Post 6000940)
...

[root@CentOS65x64 huamin]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
...

Turbocapitalist 06-01-2019 03:40 AM

Quote:

Originally Posted by tshikose (Post 6000946)
You should have had an FTP rule similar to the SSH one (I put it in bold) in the INPUT chain of the filter table.

Nope. Two rules are needed for sad old FTP, in addition to the right kind of network, one that allows direct access from the outside to all ports, high and low.

Even in passive FTP, two rules are needed on the server. One is obviously needed for the incoming control connection, as you point out. However, a second one on an arbitrary high port needs to be allowed for the data connection. That port is not known in advance, so all high ports must be allowed in. That greatly reduces the efficacy of the packet filter, not that packet filters are much use anyway.

FTP has had proper replacements for over 20 years. It is long past time to put it to rest and use more practical protocols instead.

tshikose 06-01-2019 04:14 AM

Hi Turbocapitalist,

You are right, he also needs to enable the FTP connection tracking module for passive FTP.

In CentOS version 7, the below commands are enough, as the module activation is included in the FTP service configuration.
Code:

firewall-cmd --permanent --add-service=ftp
firewall-cmd --reload

Huamin 06-01-2019 11:03 PM

Quote:

Originally Posted by tshikose (Post 6000954)
Hi Turbocapitalist,

You are right, he also needs to enable the FTP connection tracking module for passive FTP.

In CentOS version 7, the below commands are enough, as the module activation is included in the FTP service configuration.
Code:

firewall-cmd --permanent --add-service=ftp
firewall-cmd --reload

I installed vsftpd on the current CentOS. What else do I need to enable (regarding FTP) on it?

tshikose 06-02-2019 02:36 AM

I just gave the commands above.
Which version of CentOS are you using?

Huamin 06-02-2019 05:42 AM

Here is the version:

centos-release-6-10.el6.centos.12.3.x86_64

TB0ne 06-02-2019 10:07 AM

Quote:

Originally Posted by Huamin (Post 6001241)
Here is the version:

centos-release-6-10.el6.centos.12.3.x86_64

...and you seem to ignore post #3, where you were specifically asked these things. Some reason for that???

You were asked about which FTP server, and you FINALLY told us vsftpd, but (again) don't mention the version. Still don't tell us about the environment, either....is this an intranet? Internal server? Public server?? How you use it and what for can determine what you need on it. You were given commands, and don't appear to have even tried them. You were told specifically to NOT use FTP, but rather use any of the MUCH better/more secure options, such as SCP/SFTP.

Why are you posting, if you're not going to acknowledge things, try commands, or take advice when offered?? Most of the time you don't even follow up in any of your threads.

tshikose 06-03-2019 02:09 AM

Hi,

As you are using CentOS 6, things are different. But the aim is still to activate the connection tracking module for passive FTP, in addition to allowing the FTP port.

Launch the command below to allow the FTP port in your firewall. Ensure it is somehow reflected in your /etc/sysconfig/iptables.
Code:

iptables -t filter -I INPUT 8 -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT

I am inserting it just before the SSH rule (8th position), according to your posting #4 of your current iptables configuration. The main goal is for the rule to be before the last rejecting one.

Then in /etc/sysconfig/iptables-config add the below line.
Code:

IPTABLES_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns"

Finally, restart the iptables service with:
Code:

service iptables restart

It is all from memory, as it is a long time since I used version 6.
So you had better check everything and know what you are doing before applying it.

Furthermore, stop ignoring TB0ne's advice. He gives it for a reason, and his reasons seem good ones to me.

Huamin 06-03-2019 08:47 PM

Good day Tshikose,
Here is the file /etc/sysconfig/iptables:
Code:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

I have also added that line to /etc/sysconfig/iptables-config.

Here is what I've got:
Code:

[root@CentOS65x64 huamin]# service iptables restart
iptables: Setting chains to policy ACCEPT: nat mangle filte[ OK ]
iptables: Flushing firewall rules: [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
iptables: Loading additional modules: nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns [ OK ]

But I still have the same issue accessing
ftp://113.255.213.124/

tyler2016 06-04-2019 06:57 PM

Quote:

Originally Posted by tshikose (Post 6001494)
Hi,

As you are using CentOS 6, things are different. But the aim is still to activate the connection tracking module for passive FTP, in addition to allowing the FTP port.

Launch the command below to allow the FTP port in your firewall. Ensure it is somehow reflected in your /etc/sysconfig/iptables.
Code:

iptables -t filter -I INPUT 8 -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT

I am inserting it just before the SSH rule (8th position), according to your posting #4 of your current iptables configuration. The main goal is for the rule to be before the last rejecting one.

Then in /etc/sysconfig/iptables-config add the below line.
Code:

IPTABLES_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns"

Finally, restart the iptables service with:
Code:

service iptables restart

It is all from memory, as it is a long time since I used version 6.
So you had better check everything and know what you are doing before applying it.

Furthermore, stop ignoring TB0ne's advice. He gives it for a reason, and his reasons seem good ones to me.

If I remember right, you need to use the helper module in your rules as well:

Code:

-A INPUT -m helper --helper "ftp"  -m state --state RELATED -j ACCEPT
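A read-only check for the CentOS 6 setup the posts above describe, added here as an example and not part of any post in the thread: it scans an iptables-save style /etc/sysconfig/iptables and an iptables-config file for the port-21 ACCEPT sitting before the REJECT, an ACCEPT for RELATED traffic (the data connection the nf_conntrack_ftp helper marks), and the helper module in IPTABLES_MODULES. Function names and the sample files are constructed for the demo.

```bash
# Added example, not from the thread: check a CentOS 6 style
# /etc/sysconfig/iptables (iptables-save format) and iptables-config for
# what passive FTP needs. Function names and sample files are constructed.

# 0 if filter/INPUT has a tcp --dport 21 ACCEPT before the chain's first REJECT
check_ftp_control_rule() {
    awk '
        /^\*/             { table = substr($0, 2) }   # *filter, *nat, ...
        table != "filter" { next }
        /^-A INPUT / {
            n++
            if (!accept && $0 ~ /-p tcp/ && $0 ~ /--dport 21( |$)/ && $0 ~ /-j ACCEPT/) accept = n
            if (!reject && $0 ~ /-j REJECT/) reject = n
        }
        END { ok = accept && (!reject || accept < reject); exit ok ? 0 : 1 }
    ' "$1"
}

# 0 if filter/INPUT accepts RELATED packets, i.e. the data connection the
# nf_conntrack_ftp helper marks (generic state rule or the -m helper form)
check_ftp_data_rule() {
    grep -Eq '^-A INPUT .*(--state [A-Z,]*RELATED|--helper "?ftp"?).*-j ACCEPT' "$1"
}

# 0 if iptables-config loads the FTP helper (nf_nat_ftp only matters behind NAT)
check_ftp_helper_module() {
    grep -Eq '^IPTABLES_MODULES=.*nf_conntrack_ftp' "$1"
}

# Constructed samples: the ruleset the thread ends up with, and a broken one
# where the port-21 ACCEPT sits after the REJECT and is therefore never reached.
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/iptables.ok" <<'EOF'
*filter
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
cat > "$DEMO_DIR/iptables.bad" <<'EOF'
*filter
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
COMMIT
EOF
printf 'IPTABLES_MODULES="nf_conntrack_ftp nf_nat_ftp"\n' > "$DEMO_DIR/iptables-config.ok"
printf 'IPTABLES_MODULES=""\n' > "$DEMO_DIR/iptables-config.bad"
for f in ok bad; do  # on a real box: check_ftp_control_rule /etc/sysconfig/iptables
    check_ftp_control_rule "$DEMO_DIR/iptables.$f" && echo "$f: port 21 reachable" || echo "$f: port 21 blocked by REJECT"
done
```

The checks only read files; they say nothing about whether vsftpd is listening, which the `ftp localhost` test earlier in the thread covers.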

