Problem to FTP
Hi,
Here is IP of Cent OS server.
[root@CentOS65x64 vsftpd]# ifconfig
eth13     Link encap:Ethernet  HWaddr 08:00:27:03:62:E2
          inet6 addr: fe80::a00:27ff:fe03:62e2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:301 errors:0 dropped:0 overruns:0 frame:0
          TX packets:418 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:81957 (80.0 KiB)  TX bytes:141372 (138.0 KiB)
eth14     Link encap:Ethernet  HWaddr 08:00:27:EE:CA:AF
          inet addr:113.255.213.124  Bcast:113.255.223.255  Mask:255.255.240.0
          inet6 addr: fe80::a00:27ff:feee:caaf/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:879528 errors:0 dropped:0 overruns:0 frame:0
          TX packets:31662 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:222411874 (212.1 MiB)  TX bytes:2762135 (2.6 MiB)
I've enabled FTP on it but have got error like the attached, when accessing this ftp://113.255.213.124/ |
Is your firewall running?
Code:
iptables -L
Code:
ftp localhost |
Quote:
And you've been asked a LOT of times to stop posting tiny screen shots of things...and you don't, as in previous threads along the same vein as this, or the MANY others where you never come back, such as these recent threads:
https://www.linuxquestions.org/quest...st-4175653537/
https://www.linuxquestions.org/quest...ce-4175653928/
https://www.linuxquestions.org/quest...es-4175653659/
https://www.linuxquestions.org/quest...le-4175649005/ |
Tyler,
Here is what I've got
[root@CentOS65x64 huamin]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@CentOS65x64 huamin]# ftp localhost
Trying ::1...
ftp: connect to address ::1Connection refused
Trying 127.0.0.1...
ftp: connect to address 127.0.0.1Connection refused
Trying 113.255.213.173...
ftp: connect: No route to host |
Quote:
1. anonymous, encrypted download : https
2. anonymous, unencrypted download : http
3. logged in, encrypted download : sftp or else https + BasicAuth
4. logged in, encrypted upload : sftp
FTP was great in its day but its time is long since passed by a few decades. Don't use it. Use SFTP, HTTPS, or HTTP nowadays. |
Hi,
You seem to not have FTP allowed through your firewall. You should have had an FTP rule similar to the SSH one (I put it in bold) in the INPUT chain of filter table. Quote:
|
Quote:
Even in passive FTP, two rules are needed on the server. One is obviously needed for the incoming control connection, as you point out. However, a second one on an arbitrary high port needs to be allowed for the data connection. That port is not known in advance so all high ports must be allowed in. That greatly reduces the efficacy of the packet filter, not that packet filters are much use anyway. FTP has had proper replacements for over 20 years. It is long past time to put it to rest and use more practical protocols instead. |
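What "not known in advance" looks like on the wire, as an added example that is not part of the original thread: it decodes the data endpoint from constructed 227 replies (RFC 959 format) and tests whether a fixed port-range rule would admit it. The function names, the sample replies and the 50000:50100 range are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): decode the data endpoint a server
# announces in its reply to PASV, and test it against a static port range.

# Constructed sample replies to PASV on two successive transfers.
REPLY_1='227 Entering Passive Mode (113,255,213,124,195,80).'
REPLY_2='227 Entering Passive Mode (113,255,213,124,218,47).'

# pasv_endpoint REPLY -> prints "ip port"; returns 1 on a malformed reply.
# RFC 959 format: 227 text (h1,h2,h3,h4,p1,p2), port = p1*256 + p2.
pasv_endpoint() {
    printf '%s\n' "$1" | awk '
        !/^227 / { exit 1 }
        {
            if (!match($0, /\([0-9]+(,[0-9]+)+\)/)) exit 1
            n = split(substr($0, RSTART + 1, RLENGTH - 2), f, ",")
            if (n != 6) exit 1
            for (i = 1; i <= 6; i++) if (f[i] + 0 > 255) exit 1
            printf "%d.%d.%d.%d %d\n", f[1], f[2], f[3], f[4], f[5] * 256 + f[6]
        }'
}

# covered_by_range REPLY LOW HIGH -> 0 if a static "--dport LOW:HIGH" rule
# would admit the announced data port, 1 if not (or if the reply is malformed).
covered_by_range() {
    ep=$(pasv_endpoint "$1") || return 1
    port=${ep#* }
    [ "$port" -ge "$2" ] && [ "$port" -le "$3" ]
}

pasv_endpoint "$REPLY_1"
pasv_endpoint "$REPLY_2"
# The second transfer lands outside a hypothetical 50000:50100 rule.
covered_by_range "$REPLY_2" 50000 50100 || echo "data port not covered by static rule"
```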
Hi Turbocapitalist,
You are right, he also needs to enable the FTP connection tracking module for passive FTP.
In CentOS version 7, the below commands are enough, as the module activation is included in the FTP service configuration.
Code:
firewall-cmd --permanent --add-service=ftp
firewall-cmd --reload |
Quote:
|
I just gave the commands above.
Which version of CentOS are you using? |
Here is version
centos-release-6-10.el6.centos.12.3.x86_64 |
Quote:
You were asked about which FTP server, and you FINALLY told us vsftpd, but (again) don't mention the version. Still don't tell us about the environment, either....is this an intranet? Internal server? Public server?? How you use it and what for can determine what you need on it. You were given commands, and don't appear to have even tried them. You were told specifically to NOT use FTP, but rather use any of the MUCH better/more secure options, such as SCP/SFTP. Why are you posting, if you're not going to acknowledge things, try commands, or take advice when offered?? Most of the time you don't even follow up in any of your threads. |
Hi,
As you are using CentOS 6, the things are different. But the aim is still to activate the tracking connection module for passive FTP, in addition to allowing the FTP port.
Launch the command below to allow FTP port in your firewall. Ensure it is somehow reflected in your /etc/sysconfig/iptables.
Code:
iptables -t filter -I INPUT 8 -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
Then in /etc/sysconfig/iptables-config add the below line.
Code:
IPTABLES_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns"
Code:
service iptables restart
So you better check everything and know what you are doing before applying.
Furthermore, stop ignoring TB0ne's advice. He does that for a reason, and they seem good ones to me. |
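A check for the three conditions this procedure sets up (port 21 accepted ahead of the catch-all REJECT, a RELATED rule for the data connection, the FTP helper listed in IPTABLES_MODULES), as an added example that is not part of the original thread. The function name audit_ftp and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit an iptables-save style ruleset
# and the iptables-config module line for what passive FTP needs.

# Constructed sample modelled on a CentOS 6 /etc/sysconfig/iptables, with the
# port 21 rule appended after the final REJECT instead of inserted before it.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
COMMIT'
# Constructed sample line from /etc/sysconfig/iptables-config.
SAMPLE_CONFIG='IPTABLES_MODULES="nf_conntrack_netbios_ns"'

# audit_ftp RULES CONFIG -> prints one finding per line, or "OK" if none.
audit_ftp() {
    findings=$(printf '%s\n' "$1" | awk '
        /^-A INPUT / {
            n++
            # The first unconditional REJECT/DROP hides every rule after it.
            if (!stop && $0 ~ /^-A INPUT -j (REJECT|DROP)/) stop = n
            if (!ctl && /--dport 21( |$)/ && /-j ACCEPT/) ctl = n
            if (!rel && /--state [A-Z,]*RELATED/ && /-j ACCEPT/) rel = n
        }
        END {
            if (!ctl) print "no ACCEPT rule for tcp/21"
            else if (stop && ctl > stop) print "tcp/21 rule sits after the catch-all REJECT"
            if (!rel) print "no RELATED accept rule for the data connection"
            else if (stop && rel > stop) print "RELATED rule sits after the catch-all REJECT"
        }')
    case "$2" in
        *IPTABLES_MODULES=*nf_conntrack_ftp*) ;;
        *) findings="${findings:+$findings
}nf_conntrack_ftp missing from IPTABLES_MODULES" ;;
    esac
    printf '%s\n' "${findings:-OK}"
}

audit_ftp "$SAMPLE_RULES" "$SAMPLE_CONFIG"
```

Rule order is why the command above uses `-I INPUT 8` rather than `-A INPUT`: an appended rule lands behind the final REJECT and never matches.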
Good day Tshikose,
Here is file /etc/sysconfig/iptables:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
I also have added that line to /etc/sysconfig/iptables-config
Here is what I've got
[root@CentOS65x64 huamin]# service iptables restart
iptables: Setting chains to policy ACCEPT: nat mangle filte[ OK ]
iptables: Flushing firewall rules: [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
iptables: Loading additional modules: nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns [ OK ]
But I still have same issue to access ftp://113.255.213.124/ |
Quote:
Code:
-A INPUT -m helper --helper "ftp" -m state --state RELATED -j ACCEPT |