LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 02-17-2003, 08:28 AM   #1
Slasher
Member
 
Registered: Oct 2002
Location: Norway
Distribution: Gentoo
Posts: 36

Rep: Reputation: 15
ProFTPd, Redhat 8.0 and passive mode


Hi,

Trying to configure proftpd on my redhat 8.0 box, and I can't get passive mode to work.

If I try "ftp localhost 13795" (why port 21) on the server, I can log in, list directories, upload, download, the works.

I I try "ftp IP 13795" from another machine, I can log on, but directory listing fails because of passive mode. Here the output:

ftp> dir
227 Entering Passive Mode (129,241,209,135,199,177).
ftp: connect: Connection refused

As you can see, the server has public ip. I have forwarded the connection port (13795) and a port range 51000-51999 in the redhat security level program, and set the "PassivePorts 51000 51999" in proftpd.conf. I'm running proftpd from xinetd by the way.

The syntax I used for redhat's security level program was "51000-51999:tcp".

I've read numerous readme files, searched the net and LQ, and still I'm stumped. If anyone has some idea to what I'm doing wrong, I'd be grateful.

Thanks for reading.
 
Old 02-18-2003, 10:06 AM   #2
Slasher
Member
 
Registered: Oct 2002
Location: Norway
Distribution: Gentoo
Posts: 36

Original Poster
Rep: Reputation: 15
Quick update: I'm pretty confident that the problem is the redhat-config-securitylevel program. It appears that it accept the syntax "51000-51999:tcp", but only opens 51000:tcp. I've had no success in finding the synopsys for this, either with google or redhat's search.
 
Old 02-25-2003, 10:00 PM   #3
unique3
LQ Newbie
 
Registered: Feb 2003
Posts: 6

Rep: Reputation: 0
Same problem

I am having somewhat of the same problem excpet I know far less about it then you. I have proftpd installed on my server and recently I have been having problems connecting to it from ncftp on other linux boxes and from windows programs. When I try to use ncftp to connect it gives me an error saying it could not enter passive mode. Any ideas?

Thanks in advance
 
Old 02-26-2003, 08:04 AM   #4
Slasher
Member
 
Registered: Oct 2002
Location: Norway
Distribution: Gentoo
Posts: 36

Original Poster
Rep: Reputation: 15
Hi unique3,

This is probably the same problem I experienced. Luckily I found a solution

Here goes:

It was the redhat-config-securitylevel "firewall" program that was causing frustration. Like most (all?) firewall programs on linux, it's based upon iptables, witch is a powerful and highly configurable program, if one learns to use it. More info on iptables: http://www.iptables.org Basicly iptables determines the fate of packets sent and received on your computer.

The solution was to add a rule to the INPUT chain in iptables. A chain works as a set of rules, the first rule is checked first, if it doesn't apply, the second is checked and so on.

A simple example (INPUT chain, could be any chain):

ACCEPT tcp -- anywhere anywhere tcp dpts:80
ACCEPT tcp -- anywhere anywhere tcp dpts:22
DENY tcp -- anywhere anywhere tcp dpts:80

Let's say this is the INPUT chain (handles everything coming to your computer) The firs rule accept all packets on port 80 tcp (http). The second accept all SSH connections, tcp. The third rule tries to deny all incoming http packets,. This won't work, since the first rule already has acceptet all http packets.

A good way to set up a chain is then to have a set of rules to allow incoming packets on selected ports, and the last rule on the chain to deny all:

ACCEPT tcp -- anywhere anywhere tcp dpts:80
ACCEPT tcp -- anywhere anywhere tcp dpts:22
DENY tcp -- anywhere anywhere tcp dpts:80
REJECT tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT udp -- anywhere anywhere udp reject-with icmp-port-unreachable

Almost at the end now

What I did (simple enough), was to add a rule to the INPUT chain:

ACCEPT tcp -- anywhere anywhere tcp dpts:51000:51999

The command to do so is:

# iptables -I INPUT 6 -p TCP --dport 51000:51999 -j ACCEPT

This adds a rule to the INPUT chain, position 6 from the top, allows all packets from all ip's on port 51000-51999 (my passive port range in proftpd). The position is important, since the last two rules of my chain denys everything on all ports from all ip's, tcp and udp respectivly.

Hope this was helpful, and perhaps even understandable. Sorry for any bad english

Last edited by Slasher; 02-26-2003 at 11:30 AM.
 
Old 02-26-2003, 08:44 AM   #5
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422Reputation: 422Reputation: 422Reputation: 422Reputation: 422
Slasher, that is quite possibly the clearest explanation of iptables I've read. I've been struggling with it for quite some time and only "got it" after reading your post.

Thanks!
 
Old 02-26-2003, 11:31 AM   #6
Slasher
Member
 
Registered: Oct 2002
Location: Norway
Distribution: Gentoo
Posts: 36

Original Poster
Rep: Reputation: 15
Glad to be of help
 
Old 02-26-2003, 01:15 PM   #7
unique3
LQ Newbie
 
Registered: Feb 2003
Posts: 6

Rep: Reputation: 0
One more thing

Thanks for the explination but I have just one more question, you used ports 51000:51999 because they are you passive ports.
Where and how would I check what my passive ports are or are they standard?

Again thanks for the explination, I actually understand what you are talking about and thats pretty amazing
 
Old 02-26-2003, 01:27 PM   #8
Slasher
Member
 
Registered: Oct 2002
Location: Norway
Distribution: Gentoo
Posts: 36

Original Poster
Rep: Reputation: 15
Hi again unique3,

I chose ports 51000-51999 because they are not used for any other service. Actually anything over 50000 is ok. Choose as many ports as you need.

In your proftpd.conf file, you should put in the following code:

Code:
PassivePorts 51000 51999
This could be inside <Global> (like I have) or you could specify individual passive ports for each virtual server if you run multiple servers.

This is part of my proftpd.conf file:

Code:
<Global>
        PassivePorts 51000 51999
</Global>
Hope it works out for you
 
Old 05-09-2008, 09:06 AM   #9
jordib
Member
 
Registered: Apr 2008
Distribution: Debian
Posts: 37

Rep: Reputation: 15
And if I need to access the server both from an internal private IP address, when used from the local network, and from a IP public address, when used from the Internet?

Should I duplicate the server setup within a different VirtualServer for the public IP and the private IP?

Is there any way to access the server always from the public IP (this does not work with the gateway I use).

The proFTPD server is in a DMZ.

MasqueradeAddress is specified as the public IP address of the gateway to Inet.

More information:

http://www.linuxquestions.org/questi...blems-639854/?

Last edited by jordib; 05-09-2008 at 09:15 AM.
 
Old 05-09-2008, 12:11 PM   #10
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422Reputation: 422Reputation: 422Reputation: 422Reputation: 422
Why don't you start a new thread on your question. In general, digging up a five year old thread probably won't get you the answers you're looking for.
 
Old 05-09-2008, 05:08 PM   #11
jordib
Member
 
Registered: Apr 2008
Distribution: Debian
Posts: 37

Rep: Reputation: 15
As you can see, I've opened a new thread. Within the last answer I cite the link.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
ProFTPD hangs on "227 Entering Passive Mode" VirusHater Linux - Newbie 4 06-30-2010 06:26 PM
proftpd, passive mode, and a router.... apberzerk Linux - Networking 2 07-11-2004 08:05 PM
227 Entering Passive Mode mxtinker Linux - Networking 1 02-25-2004 09:58 AM
ftp passive mode ? lenlutz Linux - Networking 1 11-05-2003 02:11 PM
kermit in passive mode? bbeers Linux - Software 1 08-23-2002 08:53 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 11:10 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration