LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Newbie (https://www.linuxquestions.org/questions/linux-newbie-8/)
-   -   Not able to upload file from different LAN in Centos (https://www.linuxquestions.org/questions/linux-newbie-8/not-able-to-upload-file-from-different-lan-in-centos-934736/)

SarahGurung 03-16-2012 03:35 AM

Not able to upload file from different LAN in Centos
 
We have centos i our server..

Well a client wants to host their website with us...We can upload it form the LAN but it is not possible form different LAN.. What could be the reason?

The iptables -L shows:
Code:

Chain INPUT (policy ACCEPT)
target    prot opt source              destination       
RH-Firewall-1-INPUT  all  --  anywhere            anywhere           

Chain FORWARD (policy ACCEPT)
target    prot opt source              destination       
RH-Firewall-1-INPUT  all  --  anywhere            anywhere           

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination       

Chain RH-Firewall-1-INPUT (2 references)
target    prot opt source              destination       
ACCEPT    all  --  anywhere            anywhere           
ACCEPT    icmp --  anywhere            anywhere            icmp any
ACCEPT    esp  --  anywhere            anywhere           
ACCEPT    ah  --  anywhere            anywhere           
ACCEPT    udp  --  anywhere            224.0.0.251        udp dpt:mdns
ACCEPT    udp  --  anywhere            anywhere            udp dpt:ipp
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:ipp
ACCEPT    all  --  anywhere            anywhere            state RELATED,ESTABLISHED
ACCEPT    tcp  --  anywhere            anywhere            state NEW tcp dpt:ftp
ACCEPT    tcp  --  anywhere            anywhere            state NEW tcp dpt:ssh
ACCEPT    tcp  --  anywhere            anywhere            state NEW tcp dpt:https
ACCEPT    tcp  --  anywhere            anywhere            state NEW tcp dpt:http
ACCEPT    tcp  --  anywhere            anywhere            state NEW tcp dpt:ftp-data
REJECT    all  --  anywhere            anywhere            reject-with icmp-host-prohibited


if ftp port 20 is closed how are we able to upload it from the LAN then

acid_kewpie 03-16-2012 04:28 AM

upload how?? there are a dozen ways to move a file between two systems.

SarahGurung 03-16-2012 04:32 AM

upload using ftp client..

The customer who wants to upload his website is in different country...When we tested by uploading a file from our LAN it worked..

acid_kewpie 03-16-2012 04:33 AM

so FTP is obviously a nasty protocol to get through a firewall, in what way does it not work? does it never log in, or do files specifically not transfer? have they tried using active and passive mode? could they use sftp instead for a much simpler experience?

your rulebase in "iptables -vnL" format might be more useful.

SarahGurung 03-16-2012 04:35 AM

how do we do that?

acid_kewpie 03-16-2012 04:54 AM

do what?

SarahGurung 03-16-2012 05:03 AM

ya they can login but they arent able to upload their site..

u told abt passive and active mode and also abt ssftp so was asking abt dat...

acid_kewpie 03-16-2012 05:09 AM

abt? really?

if this server has a single interface then it looks like the issue for ftp-data connections failing is likely to be down to something else between them and you that you don't have locally, your public firewall, or theirs etc. you can check lsmod to see that the ftp conntrack module is loaded, but if it's working for you it sounds like it already is.

Again, your full rule base would possibly help here.

SarahGurung 03-16-2012 05:26 AM

Well ya we can upload it using their username and password from our LAN but they are not able to upload it from there..We don't have any firewalls out here though but i guess ftp port 20 has been blocked somewhere in the acl of router for outsiders..

And by 'full rule base' do you mean the iptables rules?

acid_kewpie 03-16-2012 05:31 AM

Quote:

your rulebase in "iptables -vnL" format might be more useful.
FTP port 20 is not a destination port in FTP. In active mode that is the *SOURCE* port of the connection created by the *SERVER* to the client. In passive mode, it's not used, unless the ftp server is explicitly tethered to use that as the data port. So it's not likely to be that it's blocked, but that a device is not inspecting the ftp control traffic to track the data connections validity, so being rejected implicitly.

http://www.linuxhowtos.org/Misc/ftpmodes.htm

SarahGurung 03-16-2012 05:56 AM

That means when we login in directly we are using active ftp right? And for that in our iptables rule we should give it as sport instead of dport right?

Well can you please have a look at my iptables rule above and comment on it because it's given as sport so..

acid_kewpie 03-16-2012 05:58 AM

no, the login / control data flow is identical, it's how the additional ftp data connection is established, which you don't do yourself, is the difference. With sftp etc, these things do not exist, so if sftp is available, they would do better to use that instead.

yet again you've not provided the rulebase as requested, but in reality it can't really matter. if it works for you, the server rulebase is not the issue.

SarahGurung 03-16-2012 06:06 AM

well de output of ipables -vnL is:

Code:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target    prot opt in    out    source              destination       
2624K  330M RH-Firewall-1-INPUT  all  --  *      *      0.0.0.0/0            0.0.0.0/0         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target    prot opt in    out    source              destination       
    0    0 RH-Firewall-1-INPUT  all  --  *      *      0.0.0.0/0            0.0.0.0/0         

Chain OUTPUT (policy ACCEPT 2016K packets, 5687M bytes)
 pkts bytes target    prot opt in    out    source              destination       

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target    prot opt in    out    source              destination       
 2088 2613K ACCEPT    all  --  lo    *      0.0.0.0/0            0.0.0.0/0         
53908 3862K ACCEPT    icmp --  *      *      0.0.0.0/0            0.0.0.0/0          icmp type 255
    0    0 ACCEPT    esp  --  *      *      0.0.0.0/0            0.0.0.0/0         
    0    0 ACCEPT    ah  --  *      *      0.0.0.0/0            0.0.0.0/0         
    0    0 ACCEPT    udp  --  *      *      0.0.0.0/0            224.0.0.251        udp dpt:5353
    0    0 ACCEPT    udp  --  *      *      0.0.0.0/0            0.0.0.0/0          udp dpt:631
    0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:631
2487K  319M ACCEPT    all  --  *      *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
 2241  133K ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:21
 2082  125K ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:22
  357 21384 ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:443
74933 4093K ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:80
  17  988 ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:20
 1155 98813 REJECT    all  --  *      *      0.0.0.0/0            0.0.0.0/0          reject-with icmp-host-prohibited

Is it in our configuration part to login either via active or passive?

And it also means ftp port 20 is dport only right?

acid_kewpie 03-16-2012 06:15 AM

you can see that the counters there say just about nothing has hit port 20. that line is not relevant to the ftp environment. files already sent over ftp will be being covered by the "RELATED" entry.

yet again though, the problem is likely to be elsewhere. You're using this box fine from where you are, and the rulebase makes no distinction between you or anyone else.

SarahGurung 03-16-2012 06:31 AM

oh k k... Thanks..

Well my iptables rules contain:

Code:

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 20 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

So is the rules ok or should i make it to sport for ftp port 20?

And i have read it somewhere that we should add the pasv_max_port and pasv_min_port mentioned in the vsftpd.conf file along with the tcp port 20 and 21 in iptables...how far is that true?


All times are GMT -5. The time now is 02:15 PM.