|
Configuring FTP in Red Hat
Hi all. I have FTP running and can connect on on local machine. Any other machine on my network can not do to connect refused which means port 21 is no enabled on my linux box. For the life I me I can not find what file I need to edit to enble port 21. I looked in my linux bible and still do not understand. Could someone help me out?
Thanks for your help. I appreciate it. |
Since you are running redhat I assume that you are using vsftp. If this assumption is wrong what ftp server are you using?
You are able to ftp to the server locally correct? You might be firewalling the connection. Post the output of iptables -L -n; cat /etc/vsftpd/vsftpd.conf; To clear the firewall run iptables -F; |
Or if you want a visual aide, from a terminal prompt type:
Setup - Firewall - Customize and select FTP. You can then see what the outside sees by running an nmap scan on your machine. $ nmap localhost |
g-rod
Thanks for your help. [root@localhost etc]# iptables -L -n Chain INPUT (policy ACCEPT) target prot opt source destination RH-Lokkit-0-50-INPUT all -- 0.0.0.0/0 0.0.0.0/0 Chain FORWARD (policy ACCEPT) target prot opt source destination RH-Lokkit-0-50-INPUT all -- 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain RH-Lokkit-0-50-INPUT (2 references) target prot opt source destination ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 flags:0x16/0x02 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:67:68 dpts:67:68 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:67:68 dpts:67:68 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:0:1023 flags:0x16/0x02 reject-with icmp-port-unreachable REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2049 flags:0x16/0x02 reject-with icmp-port-unreachable REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:0:1023 reject-with icmp-port-unreachable REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:2049 reject-with icmp-port-unreachable REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:6000:6009 flags:0x16/0x02 reject-with icmp-port-unreachable REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7100 flags:0x16/0x02 reject-with icmp-port-unreachable # Example config file /etc/vsftpd.conf # # The default compiled in settings are very paranoid. This sample file # loosens things up a bit, to make the ftp daemon more usable. # # Allow anonymous FTP? anonymous_enable=YES # # Uncomment this to allow local users to log in. local_enable=YES # # Uncomment this to enable any form of FTP write command. write_enable=YES # # Default umask for local users is 077. You may wish to change this to 022, # if your users expect that (022 is used by most other ftpd's) local_umask=022 # # Uncomment this to allow the anonymous FTP user to upload files. This only # has an effect if the above global write enable is activated. Also, you will # obviously need to create a directory writable by the FTP user. #anon_upload_enable=YES # # Uncomment this if you want the anonymous FTP user to be able to create # new directories. #anon_mkdir_write_enable=YES # # Activate directory messages - messages given to remote users when they # go into a certain directory. dirmessage_enable=YES # # Activate logging of uploads/downloads. xferlog_enable=YES # # Make sure PORT transfer connections originate from port 20 (ftp-data). connect_from_port_20=YES # # If you want, you can arrange for uploaded anonymous files to be owned by # a different user. Note! Using "root" for uploaded files is not # recommended! #chown_uploads=YES #chown_username=whoever # # You may override where the log file goes if you like. The default is shown # below. #xferlog_file=/var/log/vsftpd.log # # If you want, you can have your log file in standard ftpd xferlog format xferlog_std_format=YES # # You may change the default value for timing out an idle session. #idle_session_timeout=600 # # You may change the default value for timing out a data connection. #data_connection_timeout=120 # # It is recommended that you define on your system a unique user which the # ftp server can use as a totally isolated and unprivileged user. #nopriv_user=ftpsecure # # Enable this and the server will recognise asynchronous ABOR requests. Not # recommended for security (the code is non-trivial). Not enabling it, # however, may confuse older FTP clients. #async_abor_enable=YES # # By default the server will pretend to allow ASCII mode but in fact ignore # the request. Turn on the below options to have the server actually do ASCII # mangling on files when in ASCII mode. # Beware that turning on ascii_download_enable enables malicious remote parties # to consume your I/O resources, by issuing the command "SIZE /big/file" in # ASCII mode. # These ASCII options are split into upload and download because you may wish # to enable ASCII uploads (to prevent uploaded scripts etc. from breaking), # without the DoS risk of SIZE and ASCII downloads. ASCII mangling should be # on the client anyway.. #ascii_upload_enable=YES #ascii_download_enable=YES # # You may fully customise the login banner string: #ftpd_banner=Welcome to blah FTP service. # # You may specify a file of disallowed anonymous e-mail addresses. Apparently # useful for combatting certain DoS attacks. #deny_email_enable=YES # (default follows) #banned_email_file=/etc/vsftpd.banned_emails # # You may specify an explicit list of local users to chroot() to their home # directory. If chroot_local_user is YES, then this list becomes a list of # users to NOT chroot(). #chroot_list_enable=YES # (default follows) #chroot_list_file=/etc/vsftpd.chroot_list # # You may activate the "-R" option to the builtin ls. This is disabled by # default to avoid remote users being able to cause excessive I/O on large # sites. However, some broken FTP clients such as "ncftp" and "mirror" assume # the presence of the "-R" option, so there is a strong case for enabling it. #ls_recurse_enable=YES pam_service_name=vsftpd userlist_enable=YES #enable for standalone mode listen=YES |
Ya you are firewalling the ftp-data connection. Stop iptables and test.
as root try /etc/init.d/iptables stop; Then try to ftp to the server it should work. If it works then I can we can work on setting up the firewall to allow ftp. |
g-rod
That worked man.. Now all I need to do is resetup the firewall. I would like to do it by command line instead of Gui. Can you help me with that if you have time? If you dont, that is ok too. Take care man. Thanks |
Nevermind my last question. I figured it out but I have one last one.
|
Thats cool. Using the command line is the only way to go. That way you know what the heck is going on. I will give you some general information about iptables and how Redhat save configuration.
IPtables is constructed with rules in three chains. A chain has default policies. If no rules match in the chain the default policy is applied. To see what the rules are in the chain run iptables -L; The default chains are INPUT,OUTPUT,FORWARD. A data packet falls into one of these as follows. When a connection attempt is being made to the machine it is in the INPUT chain. When a connection is been made from the machine it is in OUTPUT chain. If the connection is being routed through the machine it is in the FORWARD chain. When a match is made on a rule iptables jumps to the jump rule define with -j and stops checking the rules in that chain and follows the jump. The jump can be a default one ACCEPT,DENY,DROP or a user define chain. Reviewing iptables dump in your previous post for an ftp connection attempt to the server we can see that the first (and only rule) matches are connection attempt and send us to the userdefined rule RH-Lokit-0-50-INPUT. The first rule in that chain matches are attempt. So the packet is accepted, but ftp also opens a ftp-data connection back to the machine. Here is link describing the ftp protocal. http://war.jgaa.com/ftp/?cmd=show_page&ID=ftp_pasv I think these will open ftp up for you. iptables -A INPUT -p tcp --dport ftp -j ACCEPT iptables -A INPUT -p tcp --dport ftp-data -j ACCEPT iptables -A INPUT -p udp --dport ftp -j ACCEPT iptables -A INPUT -p udp --dport ftp-data -j ACCEPT iptables -A INPUT -p ALL -m state --state \ ESTABLISHED,RELATED -j ACCEPT To save the changes you can run /etc/init.d/iptables save; This writes the rules to /etc/sysconfig/iptables and is reread when your run /etc/iptables start. Hope this helps. |
| All times are GMT -5. The time now is 11:46 AM. |