LinuxQuestions.org
Old 05-31-2019, 04:23 AM   #1
Huamin
Member
 
Registered: May 2011
Posts: 562

Rep: Reputation: 12
Problem to FTP


Hi,
Here is IP of Cent OS server.

Code:
[root@CentOS65x64 vsftpd]# ifconfig
eth13     Link encap:Ethernet  HWaddr 08:00:27:03:62:E2  
          inet6 addr: fe80::a00:27ff:fe03:62e2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:301 errors:0 dropped:0 overruns:0 frame:0
          TX packets:418 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:81957 (80.0 KiB)  TX bytes:141372 (138.0 KiB)

eth14     Link encap:Ethernet  HWaddr 08:00:27:EE:CA:AF  
          inet addr:113.255.213.124  Bcast:113.255.223.255  Mask:255.255.240.0
          inet6 addr: fe80::a00:27ff:feee:caaf/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:879528 errors:0 dropped:0 overruns:0 frame:0
          TX packets:31662 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:222411874 (212.1 MiB)  TX bytes:2762135 (2.6 MiB)

I've enabled FTP on it but have got error like the attached, when accessing this

ftp://113.255.213.124/
Old 05-31-2019, 05:30 AM   #2
tyler2016
Member
 
Registered: Sep 2018
Distribution: Debian, CentOS, FreeBSD
Posts: 204

Rep: Reputation: Disabled
Is your firewall running?

Code:
iptables -L
What happens if you do this from the server:

Code:
ftp localhost
 
Old 05-31-2019, 07:00 AM   #3
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 21,559

Rep: Reputation: 5676
Quote:
Originally Posted by Huamin View Post
Hi,
Here is IP of Cent OS server.
Code:
[root@CentOS65x64 vsftpd]# ifconfig
eth13     Link encap:Ethernet  HWaddr 08:00:27:03:62:E2  
          inet6 addr: fe80::a00:27ff:fe03:62e2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:301 errors:0 dropped:0 overruns:0 frame:0
          TX packets:418 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:81957 (80.0 KiB)  TX bytes:141372 (138.0 KiB)

eth14     Link encap:Ethernet  HWaddr 08:00:27:EE:CA:AF  
          inet addr:113.255.213.124  Bcast:113.255.223.255  Mask:255.255.240.0
          inet6 addr: fe80::a00:27ff:feee:caaf/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:879528 errors:0 dropped:0 overruns:0 frame:0
          TX packets:31662 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:222411874 (212.1 MiB)  TX bytes:2762135 (2.6 MiB)
I've enabled FTP on it but have got error like the attached, when accessing this ftp://113.255.213.124/
Again, as with MANY of your previous threads, you omit any relevant details. Version of CentOS? Which FTP server? Ability to connect to it from other clients? Can you even ping it? Have you done **ANY** diagnostics at all? What FTP client are you using on Windows? Because just banging ftp://.... into your web browser probably won't work the way you want it to.

And you've been asked a LOT of times to stop posting tiny screen shots of things...and you don't, as in previous threads along the same vein as this, or the MANY others where you never come back, such as these recent threads:
https://www.linuxquestions.org/quest...st-4175653537/
https://www.linuxquestions.org/quest...ce-4175653928/
https://www.linuxquestions.org/quest...es-4175653659/
https://www.linuxquestions.org/quest...le-4175649005/
 
1 members found this post helpful.
Old 06-01-2019, 01:48 AM   #4
Huamin
Member
 
Registered: May 2011
Posts: 562

Original Poster
Rep: Reputation: 12
Tyler,
Here is what I've got

[root@CentOS65x64 huamin]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 192.168.122.0/24 state RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@CentOS65x64 huamin]# ftp localhost
Trying ::1...
ftp: connect to address ::1Connection refused
Trying 127.0.0.1...
ftp: connect to address 127.0.0.1Connection refused
Trying 113.255.213.173...
ftp: connect: No route to host
 
Old 06-01-2019, 03:11 AM   #5
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 4,019
Blog Entries: 3

Rep: Reputation: 1918
Quote:
Originally Posted by Huamin View Post
Here is what I've got ...
It's not as easy as you think it is. You'll spend scores of hours on this project if you pursue FTP instead of an appropriate protocol, and time is money among other things. FTP and any kind of filtering on the server side or even NAT do not get along. Read up on how both passive or active FTP actually work. You'll need to receive arbitrary incoming connections. The FTP protocol is left over from the 1970s and is not only completely unsecure but also nearly impossible to set up and get running on a modern network. In light of that I would ask you to reassess your use-cases, and turn to the modern protocols:

1. anonymous, encrypted download : https
2. anonymous, unencrypted download : http
3. logged in, encrypted download : sftp or else https + BasicAuth
4. logged in, encrypted upload : sftp

FTP was great in its day but its time is long since passed by a few decades. Don't use it. Use SFTP, HTTPS, or HTTP nowadays.
 
Old 06-01-2019, 03:34 AM   #6
tshikose
Member
 
Registered: Apr 2010
Location: Kinshasa, Democratic Republic of Congo
Distribution: RHEL, Fedora, CentOS
Posts: 464

Rep: Reputation: 88
Hi,


You seem to not have FTP allowed through your firewall. You should have had an FTP rule similar to the SSH one (I put it in bold) in the INPUT chain of filter table.
Quote:
Originally Posted by Huamin View Post
...

[root@CentOS65x64 huamin]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
...
 
Old 06-01-2019, 03:40 AM   #7
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 4,019
Blog Entries: 3

Rep: Reputation: 1918
Quote:
Originally Posted by tshikose View Post
You should have had an FTP rule similar to the SSH one (I put it in bold) in the INPUT chain of filter table.
Nope. Two rules are needed for sad old FTP, in addition to the right kind of network, one that allows direct access from the outside to all ports, high and low.

Even in passive FTP, two rules are needed on the server. One is obviously needed for the incoming control connection, as you point out. However, a second one on an arbitrary high port needs to be allowed for the data connection. That port is not known in advance so all high ports must be allowed in. That greatly reduces the efficacy of the packet filter, not that packet filters are much use anyway.

FTP has had proper replacements for over 20 years. It is long past time to put it to rest and use more practical protocols instead.

Last edited by Turbocapitalist; 06-01-2019 at 03:41 AM.
 
1 members found this post helpful.
Old 06-01-2019, 04:14 AM   #8
tshikose
Member
 
Registered: Apr 2010
Location: Kinshasa, Democratic Republic of Congo
Distribution: RHEL, Fedora, CentOS
Posts: 464

Rep: Reputation: 88
Hi Turbocapitalist,

You are right, he also needs to enable the FTP connection tracking module for passive FTP.

In CentOS version 7, the below commands are enough, as the module activation is included in the FTP service configuration.
Code:
firewall-cmd --permanent --add-service=ftp
firewall-cmd --reload
 
2 members found this post helpful.
Old 06-01-2019, 11:03 PM   #9
Huamin
Member
 
Registered: May 2011
Posts: 562

Original Poster
Rep: Reputation: 12
Quote:
Originally Posted by tshikose View Post
Hi Turbocapitalist,

You are right, he also needs to enable the FTP connection tracking module for passive FTP.

In CentOS version 7, the below commands are enough, as the module activation is included in the FTP service configuration.
Code:
firewall-cmd --permanent --add-service=ftp
firewall-cmd --reload
I installed vsftpd on current Cent OS. What to further enable (regarding FTP) on it?
 
Old 06-02-2019, 02:36 AM   #10
tshikose
Member
 
Registered: Apr 2010
Location: Kinshasa, Democratic Republic of Congo
Distribution: RHEL, Fedora, CentOS
Posts: 464

Rep: Reputation: 88
I just gave the commands above.
Which version of CentOS are you using?
 
Old 06-02-2019, 05:42 AM   #11
Huamin
Member
 
Registered: May 2011
Posts: 562

Original Poster
Rep: Reputation: 12
Here is version

centos-release-6-10.el6.centos.12.3.x86_64
 
Old 06-02-2019, 10:07 AM   #12
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 21,559

Rep: Reputation: 5676
Quote:
Originally Posted by Huamin View Post
Here is version

centos-release-6-10.el6.centos.12.3.x86_64
...and you seem to ignore post #3, where you were specifically asked these things. Some reason for that???

You were asked about which FTP server, and you FINALLY told us vsftpd, but (again) don't mention the version. Still don't tell us about the environment, either....is this an intranet? Internal server? Public server?? How you use it and what for can determine what you need on it. You were given commands, and don't appear to have even tried them. You were told specifically to NOT use FTP, but rather use any of the MUCH better/more secure options, such as SCP/SFTP.

Why are you posting, if you're not going to acknowledge things, try commands, or take advice when offered?? Most of the time you don't even follow up in any of your threads.
 
Old 06-03-2019, 02:09 AM   #13
tshikose
Member
 
Registered: Apr 2010
Location: Kinshasa, Democratic Republic of Congo
Distribution: RHEL, Fedora, CentOS
Posts: 464

Rep: Reputation: 88
Hi,

As you are using CentOS 6, the things are different. But the aim is still to activate the tracking connection module for passive FTP, in addition to allowing the FTP port.

Launch the command below to allow FTP port in your firewall. Ensure it is somehow reflected in your /etc/sysconfig/iptables.
Code:
iptables -t filter -I INPUT 8 -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
I am inserting it just before (8th position) the SSH rule, according to your posting #4 of your current iptables configuration. The main goal is for the rule to be before the last rejecting one.

Then in /etc/sysconfig/iptables-config add the below line.
Code:
IPTABLES_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns"
Finally restart iptables service with.
Code:
service iptables restart
It is all from my memory, as it has been a long time since I used version 6.
So you better check everything and know what you are doing before applying.

Furthermore, stop ignoring TB0ne's advice. He does that for a reason, and they seem good ones to me.
 
2 members found this post helpful.
Old 06-03-2019, 08:47 PM   #14
Huamin
Member
 
Registered: May 2011
Posts: 562

Original Poster
Rep: Reputation: 12
Good day Tshikose,
Here is file /etc/sysconfig/iptables:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

I also have added that line to /etc/sysconfig/iptables-config

Here is what I've got
[root@CentOS65x64 huamin]# service iptables restart
iptables: Setting chains to policy ACCEPT: nat mangle filte[ OK ]
iptables: Flushing firewall rules: [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
iptables: Loading additional modules: nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns [ OK ]

But I still have same issue to access
ftp://113.255.213.124/
 
Old 06-04-2019, 06:57 PM   #15
tyler2016
Member
 
Registered: Sep 2018
Distribution: Debian, CentOS, FreeBSD
Posts: 204

Rep: Reputation: Disabled
Quote:
Originally Posted by tshikose View Post
Hi,

As you are using CentOS 6, the things are different. But the aim is still to activate the tracking connection module for passive FTP, in addition to allowing the FTP port.

Launch the command below to allow FTP port in your firewall. Ensure it is somehow reflected in your /etc/sysconfig/iptables.
Code:
iptables -t filter -I INPUT 8 -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
I am inserting it just before (8th position) the SSH rule, according to your posting #4 of your current iptables configuration. The main goal is for the rule to be before the last rejecting one.

Then in /etc/sysconfig/iptables-config add the below line.
Code:
IPTABLES_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns"
Finally restart iptables service with.
Code:
service iptables restart
It is all from my memory, as it has been a long time since I used version 6.
So you better check everything and know what you are doing before applying.

Furthermore, stop ignoring TB0ne's advice. He does that for a reason, and they seem good ones to me.
If I remember right you need to use the helper module in your rules as well:

Code:
-A INPUT -m helper --helper "ftp"  -m state --state RELATED -j ACCEPT
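
The three firewall-side conditions from posts #13 and #15 (tcp/21 accepted ahead of the final REJECT, RELATED traffic accepted, nf_conntrack_ftp listed in IPTABLES_MODULES) can be checked against the saved files with a short script. This is an added example, not code posted by anyone in the thread; the function names and the sample files are constructed for illustration.

```bash
#!/bin/bash
# Added example: audit saved iptables rules for the FTP pieces named in the thread.
# Function names and the sample files below are constructed for illustration.

# Print the 1-based position of the first "-A INPUT" rule matching an ERE, or 0.
input_rule_pos() {  # $1 = rules file, $2 = regex
    awk -v re="$2" '/^-A INPUT /{ n++; if ($0 ~ re) { print n; hit = 1; exit } }
                    END { if (!hit) print 0 }' "$1"
}

# Print one finding per check; the return status is the number of failed checks.
audit_ftp_rules() {  # $1 = rules file, $2 = iptables-config file
    local fail=0 ctl rel rej
    ctl=$(input_rule_pos "$1" '--dport 21 .*-j ACCEPT')
    rel=$(input_rule_pos "$1" 'state [A-Z,]*RELATED.*-j ACCEPT')
    rej=$(input_rule_pos "$1" '-j (REJECT|DROP)')
    if [ "$rej" -eq 0 ]; then rej=9999; fi   # no catch-all reject: order is moot

    if [ "$ctl" -gt 0 ] && [ "$ctl" -lt "$rej" ]; then
        echo "OK control: tcp/21 accepted at INPUT rule $ctl"
    else
        echo "FAIL control: no ACCEPT for tcp/21 ahead of the catch-all reject"
        fail=$((fail + 1))
    fi
    if [ "$rel" -gt 0 ] && [ "$rel" -lt "$rej" ]; then
        echo "OK data: RELATED traffic accepted at INPUT rule $rel"
    else
        echo "FAIL data: no RELATED accept ahead of the catch-all reject"
        fail=$((fail + 1))
    fi
    if grep -Eq '^IPTABLES_MODULES=.*nf_conntrack_ftp' "$2"; then
        echo "OK helper: nf_conntrack_ftp is listed in IPTABLES_MODULES"
    else
        echo "FAIL helper: nf_conntrack_ftp missing from IPTABLES_MODULES"
        fail=$((fail + 1))
    fi
    return "$fail"
}

# Constructed sample: port 21 appended after the reject, helper module not listed.
demo=$(mktemp -d)
printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' \
    '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
    '-A INPUT -i lo -j ACCEPT' \
    '-A INPUT -j REJECT --reject-with icmp-host-prohibited' \
    '-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT' \
    'COMMIT' > "$demo/iptables"
echo 'IPTABLES_MODULES="nf_conntrack_netbios_ns"' > "$demo/iptables-config"
audit_ftp_rules "$demo/iptables" "$demo/iptables-config" || echo "$? check(s) failed"
```

A clean result covers only the packet filter. The `Connection refused` on 127.0.0.1 in post #4 means nothing was listening on port 21 at that point, which `service vsftpd status` or `netstat -tlnp` would confirm.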
 
  

