I am setting up a server at home (started ages ago, but too busy to get finished :o) )
and trying to get files from my real server by FTP. both servers have same version as listed below. looking on the web it seems like a firewall problem.
rules show ftp and ftp-data ports as enabled.
Accept If protocol is UDP and destination port is ftp-data
Accept If protocol is UDP and destination port is ftp
Accept If protocol is TCP and destination port is ftp
Accept If protocol is TCP and destination port is domain
any suggestions as what I can look at to get ftp working? have not stopped firewall (not sure how). I'm behind a DSL router so it spossible that I need to enable something on that ?
thanks Brian
Webmin version 1.480
Virtualmin version 3.70 Pro
Operating system CentOS Linux 5.3
Perl version 5.008008
Path to Perl /usr/bin/perl
Postfix version 2.3.3
Mail injection command /usr/lib/sendmail -t
BIND version 9.3.4
Apache version 2.2.3
PHP version 5.1.6
Webalizer version 2.01-10
Logrotate version 3.7.4
MySQL version 5.0.45
ProFTPd version 1.30
SpamAssasssin version 3.2.5
ClamAV version 0.95.2
you need to open port 21 on the router for the IP that the server is on by logging into the router, often http://192.168.1.1
I forgto I already set Port 21to point to server.
tried disabling firewall, also also tried setting up port 20, but not able to as yet.
then you need to find clues in your logs as to why it fails...
thanks, can't find any clues :o(
have separate windows and linux computers behind router.
windows works fine as I can ftp and get access to the same server.
if I access a separate server (running Direct Admin) I can FTP it fine its only a problem when I am trying to connect to my new server from linux. I used 'sftp' and strangley that worked
have been browsing google to see if I can find any solution, but none as yet. I will keep looking.
point of the exercise is so I can do a backup of live server using 'wget' which does not work as it gives the same problem as ftp.
Brian
have found that if I turn off the router firewall and set PASSIVE mode off then I can FTP into the server (which is a step forward :o) ) still can't get the ftp out though, so reckon it must be firwall on the test server at home.
on my local server the firewall settings shows the following chain having a reject always. if i remove that I can now get the FTP to work. so some port needs to be enable, anybody any suggestions. should I add ports 20 and 21 in this chain even thoug they ar elisted in the chain Incoming packets (INPUT) ?
thnaks for any advice.
Chain RH-Firewall-1-INPUT Select all. | Invert selection. Action Condition Move Add
Accept If input interface is lo
Accept If protocol is ICMP and ICMP type is any
Accept If protocol is 50
Accept If protocol is 51
Accept If protocol is UDP and destination is 224.0.0.251 and destination port is 5353
Accept If protocol is UDP and destination port is 631
Accept If protocol is TCP and destination port is 631
Accept If state of connection is ESTABLISHED,RELATED
Accept If protocol is TCP and destination port is 22 and state of connection is NEW
Reject Always
on top of Incoming packets (INPUT) you need:
Accept If protocol is TCP and destination port is ftp
Accept If protocol is UDP and destination port is ftp
Accept If protocol is UDP and destination port is ftp-data
Accept If protocol is TCP and destination port is ftp-data
you don't need them in the chain
what i have learned is to have lower numbers on top and high numbers below.
21
22
51
53
110
631
cheers, I tried that but no difference. I can get it to work with turning off firewall in router and removing "Reject Always"
just need to make sure I always rememebr to tunr on firewall each time.
(though I am getting closer to finding out what the problem is :o) )
odd, is your ftp server actually running on port 21 then ?
yep, its odd :o)
I have not changed it so I am presuming it is. I will check the configuration.
thanks
can you post the output of: # iptables -L
Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT tcp -- anywhere anywhere tcp dpt:ftp ACCEPT udp -- anywhere anywhere udp dpt:ftp ACCEPT udp -- anywhere anywhere udp dpt:ftp-data ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data ACCEPT udp -- anywhere anywhere udp dpt:domain ACCEPT tcp -- anywhere anywhere tcp dpt:dnp ACCEPT tcp -- anywhere anywhere tcp dpt:ndmp ACCEPT tcp -- anywhere anywhere tcp dpt:https ACCEPT tcp -- anywhere anywhere tcp dpt:http ACCEPT tcp -- anywhere anywhere tcp dpt:imaps ACCEPT tcp -- anywhere anywhere tcp dpt:imap ACCEPT tcp -- anywhere anywhere tcp dpt:pop3s ACCEPT tcp -- anywhere anywhere tcp dpt:pop3 ACCEPT tcp -- anywhere anywhere tcp dpt:domain ACCEPT tcp -- anywhere anywhere tcp dpt:smtp ACCEPT tcp -- anywhere anywhere tcp dpt:ssh RH-Firewall-1-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT) target prot opt source destination RH-Firewall-1-INPUT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT) target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references) target prot opt source destination ACCEPT all -- anywhere anywhere ACCEPT icmp -- anywhere anywhere icmp any ACCEPT esp -- anywhere anywhere ACCEPT ah -- anywhere anywhere ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns ACCEPT udp -- anywhere anywhere udp dpt:ipp ACCEPT tcp -- anywhere anywhere tcp dpt:ipp ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
try:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT udp -- anywhere anywhere udp dpt:ftp
ACCEPT udp -- anywhere anywhere udp dpt:ftp-data
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:imap
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3s
ACCEPT tcp -- anywhere anywhere tcp dpt:ndmp
ACCEPT tcp -- anywhere anywhere tcp dpt:dnp
REJECT tcp -- anywhere anywhere tcp dpt:0 reject-with icmp-port-unreachable
RH-Firewall-1-INPUT all -- anywhere anywhere
and
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
After you save, you have to click apply configuration.
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT udp -- anywhere anywhere udp dpt:ftp
ACCEPT udp -- anywhere anywhere udp dpt:ftp-data
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:imap
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3s
ACCEPT tcp -- anywhere anywhere tcp dpt:ndmp
ACCEPT tcp -- anywhere anywhere tcp dpt:dnp
REJECT tcp -- anywhere anywhere tcp dpt:0 reject-with icmp-port-unreachable
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
only difference I see now is
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
which is the 4th line from the bottom.
the ssh line shouldn't be there. it is already in the input before the RH chain. After you remove it and apply the configuration then the firewall shouldn't be the issue.
If ftp still doesn't work then the exact setup of your network would lead to more clues as to what can and what can not be done.
have removed that line and still the same problem. I will need to look at it again later (probaly tomorrow) thanks for your help.