On 09/07/2016 03:55 PM, Michael D. Setzer II wrote:
On 7 Sep 2016 at 13:50, Fred Smith wrote:
Date sent: Wed, 7 Sep 2016 13:50:21 -0400
From: Fred Smith <fredex@xxxxxxxxxxxxxxxxxxxxxx>
To: users@xxxxxxxxxxxxxxxxxxxxxxx
Subject: Re: Issue with ftp making connection but not list?
Send reply to: Community support for Fedora users
<users@xxxxxxxxxxxxxxxxxxxxxxx>
On Thu, Sep 08, 2016 at 03:17:32AM +1000, Michael D. Setzer II wrote:
Everything was working till just the other day? I've done more testing,
and it has something to do with firewalld and iptables.
I found that if I traceroute to machines not running Fedora 24 it
completes, but with a Fedora 24 machine I am getting !X
I stopped firewalld and iptables on machine d7t and then I can complete
a traceroute and ftp to the machine.
While I'm surely not an expert, I think that at this time I would open
up the firewall applet on the remote systems and make sure that both
ports necessary for ftp are in fact open. According to /etc/services,
that would be ports 20 and 21, for both tcp and udp.
ftp-data 20/tcp
ftp-data 20/udp
# 21 is registered to ftp, but also used by fsp
ftp 21/tcp
ftp 21/udp fsp fspd
Did check /etc/services and the ports are listed.
The firewall-config has the ftp service checked, but had also tried adding the
ports 20-21 as ports to open. Not sure how that would affect the traceroute
anyway, but only currently shutting down firewalld and iptables seems to get
the process to work correctly. Specific machines are in my classroom, and
are connected to the same switch.
traceroute to 192.168.7.220 (192.168.7.220), 30 hops max, 60 byte packets
1 d7t.guamcc.net (192.168.7.220) 0.122 ms 0.091 ms 0.080 ms
traceroute to 192.168.7.218 (192.168.7.218), 30 hops max, 60 byte packets
1 d7r.guamcc.net (192.168.7.218) 0.199 ms !X 0.154 ms !X 0.141 ms !X
Also have 3 old Ubuntu machines, and traceroute to them with no problem
with the !X.
Did note with the firewalld status I am seeing this.
· firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2016-09-08 02:53:53 ChST; 41s ago
Docs: man:firewalld(1)
Main PID: 11258 (firewalld)
Tasks: 3 (limit: 512)
CGroup: /system.slice/firewalld.service
└─11258 /usr/bin/python3 -Es /usr/sbin/firewalld --nofork --nopid
Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete FORWARD --destination 192.168.122.0/24 --out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT' failed:
Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete FORWARD --source 192.168.122.0/24 --in-interface virbr0 --jump ACCEPT' failed:
Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete FORWARD --in-interface virbr0 --out-interface virbr0 --jump ACCEPT' failed:
Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete FORWARD --out-interface virbr0 --jump REJECT' failed:
Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete FORWARD --in-interface virbr0 --jump REJECT' failed:
Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete INPUT --in-interface virbr0 --protocol udp --destination-port 53 --jump ACCEPT' failed:
Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete INPUT --in-interface virbr0 --protocol tcp --destination-port 53 --jump ACCEPT' failed:
Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete OUTPUT --out-interface virbr0 --protocol udp --destination-port 68 --jump ACCEPT' failed:
Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete INPUT --in-interface virbr0 --protocol udp --destination-port 67 --jump ACCEPT' failed:
Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete INPUT --in-interface virbr0 --protocol tcp --destination-port 67 --jump ACCEPT' failed:
I don't use firewalld but I do speak iptables so I'll try to help if I can.
All of the "COMMAND_FAILED" errors are from something trying to delete
rules from the firewall, rules that apparently don't exist.
As root, on d7t, would you please post the results of iptables-save?
Again, it was working 2 days ago, so I am thinking that a recent update
has done something??
Not sure why the !X is occurring. These machines are on the same
192.168.7.x network?
!X is traceroute's way of saying "communication administratively
prohibited". Looks like there is a rule saying something like -j REJECT
--reject-with icmp-{net,host,admin}-prohibited somewhere in the firewall
ruleset. We can find it in the above requested iptables-save data.
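Added example, not part of the original thread: one way to pull the candidate rules out of iptables-save output, as the last reply proposes. The ruleset in sample_ruleset is constructed for illustration (it is not output from d7t or d7r), and the function names are hypothetical.

```shell
#!/bin/sh
# Find REJECT rules that answer with an ICMP "prohibited" code, the kind of
# rule the reply above expects to be behind traceroute's !X annotation.

# Reads iptables-save output on stdin.
# Prints one line per match: "<table> <chain> <position in chain>: <rule>".
find_prohibit_rules() {
    awk '
        /^\*/ { table = substr($0, 2); next }    # "*filter" opens a table section
        $1 == "-A" {
            chain = $2
            n[table, chain]++                    # rules are listed in chain order
            if ($0 ~ /-j REJECT/ &&
                $0 ~ /--reject-with icmp-(net|host|admin)-prohibited/)
                printf "%s %s %d: %s\n", table, chain, n[table, chain], $0
        }
    '
}

# Constructed sample ruleset in iptables-save format (assumption, for the demo).
sample_ruleset() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -j PREROUTING_direct
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Demo run on the constructed sample.
sample_ruleset | find_prohibit_rules
```

On a live host, run `iptables-save | find_prohibit_rules` as root; the reported position matches the numbering of `iptables -L <chain> --line-numbers`, so any ACCEPT rule meant to let traffic through has to sit above it in the same chain.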