On 7 Sep 2016 at 16:32, Mike Wright wrote:

Subject:        Re: Issue with ftp making connection but not list?
To:             Community support for Fedora users <users@xxxxxxxxxxxxxxxxxxxxxxx>
From:           Mike Wright <nobody@xxxxxxxxxxxxxxxxxxxx>
Date sent:      Wed, 7 Sep 2016 16:32:05 -0700
Send reply to:  Community support for Fedora users <users@xxxxxxxxxxxxxxxxxxxxxxx>

> On 09/07/2016 03:55 PM, Michael D. Setzer II wrote:
> > On 7 Sep 2016 at 13:50, Fred Smith wrote:
> >
> > Date sent:      Wed, 7 Sep 2016 13:50:21 -0400
> > From:           Fred Smith <fredex@xxxxxxxxxxxxxxxxxxxxxx>
> > To:             users@xxxxxxxxxxxxxxxxxxxxxxx
> > Subject:        Re: Issue with ftp making connection but not list?
> > Send reply to:  Community support for Fedora users <users@xxxxxxxxxxxxxxxxxxxxxxx>
> >
> >> On Thu, Sep 08, 2016 at 03:17:32AM +1000, Michael D. Setzer II wrote:
> >>> Everything was working till just the other day? I've done more testing,
> >>> and it has something to do with firewalld and iptables.
> >>>
> >>> I found that if I traceroute to machines not running fedora 24 it
> >>> completes, but with a fedora 24 machine I am getting !X
> >>>
> >>> I stopped firewalld and iptables on machine d7t and then I can complete
> >>> a traceroute and ftp to the machine.
> >>
> >> while I'm surely not an expert, I think that at this time I would open
> >> up the firewall applet on the remote systems and make sure that both
> >> ports necessary for ftp are in fact open. According to /etc/services,
> >> that would be ports 20 and 21, for both tcp and udp.
> >>
> >> ftp-data        20/tcp
> >> ftp-data        20/udp
> >> # 21 is registered to ftp, but also used by fsp
> >> ftp             21/tcp
> >> ftp             21/udp          fsp fspd
> >>
> >
> > Did check /etc/services and the ports are listed.
> > The firewall-config has the ftp service checked, but had also tried adding the
> > ports 20-21 as ports to open. Not sure how that would affect the traceroute
> > anyway, but only currently shutting down firewalld and iptables seems to get
> > the process to work correctly. Specific machines are in my classroom, and
> > are connected to the same switch.
> >
> >
> >>>
> >>> traceroute to 192.168.7.220 (192.168.7.220), 30 hops max, 60 byte packets
> >>>  1  d7t.guamcc.net (192.168.7.220)  0.122 ms  0.091 ms  0.080 ms
> >>>
> >>> traceroute to 192.168.7.218 (192.168.7.218), 30 hops max, 60 byte packets
> >>>  1  d7r.guamcc.net (192.168.7.218)  0.199 ms !X  0.154 ms !X  0.141 ms !X
> >>>
> >>> Also have 3 old ubuntu machines, and traceroute to them with no problem
> >>> with the !X.
> >>>
> >>> Did note with the firewalld status I am seeing this.
> >>>
> >>> ● firewalld.service - firewalld - dynamic firewall daemon
> >>>    Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
> >>>    Active: active (running) since Thu 2016-09-08 02:53:53 ChST; 41s ago
> >>>      Docs: man:firewalld(1)
> >>>  Main PID: 11258 (firewalld)
> >>>     Tasks: 3 (limit: 512)
> >>>    CGroup: /system.slice/firewalld.service
> >>>            └─11258 /usr/bin/python3 -Es /usr/sbin/firewalld --nofork --nopid
> >>>
> >>> Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete FORWARD --destination 192.168.122.0/24 --out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT' failed:
> >>> Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete FORWARD --source 192.168.122.0/24 --in-interface virbr0 --jump ACCEPT' failed:
> >>> Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete FORWARD --in-interface virbr0 --out-interface virbr0 --jump ACCEPT' failed:
> >>> Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete FORWARD --out-interface virbr0 --jump REJECT' failed:
> >>> Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete FORWARD --in-interface virbr0 --jump REJECT' failed:
> >>> Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete INPUT --in-interface virbr0 --protocol udp --destination-port 53 --jump ACCEPT' failed:
> >>> Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete INPUT --in-interface virbr0 --protocol tcp --destination-port 53 --jump ACCEPT' failed:
> >>> Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete OUTPUT --out-interface virbr0 --protocol udp --destination-port 68 --jump ACCEPT' failed:
> >>> Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete INPUT --in-interface virbr0 --protocol udp --destination-port 67 --jump ACCEPT' failed:
> >>> Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete INPUT --in-interface virbr0 --protocol tcp --destination-port 67 --jump ACCEPT' failed:
>
> I don't use firewalld but I do speak iptables so I'll try to help if I can.
>
> All of the "COMMAND_FAILED" errors are from something trying to delete
> rules from the firewall, rules that apparently don't exist.
>
> As root, on d7t, would you please post the results of iptables-save?
>

Using machines d7q and d7r. Started the vsftp on d7r, and it works if on d7r I
disable the firewalld service, but not if it is running?

With the Firewalld stopped on d7r (192.168.7.218)

[msetzerii@d7q ~]$ ncftpls ftp://192.168.7.218
pub/

With the Firewalld started on d7r (192.168.7.218)

[msetzerii@d7q ~]$ ncftpls ftp://192.168.7.218
connect failed: No route to host.
connect failed: No route to host.
connect failed: No route to host.
Falling back to PORT instead of PASV mode.
[msetzerii@d7q ~]$

iptables-save output of d7r

# Generated by iptables-save v1.4.21 on Thu Sep  8 10:12:45 2016
*mangle
:PREROUTING ACCEPT [134:8757]
:INPUT ACCEPT [134:8757]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [90:16750]
:POSTROUTING ACCEPT [90:16750]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -i enp2s0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Thu Sep  8 10:12:45 2016
# Generated by iptables-save v1.4.21 on Thu Sep  8 10:12:45 2016
*raw
:PREROUTING ACCEPT [134:8757]
:OUTPUT ACCEPT [90:16750]
:OUTPUT_direct - [0:0]
:PREROUTING_direct - [0:0]
-A PREROUTING -j PREROUTING_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Thu Sep  8 10:12:45 2016
# Generated by iptables-save v1.4.21 on Thu Sep  8 10:12:45 2016
*nat
:PREROUTING ACCEPT [7:384]
:INPUT ACCEPT [2:148]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_public - [0:0]
:POST_public_allow - [0:0]
:POST_public_deny - [0:0]
:POST_public_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -o enp2s0 -g POST_public
-A POSTROUTING_ZONES -g POST_public
-A POST_public -j POST_public_log
-A POST_public -j POST_public_deny
-A POST_public -j POST_public_allow
-A PREROUTING_ZONES -i enp2s0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Thu Sep  8 10:12:45 2016
# Generated by iptables-save v1.4.21 on Thu Sep  8 10:12:45 2016
*security
:INPUT ACCEPT [129:8521]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [90:16750]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Thu Sep  8 10:12:45 2016
# Generated by iptables-save v1.4.21 on Thu Sep  8 10:12:45 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [90:16750]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_IN_ZONES_SOURCE - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:FORWARD_OUT_ZONES_SOURCE - [0:0]
:FORWARD_direct - [0:0]
:FWDI_public - [0:0]
:FWDI_public_allow - [0:0]
:FWDI_public_deny - [0:0]
:FWDI_public_log - [0:0]
:FWDO_public - [0:0]
:FWDO_public_allow - [0:0]
:FWDO_public_deny - [0:0]
:FWDO_public_log - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_ZONES_SOURCE - [0:0]
:INPUT_direct - [0:0]
:IN_public - [0:0]
:IN_public_allow - [0:0]
:IN_public_deny - [0:0]
:IN_public_log - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A OUTPUT -j OUTPUT_direct
-A FORWARD_IN_ZONES -i enp2s0 -g FWDI_public
-A FORWARD_IN_ZONES -g FWDI_public
-A FORWARD_OUT_ZONES -o enp2s0 -g FWDO_public
-A FORWARD_OUT_ZONES -g FWDO_public
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDI_public -p icmp -j ACCEPT
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
-A INPUT_ZONES -i enp2s0 -g IN_public
-A INPUT_ZONES -g IN_public
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public -p icmp -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 5900:5979 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 9000:9001 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 5979 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p udp -m udp --dport 9000:9001 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
# Completed on Thu Sep  8 10:12:45 2016

> >>> Again, it was working 2 days ago, so I am thinking that a recent update
> >>> has done something??
> >>>
> >>> Not sure why the !X is occurring. These machines are on the same
> >>> 192.168.7.x network?
>
> !X is traceroute's way of saying "communication administratively
> prohibited". Looks like there is a rule saying something like -j REJECT
> --reject-with icmp-{net,host,admin}-prohibited somewhere in the firewall
> ruleset. We can find it in the above requested iptables-save data.
> --
> users mailing list
> users@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe or change subscription options:
> https://lists.fedoraproject.org/admin/lists/users@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
> Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
> Have a question? Ask away: http://ask.fedoraproject.org

+----------------------------------------------------------+
  Michael D. Setzer II - Computer Science Instructor
  Guam Community College Computer Center
  mailto:mikes@xxxxxxxxxxxxxxxx
  mailto:msetzerii@xxxxxxxxx
  Guam - Where America's Day Begins
  G4L Disk Imaging Project maintainer
  http://sourceforge.net/projects/g4l/
+----------------------------------------------------------+
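Added example, not part of the thread: a small Python checker over a constructed excerpt of the d7r filter table posted above, listing the TCP ports IN_public_allow opens, the terminal REJECT rule with the error a connecting client reports, and the fate of a fresh inbound SYN to a given port. The passive data port 41234 used in the test is an assumed sample value; the errno mapping is the Linux client stack's, and the checker deliberately ignores interface and zone dispatch (here INPUT_ZONES leads to IN_public_allow for enp2s0).

```python
import re
# Constructed excerpt of the d7r filter table posted in the thread; only the
# rules the checks below need are kept (the real dump has many more chains).
SAMPLE = """\
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j INPUT_ZONES
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A IN_public_allow -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 5900:5979 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
"""
# Errno the Linux client stack raises for each ICMP rejection type.
REJECT_ERRNO = {
    "icmp-port-unreachable": "ECONNREFUSED (Connection refused)",
    "icmp-host-prohibited": "EHOSTUNREACH (No route to host)",
}
RULE = re.compile(r"^-A (\S+)(.*?) -j (\S+)(.*)$")
DPORT = re.compile(r"--dport (\d+)(?::(\d+))?")

def parse_rules(text):
    """(chain, match options, target, target options) for every -A line."""
    found = [RULE.match(line.strip()) for line in text.splitlines()]
    return [tuple(s.strip() for s in m.groups()) for m in found if m]

def accepted_tcp_ports(rules):
    """TCP destination port ranges explicitly ACCEPTed, as (lo, hi) pairs."""
    ranges = []
    for _, matches, target, _ in rules:
        d = DPORT.search(matches)
        if target == "ACCEPT" and "-p tcp" in matches and d:
            ranges.append((int(d.group(1)), int(d.group(2) or d.group(1))))
    return sorted(ranges)

def reject_verdicts(rules):
    """Each REJECT rule with the error a connecting client will report."""
    out = []
    for chain, _, target, opts in rules:
        if target == "REJECT":  # bare REJECT defaults to icmp-port-unreachable
            kind = (opts.split("--reject-with")[-1].split() or ["icmp-port-unreachable"])[0]
            out.append((chain, kind, REJECT_ERRNO.get(kind, "unknown")))
    return out

def fate_of_new_syn(rules, port):
    """Verdict for a fresh inbound SYN to port that conntrack has not marked RELATED
    (e.g. a PASV data connection without the nf_conntrack_ftp helper tracking it)."""
    if any(lo <= port <= hi for lo, hi in accepted_tcp_ports(rules)):
        return "ACCEPT"
    for chain, kind, err in reject_verdicts(rules):
        if chain == "INPUT":
            return f"REJECT {kind} -> {err}"
    return "chain policy"
```

Port 21 is accepted, but a passive-mode data connection to an arbitrary high port falls through to the INPUT REJECT and is reported client-side as "No route to host", the message ncftpls printed three times before falling back to PORT mode.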