Re: Issue with ftp making connection but not list?

On 09/07/2016 05:26 PM, Michael D. Setzer II wrote:
On 7 Sep 2016 at 16:32, Mike Wright wrote:

<snip>

1) ftp uses tcp
2) ftp uses port 21 in both ACTIVE and PASSIVE modes
3) ftp also uses port 20 in ACTIVE mode

I want to make sure I understand what is going on.

d7r is the fedora24 host, correct?

ftp from d7q to d7r (192.168.7.218) does not work, correct?

ftp from d7q to d7t (192.168.7.220) works, is that correct?

If you turn off the firewall on d7r you can successfully ftp from d7q to d7r, correct?

What I see is:

--> 1 d7r.guamcc.net (192.168.7.218) 0.199 ms !X 0.154 ms !X 0.141 ms

The above line shows a "prohibited" status when tracerouting to d7r.

--> [msetzerii@d7q ~]$ ncftpls ftp://192.168.7.218
--> connect failed: No route to host.

The above error could indicate that a desired port is not open or it may be because access to that host is "prohibited" in some way.

The iptables-save output from host d7r that you provided shows only port 21 tcp open so you MUST use PASSIVE mode when connecting to that machine.

It is possible that you are using ACTIVE mode. If so, the firewall must also allow port 20 tcp to accept connections.

   traceroute to 192.168.7.220 (192.168.7.220), 30 hops max, 60 byte packets

    1  d7t.guamcc.net (192.168.7.220)  0.122 ms  0.091 ms  0.080 ms

   traceroute to 192.168.7.218 (192.168.7.218), 30 hops max, 60 byte packets

   !X

I don't use firewalld but I do speak iptables so I'll try to help if I can.

All of the "COMMAND_FAILED" errors are from something trying to delete
rules from the firewall, rules that apparently don't exist.

As root, on d7t, would you please post the results of iptables-save?


Using machine d7q and d7r. Started the vsftp on d7r, and works if on d7r I
disable the firewalld service, but not if it is running?

With the Firewalld stopped on d7r (192.168.7.218)
[msetzerii@d7q ~]$ ncftpls ftp://192.168.7.218
pub/

With the Firewalld started on d7r (192.168.7.218)
[msetzerii@d7q ~]$ ncftpls ftp://192.168.7.218
connect failed: No route to host.
connect failed: No route to host.
connect failed: No route to host.
Falling back to PORT instead of PASV mode.
[msetzerii@d7q ~]$

iptables-save output of d7r
# Generated by iptables-save v1.4.21 on Thu Sep  8 10:12:45 2016
*mangle
:PREROUTING ACCEPT [134:8757]
:INPUT ACCEPT [134:8757]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [90:16750]
:POSTROUTING ACCEPT [90:16750]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -i enp2s0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Thu Sep  8 10:12:45 2016
# Generated by iptables-save v1.4.21 on Thu Sep  8 10:12:45 2016
*raw
:PREROUTING ACCEPT [134:8757]
:OUTPUT ACCEPT [90:16750]
:OUTPUT_direct - [0:0]
:PREROUTING_direct - [0:0]
-A PREROUTING -j PREROUTING_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Thu Sep  8 10:12:45 2016
# Generated by iptables-save v1.4.21 on Thu Sep  8 10:12:45 2016
*nat
:PREROUTING ACCEPT [7:384]
:INPUT ACCEPT [2:148]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_public - [0:0]
:POST_public_allow - [0:0]
:POST_public_deny - [0:0]
:POST_public_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -o enp2s0 -g POST_public
-A POSTROUTING_ZONES -g POST_public
-A POST_public -j POST_public_log
-A POST_public -j POST_public_deny
-A POST_public -j POST_public_allow
-A PREROUTING_ZONES -i enp2s0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Thu Sep  8 10:12:45 2016
# Generated by iptables-save v1.4.21 on Thu Sep  8 10:12:45 2016
*security
:INPUT ACCEPT [129:8521]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [90:16750]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Thu Sep  8 10:12:45 2016
# Generated by iptables-save v1.4.21 on Thu Sep  8 10:12:45 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [90:16750]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_IN_ZONES_SOURCE - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:FORWARD_OUT_ZONES_SOURCE - [0:0]
:FORWARD_direct - [0:0]
:FWDI_public - [0:0]
:FWDI_public_allow - [0:0]
:FWDI_public_deny - [0:0]
:FWDI_public_log - [0:0]
:FWDO_public - [0:0]
:FWDO_public_allow - [0:0]
:FWDO_public_deny - [0:0]
:FWDO_public_log - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_ZONES_SOURCE - [0:0]
:INPUT_direct - [0:0]
:IN_public - [0:0]
:IN_public_allow - [0:0]
:IN_public_deny - [0:0]
:IN_public_log - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A OUTPUT -j OUTPUT_direct
-A FORWARD_IN_ZONES -i enp2s0 -g FWDI_public
-A FORWARD_IN_ZONES -g FWDI_public
-A FORWARD_OUT_ZONES -o enp2s0 -g FWDO_public
-A FORWARD_OUT_ZONES -g FWDO_public
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDI_public -p icmp -j ACCEPT
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
-A INPUT_ZONES -i enp2s0 -g IN_public
-A INPUT_ZONES -g IN_public
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public -p icmp -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 5900:5979 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 9000:9001 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 5979 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p udp -m udp --dport 9000:9001 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
# Completed on Thu Sep  8 10:12:45 2016


   Again, it was working 2 days ago, so I am thinking that a recent update
   has done something??

   Not sure why the !X is occurring. These machines are on the same
   192.168.7.x network?

!X is traceroute's way of saying "communication administratively
prohibited".  Looks like there is a rule saying something like -j REJECT
--reject-with icmp-{net,host,admin}-prohibited somewhere in the firewall
ruleset.  We can find it in the above requested iptables-save data.
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://lists.fedoraproject.org/admin/lists/users@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
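An added example (not written by anyone in this thread) that replays the reasoning above in Python: it walks a constructed excerpt of d7r's INPUT ruleset the way the kernel does, reports whether a NEW TCP connection to a given port reaches an ACCEPT in IN_public_allow or the closing REJECT --reject-with icmp-host-prohibited, and maps that REJECT to the errno the client's connect() fails with, which is why ncftpls printed "No route to host". It assumes the packet arrives on enp2s0 and that the omitted log/deny chains are empty, as in the posted dump.

```python
import errno
import re

# Constructed excerpt of the d7r *filter table posted above; the log/deny,
# lo, virbr0 and mDNS rules are left out as they do not change these verdicts.
RULES = """
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT_ZONES -i enp2s0 -g IN_public
-A IN_public -j IN_public_allow
-A IN_public_allow -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 5900:5979 -m conntrack --ctstate NEW -j ACCEPT
"""
# Kernel mapping (icmp_err_convert) from the ICMP error behind a REJECT to the
# errno the client's connect() fails with; EHOSTUNREACH prints "No route to host".
REJECT_ERRNO = {"icmp-host-prohibited": errno.EHOSTUNREACH,
                "icmp-port-unreachable": errno.ECONNREFUSED}

def opt(rule, flag):
    """Argument of a one-value option such as '-p tcp', or None if absent."""
    m = re.search(r"(?<!\S)" + flag + r" (\S+)", rule)
    return m and m.group(1)

def verdict(text, proto, port, iface="enp2s0"):
    """First terminal target a NEW `proto` packet to `port` on `iface` hits, walking
    INPUT like the kernel (-j returns to the caller, -g does not); else the policy."""
    chains = {}
    for line in text.splitlines():
        if line.startswith("-A "):
            chain, _, rule = line[3:].partition(" ")
            chains.setdefault(chain, []).append(rule)
    def walk(chain):
        for rule in chains.get(chain, []):
            state = opt(rule, "--ctstate")
            lo, _, hi = (opt(rule, "--dport") or "0:65535").partition(":")
            if (opt(rule, "-p") not in (None, proto) or opt(rule, "-i") not in (None, iface)
                    or (state and "NEW" not in state.split(","))
                    or not int(lo) <= port <= int(hi or lo)):
                continue                       # rule does not match this packet
            target = opt(rule, "-j") or opt(rule, "-g")
            if target in ("ACCEPT", "DROP"):
                return target
            if target == "REJECT":
                return "REJECT " + opt(rule, "--reject-with")
            sub = walk(target)                 # user-defined chain: recurse
            if sub or opt(rule, "-g"):
                return sub
        return None
    return walk("INPUT") or "ACCEPT"           # INPUT policy is ACCEPT in the dump

def client_error(v):
    """errno name the client's connect() fails with for a REJECT verdict."""
    return errno.errorcode[REJECT_ERRNO[v[7:]]] if v.startswith("REJECT ") else None
```

Any port not covered by an IN_public_allow rule, including the high port a passive-mode data connection is told to use, ends at the same REJECT, and the client sees EHOSTUNREACH rather than a refused connection.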