Michael Stenner wrote:

> On Fri, May 21, 2004 at 12:00:30AM -0500, mw-list-yum@xxxxxx wrote:
>
>> [Errno 4] IOError: [Errno ftp error] (113, 'No route to host')
>>
>> I get the following clue when I use ncftp:
>>
>> # ncftp moni.msci.memphis.edu
>> NcFTP 3.1.6 (Aug 25, 2003) by Mike Gleason (http://www.NcFTP.com/contact/).
>> Connecting to 141.225.11.87...
>> Welcome to the FTP service on moni.msci at the University of Memphis.
>> Logging in...
>> Login successful.
>> Logged in to moni.msci.memphis.edu.
>> ncftp / > cd pub/fedora/linux/core/2/i386/os/headers/
>> Directory successfully changed.
>> ncftp ...core/2/i386/os/headers > ls -l header.info
>> connect failed: No route to host.
>> Falling back to PORT instead of PASV mode.
>> -rw-r--r--   1 0        0          111939 May 13 11:11 header.info
>>
>> The ftp server is running FC2 with vsftpd.
>>
>> Any advice appreciated.
>
> Hrm. That is interesting. "no route to host" is (surprise surprise)
> a routing problem, but that puzzles me since PASV should be doing
> pretty much the same thing for both types of connections. I don't
> remember the details of how it works, though. You might also try
> running a packet sniffer like ethereal to see what's happening.
>
> Hmm. Does the server identify itself for the second connection? If
> so, is it identifying itself incorrectly?
>
> -Michael

Here is what I did to get passive mode working with vsftpd and iptables on FC1:

In vsftpd.conf add:

  pasv_min_port=50000
  pasv_max_port=60000

In /etc/modules.conf add:

  above ip_conntrack ip_conntrack_ftp

The following iptables rules:

  -A RH-Lokkit-0-50-INPUT -p tcp -m tcp -s 129.174.0.0/16 --dport 21 --syn -j ACCEPT
  -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 50000:60000 -m state --state ESTABLISHED,RELATED -j ACCEPT

in addition to:

  -A RH-Lokkit-0-50-INPUT -p udp -m udp -j DROP
  -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j DROP
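Michael's question ("does the server identify itself incorrectly for the second connection?") and the reply's fix (pin the PASV port range and let the firewall pass it) both come down to what the server advertises in its 227 reply. The following is an added example, not code from the original thread: a small Python diagnostic that parses a "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply and reports why a client's connect to that endpoint would fail against a firewall like the one in the post. The 50000-60000 range is taken from the reply's vsftpd.conf snippet; the sample replies and the 141.225.11.87 control host are constructed for the example and were not captured from the server in the thread.

```python
import re
from typing import List, NamedTuple

# Passive port range: assumed to be the pasv_min_port/pasv_max_port values
# from the vsftpd.conf snippet in the post, which the iptables rule must match.
PASV_MIN_PORT = 50000
PASV_MAX_PORT = 60000

# RFC 959 reply format: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


class PasvTarget(NamedTuple):
    host: str
    port: int


def parse_pasv_reply(reply: str) -> PasvTarget:
    """Extract the data-connection endpoint the server advertised in a 227 reply."""
    m = PASV_RE.search(reply.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"octet out of range in PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = fields
    return PasvTarget(f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)


def check_pasv_target(target: PasvTarget, control_host: str,
                      pmin: int = PASV_MIN_PORT, pmax: int = PASV_MAX_PORT) -> List[str]:
    """Return the reasons a client's connect() to this target would fail against
    a firewall configured like the one in the post (empty list means it looks fine)."""
    problems = []
    if target.host != control_host:
        # Server behind NAT, or bound to another interface, advertising the
        # wrong address: the client connects somewhere it cannot reach.
        problems.append(
            f"advertised host {target.host} differs from control host {control_host}")
    if not pmin <= target.port <= pmax:
        # Without pasv_min_port/pasv_max_port vsftpd picks an ephemeral port;
        # the --dport 50000:60000 ACCEPT never matches and the --syn DROP wins.
        problems.append(
            f"advertised port {target.port} outside firewalled range {pmin}-{pmax}")
    return problems


# Constructed sample replies (not captured from the server in the thread);
# 195*256+80 = 50000 is the bottom of the configured range, 4*256+1 = 1025 is not.
SAMPLE_REPLIES = {
    "ok":          "227 Entering Passive Mode (141,225,11,87,195,80).",
    "nat_address": "227 Entering Passive Mode (192,168,1,5,195,80).",
    "no_range":    "227 Entering Passive Mode (141,225,11,87,4,1).",
}


def run_diagnostics(control_host: str = "141.225.11.87") -> dict:
    """Parse each sample reply and report what would block the data connection."""
    return {name: check_pasv_target(parse_pasv_reply(reply), control_host)
            for name, reply in SAMPLE_REPLIES.items()}


if __name__ == "__main__":
    for name, problems in run_diagnostics().items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

To use it against a live server, feed it the 227 line read from the control connection (or from an Ethereal/tcpdump capture of port 21) together with the address the client actually connected to. The port check is the one the reply's configuration addresses: the firewall only passes data connections inside 50000:60000 and marked RELATED, and ip_conntrack_ftp can only mark them RELATED if it saw the 227 reply on the tracked port-21 control connection, so the vsftpd range, the iptables range and the helper module have to agree.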