Solved

ipchains and ftp

Posted on 2000-04-19
9
369 Views
Last Modified: 2010-03-18
I'm currently unable to FTP to a machine that has ipchains running on it. I know that for ftp you need the ip_masq_ftp module. I've installed this implicitly using linuxconf(1.17r3) and if I do an lsmod I can see that it has been loaded, although used has 0 for a value. What am I doing wrong?
Thanks
0
Comment
Question by:tibori
  • 5
  • 4
9 Comments
 

Expert Comment

by:macleajb
ID: 2732926
ip_masq_ftp is only needed if you are a box providing a gateway from one network to another. This does not appear to be that case.
.. ftp uses two data channels, the first is port 21 and it is easily configured with ipchains (on either box). The second is a more random port that both boxes decide on. If ipchains is blocking the port range that contains the port the client and server have decided on, then the connection will allow you to log in, but you will get no response to commands like 'ls'.
.. if you are _not_ running ipchains, then you can use tcpdump on either/both hosts to see if any communication is being allowed.
.. also is the ftp daemon running on the target box?
0
 

Expert Comment

by:macleajb
ID: 2734016
ip_masq_ftp is only needed if you are a box providing a gateway from one network to another. This does not appear to be that case.
.. ftp uses two data channels, the first is port 21 and it is easily configured with ipchains (on either box). The second is a more random port that both boxes decide on. If ipchains is blocking the port range that contains the port the client and server have decided on, then the connection will allow you to log in, but you will get no response to commands like 'ls'.
.. if you are _not_ running ipchains, then you can use tcpdump on either/both hosts to see if any communication is being allowed.
.. also is the ftp daemon running on the target box?
0
 
LVL 3

Author Comment

by:tibori
ID: 2735952
macleajb: Actually this machine is a gateway for dialup users to access the lan and vice versa. I am not sure if the ftp service is running(how do I check?) I can see the inetd running, and in inetd.conf the ftp line is uncommented? What else should I be checking for?
Thanks
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 

Accepted Solution

by:
macleajb earned 30 total points
ID: 2736004
If you have access to the machine, run "netstat -ln" and look for a line with :21 for :ftp.
Then try to telnet to that box port 21 "telnet <ip> 21" and see if you get a connect. If you get a connection refused, or ot times out, and you saw that port 21 was available, then ipchains could be blocking traffic. To find out take a look at the output of "ipchains -L -n" and see if it is blocking port 21 (REJECT). Also, are you able to ftp past/through the box to a box on the other side of it? Does other traffic get through?
0
 
LVL 3

Author Comment

by:tibori
ID: 2736140
Trying to telnet to port 21 gives me the following:
Trying 192.168.4.200...
Connected to hostname.domainname.com.
Escape character is '^]'.
Connection closed by foreign host.  
Doing a ipchains -L -n shows the firewall settings(which I set up) and they seem correct. Here's what it looks like:
Chain input (policy ACCEPT):
Chain forward (policy DENY):
target     prot opt     source                destination           ports
MASQ       all  ----l-  192.168.6.0/24       0.0.0.0/0             n/a
MASQ       all  ------  192.168.4.0/24       192.168.6.0/24        n/a
MASQ       all  ----l-  192.168.10.10        192.168.6.0/24        n/a
Chain output (policy ACCEPT):  

The 6's are the dialup users, the 4's are the LAN users and the 10 is a point-to-point to another LAN.
Any problems you see there?
BTW, there's only one netcard in this machine(is that a problem)
Thanks                                            
0
 

Expert Comment

by:macleajb
ID: 2736583
A simple thought. Did you check /etc/hosts.allow and /etc/hosts.deny to make sure ftpd (probably in.ftpd) is referenced there to be allowed? I expect you are using /usr/sbin/tcpd (tcp-wrappers)?
0
 
LVL 3

Author Comment

by:tibori
ID: 2744933
Well there are no entries in the /etc/hosts.allow and hosts.deny files. I am using tcpd. The interesting thing is that I can't even ftp to localhost, or even ftp to 127.0.0.1. So it seems that it's either a routing problem or the ftp server is not running. Trying to do a "whereis in.ftpd" comes up with all the others (eg in.fingerd, in.telnetd) except in.ftpd. If by some chance this file was deleted where do I look for it and how do I put it back?
Thanks
0
 
LVL 3

Author Comment

by:tibori
ID: 2745168
Alright that was the problem. I just copied the in.ftpd from another system to this system and it solved the problem. If you can tell me what package(rpm for RH6.1) this ftpd is part of the points are yours.
Thanks
0
 
LVL 3

Author Comment

by:tibori
ID: 2745352
Never mind. I found the package that was missing: wu-ftpd.
Installing it fiexed everything.
Thanks for all your help.
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
SIP Trunk provider 20 127
how to monitor remote shell execution on linux 9 100
iptables ubuntu BLOCK all 2 83
Debian 8.5 networking quits working every couple of hours 13 101
I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
This Micro Tutorial demonstrates using Microsoft Excel pivot tables, how to reverse engineer competitors' marketing strategies through backlinks.
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…

813 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now