Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

ipchains and ftp

Posted on 2000-04-19
9
Medium Priority
?
390 Views
Last Modified: 2010-03-18
I'm currently unable to FTP to a machine that has ipchains running on it. I know that for ftp you need the ip_masq_ftp module. I've installed this implicitly using linuxconf(1.17r3) and if I do an lsmod I can see that it has been loaded, although used has 0 for a value. What am I doing wrong?
Thanks
0
Comment
Question by:tibori
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
9 Comments
 

Expert Comment

by:macleajb
ID: 2732926
ip_masq_ftp is only needed if you are a box providing a gateway from one network to another. This does not appear to be that case.
.. ftp uses two data channels, the first is port 21 and it is easily configured with ipchains (on either box). The second is a more random port that both boxes decide on. If ipchains is blocking the port range that contains the port the client and server have decided on, then the connection will allow you to log in, but you will get no response to commands like 'ls'.
.. if you are _not_ running ipchains, then you can use tcpdump on either/both hosts to see if any communication is being allowed.
.. also is the ftp daemon running on the target box?
0
 

Expert Comment

by:macleajb
ID: 2734016
ip_masq_ftp is only needed if you are a box providing a gateway from one network to another. This does not appear to be that case.
.. ftp uses two data channels, the first is port 21 and it is easily configured with ipchains (on either box). The second is a more random port that both boxes decide on. If ipchains is blocking the port range that contains the port the client and server have decided on, then the connection will allow you to log in, but you will get no response to commands like 'ls'.
.. if you are _not_ running ipchains, then you can use tcpdump on either/both hosts to see if any communication is being allowed.
.. also is the ftp daemon running on the target box?
0
 
LVL 3

Author Comment

by:tibori
ID: 2735952
macleajb: Actually this machine is a gateway for dialup users to access the lan and vice versa. I am not sure if the ftp service is running(how do I check?) I can see the inetd running, and in inetd.conf the ftp line is uncommented? What else should I be checking for?
Thanks
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 

Accepted Solution

by:
macleajb earned 90 total points
ID: 2736004
If you have access to the machine, run "netstat -ln" and look for a line with :21 for :ftp.
Then try to telnet to that box port 21 "telnet <ip> 21" and see if you get a connect. If you get a connection refused, or ot times out, and you saw that port 21 was available, then ipchains could be blocking traffic. To find out take a look at the output of "ipchains -L -n" and see if it is blocking port 21 (REJECT). Also, are you able to ftp past/through the box to a box on the other side of it? Does other traffic get through?
0
 
LVL 3

Author Comment

by:tibori
ID: 2736140
Trying to telnet to port 21 gives me the following:
Trying 192.168.4.200...
Connected to hostname.domainname.com.
Escape character is '^]'.
Connection closed by foreign host.  
Doing a ipchains -L -n shows the firewall settings(which I set up) and they seem correct. Here's what it looks like:
Chain input (policy ACCEPT):
Chain forward (policy DENY):
target     prot opt     source                destination           ports
MASQ       all  ----l-  192.168.6.0/24       0.0.0.0/0             n/a
MASQ       all  ------  192.168.4.0/24       192.168.6.0/24        n/a
MASQ       all  ----l-  192.168.10.10        192.168.6.0/24        n/a
Chain output (policy ACCEPT):  

The 6's are the dialup users, the 4's are the LAN users and the 10 is a point-to-point to another LAN.
Any problems you see there?
BTW, there's only one netcard in this machine(is that a problem)
Thanks                                            
0
 

Expert Comment

by:macleajb
ID: 2736583
A simple thought. Did you check /etc/hosts.allow and /etc/hosts.deny to make sure ftpd (probably in.ftpd) is referenced there to be allowed? I expect you are using /usr/sbin/tcpd (tcp-wrappers)?
0
 
LVL 3

Author Comment

by:tibori
ID: 2744933
Well there are no entries in the /etc/hosts.allow and hosts.deny files. I am using tcpd. The interesting thing is that I can't even ftp to localhost, or even ftp to 127.0.0.1. So it seems that it's either a routing problem or the ftp server is not running. Trying to do a "whereis in.ftpd" comes up with all the others (eg in.fingerd, in.telnetd) except in.ftpd. If by some chance this file was deleted where do I look for it and how do I put it back?
Thanks
0
 
LVL 3

Author Comment

by:tibori
ID: 2745168
Alright that was the problem. I just copied the in.ftpd from another system to this system and it solved the problem. If you can tell me what package(rpm for RH6.1) this ftpd is part of the points are yours.
Thanks
0
 
LVL 3

Author Comment

by:tibori
ID: 2745352
Never mind. I found the package that was missing: wu-ftpd.
Installing it fiexed everything.
Thanks for all your help.
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
Have you created a query with information for a calendar? ... and then, abra-cadabra, the calendar is done?! I am going to show you how to make that happen. Visualize your data!  ... really see it To use the code to create a calendar from a q…

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question