Solved

ipchains and ftp

Posted on 2000-04-19
9
365 Views
Last Modified: 2010-03-18
I'm currently unable to FTP to a machine that has ipchains running on it. I know that for ftp you need the ip_masq_ftp module. I've installed this implicitly using linuxconf(1.17r3) and if I do an lsmod I can see that it has been loaded, although used has 0 for a value. What am I doing wrong?
Thanks
0
Comment
Question by:tibori
  • 5
  • 4
9 Comments
 

Expert Comment

by:macleajb
ID: 2732926
ip_masq_ftp is only needed if you are a box providing a gateway from one network to another. This does not appear to be that case.
.. ftp uses two data channels, the first is port 21 and it is easily configured with ipchains (on either box). The second is a more random port that both boxes decide on. If ipchains is blocking the port range that contains the port the client and server have decided on, then the connection will allow you to log in, but you will get no response to commands like 'ls'.
.. if you are _not_ running ipchains, then you can use tcpdump on either/both hosts to see if any communication is being allowed.
.. also is the ftp daemon running on the target box?
0
 

Expert Comment

by:macleajb
ID: 2734016
ip_masq_ftp is only needed if you are a box providing a gateway from one network to another. This does not appear to be that case.
.. ftp uses two data channels, the first is port 21 and it is easily configured with ipchains (on either box). The second is a more random port that both boxes decide on. If ipchains is blocking the port range that contains the port the client and server have decided on, then the connection will allow you to log in, but you will get no response to commands like 'ls'.
.. if you are _not_ running ipchains, then you can use tcpdump on either/both hosts to see if any communication is being allowed.
.. also is the ftp daemon running on the target box?
0
 
LVL 3

Author Comment

by:tibori
ID: 2735952
macleajb: Actually this machine is a gateway for dialup users to access the lan and vice versa. I am not sure if the ftp service is running(how do I check?) I can see the inetd running, and in inetd.conf the ftp line is uncommented? What else should I be checking for?
Thanks
0
 

Accepted Solution

by:
macleajb earned 30 total points
ID: 2736004
If you have access to the machine, run "netstat -ln" and look for a line with :21 for :ftp.
Then try to telnet to that box port 21 "telnet <ip> 21" and see if you get a connect. If you get a connection refused, or ot times out, and you saw that port 21 was available, then ipchains could be blocking traffic. To find out take a look at the output of "ipchains -L -n" and see if it is blocking port 21 (REJECT). Also, are you able to ftp past/through the box to a box on the other side of it? Does other traffic get through?
0
What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

 
LVL 3

Author Comment

by:tibori
ID: 2736140
Trying to telnet to port 21 gives me the following:
Trying 192.168.4.200...
Connected to hostname.domainname.com.
Escape character is '^]'.
Connection closed by foreign host.  
Doing a ipchains -L -n shows the firewall settings(which I set up) and they seem correct. Here's what it looks like:
Chain input (policy ACCEPT):
Chain forward (policy DENY):
target     prot opt     source                destination           ports
MASQ       all  ----l-  192.168.6.0/24       0.0.0.0/0             n/a
MASQ       all  ------  192.168.4.0/24       192.168.6.0/24        n/a
MASQ       all  ----l-  192.168.10.10        192.168.6.0/24        n/a
Chain output (policy ACCEPT):  

The 6's are the dialup users, the 4's are the LAN users and the 10 is a point-to-point to another LAN.
Any problems you see there?
BTW, there's only one netcard in this machine(is that a problem)
Thanks                                            
0
 

Expert Comment

by:macleajb
ID: 2736583
A simple thought. Did you check /etc/hosts.allow and /etc/hosts.deny to make sure ftpd (probably in.ftpd) is referenced there to be allowed? I expect you are using /usr/sbin/tcpd (tcp-wrappers)?
0
 
LVL 3

Author Comment

by:tibori
ID: 2744933
Well there are no entries in the /etc/hosts.allow and hosts.deny files. I am using tcpd. The interesting thing is that I can't even ftp to localhost, or even ftp to 127.0.0.1. So it seems that it's either a routing problem or the ftp server is not running. Trying to do a "whereis in.ftpd" comes up with all the others (eg in.fingerd, in.telnetd) except in.ftpd. If by some chance this file was deleted where do I look for it and how do I put it back?
Thanks
0
 
LVL 3

Author Comment

by:tibori
ID: 2745168
Alright that was the problem. I just copied the in.ftpd from another system to this system and it solved the problem. If you can tell me what package(rpm for RH6.1) this ftpd is part of the points are yours.
Thanks
0
 
LVL 3

Author Comment

by:tibori
ID: 2745352
Never mind. I found the package that was missing: wu-ftpd.
Installing it fiexed everything.
Thanks for all your help.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Suggested Solutions

I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now