- 01-10-2013 #1
FTP Issue behind CentOS 6 Firewall
Hello,
I have installed CentOS 6 on my server, which is acting as a proxy server and firewall for my network. Everything is running smooth and fine. But I am getting a very weird issue now. The issue is:
When I connect to a remote FTP server from a client machine which is behind this CentOS 6 firewall, I successfully connect to the FTP server. But when I try to download or view/edit a file, FTP gets stuck in the middle of the process. At first sight, it seems like the remote FTP server is misconfigured. But when I connect to this remote FTP server with a public IP, I can successfully download and view/edit the files. So now it means there is something wrong with the CentOS 6 server, which is acting as a firewall in the middle of the FTP connection from client to server. Both incoming and outgoing connections for FTP are allowed on the firewall [using iptables], and the Squid proxy is already configured with an allow FTP ACL.
I don't know what is wrong with the CentOS 6 server. This problem has occurred many times before; it resolved automatically, and a few times it started working when I entered the commands below:
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp
But now these commands are not able to resolve my issue.
Please help. If you need some other information, you can ask me.
Thanks..
- 01-10-2013 #2
- 01-10-2013 #3
Thanks for the reply. Sohail, I have not configured any FTP server. This is a remote FTP server. Following is the output of the commands you asked for.
Output of 'iptables -L'
>>
>>
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:domain
ACCEPT udp -- anywhere anywhere state NEW udp dpt:domain
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pop3s
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
..
>>
Output of iptables -t nat -L
>>
>>
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
>>
Yes, I have already tried flushing the rules and then regenerating them.
And one more thing I want to add here is that I am not getting this connectivity issue with all remote FTP servers, but with a few only.
- 01-10-2013 #4
You say you flushed the firewall and created new IP tables. Why don't you try without any IP tables instead of creating a new set of rules?
In your FTP client software, enable active mode; by default, it's usually in passive mode for most FTP client software.
Further, you may need to see if TCP wrapper (on the FTP server) is allowing your IP.
Jazak Allah,
Sohail
- 01-10-2013 #5
>>You say you flushed the firewall and created new IP tables. Why don't you try without any IP tables instead of creating a new set of rules?
Sohail, it doesn't make any sense to stop the firewall [iptables]. As I have already told you, this server is acting as a gateway/firewall for my network. Additionally, how can a client machine connect to a remote FTP server without the firewall enabled in the middle of the connection? I am damn sure that my firewall is not blocking this FTP connection.
>>In your FTP client software, enable active mode; by default, it's usually in passive mode for most FTP client software.
Yes, I know this and I have already tried this, but no luck so far.
>>Further, you may need to see if TCP wrapper (on the FTP server) is allowing your IP.
I can connect to this remote FTP server from other public IPs. I have used one of these IPs as a remote gateway on this CentOS 6 server, but still no luck.
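
Added example, not part of the original thread or written by any poster: the `ip_conntrack_ftp` / `ip_nat_ftp` helpers named in post #1 work by reading `PORT` commands and `227` replies on the FTP control connection. This Python code parses constructed control-channel lines and reports when a gateway helper could not follow the session, either because the control port is outside the helper's port list (assumed here to be the default, 21) or because the control channel has switched to TLS. All function and variable names are hypothetical.

```python
import ipaddress
import re

HELPER_PORTS = {21}  # assumption: helper loaded with its default ports=21
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def data_endpoint(line):
    """Return (ip, port) from a 'PORT h1,h2,h3,h4,p1,p2' command or a
    '227 ... (h1,h2,h3,h4,p1,p2)' reply; None for any other line."""
    if not (line.upper().startswith("PORT ") or line.startswith("227 ")):
        return None
    m = HOSTPORT.search(line)
    if not m:
        return None
    n = [int(x) for x in m.groups()]
    if max(n) > 255:
        return None
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

def assess(control_port, transcript):
    """Say whether a gateway FTP helper could follow this control session.
    transcript: list of 'C: ...' / 'S: ...' lines as seen on the wire."""
    result = {"trackable": True, "reason": "ok", "endpoints": []}
    if control_port not in HELPER_PORTS:
        return dict(result, trackable=False, reason="control port not watched by helper")
    tls_requested = False
    for entry in transcript:
        side, line = entry[0], entry[3:]
        if side == "C" and line.upper().startswith("AUTH "):
            tls_requested = True
        elif side == "S" and tls_requested and line.startswith("234"):
            # Everything after 234 is encrypted: PORT/227 are invisible to the gateway.
            return dict(result, trackable=False, reason="control channel encrypted")
        ep = data_endpoint(line)
        if ep:
            # A private address in PORT must be rewritten by the NAT helper.
            rewrite = side == "C" and ipaddress.ip_address(ep[0]).is_private
            result["endpoints"].append((ep[0], ep[1], rewrite))
    return result

# Constructed sample sessions (not captured from the poster's network).
PASSIVE = ["C: PASV", "S: 227 Entering Passive Mode (203,0,113,10,195,80)"]
ACTIVE = ["C: PORT 192,168,1,20,4,1", "S: 200 PORT command successful"]
FTPS = ["C: AUTH TLS", "S: 234 Proceed with negotiation", "C: PASV"]

if __name__ == "__main__":
    for name, port, t in [("passive", 21, PASSIVE), ("active", 21, ACTIVE),
                          ("ftps", 21, FTPS), ("alt-port", 2121, PASSIVE)]:
        print(name, assess(port, t))
```

Each endpoint tuple is (address, data port, needs NAT rewrite); the data port is `p1 * 256 + p2` from the last two numbers in the command or reply.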