  1. #1
    Just Joined!
    Join Date
    Dec 2009
    Posts
    48

    FTP Issue behind Centos 6 Firewall


    Hello,

    I have installed CentOS 6 on my server, which is acting as a proxy server and firewall for my network. Everything is running smooth and fine. But I am getting a very weird issue now. The issue is:

    When I connect to a remote FTP server from a client machine which is behind this CentOS 6 firewall, I successfully connect to the FTP. But when I try to download or view/edit a file, FTP gets stuck in the middle of the process. At first sight, it seems like the remote FTP server is misconfigured. But when I connect to this remote FTP with a public IP, I can successfully download and view/edit the files. So it means there is something wrong with the CentOS 6 server which is acting as a firewall in the middle of the FTP connection from client to server. Both incoming and outgoing connections for FTP are allowed on the firewall [using iptables] and the Squid proxy is already configured with an allow FTP ACL.
    I don't know what is wrong with the CentOS 6 server. This problem has occurred many times before and it resolved automatically, and a few times when I entered the commands below it started working:

    modprobe ip_nat_ftp
    modprobe ip_conntrack_ftp

    But now these commands are not able to resolve my issue.

    Please help. If you need some other information, you can ask me.


    Thanks..

  2. #2
    Just Joined! msohail's Avatar
    Join Date
    Nov 2011
    Posts
    47
    Can you please post your FTP configuration and IP tables rules (iptables -L and iptables -t nat -L)?

    Did you try to edit files after flushing the firewall (iptables -F)?

    Jazak Allah,
    Sohail

  3. #3
    Just Joined!
    Join Date
    Dec 2009
    Posts
    48
    Thanks for the reply. Sohail, I have not configured any FTP server. This is a remote FTP server. Following is the output of the commands which you asked for.

    Output of 'iptables -L'

    >>
    >>
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    ACCEPT icmp -- anywhere anywhere
    ACCEPT all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere
    ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
    ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
    ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
    ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
    ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:domain
    ACCEPT udp -- anywhere anywhere state NEW udp dpt:domain
    ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:imaps
    ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pop3s
    REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    ACCEPT icmp -- anywhere anywhere
    ACCEPT all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere
    REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination



    ..
    >>
    Output of iptables -t nat -L

    >>
    >>
    Chain PREROUTING (policy ACCEPT)
    target prot opt source destination

    Chain POSTROUTING (policy ACCEPT)
    target prot opt source destination
    MASQUERADE all -- anywhere anywhere

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    >>


    Yes, I have already tried flushing the rules and then regenerating them.


    And one more thing I want to add here is that I am not getting this connectivity issue with all remote FTP but with a few only.

  5. #4
    Just Joined! msohail's Avatar
    Join Date
    Nov 2011
    Posts
    47
    You say you flushed the firewall and created new IP tables. Why don't you try without any IP tables instead of creating a new set of rules?
    In your FTP client software, enable active mode; by default, it's usually in passive mode for most FTP client software.
    Further, you may need to see if tcp wrapper (on FTP server) is allowing your IP.

    Jazak Allah,
    Sohail

  6. #5
    Just Joined!
    Join Date
    Dec 2009
    Posts
    48
    >>You say you flushed the firewall and created new IP tables. Why don't you try without any IP tables instead of creating a new set of rules?

    Sohail, it doesn't make any sense to stop the firewall [iptables]. As I have already told you, this server is acting as a gateway/firewall for my network. Additionally, how can a client machine connect with a remote FTP without the firewall enabled in the middle of the connection? I am damn sure that my firewall is not blocking this FTP connection.

    >>In your FTP client software, enable active mode; by default, it's usually in passive mode for most FTP client software.

    Yes, I know this and I have already tried this, but no luck so far.

    >>Further, you may need to see if tcp wrapper (on FTP server) is allowing your IP.

    I can connect with this remote FTP server from other public IPs. I have used one of these IPs as a remote gateway on this CentOS 6 server, but still no luck.
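
What the FTP conntrack/NAT helpers loaded by the modprobe commands in the first post act on, as an added example that is not part of any post in this thread: FTP announces its data-connection endpoint inside the control channel, and a masquerading gateway has to read that text and, for active mode, rewrite it. The function names, sample lines and documentation-range addresses are constructed for illustration.

```python
import re

# h1,h2,h3,h4,p1,p2 as used by the PORT command and the 227 reply (RFC 959).
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
# Extended passive reply (RFC 2428): only a port, e.g. "(|||50000|)".
_EPSV = re.compile(r"\(\|\|\|(\d{1,5})\|\)")


def data_endpoint(line, peer_ip):
    """Return (mode, ip, port) announced by one control-channel line, else None.

    peer_ip is the server address of the control connection; a 229 reply
    carries no address, so the data connection goes to that same host.
    """
    line = line.strip()
    is_port = line[:5].upper() == "PORT "
    if is_port or line.startswith("227 "):
        m = _HOSTPORT.search(line)
        nums = [int(x) for x in m.groups()] if m else []
        if not nums or max(nums) > 255:
            return None  # malformed address or port bytes
        ip = ".".join(str(n) for n in nums[:4])
        return ("active" if is_port else "passive", ip, nums[4] * 256 + nums[5])
    if line.startswith("229 "):
        m = _EPSV.search(line)
        if m and 0 < int(m.group(1)) <= 65535:
            return ("passive", peer_ip, int(m.group(1)))
    return None


def rewrite_port_for_nat(line, public_ip, public_port):
    """Rewrite a client's PORT command to the gateway's public mapping."""
    found = data_endpoint(line, "")
    if found is None or found[0] != "active":
        return line  # only active-mode PORT commands carry a private address
    args = public_ip.split(".") + [str(public_port // 256), str(public_port % 256)]
    return "PORT " + ",".join(args)


# Constructed control-channel lines (addresses from documentation ranges).
SAMPLE = [
    "PORT 192,168,1,10,195,80",                       # client behind the gateway
    "227 Entering Passive Mode (203,0,113,5,78,52)",  # server reply, passive mode
    "229 Entering Extended Passive Mode (|||50000|)",
    "230 Login successful.",                          # no data endpoint
]
```

A helper can do this only while it can read the control channel, that is, in clear text and on the port it watches.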
