I really need to FTP Between my RH9 and Fedora 2 boxes.
Mark Healey 2004-11-13, 2:45 am
I'm reposting the original message hoping to get a response this time.
All I want to do is ftp between a RH9 machine (the server) and a
Fedora 2 machine (the client).
I'm pretty sure it is a firewall problem with the client machine and
the way ftp uses random port numbers.
------Original post-------
I've been trying to ftp between a fedora box and a RH9 box. The RH9
box is running the default ftpd and I'm using the default console ftp
client on the fedora box.
I can login fine but when I try to "ls" I get:
227 Entering Passive Mode (*.*.*.*.208.243)
ftp: connect: Connection refused
the asterisks are the IP address of the server.
On both machines I have the ftp box checked in the graphical security
settings app.
When I boot the client machine into OS/2 and use the default text mode
client that it has I have no problem, so it's obviously a client
problem.
I've posted this problem twice before and not gotten a working
solution. Please help.
-------end original post-----------
Now it is the third time. If no one on this group knows how to fix
the problem please tell me of a group that is read by people who do.
--
Mark Healey
marknews(at)healeyonline(dot)com
Ivan Marsh 2004-11-15, 5:45 pm
On Sat, 13 Nov 2004 05:09:49 +0000, Mark Healey wrote:
> I'm reposting the original message hoping to get a response this time.
>
> All I want to do is ftp between a RH9 machine (the server) and a Fedora 2
> machine (the client).
>
> I'm pretty sure it is a firewall problem with the client machine and the
> way ftp uses random port numbers.
Have you tried confirming that by turning off the firewall?
--
"No oppression is so heavy or lasting as that which is inflicted by
the perversion and exorbitance of legal authority."
i.m.
Mark Healey 2004-11-20, 5:45 pm
On Mon, 15 Nov 2004 19:57:40 UTC, "Ivan Marsh" <annoyed@you.now> wrote:
> On Sat, 13 Nov 2004 05:09:49 +0000, Mark Healey wrote:
>
>
> Have you tried confirming that by turning off the firewall?
I turn it off on the Fedora (client) box and it works in active mode
but not passive?
--
Mark Healey
marknews(at)healeyonline(dot)com
Ivan Marsh 2004-11-22, 5:45 pm
On Sat, 20 Nov 2004 16:36:06 +0000, Mark Healey wrote:
> On Mon, 15 Nov 2004 19:57:40 UTC, "Ivan Marsh" <annoyed@you.now> wrote:
>
>
> I turn it off on the Fedora (client) box and it works in active mode but
> not passive?
Do you need it to work in passive mode?
Adjust as needed:
INTERNET="eth0"
UNPRIVPORTS="1024:65535"
CLASS_C="192.168.0.0/16"
################################################################################
# FTP TRAFFIC
################################################################################
echo 'Allowing outgoing FTP requests.'
# Outgoing control connection to port 21
iptables -A OUTPUT -o $INTERNET -p tcp --sport $UNPRIVPORTS --dport 21 -j ACCEPT
iptables -A INPUT -i $INTERNET -p tcp ! --syn --sport 21 --dport $UNPRIVPORTS -j ACCEPT
# Incoming port mode data channel connection from port 20
iptables -A INPUT -i $INTERNET -p tcp --sport 20 --dport $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $INTERNET -p tcp ! --syn --sport $UNPRIVPORTS --dport 20 -j ACCEPT
# Outgoing passive mode data channel connection between unprivileged ports
iptables -A OUTPUT -o $INTERNET -p tcp --sport $UNPRIVPORTS --dport $UNPRIVPORTS -j ACCEPT
iptables -A INPUT -i $INTERNET -p tcp ! --syn --sport $UNPRIVPORTS --dport $UNPRIVPORTS -j ACCEPT
echo 'Allowing incoming FTP requests.'
# Incoming control connection to port 21
iptables -A INPUT -i $INTERNET -p tcp -s $CLASS_C --sport $UNPRIVPORTS --dport 21 -j ACCEPT
iptables -A OUTPUT -o $INTERNET -p tcp ! --syn --sport 21 -d $CLASS_C --dport $UNPRIVPORTS -j ACCEPT
# Outgoing port mode data channel connection to port 20
iptables -A OUTPUT -o $INTERNET -p tcp --sport 20 -d $CLASS_C --dport $UNPRIVPORTS -j ACCEPT
iptables -A INPUT -i $INTERNET -p tcp ! --syn -s $CLASS_C --sport $UNPRIVPORTS --dport 20 -j ACCEPT
# Incoming passive mode data channel connection between unprivileged ports
iptables -A INPUT -i $INTERNET -p tcp -s $CLASS_C --sport $UNPRIVPORTS --dport $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $INTERNET -p tcp ! --syn --sport $UNPRIVPORTS -d $CLASS_C --dport $UNPRIVPORTS -j ACCEPT
--
"No oppression is so heavy or lasting as that which is inflicted by
the perversion and exorbitance of legal authority."
i.m.
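As an added example (not Ivan's script or anything else from the thread): a small shell helper that decodes the 227 reply Mark quoted, so you can see which server port the client is about to connect to and therefore which side's firewall is rejecting it, and that prints a narrower server-side rule set relying on the kernel's FTP connection-tracking helper instead of opening the whole unprivileged range in both directions. The module name ip_conntrack_ftp and the -m state match are assumptions about the 2.4/2.6-era kernels discussed here.

```shell
#!/bin/sh
# Added example (not code from the thread). Two defender-side helpers for the
# passive-mode failure discussed above. Assumptions: a 2.4/2.6-era kernel whose
# FTP connection-tracking module is named ip_conntrack_ftp (on current kernels
# it is nf_conntrack_ftp and "-m state --state" is "-m conntrack --ctstate").

# Decode a "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply. The server
# listens on TCP port p1*256+p2, so that is the port the server-side firewall
# must accept. Host fields may be masked (as in the post) because only the
# last two fields are used. Returns 1 if the line is not a 227 reply.
pasv_port() {
    fields=$(printf '%s\n' "$1" | sed -n \
        's/^227 .*([^,.]*[,.][^,.]*[,.][^,.]*[,.][^,.]*[,.]\([0-9][0-9]*\)[,.]\([0-9][0-9]*\)).*/\1 \2/p')
    set -- $fields                 # only digits and one space can reach here
    [ $# -eq 2 ] || return 1
    echo $(( $1 * 256 + $2 ))
}

# Emit server-side rules that admit only the data channel the FTP helper has
# tied to an accepted control connection, instead of opening every
# unprivileged port to every unprivileged port as the rules in the thread do
# (those accept any TCP session between two ports above 1023, FTP or not).
# $1 = interface, $2 = trusted client network. The rules are printed, not
# applied, so they can be reviewed before being run as root. They are
# appended with -A; on a stock Red Hat firewall they must sit before the
# chain's final REJECT rule (use -I or the distribution's own chain name).
ftp_rules() {
    cat <<EOF
modprobe ip_conntrack_ftp
iptables -A INPUT -i $1 -p tcp -s $2 --dport 21 -m state --state NEW -j ACCEPT
iptables -A INPUT -i $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Demonstration with the reply quoted in the first post (host masked).
pasv_port '227 Entering Passive Mode (*.*.*.*.208.243)'   # prints 53491
ftp_rules eth0 192.168.0.0/16
```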
Mark Healey 2004-11-23, 2:45 am
On Mon, 22 Nov 2004 17:12:39 UTC, "Ivan Marsh" <annoyed@you.now> wrote:
> On Sat, 20 Nov 2004 16:36:06 +0000, Mark Healey wrote:
>
>
> Do you need it to work in passive mode?
>
> Adjust as needed:
>
> INTERNET="eth0"
> UNPRIVPORTS="1024:65535"
> CLASS_C="192.168.0.0/16"
>
> ################################################################################
> # FTP TRAFFIC
> ################################################################################
> echo 'Allowing outgoing FTP requests.'
>
> # Outgoing control connection to port 21
> iptables -A OUTPUT -o $INTERNET -p tcp --sport $UNPRIVPORTS --dport 21 -j ACCEPT
> iptables -A INPUT -i $INTERNET -p tcp ! --syn --sport 21 --dport $UNPRIVPORTS -j ACCEPT
>
> # Incoming port mode data channel connection from port 20
> iptables -A INPUT -i $INTERNET -p tcp --sport 20 --dport $UNPRIVPORTS -j ACCEPT
> iptables -A OUTPUT -o $INTERNET -p tcp ! --syn --sport $UNPRIVPORTS --dport 20 -j ACCEPT
>
> # Outgoing passive mode data channel connection between unprivileged ports
> iptables -A OUTPUT -o $INTERNET -p tcp --sport $UNPRIVPORTS --dport $UNPRIVPORTS -j ACCEPT
> iptables -A INPUT -i $INTERNET -p tcp ! --syn --sport $UNPRIVPORTS --dport $UNPRIVPORTS -j ACCEPT
>
> echo 'Allowing incoming FTP requests.'
>
> # Incoming control connection to port 21
> iptables -A INPUT -i $INTERNET -p tcp -s $CLASS_C --sport $UNPRIVPORTS --dport 21 -j ACCEPT
> iptables -A OUTPUT -o $INTERNET -p tcp ! --syn --sport 21 -d $CLASS_C --dport $UNPRIVPORTS -j ACCEPT
>
> # Outgoing port mode data channel connection to port 20
> iptables -A OUTPUT -o $INTERNET -p tcp --sport 20 -d $CLASS_C --dport $UNPRIVPORTS -j ACCEPT
> iptables -A INPUT -i $INTERNET -p tcp ! --syn -s $CLASS_C --sport $UNPRIVPORTS --dport 20 -j ACCEPT
>
> # Incoming passive mode data channel connection between unprivileged ports
> iptables -A INPUT -i $INTERNET -p tcp -s $CLASS_C --sport $UNPRIVPORTS --dport $UNPRIVPORTS -j ACCEPT
> iptables -A OUTPUT -o $INTERNET -p tcp ! --syn --sport $UNPRIVPORTS -d $CLASS_C --dport $UNPRIVPORTS -j ACCEPT
I'm guessing that I add these lines to /etc/sysconfig/iptables?
Are the:
> INTERNET="eth0"
> UNPRIVPORTS="1024:65535"
> CLASS_C="192.168.0.0/16"
lines some kind of variable definitions?
--
Mark Healey
marknews(at)healeyonline(dot)com
Ivan Marsh 2004-11-23, 5:45 pm
On Tue, 23 Nov 2004 06:54:23 +0000, Mark Healey wrote:
> On Mon, 22 Nov 2004 17:12:39 UTC, "Ivan Marsh" <annoyed@you.now> wrote:
>
> I'm guessing that I add these lines to /etc/sysconfig/iptables?
No. That's part of a bash script. You can make it executable and run it.
Then run "service iptables save".
> Are the:
>
>
> lines some kind of variable definitions?
Yes.
--
"No oppression is so heavy or lasting as that which is inflicted by
the perversion and exorbitance of legal authority."
i.m.
Mark Healey 2004-11-27, 7:45 am
On Tue, 23 Nov 2004 17:49:29 UTC, "Ivan Marsh" <annoyed@you.now> wrote:
> On Tue, 23 Nov 2004 06:54:23 +0000, Mark Healey wrote:
>
I just got lazy. I figured out enough of the rules descriptions to
modify /etc/sysconfig/iptables to allow any traffic from machines I
trust.
--
Mark Healey
marknews(at)healeyonline(dot)com