
can't access ftp from behind router


Grub3r

Technical User
Aug 17, 2006
Hello,

I'm on a machine behind a firewalled FC5 router and I cannot access ftp sites in the outside world. No matter what site I try, I only get this error message in both active and passive mode:
Code:
425 Unable to build data connection: No route to host

I can easily access ftp sites from my router, but not from the machines on the LAN. What could be the problem?

many thanks in advance.

-Dan
 
iptables?
if you can browse FTP sites from your FC5 router your problem sounds like a FORWARD problem; try running the following on your FC5 router


assuming that your network is set on a standard class C address (192.168.1....., 255.255.255.0)
Code:
iptables -A FORWARD -i your_external_interface -p tcp --dport 21 -s 0/0 -d 192.168.1.0/24 -o your_internal_interface -j ACCEPT

This rule will accept all connections on port 21 from everywhere, directed to your class C network.


Cheers

QatQat

Life is what happens when you are making other plans.
 
Hello again and thanks for the fast reply,

I tried the workaround but it did not help much. I'm still getting the same error message.

I've also opened udp on port 21 and both udp and tcp on port 20. It did not help either.

It must be something with forwarding to the LAN as you mentioned.

Any other help would be much appreciated.

-Dan
 
I've also found out that I can access ftp.suse.com from LAN in passive mode. Any other sites I've tried didn't connect and returned the error message.


Any ideas? Would a printout of iptables help you?


-Dan
 
Is your network schema 192.168.x.x? If not, replace it with the network you use. i.e. 172.17.5.0 or 121.3.0.0.

I would still open ports 20 and 21. I've found that ftp-data is used quite a bit.

As far as suse.com, I'm thinking maybe there's an explicit line allowing that ip???

Also, how is your client configured? Is it trying to use this router as the proxy? Someone correct me if I'm wrong, but bring up a shell and type...
Code:
$ ftp_proxy=192.168.1.5    # the ip of the router
$ export ftp_proxy

Mark
 
Hello Mark, the router has 2 IPs: one is assigned by the ADSL modem and the second goes to the LAN. The ADSL gives 10.0.x.x and the LAN schema is, as you said, 192.168.x.x.

I've opened for 20 and 21 on both udp and tcp.

About the proxy, what does all of this have to do with the router as a proxy? I don't understand.

I think the router is not allowing ftp traffic to pass on these ports, or maybe when the packet leaves the ADSL modem it still has the LAN IP, because when I connect to any ftp server on the net, the login process on the server shows my IP as the LAN IP. I've enabled masquerading, but maybe I did it wrong.

Code:
[R] 230 Anonymous access granted, restrictions apply.
[R] SYST
[R] 215 UNIX Type: L8
[R] FEAT
[R] 211-Features:
[R]  MDTM
[R]  REST STREAM
[R]  SIZE
[R] 211 End
[R] CWD /
[R] 250 CWD command successful.
[R] PWD
[R] 257 "/" is current directory.
[R] TYPE A
[R] 200 Type set to A
[R] PORT 192,168,x,x,5,184
[R] 200 PORT command successful
[R] LIST -al
[R] 425 Unable to build data connection: No route to host
[R] List Error

Why does http work fine but not ftp? Is there any possibility that iptables blocks the ftp traffic and overrides the rules I've put in?

What could be wrong?


Regards
Dan
 
It is fairly common to force active FTP. It is possible that ftp.suse.com is allowing a passive connection, while the others you have tried in passive mode are actually forcing active mode.

This, combined with the "no route to host" message you are receiving, would indicate that NAT is not handling your active FTP connections properly. Try adding a line "insmod ip_nat_ftp" somewhere before your first rule in your rule script. This module should load automatically if NAT is working otherwise, but there have been some timing issues. Forcing it to load early should fix that issue.
 
Hello again and thanks for the info,

I'm not running any scripts only traditional iptables service.

How could I insert it there? Should I make a script that starts at startup or something? How do I proceed in that case?


Regards
Dan
 
Tested:

"insmod ip_nat_ftp" didn't work,

error:
insmod: can't read 'ip_nat_ftp': No such file or directory


I've run the command:

"modprobe ip_nat_ftp" and it worked,

my question: What did I just do? How it affects the iptables and how can I load the module at startup?

Many questions, but I would really like to understand the issue and the solution.


Many thanks in advance.
Dan
 
There has to be a script to load firewall rules somewhere. You may edit your rules with some kind of gui interface, but this interface would simply modify the script. How do you manage your firewall?

For testing, you could simply type 'insmod ip_conntrack_ftp' at the command line, then try your FTP connection. If this works, be aware that the fix will not survive a reboot until you get it scripted somewhere.
 
Oops! I replaced ip_conntrack_ftp with ip_nat_ftp in my last post. Also, modprobe is probably better from the command line; it does the same thing as insmod but will also load any modules that the module you are loading depends on. Also, we probably needed a full path to the module with insmod.

Evidently, you already got there, so that is well. The ip_nat_ftp module allows for tracking the ports in use for an active FTP session and marks the appropriate traffic as related to the control connection. You probably already have a firewall rule to allow related traffic through, so this takes care of things by itself.

The command should be loaded by script. The best place is within the script that loads iptables and rules, which will vary from system to system.
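Added example, not code from the thread: what the six numbers in Dan's PORT line mean and what the ip_nat_ftp helper described in the reply above has to do with them. The LAN address 192.168.1.10 stands in for the 192,168,x,x Dan anonymised, and 203.0.113.7 is an assumed public WAN address (a documentation range, not from the thread). Works in POSIX sh.

```shell
#!/bin/sh
# Added example, not from the thread. Active-mode FTP: the client sends
# "PORT h1,h2,h3,h4,p1,p2" on the control connection, naming the address
# h1.h2.h3.h4 and port p1*256+p2 it is listening on; the server then opens the
# data connection *towards* that socket. If the PORT argument still carries a
# LAN address when it leaves the router, the server cannot route to it and
# answers "425 Unable to build data connection: No route to host".

# parse_port "192,168,1,10,5,184"  ->  "192.168.1.10 1464"
parse_port() {
    set -- $(printf '%s' "$1" | tr ',' ' ')
    [ $# -eq 6 ] || return 1
    echo "$1.$2.$3.$4 $(( $5 * 256 + $6 ))"
}

# RFC 1918 ranges: no host on the Internet can connect back to these.
is_private() {
    case $1 in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# build_port_arg 203.0.113.7 1464  ->  "203,0,113,7,5,184"
build_port_arg() {
    echo "$(printf '%s' "$1" | tr '.' ','),$(( $2 / 256 )),$(( $2 % 256 ))"
}

# Predict the server's reaction to a PORT argument that was NOT rewritten.
# verdict "192,168,1,10,5,184"  ->  "425 (192.168.1.10:1464 is private)"
verdict() {
    ep=$(parse_port "$1") || return 1
    set -- $ep
    if is_private "$1"; then
        echo "425 ($1:$2 is private)"
    else
        echo "200 ($1:$2 is reachable)"
    fi
}

# What ip_conntrack_ftp + ip_nat_ftp do on the router: read PORT on the
# control channel, substitute the WAN address, and expect the server's inbound
# connection to that socket as RELATED traffic. The port is kept 1:1 here; the
# real helper may choose another free port if this one is already mapped.
# nat_rewrite "192,168,1,10,5,184" 203.0.113.7  ->  "203,0,113,7,5,184"
nat_rewrite() {
    ep=$(parse_port "$1") || return 1
    set -- $ep "$2"
    build_port_arg "$3" "$2"
}

# Demo with a constructed PORT argument (x,x from the transcript -> 1,10).
LAN_PORT_ARG="192,168,1,10,5,184"
echo "client sent:  PORT $LAN_PORT_ARG  -> $(verdict "$LAN_PORT_ARG")"
echo "helper sends: PORT $(nat_rewrite "$LAN_PORT_ARG" 203.0.113.7)"
```

One caveat this makes visible: Dan's router gets its own address in 10.0.x.x from the ADSL modem, which is also private. The helper on the router can only rewrite PORT to that 10.0.x.x address, so the modem must either be bridging or doing its own FTP-aware NAT for the rewritten connection to be reachable from the Internet.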
 
Hello again and thanks for some valuable info,

I use iptables at the prompt to manage the firewall.

after some searching, I found that modules reside at:
"/etc/module/"

the script for firewall is called "iptables-config" and is located at:
"/etc/sysconfig/"

anything added here will run right after the firewall rules have been applied.


I added the ip_nat_ftp to the "iptables-config" and restarted the firewall, checked the ftp and confirmed that the script has run the module.

thanks for the help everybody.
Regards Dan
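Added example, not the thread's own configuration: the rule set that the fix above amounts to, for a NAT router with a LAN behind it. Instead of opening ports 20 and 21 inbound to the LAN, it loads the FTP helpers first and lets connection tracking admit the server's active-mode data connection as RELATED. Interface names and the LAN prefix are assumptions (eth0 = ADSL side, eth1 = LAN, 192.168.1.0/24). Run as root with APPLY=1 to load the rules; without APPLY it only prints what it would run.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout: eth0 faces the ADSL
# modem, eth1 the LAN, LAN prefix 192.168.1.0/24. Override via environment.
EXT=${EXT:-eth0}
INT=${INT:-eth1}
LAN=${LAN:-192.168.1.0/24}

# Dry-run by default: print each command instead of executing it.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

ftp_nat_rules() {
    # 1. Load the FTP helpers before any rule is in place (the timing issue
    #    mentioned in the thread). ip_conntrack_ftp reads PORT/PASV on the
    #    control channel and marks the resulting data connection RELATED;
    #    ip_nat_ftp rewrites the LAN address inside PORT to the WAN address.
    #    (Kernels from 2.6.20 on name them nf_conntrack_ftp / nf_nat_ftp.)
    run modprobe ip_conntrack_ftp
    run modprobe ip_nat_ftp

    # 2. Routing on, default-deny forwarding.
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -F FORWARD
    run iptables -P FORWARD DROP

    # 3. Anything the LAN initiates may go out: the control connection to
    #    port 21 and, in passive mode, the data connection to the server's
    #    high port.
    run iptables -A FORWARD -i "$INT" -o "$EXT" -s "$LAN" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # 4. Replies, plus the server's inbound active-mode data connection that
    #    the helper has tagged RELATED. No "--dport 20" hole is needed.
    run iptables -A FORWARD -i "$EXT" -o "$INT" -d "$LAN" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 5. Hide the LAN behind the router's external address.
    run iptables -t nat -F POSTROUTING
    run iptables -t nat -A POSTROUTING -o "$EXT" -s "$LAN" -j MASQUERADE
}

ftp_nat_rules
```

On Fedora the /etc/sysconfig/iptables-config file Dan mentions has an IPTABLES_MODULES variable for exactly this purpose; setting it to "ip_conntrack_ftp ip_nat_ftp" makes the iptables init script load the helpers before it restores the rules, so the fix survives a reboot without a separate script.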
 