On 7 Sep 2016 at 16:32, Mike Wright wrote:
Subject: Re: Issue with ftp making connection but not list?
To: Community support for Fedora users
<users(a)lists.fedoraproject.org>
From: Mike Wright <nobody(a)nospam.hostisimo.com>
Date sent: Wed, 7 Sep 2016 16:32:05 -0700
Send reply to: Community support for Fedora users
<users(a)lists.fedoraproject.org>
On 09/07/2016 03:55 PM, Michael D. Setzer II wrote:
> On 7 Sep 2016 at 13:50, Fred Smith wrote:
>
> Date sent: Wed, 7 Sep 2016 13:50:21 -0400
> From: Fred Smith <fredex(a)fcshome.stoneham.ma.us>
> To: users(a)lists.fedoraproject.org
> Subject: Re: Issue with ftp making connection but not list?
> Send reply to: Community support for Fedora users
> <users(a)lists.fedoraproject.org>
>
>> On Thu, Sep 08, 2016 at 03:17:32AM +1000, Michael D. Setzer II wrote:
>>> Everything was working till just the other day? I've done more
>>> testing, and it has something to do with firewalld and iptables.
>>>
>>> I found that if I traceroute to machines not running fedora 24 it
>>> completes, but with the fedora 24 machine I am getting !X
>>>
>>> I stopped firewalld and iptables on machine d7t and then I can complete
>>> a traceroute and ftp to the machine.
>>
>> While I'm surely not an expert, I think that at this time I would open
>> up the firewall applet on the remote systems and make sure that both
>> ports necessary for ftp are in fact open. According to /etc/services,
>> that would be ports 20 and 21, for both tcp and udp.
>>
>> ftp-data 20/tcp
>> ftp-data 20/udp
>> # 21 is registered to ftp, but also used by fsp
>> ftp 21/tcp
>> ftp 21/udp fsp fspd
>>
>
> Did check /etc/services and the ports are listed.
> The firewall-config has the ftp service checked, but I had also tried adding the
> ports 20-21 as ports to open. Not sure how that would affect the traceroute
> anyway, but currently only shutting down firewalld and iptables seems to get
> the process to work correctly. The specific machines are in my classroom, and
> are connected to the same switch.
>
>
>
>>>
>>> traceroute to 192.168.7.220 (192.168.7.220), 30 hops max, 60 byte
>>> packets
>>>
>>> 1 d7t.guamcc.net (192.168.7.220) 0.122 ms 0.091 ms 0.080 ms
>>>
>>> traceroute to 192.168.7.218 (192.168.7.218), 30 hops max, 60 byte
>>> packets
>>>
>>> 1 d7r.guamcc.net (192.168.7.218) 0.199 ms !X 0.154 ms !X 0.141 ms !X
>>>
>>> Also have 3 old ubuntu machines, and traceroute to them with no problem
>>> with the !X.
>>>
>>> Did note with the firewalld status I am seeing this.
>>>
>>> · firewalld.service - firewalld - dynamic firewall daemon
>>>
>>> Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled;
>>> vendor preset: enabled)
>>>
>>> Active: active (running) since Thu 2016-09-08 02:53:53 ChST; 41s ago
>>>
>>> Docs: man:firewalld(1)
>>>
>>> Main PID: 11258 (firewalld)
>>>
>>> Tasks: 3 (limit: 512)
>>>
>>> CGroup: /system.slice/firewalld.service
>>>
>>> └─11258 /usr/bin/python3 -Es /usr/sbin/firewalld --nofork --nopid
>>>
>>> Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING:
>>> COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete FORWARD
>>> --destination 192.168.122.0/24 --out-interface virbr0 --match conntrack
>>> --ctstate ESTABLISHED,RELATED --jump ACCEPT' failed:
>>>
>>> Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING:
>>> COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete FORWARD
>>> --source 192.168.122.0/24 --in-interface virbr0 --jump ACCEPT' failed:
>>>
>>> Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING:
>>> COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete FORWARD
>>> --in-interface virbr0 --out-interface virbr0 --jump ACCEPT' failed:
>>>
>>> Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING:
>>> COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete FORWARD
>>> --out-interface virbr0 --jump REJECT' failed:
>>>
>>> Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING:
>>> COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete FORWARD
>>> --in-interface virbr0 --jump REJECT' failed:
>>>
>>> Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING:
>>> COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete INPUT
>>> --in-interface virbr0 --protocol udp --destination-port 53 --jump
>>> ACCEPT' failed:
>>>
>>> Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING:
>>> COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete INPUT
>>> --in-interface virbr0 --protocol tcp --destination-port 53 --jump
>>> ACCEPT' failed:
>>>
>>> Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING:
>>> COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete OUTPUT
>>> --out-interface virbr0 --protocol udp --destination-port 68 --jump
>>> ACCEPT' failed:
>>>
>>> Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING:
>>> COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete INPUT
>>> --in-interface virbr0 --protocol udp --destination-port 67 --jump
>>> ACCEPT' failed:
>>>
>>> Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING:
>>> COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete INPUT
>>> --in-interface virbr0 --protocol tcp --destination-port 67 --jump
>>> ACCEPT' failed:
I don't use firewalld but I do speak iptables so I'll try to help if I can.
All of the "COMMAND_FAILED" errors are from something trying to delete
rules from the firewall, rules that apparently don't exist.
As root, on d7t, would you please post the results of iptables-save?
Using machines d7q and d7r. Started vsftp on d7r, and it works if on d7r I
disable the firewalld service, but not if it is running?
With the Firewalld stopped on d7r (192.168.7.218)
[msetzerii@d7q ~]$ ncftpls ftp://192.168.7.218
pub/
With the Firewalld started on d7r (192.168.7.218)
[msetzerii@d7q ~]$ ncftpls ftp://192.168.7.218
connect failed: No route to host.
connect failed: No route to host.
connect failed: No route to host.
Falling back to PORT instead of PASV mode.
[msetzerii@d7q ~]$
iptables-save output of d7r
# Generated by iptables-save v1.4.21 on Thu Sep 8 10:12:45 2016
*mangle
:PREROUTING ACCEPT [134:8757]
:INPUT ACCEPT [134:8757]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [90:16750]
:POSTROUTING ACCEPT [90:16750]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -i enp2s0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Thu Sep 8 10:12:45 2016
# Generated by iptables-save v1.4.21 on Thu Sep 8 10:12:45 2016
*raw
:PREROUTING ACCEPT [134:8757]
:OUTPUT ACCEPT [90:16750]
:OUTPUT_direct - [0:0]
:PREROUTING_direct - [0:0]
-A PREROUTING -j PREROUTING_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Thu Sep 8 10:12:45 2016
# Generated by iptables-save v1.4.21 on Thu Sep 8 10:12:45 2016
*nat
:PREROUTING ACCEPT [7:384]
:INPUT ACCEPT [2:148]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_public - [0:0]
:POST_public_allow - [0:0]
:POST_public_deny - [0:0]
:POST_public_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -o enp2s0 -g POST_public
-A POSTROUTING_ZONES -g POST_public
-A POST_public -j POST_public_log
-A POST_public -j POST_public_deny
-A POST_public -j POST_public_allow
-A PREROUTING_ZONES -i enp2s0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Thu Sep 8 10:12:45 2016
# Generated by iptables-save v1.4.21 on Thu Sep 8 10:12:45 2016
*security
:INPUT ACCEPT [129:8521]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [90:16750]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Thu Sep 8 10:12:45 2016
# Generated by iptables-save v1.4.21 on Thu Sep 8 10:12:45 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [90:16750]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_IN_ZONES_SOURCE - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:FORWARD_OUT_ZONES_SOURCE - [0:0]
:FORWARD_direct - [0:0]
:FWDI_public - [0:0]
:FWDI_public_allow - [0:0]
:FWDI_public_deny - [0:0]
:FWDI_public_log - [0:0]
:FWDO_public - [0:0]
:FWDO_public_allow - [0:0]
:FWDO_public_deny - [0:0]
:FWDO_public_log - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_ZONES_SOURCE - [0:0]
:INPUT_direct - [0:0]
:IN_public - [0:0]
:IN_public_allow - [0:0]
:IN_public_deny - [0:0]
:IN_public_log - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A OUTPUT -j OUTPUT_direct
-A FORWARD_IN_ZONES -i enp2s0 -g FWDI_public
-A FORWARD_IN_ZONES -g FWDI_public
-A FORWARD_OUT_ZONES -o enp2s0 -g FWDO_public
-A FORWARD_OUT_ZONES -g FWDO_public
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDI_public -p icmp -j ACCEPT
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
-A INPUT_ZONES -i enp2s0 -g IN_public
-A INPUT_ZONES -g IN_public
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public -p icmp -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 5900:5979 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 9000:9001 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 5979 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p udp -m udp --dport 9000:9001 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
# Completed on Thu Sep 8 10:12:45 2016
>>> Again, it was working 2 days ago, so I am thinking that a recent update
>>> has done something??
>>>
>>> Not sure why the !X is occurring. These machines are on the same
>>> 192.168.7.x network?
!X is traceroute's way of saying "communication administratively
prohibited". Looks like there is a rule saying something like -j REJECT
--reject-with icmp-{net,host,admin}-prohibited somewhere in the firewall
ruleset. We can find it in the above requested iptables-save data.
--
users mailing list
users(a)lists.fedoraproject.org
+----------------------------------------------------------+
Michael D. Setzer II - Computer Science Instructor
Guam Community College Computer Center
mailto:mikes@kuentos.guam.net
mailto:msetzerii@gmail.com
Guam - Where America's Day Begins
G4L Disk Imaging Project maintainer
http://sourceforge.net/projects/g4l/
+----------------------------------------------------------+
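As an added illustration (not code from the thread), here is a small rule walker that reads the filter table of iptables-save output like the one posted above and reports which target a new packet reaches: a connection to the ftp control port 21 from enp2s0 hits the ACCEPT in IN_public_allow, while a traceroute UDP probe, or port 20, falls through to the final INPUT rule, REJECT --reject-with icmp-host-prohibited, which is exactly what traceroute prints as !X. The embedded ruleset is a constructed excerpt of the d7r table, the interface name enp2s0 comes from that output, and the matcher is deliberately coarse (it ignores "!" negations and options other than -p, -i, --dport and --ctstate).

```python
import re

# Constructed excerpt of the d7r filter table quoted in this thread.
SAMPLE = """\
*filter
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j INPUT_ZONES
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT_ZONES -i enp2s0 -g IN_public
-A IN_public -j IN_public_allow
-A IN_public_allow -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
"""

def parse(text, table="filter"):
    """Chains of one table from iptables-save text: {chain: [rule, ...]} in file order."""
    chains, cur = {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            cur = line[1:]
        elif cur == table and line.startswith("-A "):
            chain, rule = line[3:].split(" ", 1)
            chains.setdefault(chain, []).append(rule)
    return chains

def opt(rule, flag):
    """Value of a one-argument option (-p, -i, --dport, --ctstate) or None."""
    m = re.search(rf"(?:^| ){re.escape(flag)} (\S+)", rule)
    return m.group(1) if m else None

def matches(rule, proto, port, iface):
    """Coarse textual match against one NEW packet arriving on iface ('!' negations ignored)."""
    p, i, state, dport = (opt(rule, f) for f in ("-p", "-i", "--ctstate", "--dport"))
    lo, _, hi = (dport or "0:65535").partition(":")
    return (p in (None, proto) and i in (None, iface)
            and (not state or "NEW" in state.split(",")) and int(lo) <= port <= int(hi or lo))

def verdict(chains, chain, proto, port, iface="enp2s0"):
    """Kernel-style walk of chain (following -j/-g); the terminal target with its options, or None."""
    for rule in chains.get(chain, []):
        m = re.search(r"-[jg] (\S+)(.*)", rule)
        if not m or not matches(rule, proto, port, iface):
            continue  # no target, or the rule's matches do not apply to this packet
        target, rest = m.groups()
        if target in ("ACCEPT", "DROP", "REJECT", "RETURN"):
            return (target + rest).strip() if target != "RETURN" else None
        if found := verdict(chains, target, proto, port, iface):  # user chain
            return found
    return None  # chain exhausted: the caller continues, or the policy decides
```

Feeding it the full saved ruleset instead of SAMPLE (parse(open("rules").read())) lets you check any port before touching the live firewall.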