List: linux-newbie
Subject: Re: problems with Apache, FTP, SAMBA | Apache solved.
From: Alan Bort <333101 () personal ! net ! py>
Date: 2003-06-21 3:16:49
On Fri, 2003-06-20 at 16:46, Ray Olszewski wrote:
> At 03:35 PM 6/20/2003 -0400, Alan Bort wrote:
> >I tried to send this mail as HTML, but the list rejected it... :-(
>
> Actually, this is a :-) .
>
> Many of us find the clutter of html formatting burdensome ... you'll
> encounter a lot of this as you get more familiar with linux ... so you will
> see that many Linux-related lists reject html-formatted mail. And even on
> ones that do not reject it, experienced members (that is, the people who
> *answer* questions) will often complain about it.
I know. In fact I usually complain about the use of HTML. But in this
case it was kind of useful. You see... I wanted to make some
differences between the quoted and the actual text I wrote. (quoted from
my stdout)
>
> [apache stuff deleted]
> > > >
> > > > > FTP: I can't have access to anyone of the machines
> > > trough
> > > > > FTP. I am
> > > > >having some troubles with the config... what should I configure
> > > > >again... what are the files that I should edit. When trying to connect
> > > > >it just says connection refused.. nothing else. I'm having troubles with
> > > > >this. I use xinet.d's pro-ftpd.
> > > >
> > > > "Connection Refused" most likely means that nothing is listening on the
> > > ftp
> > > > port. Or it could mean that the particular IP addresses you are
> > > connecting
> > > > from are disallowed. Or, just barely possible, you could have a firewall
> > > > rule in place that blocks access.
> > > But the daemon is running (at least it should) I'll check when I get home.
> > > >
> > > > I surmise that you run ftp the usual way, through inetd (in your case,
> > > > xinetd).
> > > Yes. I do.
> > > >
> > > > Use "netstat -l" to verify that something is listening on port 21.
> > > I'm not at home right now. But I will ASAP.
> >It does not show it. I see the problem now... but how do I solve it???
>
> Unfortunately (for this purpose, anyway), I do not use xinetd here. I use
> inetd, so I cannot tell you how to configure xinetd to listen for incoming
> ftp requests. Possibly someone else here will jump in with the solution. If
> not, or while you are waiting, I'd suggest reading over the man page for
> xinetd (and any other docs ... they are usually in /usr/share/doc) to see
> what you missed.
I will. Though it worked before with wu-ftpd... when I changed something
in my server it stopped working... and so I thought of trying proftpd.
>
>
> >Thanks.
> >
> > > >
> > > > Check the xinetd configuration file to make sure it is listening on that
> > > port.
> > > HOW? I have in /etc/xinetd.d/pro-ftpd.conf the line disable=no. That should
> > > be enough... right?
>
> As I said above, I have no idea.
>
> But since nothing is listening on port 21, this is surely your problem. The
> queries about hosts_access and iptables are irrelevant to this problem.
I see. However iptables has ports 20 and 21 open, and it sure has other
ports open as well.
>
> > >
> > > >
> > > > Check hosts.allow and hosts.deny to see if they interfere with access.
> > > Nothing wrong there.
> >In fact NOTHING there at all. They are blank.
> >
> > > >
> > > > Check your firewall ruleset (probably with "iptables -nvL", if you run a
> > > > 2.4.x kernel) to see if there are any rules that DENY access.
> > > I tried #service iptables stop and it still didn't work.
> >
> >Ok... this is going to be long...
> >
> >here is the output of iptables -nvL
> >
> >[root@ciccio-net /etc]# iptables -nvL
> >Chain INPUT (policy DROP 0 packets, 0 bytes)
> >pkts bytes target prot opt in out source destination
> > 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
> > 4 176 ACCEPT all -- * * 192.168.23.114 0.0.0.0/0
> >18034 2264K ACCEPT all -- * * 192.168.23.0/24 0.0.0.0/0
> > 0 0 ACCEPT all -- * * 10.129.2.155 0.0.0.0/0
> > 3 232 ICMPACCEPT icmp -- eth1 * 0.0.0.0/0 0.0.0.0/0
> > 10 600 REJECT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 reject-with tcp-reset
> > 0 0 TCPACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
> > 0 0 TCPACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
> > 0 0 TCPACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
> > 0 0 ACCEPT udp -- eth1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
> > 17 4597 TCPACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
> > 0 0 TCPACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
> > 0 0 TCPACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
> >334K 501M ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
> > 0 0 TCPACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 state RELATED
> > 0 0 ACCEPT udp -- eth1 * 0.0.0.0/0 0.0.0.0/0 udp dpts:1024:65535 state RELATED
> > 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
> > 0 0 ACCEPT all -- * * 192.168.23.114 0.0.0.0/0
> > 0 0 ACCEPT all -- * * 192.168.23.0/24 0.0.0.0/0
> > 0 0 ACCEPT all -- * * 10.129.2.155 0.0.0.0/0
> > 0 0 ICMPACCEPT icmp -- eth1 * 0.0.0.0/0 0.0.0.0/0
> > 0 0 REJECT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 reject-with tcp-reset
> > 0 0 TCPACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20
> > 0 0 TCPACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
> > 0 0 TCPACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
> > 0 0 TCPACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
> > 0 0 TCPACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
> > 0 0 ACCEPT udp -- eth1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
> > 0 0 TCPACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
> > 0 0 TCPACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
> > 0 0 TCPACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
> > 0 0 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
> > 0 0 TCPACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 state RELATED
> > 0 0 ACCEPT udp -- eth1 * 0.0.0.0/0 0.0.0.0/0 udp dpts:1024:65535 state RELATED
> >
> >Chain FORWARD (policy DROP 0 packets, 0 bytes)
> >pkts bytes target prot opt in out source destination
> >86306 36M ACCEPT all -- !eth1 * 0.0.0.0/0 0.0.0.0/0
> >73152 20M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> > 0 0 ACCEPT all -- !eth1 * 0.0.0.0/0 0.0.0.0/0
> > 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> >
> >Chain OUTPUT (policy ACCEPT 794155 packets, 49858689 bytes)
> >pkts bytes target prot opt in out source destination
> >
> >Chain ICMPACCEPT (2 references)
> >pkts bytes target prot opt in out source destination
> > 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 0
> > 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3
> > 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 0
> > 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3
> >
> >Chain TCPACCEPT (16 references)
> >pkts bytes target prot opt in out source destination
> > 5 240 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x0216/0x022 limit: avg 5/sec burst 10
> > 12 4357 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x0216/0x022
> > 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x0216/0x022 limit: avg 5/sec burst 10
> > 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x0216/0x022
> >[root@ciccio-net /etc]#
> >
> >
> >Now: I start that iptables configuration with this script (at boot time)
> >
> >[root@ciccio-net /etc]# cat /root/firewall
> >#!/bin/bash
> >#Commands for configuring the Data Systems firewall. Version 2
> >echo "## -- Iniciando Script de Firewall -- ##"
> >
> >
> >#Masquerade from internal Net to External net
> >iptables -P FORWARD DROP
> >iptables -A POSTROUTING -t nat -o eth1 -s 192.168.23.0/24 -j SNAT --to-source 192.168.23.103
> >iptables -A FORWARD -i ! eth1 -j ACCEPT
> >iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
> >
> >echo " #---Creating Accept Chains---#"
> >iptables -P INPUT DROP
> >
> >
> >#TCPACCEPT - Check for SYN-Floods before letting TCP-Packets in
> >iptables -N TCPACCEPT
> >iptables -A TCPACCEPT -p tcp --syn -m limit --limit 5/s --limit-burst 10 -j ACCEPT
> >iptables -A TCPACCEPT -p tcp ! --syn -j ACCEPT
> >
> >
> >#inbound ICMP
> >iptables -N ICMPACCEPT
> >iptables -A ICMPACCEPT -p icmp --icmp-type echo-reply -j ACCEPT
> >iptables -A ICMPACCEPT -p icmp --icmp-type destination-unreachable -j ACCEPT
> >
> >
> >#Kill invalid packets (Not established, related or new)
> >iptables -A INPUT -m state --state INVALID -j DROP
> >
> >
> >#Packets from internal net
> >iptables -A INPUT -s 192.168.23.114 -j ACCEPT
> >iptables -A INPUT -s 192.168.23.0/24 -j ACCEPT
> >
> >
> >echo " #---Packets from EXTERNAL net---#"
> >iptables -A INPUT -s 10.129.2.155 -j ACCEPT
> >
> >
> >#Filter ICMP
> >iptables -A INPUT -i eth1 -p icmp -j ICMPACCEPT
> >
> >
> >#silently reject ident
> >iptables -A INPUT -i eth1 -p tcp --dport 113 -j REJECT --reject-with tcp-reset
> >
> >
> >echo " #---Enabling Public Services---#"
> >#ftp-data
> >iptables -A INPUT -i eth1 -p tcp --dport 20 -j TCPACCEPT
> >
> >
> >#ftp
> >iptables -A INPUT -i eth1 -p tcp --dport 21 -j TCPACCEPT
> >
> >
> >#ssh
> >iptables -A INPUT -i eth1 -p tcp --dport 22 -j TCPACCEPT
> >
> >
> >#telnet
> >#iptables -A INPUT -i eth1 -p tcp --dport 23 -j TCPACCEPT
> >
> >#smtp
> >iptables -A INPUT -i eth1 -p tcp --dport 25 -j TCPACCEPT
> >
> >#DNS
> >iptables -A INPUT -i eth1 -p tcp --dport 53 -j TCPACCEPT
> >iptables -A INPUT -i eth1 -p udp --dport 53 -j ACCEPT
> >
> >#HTTP
> >iptables -A INPUT -i eth1 -p tcp --dport 80 -j TCPACCEPT
> >
> >#HTTPS
> >iptables -A INPUT -i eth1 -p tcp --dport 443 -j TCPACCEPT
> >
> >#POP3
> >iptables -A INPUT -i eth1 -p tcp --dport 110 -j TCPACCEPT
> >
> >echo " #---Allowing established, related connections in---#"
> >
> >iptables -A INPUT -i eth1 -m state --state ESTABLISHED -j ACCEPT
> >iptables -A INPUT -i eth1 -p tcp --dport 1024:65535 -m state --state RELATED -j TCPACCEPT
> >iptables -A INPUT -i eth1 -p udp --dport 1024:65535 -m state --state RELATED -j ACCEPT
> >echo "## -- Script Loaded -- ##"
> >exit
> >[root@ciccio-net /etc]#
> >
> >I've tested this configuration before many times and never had any
> >problems with ftp.
>
> Do you mean you have run other ftp *servers* with this ruleset in place, or
> that you have run ftp clients successfully? They are quite different problems.
I used to use wu-ftpd... but when I changed something (don't know
exactly what) it stopped working. After two hours of troubleshooting it
I decided to change it for a newer version of pro-ftpd (I have
successfully tried pro-ftpd on my mandrake)
>
> >What else should I post?.
>
> I don't think you ever told us the basics: what Linux distro and version,
> what kernel ("uname -a"). Routing does not seem relevant to your immediate
> problems, but whenever networking is involved, it pays to include the
> routing table and an explanation of the basic networking setup (see below
> for more on this). And since your initial message did mention Linux hosts
> "A" and "B", it would help at least to know *which* host we are now talking
> about ... as I say below, I *think* it is "B" from before.
A: Mandrake 9.1 Linux version 2.4.21-0.13mdk
(flepied@bi.mandrakesoft.com) (gcc version 3.2.2 (Mandrake Linux 9.1
3.2.2-3mdk)) #1 Fri Mar 14 15:08:06 EST 2003.
B: RedHat Linux 7.0 for alphaserver Linux version 2.4.3-12
(root@george.devel.redhat.com) (gcc version 2.96 20000731 (Red Hat Linux
7.1 2.96-85)) #1 Fri Jun 8 13:20:17 EDT 2001
C: Windows XP professional edition, with all security updates.
Here is my network setup:
B: this is the router. The ip of the local network is 192.168.23.114
(my network is 192.168.23.xxx). The access to the internet is
10.200.1.236.
A: this is the host that I want to have access to the server through
ftp with. Its IP is 192.168.23.2
C: Windows Client. nothing really important about this machine...
except that its IP is 192.168.23.103 and that I have a VNCserver (which
will be part of my next question to the list).
ALL the info I provided (iptables setup, ifconfig -a, etc) is from B,
the router.
>
> >Iptables version: iptables v1.2.1a
> >proFTPD version: proftpd-1.2.9rc1
> >
> >Anything else?
> >
> >Oh, ifconfig -a:
> >
> >[root@ciccio-net /root]# ifconfig -a
> >eth0 Link encap:Ethernet HWaddr 00:00:F8:23:5A:62
> > inet addr:192.168.23.114 Bcast:192.168.23.255 Mask:255.255.255.0
> > UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> > RX packets:444047 errors:0 dropped:0 overruns:0 frame:0
> > TX packets:387507 errors:0 dropped:0 overruns:0 carrier:0
> > collisions:4693 txqueuelen:100
> > RX bytes:165587659 (157.9 Mb) TX bytes:149730653 (142.7 Mb)
> > Interrupt:15 Base address:0x8400
> >
> >
> >eth1 Link encap:Ethernet HWaddr 08:00:2B:C3:C1:0E
> > inet addr:10.200.1.236 Bcast:10.200.1.239 Mask:255.255.255.240
> > UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> > RX packets:1239679 errors:1 dropped:0 overruns:0 frame:1
> > TX packets:1113085 errors:0 dropped:0 overruns:0 carrier:0
> > collisions:409 txqueuelen:100
> > RX bytes:1495321451 (1426.0 Mb) TX bytes:194423028 (185.4 Mb)
> > Interrupt:10 Base address:0x8480
> >
> >
> >lo Link encap:Local Loopback
> > inet addr:127.0.0.1 Mask:255.0.0.0
> > UP LOOPBACK RUNNING MTU:16436 Metric:1
> > RX packets:24 errors:0 dropped:0 overruns:0 frame:0
> > TX packets:24 errors:0 dropped:0 overruns:0 carrier:0
> > collisions:0 txqueuelen:0
> > RX bytes:1571 (1.5 Kb) TX bytes:1571 (1.5 Kb)
>
> Hmmm ... since this machine has 2 NICs, I assume it is "B" from your prior
> message (the one that "A" uses to access the Internet). Since both
> interfaces use private (RFC1918 non-routable) IP addresses, it would help
> to know which is your external, which your internal interface. I could infer
> this from your routing table ("netstat -nr" is one way to list it), but you
> didn't include that.
eth0 is internal, eth1 is external. I know they are both private... but
I have the eth1 NATed (my ISP did that) and I'm used to using the public
IP (216.118.237.252)
>
> For purposes of troubleshooting ftp on "B", this next part is irrelevant
> ... but I don't quite see how "A" is accessing the Internet through "B".
> That is, I do not understand your NAT'ing setup, probably because I do not
> know what the address "192.168.23.103" in your SNAT rule refers to.
x.x.x.103 is the Windows client... it shouldn't interfere with anything
here. The iptables configuration was made by a friend. I just copied and
edited it a little. And the NATing was done by my ISP's technician.
Anyway. 192.168.23. is the local network (my home's) and 10.200. is the
ISP's network... All I do is route everything. They do the rest...
>
> >netstat -l outputs this:
> >
> >[root@ciccio-net /root]# netstat -l
> >Active Internet connections (only servers)
> >Proto Recv-Q Send-Q Local Address Foreign Address State
> >tcp 0 0 *:sunrpc *:* LISTEN
> >tcp 0 0 *:http *:* LISTEN
> >tcp 0 0 *:32789 *:* LISTEN
> >tcp 0 0 *:32790 *:* LISTEN
> >tcp 0 0 *:ssh *:* LISTEN
> >tcp 0 0 *:32791 *:* LISTEN
> >tcp 0 0 *:6010 *:* LISTEN
> >udp 0 0 *:talk *:*
> >udp 0 0 *:sunrpc *:*
> >Active UNIX domain sockets (only servers)
> >Proto RefCnt Flags Type State I-Node Path
> >unix 2 [ ACC ] STREAM LISTENING 978 /dev/gpmctl
> >
> >
> >Samba is not really that important. In fact Samba is not important at
> >all, as long as I have FTP working.
>
> Note from the above that nothing is listening on the SMB ports either. But
> since you say Samba is, now, "not really that important", I won't go into that.
If iptables opened the port, the problem would be in my xinetd config,
right? Then I could correct it by reading the manual. Thanks.
>
>
> >I hope the information was better this time... I repeat... I'm noob
> >here... and I've never had any problems with ftp servers before.
>
> In what contexts have you previously run ftp servers? Any that ran through
> inetd or xinetd?
Correction!! this server seems to be standalone... I'm reading through
the documentation again... but apparently at install time I made it
standalone. So xinetd shouldn't have much to do here. I will try to
install it with xinetd and then make sure the configuration is
correct... I'm messed up here... I will try to organize a little better.
thanks a lot.
PS: please, SNIP out whatever you think is irrelevant for this
message... it's getting quite long. (I'm not sure what you could still
need since I added information). Thanks a lot.
--
Alan Bort
Linux Registered User 298277 -Country Manager- [http://counter.li.org]
[ http://www.linuxquestions.org ] Username: Ciccio
[ http://es.tldp.org ]
Ciccio.-
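A diagnostic for the symptom this thread turns on, added here as an example and not part of the original message: it parses netstat -l and iptables -nvL listings of the kind quoted above (constructed, abridged samples are embedded, wrapped the way the archive wraps them; the SERVICES map is an assumed stand-in for /etc/services) and separates "nothing is listening" from "the firewall rejects the port". For the port-21 case it reaches the same conclusion Ray did: no listener.

```python
import re

SERVICES = {"ftp": 21, "ssh": 22, "http": 80, "sunrpc": 111}  # constructed subset of /etc/services, as netstat names them

# Constructed samples, abridged from the listings quoted in this message and wrapped the way the archive shows them.
NETSTAT_L = """Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:http *:*
LISTEN
tcp 0 0 *:ssh *:*
LISTEN"""
IPTABLES_NVL = """Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
18034 2264K ACCEPT all -- * * 192.168.23.0/24
0.0.0.0/0
 0 0 TCPACCEPT tcp -- eth1 * 0.0.0.0/0
0.0.0.0/0 tcp dpt:21
Chain TCPACCEPT (16 references)
 5 240 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp flags:0x0216/0x022 limit: avg 5/sec burst 10"""

# A rule line starts with the pkts/bytes counters, a target and a protocol; wrapped continuations do not.
RULE_START = re.compile(r"^\s*\d+\s+\d+[KMG]?\s+\S+\s+(all|tcp|udp|icmp)\s")

def listening_tcp_ports(netstat_output):
    """TCP ports with a listener. netstat -l prints only servers, so every tcp line counts."""
    names = re.findall(r"^tcp\s+\d+\s+\d+\s+\S+:(\S+)\s", netstat_output, re.M)
    return {int(n) if n.isdigit() else SERVICES.get(n, -1) for n in names}

def input_port_rules(iptables_output, port):
    """[(target, in_iface)] for INPUT-chain rules matching 'tcp dpt:<port>', rejoining wrapped lines."""
    rules, chain, current = [], None, None
    for line in iptables_output.splitlines():
        if line.startswith("Chain "):
            chain, current = line.split()[1], None
        elif RULE_START.match(line):
            current = line.split()
            if chain == "INPUT":
                rules.append(current)
        elif current is not None and line.strip():
            current.extend(line.split())  # continuation of the rule started on the previous line
    return [(r[2], r[5]) for r in rules if f"dpt:{port}" in r]

def diagnose(port, netstat_output, iptables_output):
    """'Connection refused' is either no listener or a REJECT rule; tell the two apart."""
    if port not in listening_tcp_ports(netstat_output):
        return "no-listener"  # daemon down, its xinetd entry disabled, or standalone mode misconfigured
    rules = input_port_rules(iptables_output, port)
    if rules and all(target in ("DROP", "REJECT") for target, _ in rules):
        return "firewall-blocks"
    return "ok"  # an earlier source-based ACCEPT (e.g. 192.168.23.0/24 above) may also admit the client
```

Run it against the live host with diagnose(21, subprocess output of "netstat -l", subprocess output of "iptables -nvL"); a "no-listener" result points at the daemon or xinetd entry, not at the ruleset.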