ftp: no route to host

#1 Tue, 07/28/2009 - 15:10
duncanbbd


I am setting up a server at home (started ages ago, but too busy to get finished :o) )

and trying to get files from my real server by FTP. both servers have same version as listed below. looking on the web it seems like a firewall problem.

rules show ftp and ftp-data ports as enabled.

Accept If protocol is UDP and destination port is ftp-data
Accept If protocol is UDP and destination port is ftp

Accept If protocol is TCP and destination port is ftp
Accept If protocol is TCP and destination port is domain

any suggestions as to what I can look at to get ftp working? have not stopped firewall (not sure how). I'm behind a DSL router so it's possible that I need to enable something on that?

thanks Brian

Webmin version 1.480
Virtualmin version 3.70 Pro

Operating system CentOS Linux 5.3
Perl version 5.008008 Path to Perl /usr/bin/perl
Postfix version 2.3.3 Mail injection command /usr/lib/sendmail -t
BIND version 9.3.4 Apache version 2.2.3
PHP version 5.1.6 Webalizer version 2.01-10
Logrotate version 3.7.4 MySQL version 5.0.45
ProFTPd version 1.30 SpamAssassin version 3.2.5
ClamAV version 0.95.2

Tue, 07/28/2009 - 16:38
ronald

you need to open port 21 on the router for the IP that the server is on by logging into the router, often http://192.168.1.1

Tue, 07/28/2009 - 18:20
duncanbbd

I forgot I already set Port 21 to point to server.

tried disabling firewall, also tried setting up port 20, but not able to as yet.

Tue, 07/28/2009 - 18:34
ronald

then you need to find clues in your logs as to why it fails...

Fri, 07/31/2009 - 05:49
duncanbbd

thanks, can't find any clues :o(

have separate windows and linux computers behind router.

windows works fine as I can ftp and get access to the same server.

if I access a separate server (running Direct Admin) I can FTP it fine, it's only a problem when I am trying to connect to my new server from linux. I used 'sftp' and strangely that worked

have been browsing google to see if I can find any solution, but none as yet. I will keep looking.

point of the exercise is so I can do a backup of live server using 'wget' which does not work as it gives the same problem as ftp.

Brian

Sat, 08/01/2009 - 04:04
duncanbbd

have found that if I turn off the router firewall and set PASSIVE mode off then I can FTP into the server (which is a step forward :o) ) still can't get the ftp out though, so reckon it must be firewall on the test server at home.

Sat, 08/01/2009 - 04:12
duncanbbd

on my local server the firewall settings shows the following chain having a reject always. if i remove that I can now get the FTP to work. so some port needs to be enabled, anybody any suggestions. should I add ports 20 and 21 in this chain even though they are listed in the chain Incoming packets (INPUT) ?

thanks for any advice.

Chain RH-Firewall-1-INPUT
Accept If input interface is lo
Accept If protocol is ICMP and ICMP type is any
Accept If protocol is 50
Accept If protocol is 51
Accept If protocol is UDP and destination is 224.0.0.251 and destination port is 5353
Accept If protocol is UDP and destination port is 631
Accept If protocol is TCP and destination port is 631
Accept If state of connection is ESTABLISHED,RELATED
Accept If protocol is TCP and destination port is 22 and state of connection is NEW
Reject Always

Sat, 08/01/2009 - 04:44
ronald

on top of Incoming packets (INPUT) you need:
Accept If protocol is TCP and destination port is ftp
Accept If protocol is UDP and destination port is ftp
Accept If protocol is UDP and destination port is ftp-data
Accept If protocol is TCP and destination port is ftp-data
you don't need them in the chain

what i have learned is to have lower numbers on top and high numbers below.
21
22
51
53
110
631

Sat, 08/01/2009 - 17:52
duncanbbd

cheers, I tried that but no difference. I can get it to work with turning off firewall in router and removing "Reject Always"

just need to make sure I always remember to turn on firewall each time.

(though I am getting closer to finding out what the problem is :o) )

Sat, 08/01/2009 - 17:59
ronald

odd, is your ftp server actually running on port 21 then ?

Sun, 08/02/2009 - 06:17
duncanbbd

yep, it's odd :o)

I have not changed it so I am presuming it is. I will check the configuration.

thanks

Sun, 08/02/2009 - 07:00
ronald

can you post the output of: # iptables -L

Sun, 08/02/2009 - 09:55
duncanbbd

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ftp
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp-data
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:dnp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ndmp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imap
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3s
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
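
Added example, not part of the thread or of Webmin: a small first-match model of the ruleset posted above, showing which rule decides the fate of the FTP control connection, an FTP data connection and SSH. The `in:lo` annotation, the interface name `eth0` and the data port 50000 used when calling it are assumptions made for the illustration.

```python
# Constructed from the `iptables -L` output posted above, trimmed to the rules
# relevant to FTP. "in:lo" is an annotation added here: `iptables -L` without
# -v hides interfaces, and the Webmin listing shows that rule is lo-only.
LISTING = """\
Chain INPUT
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain RH-Firewall-1-INPUT
ACCEPT all -- anywhere anywhere in:lo
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
"""
PORTS = {"ftp-data": 20, "ftp": 21, "ssh": 22}
def parse(listing):
    chains = {}
    for f in map(str.split, listing.splitlines()):
        if f[0] == "Chain":
            cur = chains.setdefault(f[1], [])
            continue
        rule = {"target": f[0], "proto": f[1]}
        for i, tok in enumerate(f[5:], 5):
            if tok.startswith("dpt:"):
                rule["dport"] = PORTS[tok[4:]]
            elif tok.startswith("in:"):
                rule["iface"] = tok[3:]
            elif tok == "state":
                rule["states"] = f[i + 1].split(",")
        cur.append(rule)
    return chains

def matches(rule, pkt):
    return (rule["proto"] in ("all", pkt["proto"])
            and rule.get("dport", pkt["dport"]) == pkt["dport"]
            and rule.get("iface", pkt["iface"]) == pkt["iface"]
            and pkt["state"] in rule.get("states", [pkt["state"]]))

def verdict(chains, pkt, chain="INPUT"):
    """First match wins; a target naming another chain is followed as a jump."""
    for n, rule in enumerate(chains[chain], 1):
        if matches(rule, pkt):
            if rule["target"] not in chains:
                return (rule["target"], chain, n)
            hit = verdict(chains, pkt, rule["target"])
            if hit:
                return hit
    return None  # no rule matched: caller falls back to the chain policy
```

Calling `verdict(parse(LISTING), {"proto": "tcp", "dport": 50000, "state": "NEW", "iface": "eth0"})` returns the final REJECT, while the same packet with state `RELATED` is accepted; the model takes the state as an input, since in a real kernel it is connection tracking that decides whether a data connection counts as RELATED to the control connection. A NEW packet to port 22 is accepted by the third INPUT rule, so the ssh rule inside RH-Firewall-1-INPUT is never reached for INPUT traffic.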

Sun, 08/02/2009 - 12:24
ronald

try:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ftp
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imap
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3s
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ndmp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:dnp
REJECT     tcp  --  anywhere             anywhere            tcp dpt:0 reject-with icmp-port-unreachable
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

and

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere           
ACCEPT     ah   --  anywhere             anywhere           
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

After you save, you have to click apply configuration.

Mon, 08/03/2009 - 18:03
duncanbbd

target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ftp
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imap
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3s
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ndmp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:dnp
REJECT     tcp  --  anywhere             anywhere            tcp dpt:0 reject-with icmp-port-unreachable
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

only difference I see now is

ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh

which is the 4th line from the bottom.

Mon, 08/03/2009 - 18:15
ronald

the ssh line shouldn't be there. it is already in the input before the RH chain. After you remove it and apply the configuration then the firewall shouldn't be the issue.

If ftp still doesn't work then the exact setup of your network would lead to more clues as to what can and what can not be done.

Tue, 08/04/2009 - 02:47
duncanbbd

have removed that line and still the same problem. I will need to look at it again later (probably tomorrow) thanks for your help.

Topic locked