ftp: no route to host

I am setting up a server at home (started ages ago, but too busy to get finished :o) )

and trying to get files from my real server by FTP. both servers have same version as listed below.
looking on the web it seems like a firewall problem.

rules show ftp and ftp-data ports as enabled.

Accept If protocol is UDP and destination port is ftp-data
Accept If protocol is UDP and destination port is ftp

Accept If protocol is TCP and destination port is ftp
Accept If protocol is TCP and destination port is domain

any suggestions as what I can look at to get ftp working?
have not stopped firewall (not sure how).
I’m behind a DSL router so it spossible that I need to enable something on that ?

thanks Brian

Webmin version 1.480
Virtualmin version 3.70 Pro

Operating system CentOS Linux 5.3
Perl version 5.008008
Path to Perl /usr/bin/perl
Postfix version 2.3.3
Mail injection command /usr/lib/sendmail -t
BIND version 9.3.4
Apache version 2.2.3
PHP version 5.1.6
Webalizer version 2.01-10
Logrotate version 3.7.4
MySQL version 5.0.45
ProFTPd version 1.30
SpamAssasssin version 3.2.5
ClamAV version 0.95.2

you need to open port 21 on the router for the IP that the server is on by logging into the router, often http://192.168.1.1

I forgto I already set Port 21to point to server.

tried disabling firewall, also
also tried setting up port 20, but not able to as yet.

then you need to find clues in your logs as to why it fails…

thanks, can’t find any clues :o(

have separate windows and linux computers behind router.

windows works fine as I can ftp and get access to the same server.

if I access a separate server (running Direct Admin) I can FTP it fine
its only a problem when I am trying to connect to my new server from linux.
I used ‘sftp’ and strangley that worked

have been browsing google to see if I can find any solution, but none as yet. I will keep looking.

point of the exercise is so I can do a backup of live server using ‘wget’ which does not work as it gives the same problem as ftp.

Brian

have found that if I turn off the router firewall and set PASSIVE mode off then I can FTP into the server (which is a step forward :o) )
still can’t get the ftp out though, so reckon it must be firwall on the test server at home.

on my local server the firewall settings shows the following chain having a reject always. if i remove that I can now get the FTP to work. so some port needs to be enable, anybody any suggestions. should I add ports 20 and 21 in this chain even thoug they ar elisted in the chain Incoming packets (INPUT) ?

thnaks for any advice.

Chain RH-Firewall-1-INPUT
Select all. | Invert selection.
Action Condition Move Add
Accept If input interface is lo
Accept If protocol is ICMP and ICMP type is any
Accept If protocol is 50
Accept If protocol is 51
Accept If protocol is UDP and destination is 224.0.0.251 and destination port is 5353
Accept If protocol is UDP and destination port is 631
Accept If protocol is TCP and destination port is 631
Accept If state of connection is ESTABLISHED,RELATED
Accept If protocol is TCP and destination port is 22 and state of connection is NEW
Reject Always

on top of Incoming packets (INPUT) you need:
Accept If protocol is TCP and destination port is ftp
Accept If protocol is UDP and destination port is ftp
Accept If protocol is UDP and destination port is ftp-data
Accept If protocol is TCP and destination port is ftp-data
you don’t need them in the chain

what i have learned is to have lower numbers on top and high numbers below.
21
22
51
53
110
631

cheers, I tried that but no difference. I can get it to work with turning off firewall in router and removing “Reject Always”

just need to make sure I always rememebr to tunr on firewall each time.

(though I am getting closer to finding out what the problem is :o) )

odd, is your ftp server actually running on port 21 then ?

yep, its odd :o)

I have not changed it so I am presuming it is. I will check the configuration.

thanks

can you post the output of: # iptables -L

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp – anywhere anywhere tcp dpt:ftp
ACCEPT udp – anywhere anywhere udp dpt:ftp
ACCEPT udp – anywhere anywhere udp dpt:ftp-data
ACCEPT tcp – anywhere anywhere tcp dpt:ftp-data
ACCEPT udp – anywhere anywhere udp dpt:domain
ACCEPT tcp – anywhere anywhere tcp dpt:dnp
ACCEPT tcp – anywhere anywhere tcp dpt:ndmp
ACCEPT tcp – anywhere anywhere tcp dpt:https
ACCEPT tcp – anywhere anywhere tcp dpt:http
ACCEPT tcp – anywhere anywhere tcp dpt:imaps
ACCEPT tcp – anywhere anywhere tcp dpt:imap
ACCEPT tcp – anywhere anywhere tcp dpt:pop3s
ACCEPT tcp – anywhere anywhere tcp dpt:pop3
ACCEPT tcp – anywhere anywhere tcp dpt:domain
ACCEPT tcp – anywhere anywhere tcp dpt:smtp
ACCEPT tcp – anywhere anywhere tcp dpt:ssh
RH-Firewall-1-INPUT all – anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all – anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all – anywhere anywhere
ACCEPT icmp – anywhere anywhere icmp any
ACCEPT esp – anywhere anywhere
ACCEPT ah – anywhere anywhere
ACCEPT udp – anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp – anywhere anywhere udp dpt:ipp
ACCEPT tcp – anywhere anywhere tcp dpt:ipp
ACCEPT all – anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp – anywhere anywhere state NEW tcp dpt:ssh
REJECT all – anywhere anywhere reject-with icmp-port-unreachable

try:

After you save, you have to click apply configuration.

only difference I see now is

ACCEPT tcp – anywhere anywhere state NEW tcp dpt:ssh

which is the 4th line from the bottom.

the ssh line shouldn’t be there. it is already in the input before the RH chain.
After you remove it and apply the configuration then the firewall shouldn’t be the issue.

If ftp still doesn’t work then the exact setup of your network would lead to more clues as to what can and what can not be done.

have removed that line and still the same problem. I will need to look at it again later (probaly tomorrow)
thanks for your help.