Linux Lite Forums
Hardware - Support => Network => Topic started by: timbuck2 on January 01, 2019, 07:57:54 PM
-
Hello,
I have set up Linux Lite and have been using it for about a week.
I now want to set up ftp access to the computer.
I installed vsftpd and edited /etc/vsftpd.conf and can login through localhost.
But when I tried to ftp in from another machine in the house, it couldn't connect.
After some research I used ufw to allow ftp with:
sudo ufw allow ftp
but after restarting the firewall I still can't reach the Linux Lite machine from the other computer.
From the other computer I can ping the router 192.168.0.1 and www.google.com so I know it's working but can't get a ping response from the Linux Lite machine.
So I disabled the firewall with sudo ufw disable
and restarted the computer. Still can't get a ping response from the Linux Lite machine. The Linux Lite machine can ping the other machine, router, google.com, etc.
What can I do to get my other machine to ftp and ping the Linux Lite machine? Thanks for any help you can offer. I'm tearing my hair out with this one (the little I have left lol)
-
Hello timbuck2,
this is a tutorial for setting up on LL 3 series - https://www.digitalocean.com/community/tutorials/how-to-set-up-vsftpd-for-a-user-s-directory-on-ubuntu-16-04 (https://www.digitalocean.com/community/tutorials/how-to-set-up-vsftpd-for-a-user-s-directory-on-ubuntu-16-04)
This is tutorial for Ubuntu 18.04 unsure if it works on LL 4 series - https://www.digitalocean.com/community/tutorials/how-to-set-up-vsftpd-for-a-user-s-directory-on-ubuntu-18-04 (https://www.digitalocean.com/community/tutorials/how-to-set-up-vsftpd-for-a-user-s-directory-on-ubuntu-18-04)
-
Ok thanks I'll read the tutorial. I am just perplexed why I can't even ping the LL machine even with the firewall disabled??
Could there be any other security subsystem preventing this? I haven't used Linux in years since I had an old Gentoo installation and never had a problem interfacing between machine then but I haven't kept up on changes since then.
-
You wrote you rebooted after disabling the UFW, did you check the UFW status after rebooting to see if UFW was enabled again on reboot ?
for the command
sudo ufw allow ftp
it needs to say
sudo ufw allow port-number-here
Replacing port-number-here with the actual port number.
for example 20, 21, 990, 40000, 50000 as per the tutorial (second link)
-
Yes, it was disabled. I edited my previous post if you didn't see regarding ping.
-
Then when you check the firewall status you will see in the Rules the numbered rules for the ports you have set to open (to allow traffic) for using ftp.
-
Yes, this is what shows:
Status: active
To Action From
-- ------ ----
21/tcp ALLOW Anywhere
22/tcp ALLOW Anywhere
21/tcp (v6) ALLOW Anywhere (v6)
22/tcp (v6) ALLOW Anywhere (v6)
Also have after sudo iptables -L
Chain ufw-before-input (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ufw-logging-deny all -- anywhere anywhere ctstate INVALID
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
So I can't understand why a Ping is not responded to.
-
Could there be any other security subsystem preventing this?
iptables, UFW is a front end for it.
Look at the tutorial link #2, it explains it. https://www.digitalocean.com/community/tutorials/how-to-set-up-vsftpd-for-a-user-s-directory-on-ubuntu-18-04
-
So if I disable ufw, then iptables is still in effect? My iptable -L output is:
Chain INPUT (policy DROP)
target prot opt source destination
ufw-before-logging-input all -- anywhere anywhere
ufw-before-input all -- anywhere anywhere
ufw-after-input all -- anywhere anywhere
ufw-after-logging-input all -- anywhere anywhere
ufw-reject-input all -- anywhere anywhere
ufw-track-input all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
ufw-before-logging-forward all -- anywhere anywhere
ufw-before-forward all -- anywhere anywhere
ufw-after-forward all -- anywhere anywhere
ufw-after-logging-forward all -- anywhere anywhere
ufw-reject-forward all -- anywhere anywhere
ufw-track-forward all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all -- anywhere anywhere
ufw-before-output all -- anywhere anywhere
ufw-after-output all -- anywhere anywhere
ufw-after-logging-output all -- anywhere anywhere
ufw-reject-output all -- anywhere anywhere
ufw-track-output all -- anywhere anywhere
Chain ufw-after-forward (1 references)
target prot opt source destination
Chain ufw-after-input (1 references)
target prot opt source destination
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-ns
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-dgm
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:netbios-ssn
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:microsoft-ds
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootps
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootpc
ufw-skip-to-policy-input all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
Chain ufw-after-logging-forward (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-after-logging-input (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-after-logging-output (1 references)
target prot opt source destination
Chain ufw-after-output (1 references)
target prot opt source destination
Chain ufw-before-forward (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ufw-user-forward all -- anywhere anywhere
Chain ufw-before-input (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ufw-logging-deny all -- anywhere anywhere ctstate INVALID
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ufw-not-local all -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere 239.255.255.250 udp dpt:1900
ufw-user-input all -- anywhere anywhere
Chain ufw-before-logging-forward (1 references)
target prot opt source destination
Chain ufw-before-logging-input (1 references)
target prot opt source destination
Chain ufw-before-logging-output (1 references)
target prot opt source destination
Chain ufw-before-output (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ufw-user-output all -- anywhere anywhere
Chain ufw-logging-allow (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "
Chain ufw-logging-deny (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere ctstate INVALID limit: avg 3/min burst 10
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-not-local (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
RETURN all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST
RETURN all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
ufw-logging-deny all -- anywhere anywhere limit: avg 3/min burst 10
DROP all -- anywhere anywhere
Chain ufw-reject-forward (1 references)
target prot opt source destination
Chain ufw-reject-input (1 references)
target prot opt source destination
Chain ufw-reject-output (1 references)
target prot opt source destination
Chain ufw-skip-to-policy-forward (0 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain ufw-skip-to-policy-input (7 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain ufw-skip-to-policy-output (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-track-forward (1 references)
target prot opt source destination
Chain ufw-track-input (1 references)
target prot opt source destination
Chain ufw-track-output (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere ctstate NEW
ACCEPT udp -- anywhere anywhere ctstate NEW
Chain ufw-user-forward (1 references)
target prot opt source destination
Chain ufw-user-input (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
Chain ufw-user-limit (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-user-logging-forward (0 references)
target prot opt source destination
Chain ufw-user-logging-input (0 references)
target prot opt source destination
Chain ufw-user-logging-output (0 references)
target prot opt source destination
Chain ufw-user-output (1 references)
target prot opt source destination
When I try to stop iptables I get:
sudo service iptables stop
Failed to stop iptables.service: Unit iptables.service not loaded.
-
The rules need to be in usage order.
Earlier rules take higher value.
To prevent later rules being nulled by earlier rules you need to place those rules earlier than any that would null it, before those affecting re; drop.
example - allow all, then later add a rule to block an IP address it wont get blocked because the blocked IP is not set as rule 1 so it is nulled by the - allow all (including allow the blocked IP) , so it needs to use (insert 1) on the deny/reject for the specified ip, and so it will then override the allow all.
Meaning it blocks the IP specified in insert 1, as this is Rule #1, but allows all other IP that are not the ip in rule 1, as it perform allow all as Rule #2.
So you need to follow that reasoning with your rules, I don't know if the iptables rules or the ufw rules for it run first.
Eg; UFW default deny incoming , allow outgoing, if it runs first it will do as asked and Deny incoming etc.
With UFW being called a front end I am guessing that it might run first, but I am not sure, only guessing.
Someone with more experience will answer soon.
-
Eh I uninstalled and purged ufw. I will manually manage iptables. ufw had too much overhead for me and obfuscated my understanding of what is going on. Thanks for your help though. It helped me get back into iptables after so long. :)
-
Glad it was of some use for you in making your choice for LL your way :)
I want to suggest you check an app called fail2ban, it works with any firewall using iptables (including UFW), it is for people running servers like yourself.
-
Ok, something deeper than iptables is going on with LL 4.2.
I still can't even ping my LL machine for the other computer.
I flushed iptables with
sudo iptables -F
and allowed all chains to accept:
sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
and still can't get a ping response from LL.
Any suggestions on what could be happening?
-
Setup another machine on the LAN and it can ping and ftp to the LL machine fine. I guess it's a problem on my first computer. :o
-
Check your BIOS on the unresponsive machine.
You can try this too: https://linux.die.net/man/8/dmidecode if you can't access BIOS normally.
Possible commands below:
dmidecode -t 24 and dmidecode -t 30
Otherwise look for other hard block switches on the system.
TC
-
No bios, this is a vintage Atari ST computer. Turned out it was the IOGear wired-to-wifi adapter causing the problems. I connected the computer directly to the router with a cat5 cable and everything works now. :)
-
One last issue remains. In my vsftpd.conf file I have the local_root set but the path has a directory with spaces in it and vsftpd won't switch to it and it dumps me in my home directory.
local_enable=YES
local_root=/mnt/windows/home/users/My FTP Files/
What is the proper way to format this line to allow the path with spaces in it?
-
Eh I just changed the directory name with no spaces lol. Linux and it's spaces issues. ::)
-
Eh I just changed the directory name with no spaces lol. Linux and it's spaces issues. ::)
It doesn't have any 'spaces issues'. Use back slashes like so:
/mnt/windows/home/users/My\ FTP\ Files/
-
Yes, I tried that of course but it dumped me to my linux home directory instead of the local_root until I took the spaces out of the pathname.
Btw, thanks for LL. It's a great distro and am really enjoying it. I donated $20 to the project.
-
Thank you timbuck2 :)
-
Thank you timbuck2 :)
yw, maybe it was because my vsftpd local_root directory was on a windows drive. Don't know but it's working fine now without the spaces.
I just became a LL Patreon supporter. Hope more people learn and use this lightweight, efficient distro!