From Clay Harmon on Wed, 30 Dec 1998
I have just added an Intel Pentium Linux (Redhat 5.1) box to a heterogeneous network consisting of 2 Sun Solaris 2.5.1 workstations and 4 Win95 PCs. Everything has gone pretty much OK, only I can't establish an ftp connection from outside to my Linux box. If I try to ftp into the Linux box from the Sun stations, I get a "421 Service not available, remote server has closed connection" message. I have looked at the usual culprits, i.e. /etc/hosts.allow, and have enabled access to the ftp server for ALL. What is truly strange is that inetd "superdaemon" seems to work just fine for the finger, telnet AND rlogin services - I can access the Linux box from outside just fine using any of these, but the ftp server does not appear to be up. The only other piece of network weirdness I have noticed is that when the Linux station boots, I get an error on one of the Sysv init scripts:
Executing: /etc/rc.d/rc3.d/S10network reload
* route: netmask doesn't match route address * Usage: route [-nNvee] [-FC] [Address_families] List kernel routing tables
* ....... and so on and then
Executing: /etc/rc.d/rc3.d/S50inet restart
That probably is unrelated --- though you should check to make sure your routing tables are right. Are you running 'routed' or 'gated' to get your route dynamically?
The reason that I don't believe this symptom is related to your FTP problem is that it's complaining about routing and you clearly are getting packets to and from the box (otherwise you wouldn't get the service unavailable message --- and finger/telnet and rlogin wouldn't work).
It also sounds like this probably isn't a TCP Wrappers problem --- since you presumably have all your services wrapped. However, you should check to make sure that your forward and reverse DNS zones are consistent --- since this classically can cause TCP wrappers to deny connections that would otherwise be allowed. (Normally tcpd is compiled with -DPARANOID enabled --- though Red Hat ships with it off, so you can explicitly use the PARANOID directive if you want -- but you don't get it unless you ask for it).
In any event it seems that the most likely case is that you have a problem in your inetd.conf file --- probably a path referring to non-existent in.ftpd. Did you install in.ftpd, WU ftpd or ProFTPd? You have to install some FTP daemon in order for the dispatcher (inetd) to execute it.
So, make sure the package is installed. Make sure that the path listed in the /etc/inetd.conf is correct. Finally, look in /var/log/messages for any errors that inetd, tcpd, and/or in.ftpd (or its ilk) are reporting.
If all of that is O.K. and things still don't work --- I'd look for something weird with one of the routers (some sort of packet filtering, network address translations or IP masquerading or something like that).
Incidentally, you mentioned "from outside" --- I hope you don't mean that your organization is allowing direct routable IP from the outside world (open Internet) all the way into your desktop workstations. If that's the case I'd highly recommend a review of your security policies and an assets evaluation and risk assessment.
Your company can provide reasonably safe and secure remote access to its employees without leaving itself wide open to every cracker that wants another attack launch point and portscanning slave.
This may or may not be related to my problem.
I'm stumped. Everything else seems to work just fine - I can get out through our ISDN router to the net, Netscape works fine, and all of the other services seem to work just fine. I can use the ftp utility to access the Sun stations, and "get" files, but I would really like to be able to ftp from our PC's into the Linux box, without having to go through the complicated path of ftp'ing from PC to Solaris(put) and then from Linux to Solaris(get) to just transfer a simple file. I don't have the option currently of ftp'ing from Linux to PC, because Win95 does not have an ftp server as a standard option, so I would like to be able to ftp from PC to the Linux (put). I have the feeling there is something simple that I'm doing or not doing that would fix this problem.
Thanks for your help
Look for your ftpd program. There are several to choose from. I think Red Hat 5.1 uses 'in.ftpd' as re-ported from the OpenBSD sources. Most Linux distributions default to the Washington University (St. Louis) WU-FTPD. I've recommended others (such as ProFTPD, BeroFTPD, and ncftpd) in previous columns.
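The inetd.conf path check suggested in the answer, as an added example (not part of the original column or of any distribution's tooling): a shell function that reads an inetd.conf and reports every entry whose server program is missing or not executable, following tcpd-wrapped entries through to the real daemon. The ROOT argument, the --demo flag, the sample entries and the /usr/sbin default for tcpd's daemon directory are assumptions made for this example.

```shell
#!/bin/sh
# check_inetd_conf CONF [ROOT] [DAEMON_DIR]
# Prints "MISSING <service> <path>" for each entry whose server program is
# absent or not executable; returns 1 if any were found.
# ROOT (hypothetical) is a prefix for checking a staged or mounted tree.
# DAEMON_DIR is where tcpd resolves relative daemon names; /usr/sbin is an
# assumption here, since it is a compile-time setting of TCP Wrappers.
check_inetd_conf() {
    conf=$1 root=${2:-} ddir=${3:-/usr/sbin} bad=0
    while read -r svc _sock _proto _wait _user prog arg0 _rest; do
        case $svc in ''|'#'*) continue ;; esac   # blank line or comment
        [ -n "$prog" ] || continue               # malformed short line
        [ "$prog" = internal ] && continue       # served by inetd itself
        if [ ! -x "$root$prog" ]; then
            echo "MISSING $svc $prog"; bad=1; continue
        fi
        case $prog in */tcpd) ;; *) continue ;; esac
        # Wrapped entry: tcpd runs the daemon named in the next field.
        case $arg0 in
            '') continue ;;
            /*) real=$arg0 ;;
            *)  real=$ddir/$arg0 ;;
        esac
        [ -x "$root$real" ] || { echo "MISSING $svc $real"; bad=1; }
    done < "$conf"
    return "$bad"
}

# Constructed sample: telnet and finger are installed, the FTP daemon is not.
demo() {
    t=$(mktemp -d) || return 2
    mkdir -p "$t/usr/sbin"
    for f in tcpd in.telnetd in.fingerd; do
        : > "$t/usr/sbin/$f"; chmod +x "$t/usr/sbin/$f"
    done
    cat > "$t/inetd.conf" <<'EOF'
# constructed example entries
echo    stream tcp nowait root   internal
ftp     stream tcp nowait root   /usr/sbin/tcpd in.ftpd -l -a
telnet  stream tcp nowait root   /usr/sbin/tcpd in.telnetd
finger  stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
EOF
    check_inetd_conf "$t/inetd.conf" "$t" && rc=0 || rc=$?
    rm -rf "$t"
    return "$rc"
}

if [ "${1:-}" = --demo ]; then demo; elif [ $# -gt 0 ]; then check_inetd_conf "$@"; fi
```

A wrapped entry whose daemon is missing matches the symptom in the question: tcpd itself starts, so the connection is accepted and then dropped, and the failure is logged rather than shown to the client.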