RHEL7 FTP server error: ftp: connect: No route to host solution
When setting up an FTP server on a Red Hat 7 Linux box, the following error message, ftp: connect: No route to host, may appear during an FTP client session:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (10,1,1,110,138,70).
ftp: connect: No route to host
ftp>
The cause of the above error is that the ip_conntrack_ftp kernel module is not loaded. This is the FTP connection-tracking helper that lets the firewall's connection tracking follow the data connection announced in the 227 reply; without it the passive data connection is blocked. A quick fix is to load the module with modprobe:
# modprobe ip_conntrack_ftp
However, you would need to do this after every reboot of your Red Hat server. For a permanent solution, load the module automatically at boot by creating an executable shell script in the /etc/sysconfig/modules/ directory. Create the file /etc/sysconfig/modules/iptables.modules with the following content:
#!/bin/sh
exec /sbin/modprobe ip_conntrack_ftp >/dev/null 2>&1
Once you save this file you also need to make it executable:
# chmod +x /etc/sysconfig/modules/iptables.modules
The above script loads the following modules after each reboot (on RHEL 7 the ip_conntrack_ftp name is an alias that resolves to nf_conntrack_ftp, as lsmod shows):
[root@rhel7 ~]# lsmod | grep ftp
nf_conntrack_ftp              18638    0
nf_conntrack          101024 9
nf_nat,nf_nat_ipv4,nf_nat_ipv6,xt_conntrack,ip6table_nat,nf_conn
Title: Red Hat Enterprise Linux 7 - FTP Client Aborts With Error "Out of memory" When Using 'mput' to Transfer Files
Object Name: emr_na-kc0132419en_us
Document Type: Support Information
Original owner: KCS - Linux
Disclosure level: Public
Version state: final
Environment
FACT: RHEL 7.2
FACT: ftp-0.17-66.el7
FACT: RHEL 6 versions prior to ftp-0.17-51.3
Questions/Symptoms
SYMPTOM: ftp: Out of memory
Cause
CAUSE: The ftp client available in RHEL 7.2 fails with the error "Out of memory" when attempting to transfer multiple files with 'mput':
# ftp dl980g7
Connected to dl980g7 (10.26.8.8).
220 (vsFTPd 2.2.2)
Name (dl980g7:root): test
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> mput host*
ftp: Out of memory
# echo $?
1
Transferring the files individually using 'put' works.
The latest RHEL 6 ftp client does not suffer from this problem; the later RHEL 6 ftp RPM changelog contains:
ek <jsynacek@redhat.com>
- 0.17-51.2
- fix 'Out of memory' message when stacksize is set to unlimited
- Resolves: #783868
However, the RHEL 7 changelog does not list these changes. This is a bug in the RHEL 7 ftp client; the RHEL 6 "unlimited stack" errata was not included in RHEL 7.
Answer/Solution
FIX: Red Hat identifies the cause of the problem on RHEL 6 as an unlimited stack size in the shell environment.
See the Red Hat article titled "FTP client on RHEL6.x failed with 'ftp: Out of memory'".
Several workarounds exist:
1. Before running 'ftp', change the stack size back to its default value of 8KB. This prevents the "out of memory" failure:
# ulimit -s 8192
2. Use 'sftp' instead. The secure ftp client uses the standard 'sshd' server and is strongly recommended.
3. Avoid using 'mput' to transfer multiple files at once.
Red Hat is aware of the problem and is working on a fix for RHEL 7 under private BZ#1304064. The fixed client is targeted for RHEL 7.3.
In this article, we discuss how to remedy the following error message in VSFTPD:
500 OOPS: vsftpd: refusing to run with writable root inside chroot()
Preflight Check
These instructions are intended specifically for solving the error:
500 OOPS: vsftpd: refusing to run with writable root inside chroot().
We will be working from a Liquid Web Self Managed Fedora 32 server, and logged in as the root user.
How to Repair
This error may occur when attempting to connect to a vsftpd FTP server that is configured to jail (prevent from accessing other directories) each FTP user. It is best practice to create Linux users specifically for FTP that can't log in via SSH. For example, if you wanted to remove SSH access for testuser, you would use the following command:
usermod -s /sbin/nologin testuser
However, that won't address the problem listed in the error. To do this, we must make the user's home directory read-only. Assuming the username is testuser and the home directory is /home/testuser, execute the following command:
chmod a-w /home/testuser
For good measure, be sure to restart vsftpd:
systemctl restart vsftpd
Alternative Fix
Alternatively, you can bypass the writable check in the vsftpd config file by running the following command:
echo 'allow_writeable_chroot=YES' >> /etc/vsftpd/vsftpd.conf && systemctl restart vsftpd
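As an added example (not Liquid Web's code), the following Python models the decision behind the error above: vsftpd refuses a jailed user whose chroot root is writable unless allow_writeable_chroot=YES is set. It assumes chroot_local_user=YES is what jails the user and does not model chroot_list handling; the temporary directory that stands in for /home/testuser is constructed by the script itself, so it runs offline.

```python
import os
import stat
import tempfile


def parse_vsftpd_conf(text):
    """Parse vsftpd.conf key=value lines; '#' comments and blank lines are ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def is_yes(value):
    # vsftpd boolean options take YES/NO; treat a missing option as NO
    return value is not None and value.upper() == "YES"


def chroot_root_writable(path):
    """True if any write bit is set on the directory (exactly what 'chmod a-w' clears)."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))


def vsftpd_would_refuse(conf_text, home_dir):
    """Simplified model of the check behind
    '500 OOPS: vsftpd: refusing to run with writable root inside chroot()'.

    Assumption (not vsftpd's full logic): chroot_local_user=YES jails the user,
    and allow_writeable_chroot=YES is the only bypass considered.
    """
    conf = parse_vsftpd_conf(conf_text)
    if not is_yes(conf.get("chroot_local_user")):
        return False  # user is not jailed, so the check never runs
    if is_yes(conf.get("allow_writeable_chroot")):
        return False  # check bypassed; the jail root stays writable
    return chroot_root_writable(home_dir)


def demo():
    """Constructed scenario: a temporary directory stands in for /home/testuser."""
    home = tempfile.mkdtemp()
    jailed = "chroot_local_user=YES\n"
    try:
        os.chmod(home, 0o755)                        # typical fresh home dir
        writable_home = vsftpd_would_refuse(jailed, home)
        os.chmod(home, 0o555)                        # chmod a-w /home/testuser
        after_chmod = vsftpd_would_refuse(jailed, home)
        os.chmod(home, 0o755)
        bypassed = vsftpd_would_refuse(jailed + "allow_writeable_chroot=YES\n", home)
        not_jailed = vsftpd_would_refuse("# chroot_local_user not set\n", home)
    finally:
        os.chmod(home, 0o755)
        os.rmdir(home)
    return {
        "writable_home": writable_home,          # True: login would be refused
        "after_chmod_a-w": after_chmod,          # False: the documented fix
        "allow_writeable_chroot": bypassed,      # False: the alternative fix
        "not_jailed": not_jailed,                # False: check does not apply
    }


if __name__ == "__main__":
    print(demo())
```

The two fixes are not equivalent from a hardening standpoint: chmod a-w keeps vsftpd's check intact and merely satisfies it, while allow_writeable_chroot=YES disables the check and leaves the jail root writable, which is the condition the check was introduced to catch. Prefer the chmod fix and give the user a writable subdirectory for uploads.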
FTP (File Transfer Protocol)
By Sean Michael Kerner and John Burke, Nemertes Research
What is FTP (File Transfer Protocol)?
FTP (File Transfer Protocol) is a network protocol for transmitting files between computers over Transmission Control Protocol/Internet Protocol (TCP/IP) connections. Within the TCP/IP suite, FTP is considered an application layer protocol.
In an FTP transaction, the end user's computer is typically called the local host. The second computer involved in FTP is a remote host, which is usually a server. Both computers need to be connected via a network and configured properly to transfer files via FTP. Servers must be set up to run FTP services, and the client must have FTP software installed to access these services.
Although many file transfers can be conducted using Hypertext Transfer
Protocol (HTTP) -- another protocol in the TCP/IP suite -- FTP is still
commonly used to transfer files behind the scenes for other applications, such
as banking services. It is also sometimes used to download new applications
via web browsers.
How does FTP work?
FTP is a client-server protocol that relies on two communications channels
between the client and server: a command channel for controlling the
conversation and a data channel for transmitting file content.
Here is how a typical FTP transfer works:
1. A user typically needs to log on to the FTP server, although some servers
   make some or all of their content available without a login, a model known
   as anonymous FTP.
2. The client initiates a conversation with the server when the user requests
   to download a file.
3. Using FTP, a client can upload, download, delete, rename, move and copy
   files on a server.
FTP sessions work in active or passive modes:
- Active mode. After a client initiates a session via a command channel request, the server creates a data connection back to the client and begins transferring data.
- Passive mode. The server uses the command channel to send the client the information it needs to open a data channel. Because passive mode has the client initiating all connections, it works well across firewalls and network address translation gateways.
[Figure: Active FTP and passive FTP compared]
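The 227 reply in the session transcript at the top of this page and the passive-mode description above both hinge on how a client turns the six numbers of a 227 reply (or the port in an RFC 2428 229 reply) into a data-connection endpoint. The following Python is an added example, not code from any of the pages collected here: it parses both reply forms and applies two defensive checks, falling back to the control-connection peer when the advertised address differs from it (what a server behind NAT typically advertises) and refusing privileged ports. The reply strings and peer addresses used in the checks are constructed.

```python
import re

# RFC 959: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# RFC 2428: "229 Entering Extended Passive Mode (|||port|)"
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d{1,5})\|\)")


def parse_pasv(reply):
    """Return (host, port) advertised by a 227 reply; port = p1*256 + p2."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a 227 Passive Mode reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in %r" % reply)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def parse_epsv(reply):
    """Return the port advertised by a 229 reply (EPSV never carries an address)."""
    m = EPSV_RE.match(reply)
    if not m:
        raise ValueError("not a 229 Extended Passive Mode reply: %r" % reply)
    port = int(m.group(1))
    if not 0 < port <= 65535:
        raise ValueError("port out of range in %r" % reply)
    return port


def data_endpoint(reply, control_peer, trust_advertised=False):
    """Decide where the client should open the data connection.

    - 229 (EPSV): always the control-connection peer, on the advertised port.
    - 227 (PASV): the advertised address, unless it differs from the control
      peer (a server behind NAT often advertises its private address), in which
      case fall back to the control peer. trust_advertised=True disables that.
    - Either way, refuse ports below 1024: a passive reply should never steer
      the client at a privileged service port.
    """
    if reply.startswith("229"):
        host, port = control_peer, parse_epsv(reply)
    else:
        host, port = parse_pasv(reply)
        if host != control_peer and not trust_advertised:
            host = control_peer
    if port < 1024:
        raise ValueError("refusing data connection to privileged port %d" % port)
    return host, port


if __name__ == "__main__":
    # The 227 reply quoted at the top of this page: 138*256 + 70 = 35398
    print(parse_pasv("227 Entering Passive Mode (10,1,1,110,138,70)."))
    # Constructed NAT case: private address advertised, public control peer
    print(data_endpoint("227 Entering Passive Mode (192,168,0,5,4,1).", "203.0.113.7"))
```

In the NAT case the fallback keeps the transfer working without the client ever connecting to an address it did not already trust; in the active-mode problem described in the SELinux article further down, the roles are reversed and it is the server that connects to the client's PORT/EPRT address.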
Users can work with FTP via a simple command-line interface -- from a
console or terminal window in Microsoft Windows, Apple macOS or Linux -- or
with a dedicated graphical user interface. Web browsers can also serve as
FTP clients.
Why is FTP important and what is it used for?
FTP is a standard network protocol that can enable expansive file transfer
capabilities across IP networks. Without FTP, file and data transfer can be
managed with other mechanisms -- such as email or an HTTP web service --
but those other options lack the clarity of focus, precision and control that FTP
enables.
FTP is used for file transfers between one system and another, and it has
several common use cases, including the following:
- Backup. FTP can be used by backup services or individual users to back up data from one location to a secured backup server running FTP services.
- Replication. Similar to backup, replication involves duplication of data from one system to another but takes a more comprehensive approach to provide higher availability and resilience. FTP can also be used to facilitate this.
- Access and data loading. FTP is also commonly used to access shared web hosting and cloud services as a mechanism to load data onto a remote system.
FTP types
There are several different ways an FTP server and client software can
conduct a file transfer using FTP:
- Anonymous FTP. This is the most basic form of FTP. It provides support for data transfers without encrypting data or using a username and password. It's most commonly used for download of material that is allowed for unrestricted distribution. It works on port
- Password-protected FTP. This is also a basic FTP service, but it requires the use of a username and password, though the service might not be encrypted or secure. It also works on port 21.
- FTP Secure (FTPS). Sometimes referred to as FTP Secure Sockets Layer (FTP-SSL), this approach enables implicit Transport Layer Security (TLS) as soon as an FTP connection is established. FTPS was initially used to help enable a more secure form of FTP data transfer. It typically defaults to using port 990.
- FTP over explicit SSL/TLS (FTPES). This approach enables explicit TLS support by upgrading an FTP connection over port 21 to an encrypted connection. This is a commonly used approach by web and file sharing services to enable secure file transfers.
- Secure FTP (SFTP). This is technically not an FTP protocol, but it functions similarly. Rather, SFTP is a subset of the Secure Shell (SSH) protocol that runs over port 22. SSH is commonly used by systems administrators to remotely and securely access systems and applications, and SFTP provides a mechanism within SSH for secure file transfer.
FTP security
FTP was initially defined in 1971, predating TCP and IP, and it has been
redefined several times since then to accommodate new technologies,
including the use of TCP/IP, or Request for Comments 765 and RFC 959,
and IPv6, or RFC 2428.
FTP has also undergone several updates to enhance FTP security. These
include versions that encrypt via an implicit TLS connection (FTPS) or explicit
TLS connection (FTPES) or that work with SFTP.
By default, FTP does not encrypt traffic, and individuals can capture packets
to read usernames, passwords and other data. By encrypting FTP with FTPS
or FTPES, data is protected, limiting the ability of an attacker to eavesdrop on
a connection and steal data.
FTP may still be vulnerable to brute-force attacks against user/password authentication, spoofing, an FTP bounce attack or a distributed denial-of-service attack.
History of FTP
The first specification for FTP was published as RFC 114 on April 16, 1971,
and was written by Abhay Bhushan, then a student at the Massachusetts
Institute of Technology. The original idea behind FTP was to enable the
transfer of files over ARPANET, the precursor to the internet.
As the modern internet began to take shape, the FTP specification underwent
several revisions to align with networking standards, including TCP/IP. In
1980, a new version of FTP was defined in RFC 765 by Jon Postel, a
research scientist at the Information Sciences Institute at the University of
Southern California at the time. Five years later, FTP was redefined yet again
with RFC 959, which introduced new management capabilities for the
protocol, including the ability to make and remove a file directory. Prior
iterations of FTP were largely limited to transferring files to and from existing
file directory structures.
In 1997, RFC 959 was updated with new capabilities defined in RFC 2228 to
provide security capabilities. Two years later, FTP was updated with RFC
2428 to support the IPv6 protocol.
FTP clients
FTP clients are used to upload, download and manage files on a server. FTP
clients include the following:
- FileZilla. This is a free FTP client for Windows, macOS and Linux that supports FTP, FTPS and SFTP.
- Transmit. This is an FTP client for macOS that supports FTP and SSH.
- WinSCP. This is a Windows FTP client that supports FTP, SSH and SFTP.
- WS_FTP. This is another Windows FTP client that supports SSH.
This was last updated in May 2021
The second digit is a grouping digit and encodes the following information:
Range  Purpose
x0x    Syntax. These replies refer to syntax errors, syntactically correct commands that don't fit any functional category, and unimplemented or superfluous commands.
x1x    Information. These are replies to requests for information, such as status or help.
x2x    Connections. Replies referring to the control and data connections.
x3x    Authentication and accounting. Replies for the login process and accounting procedures.
x4x    Unspecified as of RFC 959.
x5x    File system. These replies indicate the status of the server file system vis-a-vis the requested transfer or other file system action.
Below is a list of all known return codes that may be issued by an FTP server.
100 Series: The requested action is being initiated; expect another reply before proceeding with a new command.
110 Restart marker reply. In this case, the text is exact and not left to the particular implementation; it must read: MARK yyyy = mmmm where yyyy is the user-process data stream marker, and mmmm the server's equivalent marker (note the spaces between markers and "=").
120 Service ready in nnn minutes.
125 Data connection already open; transfer starting.
150 File status okay; about to open data connection.
200 Command okay.
202 Command not implemented, superfluous at this site.
211 System status, or system help reply.
212 Directory status.
213 File status.
214 Help message. On how to use the server or the meaning of a particular non-standard command. This reply is useful only to the human user.
215 NAME system type. Where NAME is an official system name from the list in the Assigned Numbers document.
220 Service ready for new user.
221 Service closing control connection.
225 Data connection open; no transfer in progress.
226 Closing data connection. Requested file action successful (for example, file transfer or file abort).
227 Entering Passive Mode (h1,h2,h3,h4,p1,p2).
230 User logged in, proceed. Logged out if appropriate.
250 Requested file action okay, completed.
257 "PATHNAME" created.
331 User name okay, need password.
332 Need account for login.
350 Requested file action pending further information.
421 Service not available, closing control connection. This may be a reply to any command if the service knows it must shut down.
425 Can't open data connection.
426 Connection closed; transfer aborted.
450 Requested file action not taken.
451 Requested action aborted. Local error in processing.
452 Requested action not taken. Insufficient storage space in system. File unavailable (e.g., file busy).
500 Syntax error, command unrecognized. This may include errors such as command line too long.
501 Syntax error in parameters or arguments.
502 Command not implemented.
503 Bad sequence of commands.
504 Command not implemented for that parameter.
530 Not logged in.
532 Need account for storing files.
550 Requested action not taken. File unavailable (e.g., file not found, no access).
551 Requested action aborted. Page type unknown.
552 Requested file action aborted. Exceeded storage allocation (for current directory or dataset).
553 Requested action not taken. File name not allowed.
600 Series: Replies regarding confidentiality and integrity.
631 Integrity protected reply.
632 Confidentiality and integrity protected reply.
633 Confidentiality protected reply.
10000 Series: Common Winsock error codes (these are not FTP return codes).
10054 Connection reset by peer. The connection was forcibly closed by the remote host.
10060 Cannot connect to remote server.
10061 Cannot connect to remote server. The connection is actively refused by the server.
10066 Directory not empty.
10068 Too many users, server is full.
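To make the two-digit scheme above usable in a client or a log parser, here is an added Python example (not from the page's source). classify() maps a reply code to its first-digit class (RFC 959, with 6xx added by RFC 2228) and to the second-digit group from the table, and read_reply() assembles one reply from control-channel lines, including RFC 959 multi-line replies that open with "xyz-" and close with "xyz ". The reply lines in the test are constructed; Winsock 10xxx values are rejected because they are not FTP replies.

```python
import re

# First digit: the RFC 959 reply classes (6xx added by RFC 2228 for protected replies).
FIRST_DIGIT = {
    1: "positive preliminary: action started, expect another reply before a new command",
    2: "positive completion: action finished successfully",
    3: "positive intermediate: command accepted, send the next command of the sequence",
    4: "transient negative completion: failed now, may succeed if retried",
    5: "permanent negative completion: failed, do not repeat the command unchanged",
    6: "protected reply: confidentiality/integrity wrapped reply (RFC 2228)",
}
# Second digit: the grouping digit from the table above.
SECOND_DIGIT = {
    0: "syntax",
    1: "information",
    2: "connections",
    3: "authentication and accounting",
    4: "unspecified",
    5: "file system",
}

# "227 Entering..." (single line) or "211-Features:" (first line of a multi-line reply)
REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")


def classify(code):
    """Describe a 3-digit FTP reply code by its first and second digits."""
    if not 100 <= code <= 699:
        raise ValueError("%r is not an FTP reply code (Winsock 10xxx errors are not replies)" % code)
    first, second = code // 100, (code // 10) % 10
    if second not in SECOND_DIGIT:
        raise ValueError("second digit %d of %d is undefined" % (second, code))
    return {
        "code": code,
        "class": FIRST_DIGIT[first],
        "group": SECOND_DIGIT[second],
        "success": first in (1, 2, 3),   # 1xx/2xx/3xx are all positive
        "retryable": first == 4,         # only transient failures are worth retrying
    }


def read_reply(lines):
    """Consume one complete reply from a sequence of control-channel lines.

    Returns (code, [text lines], lines_consumed). A multi-line reply starts
    with 'xyz-' and ends at the first line starting with 'xyz ' (same code,
    then a space); anything in between is body text, even if it starts
    with digits.
    """
    it = iter(lines)
    first = next(it)
    m = REPLY_RE.match(first)
    if not m:
        raise ValueError("malformed reply line: %r" % first)
    code, sep, text = int(m.group(1)), m.group(2), m.group(3)
    body, consumed = [text], 1
    if sep == "-":
        for line in it:
            consumed += 1
            end = REPLY_RE.match(line)
            if end and int(end.group(1)) == code and end.group(2) == " ":
                body.append(end.group(3))
                break
            body.append(line)
        else:
            raise ValueError("multi-line reply %d not terminated" % code)
    return code, body, consumed


if __name__ == "__main__":
    # Constructed FEAT response, as a server would send it
    print(read_reply(["211-Features:", " UTF8", " EPSV", "211 End"]))
    print(classify(425))   # the error from the SELinux article further down
```

Treating an unterminated multi-line reply as an error rather than silently returning what was read matters when the control channel is being parsed from a capture or a proxy: a truncated reply is more often a sign of a dropped connection or injected line than of a short response.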
Important FTP Commands Cheat sheet
A list of FTP commands that may be sent to an FTP server, including all commands that are standardized in RFC 959 by the IETF (Internet Engineering Task Force).
RFC stands for Request for Comments. A "-" in the RFC column means no RFC or extension document is listed for that command.
Command | RFC | Description
ABOR | - | Abort an active file transfer.
ACCT | - | Account information.
ADAT | RFC 2228 | Authentication/Security Data
ALLO | - | Allocate sufficient disk space to receive a file.
APPE | - | Append (with create)
AUTH | RFC 2228 | Authentication/Security Mechanism
AVBL | Streamlined FTP Command Extensions | Get the available space
CCC | RFC 2228 | Clear Command Channel
CDUP | - | Change to Parent Directory.
CONF | RFC 2228 | Confidentiality Protection Command
CSID | Streamlined FTP Command Extensions | Client / Server Identification
CWD | RFC 697 | Change working directory.
DELE | - | Delete file.
DSIZ | Streamlined FTP Command Extensions | Get the directory size
ENC | RFC 2228 | Privacy Protected Channel
EPRT | RFC 2428 | Specifies an extended address and port to which the server should connect.
EPSV | RFC 2428 | Enter extended passive mode.
FEAT | RFC 2389 | Get the feature list implemented by the server.
HELP | - | Returns usage documentation on a command if specified, else a general help document is returned.
HOST | RFC 7151 | Identify desired virtual host on server, by name.
LANG | RFC 2640 | Language Negotiation
LIST | - | Returns information of a file or directory if specified, else information of the current working directory is returned.
LPRT | RFC 1639 | Specifies a long address and port to which the server should connect.
LPSV | RFC 1639 | Enter long passive mode.
MDTM | RFC 3659 | Return the last-modified time of a specified file.
MFCT | The 'MFMT', 'MFCT', and 'MFF' Command Extensions for FTP | Modify the creation time of a file.
MFF | The 'MFMT', 'MFCT', and 'MFF' Command Extensions for FTP | Modify fact (the last modification time, creation time, UNIX group/owner/mode of a file).
MFMT | The 'MFMT', 'MFCT', and 'MFF' Command Extensions for FTP | Modify the last modification time of a file.
MIC | RFC 2228 | Integrity Protected Command
MKD | - | Make directory.
MLSD | RFC 3659 | Lists the contents of a directory if a directory is named.
MLST | RFC 3659 | Provides data about exactly the object named on its command line, and no others.
MODE | - | Sets the transfer mode (Stream, Block, or Compressed).
NLST | - | Returns a list of file names in a specified directory.
NOOP | - | No operation (dummy packet; used mostly on keepalives).
OPTS | RFC 2389 | Select options for a feature (for example OPTS UTF8 ON).
PASS | - | Authentication password.
PASV | - | Enter passive mode.
PBSZ | RFC 2228 | Protection Buffer Size
PORT | - | Specifies an address and port to which the server should connect.
PROT | RFC 2228 | Data Channel Protection Level.
PWD | - | Print working directory. Returns the current directory of the host.
QUIT | - | Disconnect.
REIN | - | Reinitializes the connection.
REST | RFC 3659 | Restart transfer from the specified point.
RETR | - | Retrieve a copy of the file
RMD | - | Remove a directory.
RMDA | Streamlined FTP Command Extensions | Remove a directory tree
RNFR | - | Rename from.
RNTO | - | Rename to.
SITE | - | Sends site specific commands to remote server (like SITE IDLE 60 or SITE UMASK 002). Inspect SITE HELP output for the complete list of supported commands.
SIZE | RFC 3659 | Return the size of a file.
SMNT | - | Mount file structure.
SPSV | FTP Extension Allowing IP Forwarding (NATs) | Use single port passive mode (only one TCP port number for both control connections and passive-mode data connections)
STAT | - | Returns the current status.
STOR | - | Accept the data and store the data as a file at the server site
STOU | - | Store file uniquely.
STRU | - | Set file transfer structure.
SYST | - | Return system type.
THMB | Streamlined FTP Command Extensions | Get a thumbnail of a remote image file
TYPE | - | Sets the transfer mode (ASCII/Binary).
USER | - | Authentication username.
XCUP | RFC 775 | Change to the parent of the current working directory
XMKD | RFC 775 | Make a directory
XPWD | RFC 775 | Print the current working directory
XRCP | RFC 743 |
XRMD | RFC 775 | Remove the directory
XRSQ | RFC 743 |
XSEM | RFC 737 | Send, mail if cannot
XSEN | RFC 737 | Send to terminal
VSFTPD: Getting error 425 Failed to establish connection, while listing directory contents in RHEL 7?
SOLUTION VERIFIED - Updated December 11 2019 at 10:30 AM
Environment
- Red Hat Enterprise Linux 7.0
- vsftpd-3.0.2-9
- selinux-policy-3.13.1-23.el7.noarch
- selinux-policy-targeted-3.13.1-23.el7.noarch
- SELinux enabled in Enforcing mode
Issue
- FTP client getting error 425 Failed to establish connection, while listing directory contents in RHEL 7
- FTP server gets "connection refused" when establishing Active FTP to FTP client
- FTP client logs show:
200 PORT command successful. Consider using PASV.
425 Failed to establish connection.
- /var/log/audit/audit.log shows an SELinux permission denial:
type=AVC msg=audit(1404410045.618:1404): avc: denied { name_connect } for pid=30686 comm="vsftpd" dest=63853 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
Resolution
This behaviour can be allowed in SELinux using the boolean ftpd_connect_all_unreserved. The following command permanently applies the policy:
# setsebool -P ftpd_connect_all_unreserved 1
Root Cause
The default SELinux policy in early RHEL 7 denies the FTP server (executing in ftpd_t) access to connect to high-numbered sockets (in unreserved_port_t).
Diagnostic Steps
strace of the ftp server process shows connect() returning EACCES:
19304 20:30:09.759007 socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 6 <0.000058>
19304 20:30:09.759095 setsockopt(6, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0 <0.000011>
19304 20:30:09.759148 bind(6, {sa_family=AF_INET, sin_port=htons(20), sin_addr=inet_addr("10.0.0.27")}, 16) = 0 <0.000113>
19304 20:30:09.759387 connect(6, {sa_family=AF_INET, sin_port=htons(61519), sin_addr=inet_addr("10.0.0.101")}, 16) = -1 EACCES (Permission denied) <0.000162>
There is an SELinux boolean relating to this:
# getsebool -a | grep ftp
ftpd_connect_all_unreserved --> off
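As an added example (not Red Hat's code), the following Python parses AVC denial lines like the one above into source type, permission, target type and object class, and maps the one combination this article documents to the boolean it names. The known-boolean table has only that entry; the second sample line is a constructed file-read denial with no mapping, and the third is a non-AVC record that is skipped. On a real system, confirm any suggested boolean with audit2why or sealert before toggling it, since a boolean widens policy for every process in that domain.

```python
import re

# "avc:  denied  { name_connect } for pid=... comm=... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# (source type, permission, target type, class) -> SELinux boolean that permits it.
# The single entry is the case documented in this article; extend it only with
# combinations you have verified against your own policy.
KNOWN_BOOLEANS = {
    ("ftpd_t", "name_connect", "unreserved_port_t", "tcp_socket"):
        "ftpd_connect_all_unreserved",
}

# Constructed sample: line 1 is the denial quoted above (joined onto one line),
# line 2 is a made-up denial with no known boolean, line 3 is not an AVC record.
SAMPLE_LINES = [
    'type=AVC msg=audit(1404410045.618:1404): avc: denied { name_connect } for pid=30686 '
    'comm="vsftpd" dest=63853 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1404410050.000:1405): avc: denied { read } for pid=30690 '
    'comm="vsftpd" name="notes.txt" dev="dm-0" ino=4242 '
    'scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1404410045.618:1404): arch=c000003e syscall=42 success=no exit=-13',
]


def context_type(ctx):
    """'system_u:system_r:ftpd_t:s0-s0:c0.c1023' -> 'ftpd_t' (user:role:type:mls)."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError("malformed SELinux context %r" % ctx)
    return parts[2]


def parse_avc(line):
    """Return the denial's fields as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {
        "perms": m.group("perms").split(),
        "pid": int(fields["pid"]) if "pid" in fields else None,
        "comm": fields.get("comm"),
        "dest": int(fields["dest"]) if "dest" in fields else None,  # TCP port for sockets
        "source_type": context_type(fields["scontext"]),
        "target_type": context_type(fields["tcontext"]),
        "tclass": fields.get("tclass"),
    }


def suggest_boolean(avc):
    """Look up a boolean for the denial, or None if this script knows of none."""
    for perm in avc["perms"]:
        key = (avc["source_type"], perm, avc["target_type"], avc["tclass"])
        if key in KNOWN_BOOLEANS:
            return KNOWN_BOOLEANS[key]
    return None


def triage(log_lines):
    """Parse every AVC denial in the given lines and attach a boolean suggestion."""
    out = []
    for line in log_lines:
        avc = parse_avc(line)
        if avc is None:
            continue
        avc["boolean"] = suggest_boolean(avc)
        out.append(avc)
    return out


if __name__ == "__main__":
    for avc in triage(SAMPLE_LINES):
        print(avc["comm"], avc["perms"], avc["source_type"], "->",
              avc["target_type"], avc["tclass"], "boolean:", avc["boolean"])
```

Run over the real /var/log/audit/audit.log, the first sample maps to the command in the Resolution section (setsebool -P ftpd_connect_all_unreserved 1); the second shows why a lookup table must stay conservative: a denial with no mapping should lead to investigating the file's label, not to a broad policy change.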