Sunday, 4 January 2015

RHEL/CentOS - [Errno 14] PYCURL ERROR 7 - "couldn't connect to host" - FTP

I ran into the ERROR mentioned in the subject line and would like to share with you all how I troubleshot it.

I had a YUM repository server on which I had recently installed a firewall, and I had set my INPUT rules so that port 21 was allowed between the server and its clients. FTP clients were able to connect to the FTP server on port 21, whereas YUM was unable to fetch the repository file and failed with the ERROR below.


# yum list all
Loaded plugins: fastestmirror, security
Loading mirror speeds from cached hostfile
ftp://192.168.156.107/tftpboot/centos6/repodata/repomd.xml: [Errno 14] PYCURL ERROR 7 - "couldn't connect to host"
Trying other mirror.
Error: Cannot retrieve repository metadata (repomd.xml) for repository: centos66. Please verify its path and try again

I tried to download a file from the FTP server and found that when the client attempted a passive connection to the FTP server, there was no route to the host:

230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,156,107,54,76).
ftp: connect: No route to host
ftp> 

To give the reader the basic background, I am describing the active and passive FTP methods below.

Active mode:

In an active mode configuration, the server attempts to connect back to a random client-side port. Chances are that port is not one of the ports predefined in the client's firewall, so the attempt to connect to it is blocked and no connection is established.


Passive mode:

A passive configuration does not have this problem, since the client is the one initiating the connection, so it is best to configure the server to support passive mode FTP. However, passive mode makes your system more vulnerable to attacks, because clients are supposed to connect to random server ports. To mitigate the risk, a good solution is to specify a range of ports on your server and then allow only that range of ports on your firewall.

The firewall was not allowing my passive FTP connection, so the steps below were performed to resolve the issue.

- Create the file below and reboot the server, so that the kernel module is loaded and stays persistent across reboots.


# cat  /etc/sysconfig/modules/iptables.modules 
#!/bin/sh
exec /sbin/modprobe ip_conntrack_ftp >/dev/null 2>&1
#

# chmod +x /etc/sysconfig/modules/iptables.modules
#

# lsmod | grep ftp
nf_conntrack_ftp       10475  0 
nf_conntrack           66229  6 ipt_MASQUERADE,iptable_nat,nf_nat,nf_conntrack_ipv4,xt_state,nf_conntrack_ftp
#
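As an added illustration (not part of the original post), the Python below does what the FTP client and the nf_conntrack_ftp helper loaded above both do with the 227 reply shown earlier: it decodes the advertised address and port, predicts whether a stateful INPUT chain on the server admits the data connection, and renders the fixed passive range plus matching firewall rule suggested in the passive-mode paragraph. The vsftpd keys and the mapping of CentOS's default REJECT rule to "No route to host" are assumptions, not taken from the post.

```python
import re

# Reply shape shown on the page: 227 Entering Passive Mode (192,168,156,107,54,76).
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Decode a 227 reply into (ip, port); the ftp client and the
    nf_conntrack_ftp helper both do this before the data connection opens."""
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("PASV field out of range: %r" % reply)
    a, b, c, d, p1, p2 = fields
    return "%d.%d.%d.%d" % (a, b, c, d), p1 * 256 + p2


def data_connection_allowed(reply, control_host, open_ranges, ftp_helper_loaded):
    """Predict whether a stateful iptables INPUT chain on the server admits the
    passive data connection.  open_ranges: (lo, hi) TCP port ranges explicitly
    ACCEPTed; ftp_helper_loaded: nf_conntrack_ftp is present, so the advertised
    port is matched as RELATED to the tracked control connection."""
    ip, port = parse_pasv(reply)
    if ip != control_host:
        # Server advertised an address other than the one we are talking to;
        # a cautious client refuses rather than connect to a third party.
        return False, "PASV address %s differs from control host %s" % (ip, control_host)
    if ftp_helper_loaded:
        return True, "port %d accepted as RELATED by the FTP conntrack helper" % port
    if any(lo <= port <= hi for lo, hi in open_ranges):
        return True, "port %d is inside an explicitly opened range" % port
    # Assumption: the chain ends in CentOS's default REJECT with
    # icmp-host-prohibited, which the client reports as 'No route to host'.
    return False, "port %d rejected; client sees 'No route to host'" % port


def passive_range_config(lo, hi):
    """Mitigation from the passive-mode paragraph: pin the server to a fixed
    passive range (vsftpd keys assumed) and open only that range in iptables."""
    if not 1024 <= lo <= hi <= 65535:
        raise ValueError("bad passive range %d-%d" % (lo, hi))
    vsftpd = ["pasv_enable=YES", "pasv_min_port=%d" % lo, "pasv_max_port=%d" % hi]
    iptables = ["-A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT",
                "-A INPUT -p tcp --dport %d:%d -m state --state NEW -j ACCEPT" % (lo, hi)]
    return vsftpd, iptables
```

With the reply from the page, the advertised data port is 13900; with only port 21 open and no helper it is rejected, and with nf_conntrack_ftp loaded it is accepted as RELATED.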

I am now able to connect to my YUM repository over FTP.

# ftp ftpserver
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> !ls
anaconda-ks.cfg  install.log  install.log.syslog  
ftp> bye
#

# yum list all | wc -l
3287

I am sharing this article publicly as it could save time for anyone who is facing this ERROR.