LinuxQuestions.org
Old 05-30-2002, 03:10 PM   #1
TruckStuff
Member
 
Registered: Apr 2002
Posts: 498

IPTABLES: Why does FTP need auth packets?


I am in the process of setting up an iptables firewall for one of my boxes and it's at about 98% right now. The only thing that isn't working correctly is a slow FTP startup process. When I connect to the server, the connection hangs for a few seconds, then logs in and everything continues at normal speeds. I am using active FTP to get around my router-in-a-box that connects to the internet.

I set up some logging in the firewall to try and figure out what is going on. According to the logs, it turns out that the server is trying to send a series of SYN packets on port 113 (the auth port AFAIK) to the client box a few seconds BEFORE the FTP session is successfully opened. The firewall is blocking this (as it probably should be), but I am curious 1) why it is trying to do this, and 2) if it is necessary, why iptables doesn't see the state of these packets as RELATED or ESTABLISHED to the FTP connection and allow them that way. I see this in the logs every time I connect to the server via FTP. Below is a segment of my firewall if that will help. TIA.

INPUT (policy DROP):
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:ftp state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data state RELATED,ESTABLISHED

OUTPUT (policy DROP):
ACCEPT tcp -- anywhere anywhere tcp spt:ftp state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:ftp-data state RELATED,ESTABLISHED
 
Old 05-30-2002, 03:43 PM   #2
kill-hup
Member
 
Registered: Aug 2000
Location: NY - USA
Distribution: Slackware
Posts: 109

The port 113 connection is the server trying to get an ident response for your connection, to grab the user running the FTP connection process. Most people do not run ident services any more, but you can't blame the FTP server for trying.

You might be better off specifically rejecting AUTH requests at the firewall, if you're not running identd or similar.
 
Old 05-30-2002, 10:04 PM   #3
TruckStuff
Member
 
Registered: Apr 2002
Posts: 498

Original Poster
Some interesting results....

Well, I've spent all afternoon testing this thing. I found that there are actually packets going BOTH ways on port 113 when an FTP connection is initiated. If I drop the outgoing packets, it takes about 40 seconds to log in completely (some sort of time out maybe?). If I accept the packets in both directions, everything flies and the connection is initiated right away. If I drop the incoming packets only, the handshake is faster, but not as fast as when I accept them. If I reject the packets in both directions, there is about a 6 second delay between when the SYN packet is sent and when the LIST is received by the client. Does anyone see anything significant about this pattern?
 
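The pattern in the two posts above (ident lookup from the FTP daemon; DROP costs a long timeout, REJECT fails fast, ACCEPT answers at once) is reproduced below as an added example. This is not code from the thread or from any FTP daemon: it runs entirely on loopback, a small RFC 1413 responder stands in for identd on the FTP client, the "REJECT" case is a closed port (the kernel answers with RST, the same thing `-j REJECT --reject-with tcp-reset` does), and the "DROP" case is a peer that accepts and never replies, which is what the waiting daemon experiences. The port numbers, the owner table and the user name "alice" are constructed sample data.

```python
"""RFC 1413 (ident/auth, TCP 113) lookup as an FTP daemon performs it.

Added example, not code from the thread. Everything runs on loopback and
reproduces the three firewall treatments discussed: ACCEPT (ident answers),
REJECT (closed port, kernel sends RST, immediate failure) and DROP (peer
never answers, the querier waits out its whole timeout).
"""
import socket
import threading
import time

# Constructed sample: the ident responder's view of which local user owns
# which local TCP port. A real identd reads this from the kernel's
# connection table; here it is just a dictionary.
CONNECTION_OWNERS = {34567: "alice"}


def ident_responder(owners, mode="answer"):
    """Start a loopback ident responder in a daemon thread; return its port.

    mode="answer" implements RFC 1413 replies. mode="hang" completes the TCP
    handshake but never replies, a stand-in for a silently DROPped query.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                if mode == "hang":
                    time.sleep(30)  # longer than any client timeout used here
                    continue
                line = conn.recv(256).decode("ascii", "replace")
                try:
                    # Query: "<port on this host>, <port on querying host>"
                    lport, fport = (int(p) for p in line.split(","))
                except ValueError:
                    conn.sendall(b"0, 0 : ERROR : INVALID-PORT\r\n")
                    continue
                user = owners.get(lport)
                if user is None:
                    reply = f"{lport}, {fport} : ERROR : NO-USER\r\n"
                else:
                    reply = f"{lport}, {fport} : USERID : UNIX : {user}\r\n"
                conn.sendall(reply.encode("ascii"))

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_loopback_port():
    """Pick a loopback port nobody listens on (stand-in for REJECT/tcp-reset)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def ident_query(host, port, lport, fport, timeout=5.0):
    """Ask the ident service at host:port who owns its TCP port lport.

    This is the lookup an FTP daemon makes for a new control connection:
    lport is the client's ephemeral port, fport the daemon's own port (21).
    Returns {'outcome': USERID|ERROR|REFUSED|TIMEOUT, ..., 'elapsed': s}.
    """
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(f"{lport}, {fport}\r\n".encode("ascii"))
            raw = s.recv(1024).decode("ascii", "replace").strip()
    except ConnectionRefusedError:
        # RST came back (no listener, or REJECT --reject-with tcp-reset):
        # the daemon knows at once that there is no identd to talk to.
        return {"outcome": "REFUSED", "elapsed": time.monotonic() - start}
    except socket.timeout:
        # Silent DROP: nothing comes back, so the daemon waits out its timeout.
        return {"outcome": "TIMEOUT", "elapsed": time.monotonic() - start}
    elapsed = time.monotonic() - start
    parts = [p.strip() for p in raw.split(":", 2)]
    if len(parts) != 3:
        return {"outcome": "ERROR", "code": "malformed reply", "elapsed": elapsed}
    _ports, kind, rest = parts
    if kind == "USERID":
        opsys, user = (p.strip() for p in rest.split(":", 1))
        return {"outcome": "USERID", "os": opsys, "user": user, "elapsed": elapsed}
    return {"outcome": "ERROR", "code": rest, "elapsed": elapsed}


def run_demo(drop_timeout=0.5):
    """Reproduce the thread's cases; returns {case: result}."""
    answering = ident_responder(CONNECTION_OWNERS, mode="answer")
    hanging = ident_responder(CONNECTION_OWNERS, mode="hang")
    fport = 21  # the FTP daemon's own control port
    return {
        "accept_known": ident_query("127.0.0.1", answering, 34567, fport),
        "accept_unknown": ident_query("127.0.0.1", answering, 40000, fport),
        "reject": ident_query("127.0.0.1", closed_loopback_port(), 34567, fport),
        "drop": ident_query("127.0.0.1", hanging, 34567, fport, timeout=drop_timeout),
    }


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(f"{case:15s} {result['outcome']:8s} {result['elapsed']:.3f}s")
```

The "reject" case returns in microseconds while the "drop" case costs the full client timeout, which is the difference between an instant login and the 40-second wait reported above. The practical fix on a host that does not run identd is the one suggested in the reply: answer ident with a reset rather than silence, e.g. `iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset`; a REJECT instead of DROP on the OUTPUT side likewise hands the local FTP daemon an immediate error instead of a timeout.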