LinuxQuestions.org
Old 03-28-2007, 03:57 PM   #1
AleLinuxBSD
Unhappy Upload Ftp & IpTables.


I have a big problem when I try to upload my files to my hosting space.
The problem resides in the INPUT chain. :-(
This is the piece of code involved:

IFEXT="eth0"
..............
# With the INPUT policy set to DROP the ftp upload doesn't work.
$IPTABLES -P INPUT DROP
# $IPTABLES -P INPUT ACCEPT
...............
$IPTABLES -A INPUT -p tcp -i $IFEXT -m state -s 0/0 --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p icmp -i $IFEXT -m state -s 0/0 --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p udp -i $IFEXT -m state -s 0/0 --state RELATED,ESTABLISHED -j ACCEPT

I would be very happy if someone succeeds in resolving this big problem. :-(

Bye Alessandro

Note:
I'm talking about passive FTP.
I have only one computer, connected to the internet through a hardware router.
I haven't set up anything on this router.

Last edited by AleLinuxBSD; 03-28-2007 at 04:00 PM.
 
Old 03-28-2007, 09:28 PM   #2
win32sux
make sure you have the FTP conntrack module loaded:
Code:
modprobe ip_conntrack_ftp
passive FTP mode uses a random port, so netfilter needs this helper module in order to inspect the FTP content to determine the port... then it will be able to match the packets to the RELATED,ESTABLISHED rule...

BTW, those three lines of RELATED,ESTABLISHED rules you have can be condensed by using only one rule for all:
Code:
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
also, it's not related to the issue at hand, but you do have a rule for the loopback interface further below, right?? just making sure...

Last edited by win32sux; 03-28-2007 at 10:28 PM.
 
Old 03-29-2007, 03:26 AM   #3
AleLinuxBSD
Original Poster
I have:

modprobe ip_conntrack_ftp

And for the loopback I use these instructions:
IFLO="lo"
....
$IPTABLES -A INPUT -i $IFLO -j ACCEPT
$IPTABLES -A OUTPUT -o $IFLO -j ACCEPT

Sometimes the problem appears immediately when I try to upload via FTP, but many times it appears when I try to upload many files via FTP: at a certain point the transfer stalls and there is no way to make it continue or to resume it.

Bye Alessandro :-(

Note:
In any case, I appreciate your interest and your explanation.
 
Old 03-29-2007, 03:57 AM   #4
win32sux
okay, considering you said that it only happens when the INPUT policy is set to DROP, then appending a LOG rule should show us exactly what packets are getting filtered when the problem manifests itself... if you could post what the logs look like while the problem occurs someone should be able to help you figure it out:
Code:
iptables -A INPUT -j LOG --log-prefix "INPUT DROP: "
 
Old 03-29-2007, 07:47 AM   #5
AleLinuxBSD
Original Poster
Wonderful.
You are a very kind person!

input drop
==========
Code:
Mar 29 13:24:03 athlon64 kernel: [17199767.984000] INPUT DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=66.249.91.99 DST=192.168.1.64 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=45247 PROTO=TCP SPT=80 DPT=35825 WINDOW=8190 RES=0x00 ACK FIN URGP=0 
Mar 29 13:24:03 athlon64 kernel: [17199768.100000] INPUT DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=66.249.91.99 DST=192.168.1.64 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=35574 PROTO=TCP SPT=80 DPT=35825 WINDOW=8190 RES=0x00 ACK URGP=0 
Mar 29 13:24:07 athlon64 kernel: [17199771.228000] INPUT DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=88.149.128.12 DST=192.168.1.64 LEN=119 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=UDP SPT=53 DPT=33420 LEN=99 
Mar 29 13:24:07 athlon64 kernel: [17199771.292000] INPUT DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=88.149.128.12 DST=192.168.1.64 LEN=167 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=UDP SPT=53 DPT=33420 LEN=147 
Mar 29 13:24:07 athlon64 kernel: [17199771.312000] INPUT DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=88.149.128.12 DST=192.168.1.64 LEN=153 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=UDP SPT=53 DPT=33420 LEN=133 
Mar 29 13:24:07 athlon64 kernel: [17199771.464000] INPUT DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=70.86.155.2 DST=192.168.1.64 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=21 DPT=32944 WINDOW=5792 RES=0x00 ACK SYN URGP=0 
Mar 29 13:24:07 athlon64 kernel: [17199771.620000] INPUT DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=70.86.155.2 DST=192.168.1.64 LEN=307 TOS=0x10 PREC=0x00 TTL=49 ID=41003 DF PROTO=TCP SPT=21 DPT=32944 WINDOW=5792 RES=0x00 ACK PSH URGP=0 
Mar 29 13:24:07 athlon64 kernel: [17199771.772000] INPUT DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=70.86.155.2 DST=192.168.1.64 LEN=52 TOS=0x10 PREC=0x00 TTL=49 ID=41004 DF PROTO=TCP SPT=21 DPT=32944 WINDOW=5792 RES=0x00 ACK URGP=0 
Mar 29 13:24:07 athlon64 kernel: [17199771.776000] INPUT DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=70.86.155.2 DST=192.168.1.64 LEN=93 TOS=0x10 PREC=0x00 TTL=49 ID=41005 DF PROTO=TCP SPT=21 DPT=32944 WINDOW=5792 RES=0x00 ACK PSH URGP=0 
Mar 29 13:24:07 athlon64 kernel: [17199771.960000] INPUT DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=70.86.155.2 DST=192.168.1.64 LEN=52 TOS=0x10 PREC=0x00 TTL=49 ID=41006 DF PROTO=TCP SPT=21 DPT=32944 WINDOW=5792 RES=0x00 ACK URGP=0 
Mar 29 13:24:07 athlon64 kernel: [17199772.032000] INPUT DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=70.86.155.2 DST=192.168.1.64 LEN=145 TOS=0x10 PREC=0x00 TTL=49 ID=41007 DF PROTO=TCP SPT=21 DPT=32944 WINDOW=5792 RES=0x00 ACK PSH URGP=0 
Mar 29 13:24:07 athlon64 kernel: [17199772.180000] INPUT DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=70.86.155.2 DST=192.168.1.64 LEN=52 TOS=0x10 PREC=0x00 TTL=49 ID=41008 DF PROTO=TCP SPT=21 DPT=32944 WINDOW=5792 RES=0x00 ACK URGP=0 
Mar 29 13:24:07 athlon64 kernel: [17199772.184000] INPUT DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=70.86.155.2 DST=192.168.1.64 LEN=71 TOS=0x10 PREC=0x00 TTL=49 ID=41009 DF PROTO=TCP SPT=21 DPT=32944 WINDOW=5792 RES=0x00 ACK PSH URGP=0 
Mar 29 13:24:08 athlon64 kernel: [17199772.332000] INPUT DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=70.86.155.2 DST=192.168.1.64 LEN=82 TOS=0x10 PREC=0x00 TTL=49 ID=41010 DF PROTO=TCP SPT=21 DPT=32944 WINDOW=5792 RES=0x00 ACK PSH URGP=0 
Mar 29 13:24:08 athlon64 kernel: [17199772.484000] INPUT DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=70.86.155.2 DST=192.168.1.64 LEN=86 TOS=0x10 PREC=0x00 TTL=49 ID=41011 DF PROTO=TCP SPT=21 DPT=32944 WINDOW=5792 RES=0x00 ACK PSH URGP=0 
Mar 29 13:24:08 athlon64 kernel: [17199772.640000] INPUT DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=70.86.155.2 DST=192.168.1.64 LEN=101 TOS=0x10 PREC=0x00 TTL=49 ID=41012 DF PROTO=TCP SPT=21 DPT=32944 WINDOW=5792 RES=0x00 ACK PSH URGP=0 
Mar 29 13:24:08 athlon64 kernel: [17199772.788000] INPUT DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=70.86.155.2 DST=192.168.1.64 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=52100 DPT=54545 WINDOW=5792 RES=0x00 ACK SYN URGP=0 
Mar 29 13:24:08 athlon64 kernel: [17199772.940000] INPUT DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=70.86.155.2 DST=192.168.1.64 LEN=82 TOS=0x10 PREC=0x00 TTL=49 ID=41013 DF PROTO=TCP SPT=21 DPT=32944 WINDOW=5792 RES=0x00 ACK PSH URGP=0 
Mar 29 13:24:08 athlon64 kernel: [17199772.960000] INPUT DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=70.86.155.2 DST=192.168.1.64 LEN=1492 TOS=0x08 PREC=0x00 TTL=49 ID=33756 DF PROTO=TCP SPT=52100 DPT=54545 WINDOW=5792 RES=0x00 ACK URGP=0 
Mar 29 13:24:08 athlon64 kernel: [17199772.960000] INPUT DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=70.86.155.2 DST=192.168.1.64 LEN=74 TOS=0x08 PREC=0x00 TTL=49 ID=33757 DF PROTO=TCP SPT=52100 DPT=54545 WINDOW=5792 RES=0x00 ACK PSH URGP=0 
Mar 29 13:24:08 athlon64 kernel: [17199772.964000] INPUT DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=70.86.155.2 DST=192.168.1.64 LEN=52 TOS=0x08 PREC=0x00 TTL=49 ID=33758 DF PROTO=TCP SPT=52100 DPT=54545 WINDOW=5792 RES=0x00 ACK FIN URGP=0 
Mar 29 13:24:08 athlon64 kernel: [17199772.964000] INPUT DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=70.86.155.2 DST=192.168.1.64 LEN=106 TOS=0x10 PREC=0x00 TTL=49 ID=41014 DF PROTO=TCP SPT=21 DPT=32944 WINDOW=5792 RES=0x00 ACK PSH URGP=0 
Mar 29 13:24:08 athlon64 kernel: [17199773.116000] INPUT DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=70.86.155.2 DST=192.168.1.64 LEN=52 TOS=0x08 PREC=0x00 TTL=49 ID=33759 DF PROTO=TCP SPT=52100 DPT=54545 WINDOW=5792 RES=0x00 ACK URGP=0 
Mar 29 13:24:11 athlon64 kernel: [17199775.624000] INPUT DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=70.86.155.2 DST=192.168.1.64 LEN=95 TOS=0x10 PREC=0x00 TTL=49 ID=41015 DF PROTO=TCP SPT=21 DPT=32944 WINDOW=5792 RES=0x00 ACK PSH URGP=0 
Mar 29 13:24:11 athlon64 kernel: [17199775.780000] INPUT DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=70.86.155.2 DST=192.168.1.64 LEN=97 TOS=0x10 PREC=0x00 TTL=49 ID=41016 DF PROTO=TCP SPT=21 DPT=32944 WINDOW=5792 RES=0x00 ACK PSH URGP=0 
Mar 29 13:24:11 athlon64 kernel: [17199775.940000] INPUT DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=70.86.155.2 DST=192.168.1.64 LEN=100 TOS=0x10 PREC=0x00 TTL=49 ID=41017 DF PROTO=TCP SPT=21 DPT=32944 WINDOW=5792 RES=0x00 ACK PSH URGP=0 
Mar 29 13:24:11 athlon64 kernel: [17199776.092000] INPUT DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=70.86.155.2 DST=192.168.1.64 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=15216 DPT=59138 WINDOW=5792 RES=0x00 ACK SYN URGP=0 
Mar 29 13:24:11 athlon64 kernel: [17199776.244000] INPUT DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=70.86.155.2 DST=192.168.1.64 LEN=82 TOS=0x10 PREC=0x00 TTL=49 ID=41018 DF PROTO=TCP SPT=21 DPT=32944 WINDOW=5792 RES=0x00 ACK PSH URGP=0 
Mar 29 13:24:12 athlon64 kernel: [17199776.248000] INPUT DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=70.86.155.2 DST=192.168.1.64 LEN=106 TOS=0x10 PREC=0x00 TTL=49 ID=41019 DF PROTO=TCP SPT=21 DPT=32944 WINDOW=5792 RES=0x00 ACK PSH URGP=0 
Mar 29 13:24:12 athlon64 kernel: [17199776.268000] INPUT DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=70.86.155.2 DST=192.168.1.64 LEN=775 TOS=0x08 PREC=0x00 TTL=49 ID=37953 DF PROTO=TCP SPT=15216 DPT=59138 WINDOW=5792 RES=0x00 ACK PSH URGP=0 
Mar 29 13:24:12 athlon64 kernel: [17199776.272000] INPUT DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=70.86.155.2 DST=192.168.1.64 LEN=52 TOS=0x08 PREC=0x00 TTL=49 ID=37954 DF PROTO=TCP SPT=15216 DPT=59138 WINDOW=5792 RES=0x00 ACK FIN URGP=0 
Mar 29 13:24:12 athlon64 kernel: [17199776.420000] INPUT DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=70.86.155.2 DST=192.168.1.64 LEN=52 TOS=0x08 PREC=0x00 TTL=49 ID=37955 DF PROTO=TCP SPT=15216 DPT=59138 WINDOW=5792 RES=0x00 ACK URGP=0 
Mar 29 13:24:24 athlon64 kernel: [17199788.340000] INPUT DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=70.86.155.2 DST=192.168.1.64 LEN=75 TOS=0x10 PREC=0x00 TTL=49 ID=41020 DF PROTO=TCP SPT=21 DPT=32944 WINDOW=5792 RES=0x00 ACK PSH URGP=0 
Mar 29 13:24:24 athlon64 kernel: [17199788.496000] INPUT DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=70.86.155.2 DST=192.168.1.64 LEN=100 TOS=0x10 PREC=0x00 TTL=49 ID=41021 DF PROTO=TCP SPT=21 DPT=32944 WINDOW=5792 RES=0x00 ACK PSH URGP=0 
Mar 29 13:24:24 athlon64 kernel: [17199788.644000] INPUT DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=70.86.155.2 DST=192.168.1.64 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=51216 DPT=58289 WINDOW=5792 RES=0x00 ACK SYN URGP=0 
Mar 29 13:24:24 athlon64 kernel: [17199788.796000] INPUT DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=70.86.155.2 DST=192.168.1.64 LEN=82 TOS=0x10 PREC=0x00 TTL=49 ID=41022 DF PROTO=TCP SPT=21 DPT=32944 WINDOW=5792 RES=0x00 ACK PSH URGP=0 
Mar 29 13:24:24 athlon64 kernel: [17199788.800000] INPUT DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=192.168.1.1 DST=192.168.1.64 LEN=576 TOS=0x00 PREC=0xC0 TTL=255 ID=18652 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.1.64 DST=70.86.155.2 LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=51775 DF PROTO=TCP SPT=58289 DPT=51215 WINDOW=1460 RES=0x00 ACK URGP=0 ] MTU=1492 
Mar 29 13:24:24 athlon64 kernel: [17199788.956000] INPUT DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=70.86.155.2 DST=192.168.1.64 LEN=64 TOS=0x08 PREC=0x00 TTL=49 ID=39505 DF PROTO=TCP SPT=51216 DPT=58289 WINDOW=5792 RES=0x00 ACK URGP=0 
Mar 29 13:24:24 athlon64 kernel: [17199788.960000] INPUT DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=70.86.155.2 DST=192.168.1.64 LEN=64 TOS=0x08 PREC=0x00 TTL=49 ID=39506 DF PROTO=TCP SPT=51216 DPT=58289 WINDOW=5792 RES=0x00 ACK URGP=0 
Mar 29 13:24:25 athlon64 kernel: [17199789.504000] INPUT DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=192.168.1.1 DST=192.168.1.64 LEN=576 TOS=0x00 PREC=0xC0 TTL=255 ID=18653 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.1.64 DST=70.86.155.2 LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=51778 DF PROTO=TCP SPT=58289 DPT=51215 WINDOW=1460 RES=0x00 ACK URGP=0 ] MTU=1492 
Mar 29 13:24:26 athlon64 kernel: [17199790.920000] INPUT DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=192.168.1.1 DST=192.168.1.64 LEN=576 TOS=0x00 PREC=0xC0 TTL=255 ID=18654 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.1.64 DST=70.86.155.2 LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=51779 DF PROTO=TCP SPT=58289 DPT=51215 WINDOW=1460 RES=0x00 ACK URGP=0 ] MTU=1492 
Mar 29 13:24:27 athlon64 kernel: [17199791.880000] INPUT DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=88.149.128.12 DST=192.168.1.64 LEN=128 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=UDP SPT=53 DPT=33420 LEN=108 
Mar 29 13:24:27 athlon64 kernel: [17199791.908000] INPUT DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=88.149.128.12 DST=192.168.1.64 LEN=320 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=UDP SPT=53 DPT=33420 LEN=300 
Mar 29 13:24:27 athlon64 kernel: [17199791.964000] INPUT DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=66.249.93.147 DST=192.168.1.64 LEN=44 TOS=0x00 PREC=0x00 TTL=243 ID=61121 PROTO=TCP SPT=80 DPT=40705 WINDOW=8190 RES=0x00 ACK SYN URGP=0 
Mar 29 13:24:27 athlon64 kernel: [17199792.032000] INPUT DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=66.249.93.147 DST=192.168.1.64 LEN=40 TOS=0x10 PREC=0x00 TTL=52 ID=26165 PROTO=TCP SPT=80 DPT=40705 WINDOW=6432 RES=0x00 ACK URGP=0 
Mar 29 13:24:27 athlon64 kernel: [17199792.076000] INPUT DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=66.249.93.147 DST=192.168.1.64 LEN=589 TOS=0x10 PREC=0x00 TTL=52 ID=26166 PROTO=TCP SPT=80 DPT=40705 WINDOW=6432 RES=0x00 ACK PSH URGP=0 
Mar 29 13:24:27 athlon64 kernel: [17199792.096000] INPUT DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=88.149.128.12 DST=192.168.1.64 LEN=155 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=UDP SPT=53 DPT=33420 LEN=135 
Mar 29 13:24:27 athlon64 kernel: [17199792.124000] INPUT DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=88.149.128.12 DST=192.168.1.64 LEN=347 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=UDP SPT=53 DPT=33420 LEN=327 
Mar 29 13:24:27 athlon64 kernel: [17199792.184000] INPUT DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=66.249.93.104 DST=192.168.1.64 LEN=44 TOS=0x00 PREC=0x00 TTL=243 ID=60329 PROTO=TCP SPT=80 DPT=54144 WINDOW=8190 RES=0x00 ACK SYN URGP=0 
Mar 29 13:24:28 athlon64 kernel: [17199792.252000] INPUT DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=66.249.93.104 DST=192.168.1.64 LEN=40 TOS=0x10 PREC=0x00 TTL=52 ID=21610 PROTO=TCP SPT=80 DPT=54144 WINDOW=6432 RES=0x00 ACK URGP=0 
Mar 29 13:24:28 athlon64 kernel: [17199792.324000] INPUT DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=66.249.93.104 DST=192.168.1.64 LEN=1470 TOS=0x10 PREC=0x00 TTL=52 ID=21614 PROTO=TCP SPT=80 DPT=54144 WINDOW=6432 RES=0x00 ACK URGP=0 
Mar 29 13:24:28 athlon64 kernel: [17199792.364000] INPUT DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=66.249.93.104 DST=192.168.1.64 LEN=1470 TOS=0x10 PREC=0x00 TTL=52 ID=21615 PROTO=TCP SPT=80 DPT=54144 WINDOW=6432 RES=0x00 ACK URGP=0 
Mar 29 13:24:28 athlon64 kernel: [17199792.372000] INPUT DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=66.249.93.104 DST=192.168.1.64 LEN=327 TOS=0x10 PREC=0x00 TTL=52 ID=21616 PROTO=TCP SPT=80 DPT=54144 WINDOW=6432 RES=0x00 ACK PSH URGP=0 
Mar 29 13:24:28 athlon64 kernel: [17199792.432000] INPUT DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=66.249.93.147 DST=192.168.1.64 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=57632 PROTO=TCP SPT=80 DPT=40705 WINDOW=8190 RES=0x00 ACK FIN URGP=0 
Mar 29 13:24:28 athlon64 kernel: [17199792.432000] INPUT 
........
Bye Alessandro

Note:
Sorry, but I don't know how to send an attached file on this forum.

Thanks win32sux for teaching me the use of the code tag.

If someone could tell me how, I would send two files: one with the INPUT policy set to DROP and another with it set to ACCEPT.

Last edited by AleLinuxBSD; 03-29-2007 at 02:41 PM.
 
Old 03-29-2007, 12:55 PM   #6
win32sux
well, this looks like the first FTP packet to get sent to DROP in the entries you posted:
Quote:
Mar 29 13:24:07 athlon64 kernel: [17199771.464000] INPUT DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=70.86.155.2 DST=192.168.1.64 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=21 DPT=32944 WINDOW=5792 RES=0x00 ACK SYN URGP=0
considering it's an ACK/SYN packet, it would seem to me that the TCP handshake isn't getting a chance to finish... so we need to find why the packet isn't matching any of your ACCEPT rules... please post the output of (make sure your terminal window is maximized):
Code:
iptables -nvL
try using [code] tags when posting outputs...

Last edited by win32sux; 03-29-2007 at 12:57 PM.
 
Old 03-29-2007, 02:58 PM   #7
AleLinuxBSD
Original Poster
This is the output:
Code:
Chain INPUT (policy DROP 8 packets, 4608 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  132 31143 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix `INPUT_DROP: ' 
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
  124 26535 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy DROP 2 packets, 104 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
  178 33520 ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED
When I try to upload a file I get the message:
"transfer stalled, unknown time remaining".

win32sux, if you want I can send you my firewall.

Bye Alessandro
 
Old 03-29-2007, 04:48 PM   #8
win32sux
Quote:
Originally Posted by AleLinuxBSD
This is the output:
[iptables -nvL output quoted from post #7 above]
okay, if this was how your rules were when you obtained the log entries above then i understand why you have so many entries... the LOG rule should be the last one in the chain, that way it only sends to LOG packets which are gonna run smack into the policy... this script will set things right:
Code:
#!/bin/sh

IPT="/sbin/iptables"

$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT

$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT

$IPT -F
$IPT -F -t nat
$IPT -F -t mangle

$IPT -X
$IPT -X -t nat
$IPT -X -t mangle

$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -j LOG --log-prefix "INPUT DROP: "
you should then have a config that looks like this:
Code:
Chain INPUT (policy DROP 2 packets, 1152 bytes)
 pkts bytes target     prot opt in     out     source               destination
 6197 5458K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   17  1020 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix `INPUT DROP: '

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 6033 packets, 1275K bytes)
 pkts bytes target     prot opt in     out     source               destination
now try with that and post the log entries which you get during the problem... we should now be able to see only the packets which were sent to DROP...
 
Old 03-29-2007, 05:31 PM   #9
AleLinuxBSD
Original Poster
This is my log after following your instructions.

Code:
[17200539.448000] INPUT__DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=192.168.1.1 DST=192.168.1.64 LEN=576 TOS=0x00 PREC=0xC0 TTL=255 ID=60495 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.1.64 DST=70.86.155.2 LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=2135 DF PROTO=TCP SPT=48407 DPT=20172 WINDOW=1460 RES=0x00 ACK URGP=0 ] MTU=1492 
[17200540.196000] INPUT__DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=192.168.1.1 DST=192.168.1.64 LEN=576 TOS=0x00 PREC=0xC0 TTL=255 ID=60496 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.1.64 DST=70.86.155.2 LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=2138 DF PROTO=TCP SPT=48407 DPT=20172 WINDOW=1460 RES=0x00 ACK URGP=0 ] MTU=1492 
[17200541.700000] INPUT__DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=192.168.1.1 DST=192.168.1.64 LEN=576 TOS=0x00 PREC=0xC0 TTL=255 ID=60497 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.1.64 DST=70.86.155.2 LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=2139 DF PROTO=TCP SPT=48407 DPT=20172 WINDOW=1460 RES=0x00 ACK URGP=0 ] MTU=1492 
[17200544.708000] INPUT__DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=192.168.1.1 DST=192.168.1.64 LEN=576 TOS=0x00 PREC=0xC0 TTL=255 ID=60498 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.1.64 DST=70.86.155.2 LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=2140 DF PROTO=TCP SPT=48407 DPT=20172 WINDOW=1460 RES=0x00 ACK URGP=0 ] MTU=1492 
[17200550.724000] INPUT__DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=192.168.1.1 DST=192.168.1.64 LEN=576 TOS=0x00 PREC=0xC0 TTL=255 ID=60499 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.1.64 DST=70.86.155.2 LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=2142 DF PROTO=TCP SPT=48407 DPT=20172 WINDOW=1460 RES=0x00 ACK URGP=0 ] MTU=1492 
[17200562.756000] INPUT__DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=192.168.1.1 DST=192.168.1.64 LEN=576 TOS=0x00 PREC=0xC0 TTL=255 ID=60500 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.1.64 DST=70.86.155.2 LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=2143 DF PROTO=TCP SPT=48407 DPT=20172 WINDOW=1460 RES=0x00 ACK URGP=0 ] MTU=1492 
[17200586.820000] INPUT__DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=192.168.1.1 DST=192.168.1.64 LEN=576 TOS=0x00 PREC=0xC0 TTL=255 ID=60501 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.1.64 DST=70.86.155.2 LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=2144 DF PROTO=TCP SPT=48407 DPT=20172 WINDOW=1460 RES=0x00 ACK URGP=0 ] MTU=1492 
[17200634.948000] INPUT__DROP: IN=eth0 OUT= MAC=00:15:f2:5c:2f:46:00:16:b6:0a:67:a6:08:00 SRC=192.168.1.1 DST=192.168.1.64 LEN=576 TOS=0x00 PREC=0xC0 TTL=255 ID=60502 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.1.64 DST=70.86.155.2 LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=2145 DF PROTO=TCP SPT=48407 DPT=20172 WINDOW=1460 RES=0x00 ACK URGP=0 ] MTU=1492
Code:
Chain INPUT (policy DROP 8 packets, 4608 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
   43  5656 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    8  4608 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix `INPUT__DROP: ' 

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
   59 15061 ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED
Code:
IPTABLES="/sbin/iptables"
....
$IPTABLES -A INPUT -i $IFLO -j ACCEPT
$IPTABLES -A INPUT -i $IFEXT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -j LOG --log-prefix "INPUT__DROP: "
Alessandro

Last edited by AleLinuxBSD; 03-29-2007 at 05:40 PM.
 
Old 03-29-2007, 06:15 PM   #10
almatic
Hello,

you didn't open the output chain, as win32sux has suggested. Type

iptables -P OUTPUT ACCEPT

Then try again.
 
Old 03-29-2007, 08:46 PM   #11
win32sux
192.168.1.1 is your router/gateway, right?? test if this works around the problem (add it right before the LOG rule):
Code:
iptables -A INPUT -p ICMP --icmp-type 3 -s 192.168.1.1 -j ACCEPT
also let's see the MTU part of your ifconfig...

one question: is the problem happening on all ftp sites or just a few??

Last edited by win32sux; 03-29-2007 at 08:59 PM.
 
Old 03-30-2007, 03:53 AM   #12
AleLinuxBSD
Original Poster
Yes, it's the IP of my router/gateway, and I have verified the same problem using many FTP clients and my web spaces (I have more than one web space, under construction).

I have applied your instructions and, incredibly,
it seems to work!
Now I have tried to copy (stop and restart) many files to my web space and it has all gone smoothly.

Thanks a lot.

Can you teach me how you understood the problem?
I have asked the same question in many forums without a solution.

To increase the security of this instruction I have thought of something of the sort:

iptables -A INPUT -p ICMP --icmp-type 3 -s 192.168.1.1 -m limit --limit 1/s -j ACCEPT

But I don't know if there is a way to know the right value to specify in that instruction.

Moreover, to increase security further, I have thought of creating a bash script that inserts this rule in the correct place and then (in the same script) starts the FTP login.
When I close FTP it deletes the rule on the fly.
Do you like this solution?

Bye Alessandro

Last edited by AleLinuxBSD; 03-30-2007 at 07:28 AM.
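The reading win32sux did by eye in posts #6, #9 and #11, as an added example that is not code from the thread: a parser for the kernel's netfilter LOG format that labels each dropped packet, flagging FTP packets that hit the DROP policy and the ICMP type 3 code 4 (fragmentation needed) messages from the gateway whose loss breaks Path MTU discovery and stalls the upload. The sample log lines are constructed in the thread's format (LAN addresses from the page, documentation addresses for the remote hosts), and the function names are my own.

```python
"""Added example (not code from the thread): parse the kernel netfilter LOG
format seen in posts #5 and #9 and label each dropped packet the way win32sux
read them by eye: FTP packets hitting the DROP policy, and ICMP type 3 code 4
(fragmentation needed) from the gateway, whose loss breaks Path MTU discovery
so oversize upload segments are discarded forever and the transfer stalls."""
import re
from collections import Counter

# Constructed sample lines in the thread's LOG format.  LAN addresses are the
# ones on the page; 203.0.113.5 (FTP server) and 198.51.100.9 (a web server)
# are documentation addresses.
SAMPLE_LOG = """\
[100.000000] INPUT DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.168.1.64 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=21 DPT=32944 WINDOW=5792 RES=0x00 ACK SYN URGP=0
[100.200000] INPUT DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.168.1.64 LEN=1492 TOS=0x08 PREC=0x00 TTL=49 ID=33756 DF PROTO=TCP SPT=52100 DPT=54545 WINDOW=5792 RES=0x00 ACK URGP=0
[101.000000] INPUT DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.1 DST=192.168.1.64 LEN=576 TOS=0x00 PREC=0xC0 TTL=255 ID=18652 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.1.64 DST=203.0.113.5 LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=51775 DF PROTO=TCP SPT=58289 DPT=51215 WINDOW=1460 RES=0x00 ACK URGP=0 ] MTU=1492
[101.700000] INPUT DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.1 DST=192.168.1.64 LEN=576 TOS=0x00 PREC=0xC0 TTL=255 ID=18653 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.1.64 DST=203.0.113.5 LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=51778 DF PROTO=TCP SPT=58289 DPT=51215 WINDOW=1460 RES=0x00 ACK URGP=0 ] MTU=1492
[102.000000] INPUT DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.168.1.64 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=45247 PROTO=TCP SPT=80 DPT=35825 WINDOW=8190 RES=0x00 ACK FIN URGP=0
"""

LINE_RE = re.compile(r"\[(?P<ts>\d+\.\d+)\]\s+(?P<prefix>.*?):\s+(?P<body>.*)$")
INNER_RE = re.compile(r"\[(?P<inner>SRC=[^\]]*)\]")  # ICMP errors quote the original header
FLAG_WORDS = {"DF", "MF", "SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_fields(text):
    """'KEY=VALUE' tokens become dict entries; bare words such as DF or SYN
    become flags.  A repeated key (UDP lines carry two LEN=) keeps its last value."""
    fields = {"flags": set()}
    for tok in text.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in FLAG_WORDS:
            fields["flags"].add(tok)
    return fields

def parse_line(line):
    """Parse one LOG line, with or without the 'Mar 29 ... kernel:' syslog
    preamble.  Returns None for lines that are not netfilter LOG output."""
    m = LINE_RE.search(line)
    if not m:
        return None
    body = m.group("body")
    pkt = {"ts": float(m.group("ts")), "prefix": m.group("prefix")}
    inner = INNER_RE.search(body)
    if inner:  # keep the quoted header apart so its SRC/DST do not clobber the outer ones
        pkt["inner"] = parse_fields(inner.group("inner"))
        body = body[:inner.start()] + body[inner.end():]
    pkt.update(parse_fields(body))
    return pkt

def parse_log(text):
    return [p for p in map(parse_line, text.splitlines()) if p]

def classify(pkt, ftp_servers):
    """Label a dropped packet by what it means for the FTP session."""
    proto, flags = pkt.get("PROTO"), pkt["flags"]
    if proto == "ICMP" and pkt.get("TYPE") == "3" and pkt.get("CODE") == "4":
        inner = pkt.get("inner", {})
        return "pmtu-blackhole", (
            f"{pkt['SRC']} reports MTU={pkt.get('MTU')} for our {inner.get('LEN')}-byte DF segment "
            f"to {inner.get('DST')}:{inner.get('DPT')}; dropped, so TCP keeps retransmitting it")
    if proto == "TCP" and pkt.get("SPT") == "21":
        if {"SYN", "ACK"} <= flags:
            return "ftp-control-handshake", "SYN/ACK from the FTP server dropped: control connection never completes"
        return "ftp-control", "server reply on the FTP control connection dropped"
    if proto == "TCP" and pkt.get("SRC") in ftp_servers:
        return "ftp-passive-data", ("high-port segment from the FTP server dropped: passive data connection "
                                    "not matched as RELATED (is ip_conntrack_ftp loaded?)")
    return "other", f"{proto} from {pkt.get('SRC')} port {pkt.get('SPT')} (unsolicited or late packet)"

def analyze(text):
    """Summarise a capture: per-label counts, FTP servers seen, the first dropped
    FTP packet, and the peak per-second rate of fragmentation-needed messages
    (the floor for any --limit put on a rule that accepts them from the gateway)."""
    pkts = parse_log(text)
    ftp_servers = {p["SRC"] for p in pkts if p.get("PROTO") == "TCP" and p.get("SPT") == "21"}
    counts, per_second, first_ftp, findings = Counter(), Counter(), None, []
    for p in pkts:
        label, why = classify(p, ftp_servers)
        counts[label] += 1
        findings.append((p["ts"], label, why))
        if label == "pmtu-blackhole":
            per_second[int(p["ts"])] += 1
        if label.startswith("ftp-") and first_ftp is None:
            first_ftp = p
    return {"counts": counts, "ftp_servers": ftp_servers, "first_ftp_drop": first_ftp,
            "peak_icmp_needfrag_per_s": max(per_second.values(), default=0), "findings": findings}

if __name__ == "__main__":
    for ts, label, why in analyze(SAMPLE_LOG)["findings"]:
        print(f"{ts:12.6f}  {label:<22} {why}")
```

Feed it the real capture from post #9 and the only label left is pmtu-blackhole, which is why accepting ICMP type 3 from 192.168.1.1 (post #11) fixed the stall; the peak rate it reports is the minimum sensible value for the --limit the last post asks about.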
 
  

