[rhn-users] possible problem with ip_conntrack_ftp ESTABLISHED state in 2.6.9-22 kernel

Jared Marcum marcum at mers.byu.edu
Thu Mar 16 15:37:48 UTC 2006 

I'm new to rhn and RHEL, so I'm not sure if I should ask this question 
on this list or submit a bug, or both. I'm doing both just in case.

I have a problem which appears to be related to the ip_conntrack_ftp
module in iptables for the 2.6.9-22 kernel. I have *no* problems with 
RHEL3U7 and the 2.4.21-40 kernel.

Here's my setup:
RHEL4U2
kernel-2.6.9-22.EL
Contents of /etc/sysconfig/iptables
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.2.119.0/24 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j
ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j
ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j
ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 21 -j
ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j
ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 22 -j
ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -j
ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j
ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -j LOG --log-level debug
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

Problem description:
When I ftp data off of my server with the firewall on, it always hangs 
at around 450K of data transferred. It works fine with the firewall off. 
Like I mentioned before, I have no problems with the 2.4.21-40 kernel 
with RHEL3. I tried updating the kernel to 2.6.9-34 and I see the same 
behavior.
I turned on ethereal. The problem always happens when the client starts 
sending duplicate ACKs and the server tries to retransmit the lost 
packets. Another further client communication does not get accepted by 
the firewall and is rejected with the "host administratively down" 
message given by the firewall. /proc/net/ipv4/ip_conntrack still show 
the connection as ESTABLISHED, but the firewall logging shows that the 
same connection is being blocked.
I do not have the same problems http or https traffic. Again, it works 
fine with the same setup on RHEL3 with the 2.4.21-40 kernel.

Any help/guidance would be greatly appreciated.

Thanks,

-- 
Jared Marcum
Brigham Young University
Microwave Earth Remote Sensing
Computer Systems Administrator
marcum at mers.byu.edu
801-422-1105

More information about the rhn-users mailing list