establishing ftp connection very slow with iptables-1.2.2


adm

Technical User
Sep 14, 2001
8
CZ
Hi all,

I upgraded from ipchains to iptables 1.2.2 with kernel 2.4.8.
Establishing an FTP connection to this machine from my internal LAN takes 10 sec with the firewall rules applied; when I flush all rules and set the default policy to accept, the connection time is less than 1 sec. In both cases the transfer time of files via ftp is comparable, and all other protocols seem unchanged in speed too. I have opened input ports 20 and 21 (both tcp and udp protocol) and all icmp packets; output is allowed to destination ports 1024:65535 (plus some services such as http, domain, smtp, etc.). Is it normal or is something wrong?

thanks for any ideas
 
Hi,

Sounds strange. If you are using 'proper' (versus passive) ftp you need to allow outbound initiated connections on port 20. This is because the session is established from the client to host port 21 and the host then establishes a data channel back to the client from port 20. (This makes it tricky to firewall properly, as you might imagine.) So try to open outbound port 20 and see what happens...

Rgds
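
The data-channel behaviour described in the reply above is what the netfilter FTP helper exists for. The script below is an added example, not code from the thread or from any poster: it builds a stateful rule set for the FTP server side (the proftpd box), loads ip_conntrack_ftp so that both the active-mode data connection (server port 20 out to the client) and the passive-mode one (client in to a server high port) are accepted as RELATED, and rate-limits logging of whatever still gets dropped. The interface name eth0, the port 21 default and the IPT/MODPROBE variables are assumptions for illustration; run it with the argument dry-run to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the thread): stateful iptables rules for an FTP
# server, using the ip_conntrack_ftp helper for both FTP data modes.
# Assumptions: LAN interface eth0, FTP on tcp/21, iptables 1.2.x "state" match.
IPT=${IPT:-iptables}            # set IPT=echo to print the rules instead
MODPROBE=${MODPROBE:-modprobe}
LAN_IF=${LAN_IF:-eth0}
FTP_PORT=${FTP_PORT:-21}

ftp_rules() {
    # The helper watches PORT/PASV on the control channel and marks the
    # resulting data connection RELATED; without it the rules below would
    # not let active-mode data (server port 20 -> client) out.
    $MODPROBE ip_conntrack_ftp || true

    $IPT -F INPUT
    $IPT -F OUTPUT
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Anything belonging to, or related to, a connection we already know:
    # covers the server's own replies and both FTP data modes.
    $IPT -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Control channel: new TCP connections to port 21 from the LAN.
    # FTP does not use UDP, so no udp/20 or udp/21 rule is needed.
    $IPT -A INPUT -i "$LAN_IF" -p tcp --dport "$FTP_PORT" -m state --state NEW -j ACCEPT

    # The server's own DNS queries (proftpd looks up the name of each client);
    # if the replies cannot get back in, every login waits for the lookup to
    # time out.
    $IPT -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -p icmp -j ACCEPT

    # Log what falls through (rate-limited) so a stalled handshake shows up
    # in syslog instead of silently timing out.
    $IPT -A INPUT  -m limit --limit 5/min -j LOG --log-prefix "ipt-in-drop: "
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "ipt-out-drop: "
}

# Fallback if the conntrack helper is unavailable: open active-mode data
# statically (server port 20 out to the LAN). Passive mode would then also
# need a fixed port range opened on INPUT.
static_active_ftp_rules() {
    $IPT -A OUTPUT -o "$LAN_IF" -p tcp --sport 20 -m state --state NEW -j ACCEPT
}

case "${1:-}" in
    apply)   ftp_rules ;;
    dry-run) IPT=echo MODPROBE=echo ftp_rules ;;
esac
```

Compared with the rules in the original question, this set opens no UDP ports for FTP and does not need a blanket OUTPUT rule for 1024:65535: the two ESTABLISHED,RELATED rules plus the helper cover the data channel in both directions, and the LOG rules make any remaining drop visible.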
 
I have never had a problem with this; it is strange, as remarked above. Set your debug high, run tcpdump against ports 20/21 and/or automate the process with a script where you can time the waits. Most times ftp and telnet are the "miner's canary" of name resolution problems. Check your nsswitch and associated services.
Good Luck
 
Yes, it sounds strange ...... after this even more:
I experimented with the OUTPUT chain but the connection time was still approx. 10 sec even after I flushed it and set the default OUTPUT policy to accept. After I set the default INPUT policy to accept, I connected in 1 sec, so I thought the problem was in the input chain. I tried to tcpdump all traffic to see what ports are used on the linux box when I'm connecting to proftpd running on it. There was only communication with the name server (through the domain port) and with my ftp client through ports ftp and ftp-data on the destination machine, so ... everything OK.
It seems it should be some iptables version specific problem (but I cannot downgrade iptables because of the kernel version). Maybe it is due to the recent security bug related to ftp with iptables - now I'm using the MDK distribution kernel 2.4.8-23mdk with iptables 1.2.2-7mdk. I also tried to modprobe ip_conntrack_ftp but it didn't help. I will wait for a new iptables rpm release; a 10 sec delay with ftp connection is not so vital for me. But it's really strange ...

thanks for effort
 
You may have a delay if your FTP server or netfilter logging is doing reverse DNS lookups. A reverse DNS lookup is where the server attempts to get the DNS name for the IP that just connected to it.

To test the possibility of DNS lookups being the source of the delay, temporarily add the client test box's IP to /etc/hosts on the server, like this:

2.3.4.5 ftpclient.mycorp.com
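
The check suggested above can be scripted so the two measurements (reverse lookup and TCP connect to port 21) are taken before and after the /etc/hosts entry is added, and the entry is removed again afterwards. This is an added example, not code from the thread: it assumes a glibc system with getent (so the lookup follows the same nsswitch order proftpd uses), GNU date, and nc for the connect timing; the IP 2.3.4.5 and name ftpclient.mycorp.com are the ones from the reply above, and HOSTS can be pointed at a scratch file for a dry run.

```shell
#!/bin/sh
# Added example (not from the thread): time a reverse lookup and an FTP
# connect, then repeat with the client in /etc/hosts to see if the stall goes
# away. Assumptions: getent (glibc nsswitch), GNU date, nc for the connect.
HOSTS=${HOSTS:-/etc/hosts}

# Seconds taken by a command (1 s resolution is enough for a 10 s stall).
elapsed() {
    start=$(date +%s)
    "$@" >/dev/null 2>&1
    echo $(( $(date +%s) - start ))
}

# Reverse lookup the way nsswitch does it ("files dns" order from nsswitch.conf).
reverse_lookup() { getent hosts "$1"; }

# TCP connect to the FTP control port; give up after 20 s.
ftp_connect() { nc -z -w 20 "$1" 21; }

# True if the IP already has a line in the hosts file.
hosts_has() { awk -v ip="$1" '$1 == ip { found = 1 } END { exit !found }' "$HOSTS"; }

# Append "IP NAME" unless the IP is already listed.
hosts_add() {
    hosts_has "$1" || printf '%s %s\n' "$1" "$2" >> "$HOSTS"
}

# Remove every line for the IP. Rewriting in place (cat >) rather than mv
# keeps the ownership and mode of /etc/hosts.
hosts_remove() {
    tmp=$(mktemp)
    awk -v ip="$1" '$1 != ip' "$HOSTS" > "$tmp"
    cat "$tmp" > "$HOSTS"
    rm -f "$tmp"
}

# Run on the FTP server: diagnose CLIENT_IP CLIENT_NAME [SERVER_ADDR]
diagnose() {
    ip=$1; name=$2; server=${3:-127.0.0.1}
    echo "reverse lookup of $ip:        $(elapsed reverse_lookup "$ip") s"
    echo "tcp connect to $server:21:   $(elapsed ftp_connect "$server") s"
    hosts_add "$ip" "$name"
    echo "with hosts entry, lookup:     $(elapsed reverse_lookup "$ip") s"
    echo "with hosts entry, connect:    $(elapsed ftp_connect "$server") s"
    hosts_remove "$ip"
}

if [ $# -ge 2 ]; then
    diagnose "$@"
fi
```

If the first lookup takes about as long as the FTP login and the second is instant, the firewall is blocking the name server reply (or the reverse zone is unreachable); the fix is then in the DNS rules or in turning off reverse lookups in proftpd, not in the FTP ports themselves. Run it from the client side as `HOSTS=/tmp/hosts.test sh ftpdelay.sh 2.3.4.5 ftpclient.mycorp.com ftpserver` if you do not want to touch the real /etc/hosts.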
 