Thread: Interesting problem with conntrack and ftp

Interesting problem with conntrack and ftp
user name
2006-03-19 00:37:39

On Fri, 17 Mar 2006, Alexander Samad wrote:

> Hi
>
> I was recently setting up my new firewall using openwrt on a linksys.
>
> I got around to setting up my adsl connection and added into my iptables
> these commands
>
> $IPT -t filter -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> $IPT -t filter -A FORWARD -o $WANADSL -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
> $IPT -t nat -A POSTROUTING -o $WANADSL -j MASQUERADE
>
> which is what I have normally done.
>
> http traffic worked well, but ftp of large files timed out, a sign of an
> mtu problem. It worked when I ftp'ed from the firewall, but not when I
> did it from behind the firewall.
>
> When I did some tcpdumps, I noticed that the second connection created
> by the client wasn't being clamped.
>
> The way I figure it was that the second connection was related to the
> first one, and thus being consumed by the first line in iptables (above).
>
> Once I changed the order of line 1 and 2 everything worked fine.
>
> Now openwrt uses 2.4.30, and my previous firewall used 2.6 and I believe
> it was set up as shown above and it worked fine.
>
> The other difference is that conntrack_ftp is compiled into the kernel.
>
> Is this a known feature/bug? Why has it worked in 2.6 and not in 2.4, or
> is the problem compiled in vs. as a module?

The solution is simple: TCPMSS should be used only in the mangle table.
Anyway, if you didn't change the configuration I have no idea why it
worked in 2.6 and does not work in 2.4.

Best regards,

 				Krzysztof Olędzki
Interesting problem with conntrack and ftp
user name
2006-03-19 04:38:43
On Sun, Mar 19, 2006 at 01:37:39AM +0100, Krzysztof Oledzki wrote:
> 
> 
> On Fri, 17 Mar 2006, Alexander Samad wrote:
> 
> >Hi
> >
> >I was recently setting up my new firewall using openwrt on a linksys.
> >
> >I got around to setting up my adsl connection and added into my iptables
> >these commands
> >
> >$IPT -t filter -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> >$IPT -t filter -A FORWARD -o $WANADSL -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
> >$IPT -t nat -A POSTROUTING -o $WANADSL -j MASQUERADE
> >
> >which is what I have normally done.
> >
> >http traffic worked well, but ftp of large files timed out, a sign of an
> >mtu problem. It worked when I ftp'ed from the firewall, but not when I
> >did it from behind the firewall.
> >
> >When I did some tcpdumps, I noticed that the second connection created
> >by the client wasn't being clamped.
> >
> >The way I figure it was that the second connection was related to the
> >first one, and thus being consumed by the first line in iptables (above).
> >
> >Once I changed the order of line 1 and 2 everything worked fine.
> >
> >Now openwrt uses 2.4.30, and my previous firewall used 2.6 and I believe
> >it was set up as shown above and it worked fine.
> >
> >The other difference is that conntrack_ftp is compiled into the kernel.
> >
> >Is this a known feature/bug? Why has it worked in 2.6 and not in 2.4, or
> >is the problem compiled in vs. as a module?
> 
> The solution is simple: TCPMSS should be used only in the mangle table.
> Anyway, if you didn't change the configuration I have no idea why it
> worked in 2.6 and does not work in 2.4.

Makes sense; ran foul of the man page:

       Workaround: activate this option and add a rule to your firewall
       configuration like:
        iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
                    -j TCPMSS --clamp-mss-to-pmtu


> 
> Best regards,
> 
> 				Krzysztof Olędzki

Interesting problem with conntrack and ftp
user name
2006-03-19 12:09:54

On Sun, 19 Mar 2006, Alexander Samad wrote:

> On Sun, Mar 19, 2006 at 01:37:39AM +0100, Krzysztof Oledzki wrote:
>>
>>
>> On Fri, 17 Mar 2006, Alexander Samad wrote:
>>
>>> Hi
>>>
>>> I was recently setting up my new firewall using openwrt on a linksys.
>>>
>>> I got around to setting up my adsl connection and added into my iptables
>>> these commands
>>>
>>> $IPT -t filter -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
>>> $IPT -t filter -A FORWARD -o $WANADSL -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>>> $IPT -t nat -A POSTROUTING -o $WANADSL -j MASQUERADE
>>>
>>> which is what I have normally done.
>>>
>>> http traffic worked well, but ftp of large files timed out, a sign of an
>>> mtu problem. It worked when I ftp'ed from the firewall, but not when I
>>> did it from behind the firewall.
>>>
>>> When I did some tcpdumps, I noticed that the second connection created
>>> by the client wasn't being clamped.
>>>
>>> The way I figure it was that the second connection was related to the
>>> first one, and thus being consumed by the first line in iptables (above).
>>>
>>> Once I changed the order of line 1 and 2 everything worked fine.
>>>
>>> Now openwrt uses 2.4.30, and my previous firewall used 2.6 and I believe
>>> it was set up as shown above and it worked fine.
>>>
>>> The other difference is that conntrack_ftp is compiled into the kernel.
>>>
>>> Is this a known feature/bug? Why has it worked in 2.6 and not in 2.4, or
>>> is the problem compiled in vs. as a module?
>>
>> The solution is simple: TCPMSS should be used only in the mangle table.
>> Anyway, if you didn't change the configuration I have no idea why it
>> worked in 2.6 and does not work in 2.4.
>
> Makes sense; ran foul of the man page:
>
>       Workaround: activate this option and add a rule to your firewall
>       configuration like:
>        iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
>                    -j TCPMSS --clamp-mss-to-pmtu

You must have some old version of this man page (and probably iptables).

Current version contains:

Workaround: activate this option and add a rule to your firewall
configuration like:

  iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
              -j TCPMSS --clamp-mss-to-pmtu

Best regards,

 				Krzysztof Olędzki
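The mechanism the thread circles around, as an added model that is not code from the thread or from the netfilter project: a forwarded packet walks the FORWARD chain of the mangle table before the one in filter, and within a chain the first terminating target (ACCEPT, DROP) ends evaluation. With conntrack_ftp loaded, the SYN of the FTP data connection arrives in filter FORWARD already tagged RELATED, so a `-m state --state RELATED,ESTABLISHED -j ACCEPT` rule listed first swallows it and a TCPMSS rule listed after it never runs; swapping the two rules works, and putting TCPMSS in mangle works regardless of how filter is ordered. The table-walk, the rule and packet classes, the three `ruleset_*` builders and `demo()` are all my own simplification (no chain policies, no `-o` interface match, no nat table); the PMTU of 1492 (PPPoE) and client MSS of 1460 are constructed sample values, and the clamp value PMTU - 40 mirrors what `--clamp-mss-to-pmtu` does for IPv4 (20-byte IP header plus 20-byte TCP header).

```python
# Added illustration, not code from the thread: a small model of netfilter
# FORWARD-chain traversal across the mangle and filter tables, built to show
# why a TCPMSS rule placed after a RELATED,ESTABLISHED accept in the filter
# table never sees the FTP data connection's SYN.  It models traversal order
# and first-terminating-match semantics only; it is not the kernel's code.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# A forwarded packet passes mangle FORWARD before filter FORWARD.
# (nat POSTROUTING / MASQUERADE comes later and is not modelled.)
TABLE_ORDER = ("mangle", "filter")


@dataclass
class Packet:
    proto: str
    syn: bool
    ctstate: str                    # conntrack: "NEW", "ESTABLISHED" or "RELATED"
    mss: int                        # MSS option carried in the SYN
    clamped: bool = False
    verdict: Optional[str] = None   # None: fell through to the chain policy


@dataclass
class Rule:
    match: Callable[[Packet], bool]
    target: str                     # "ACCEPT"/"DROP" terminate; "TCPMSS" does not


def state_match(*states: str) -> Callable[[Packet], bool]:
    """Model of '-m state --state A,B'."""
    return lambda p: p.ctstate in states


def syn_match(p: Packet) -> bool:
    """Model of '-p tcp --tcp-flags SYN,RST SYN'."""
    return p.proto == "tcp" and p.syn


def traverse(tables: Dict[str, List[Rule]], pkt: Packet, pmtu: int) -> Packet:
    """Walk each table's FORWARD chain in TABLE_ORDER.

    ACCEPT/DROP terminate only the chain they appear in; ACCEPT in mangle
    still lets the packet reach filter.  TCPMSS --clamp-mss-to-pmtu rewrites
    an MSS larger than PMTU - 40 and evaluation continues with the next rule.
    """
    for table in TABLE_ORDER:
        for rule in tables.get(table, []):
            if not rule.match(pkt):
                continue
            if rule.target == "TCPMSS":
                limit = pmtu - 40           # IPv4 header + TCP header
                if pkt.mss > limit:
                    pkt.mss = limit
                    pkt.clamped = True
            else:
                pkt.verdict = rule.target   # terminating target: leave chain
                break
        if pkt.verdict == "DROP":
            break
    return pkt


def ruleset_as_posted() -> Dict[str, List[Rule]]:
    """The order from the original post: state accept first, TCPMSS second, both in filter."""
    return {"filter": [Rule(state_match("RELATED", "ESTABLISHED"), "ACCEPT"),
                       Rule(syn_match, "TCPMSS")]}


def ruleset_reordered() -> Dict[str, List[Rule]]:
    """The poster's workaround: the two filter rules swapped."""
    return {"filter": [Rule(syn_match, "TCPMSS"),
                       Rule(state_match("RELATED", "ESTABLISHED"), "ACCEPT")]}


def ruleset_mangle() -> Dict[str, List[Rule]]:
    """The man-page form: TCPMSS in mangle, independent of filter ordering."""
    return {"mangle": [Rule(syn_match, "TCPMSS")],
            "filter": [Rule(state_match("RELATED", "ESTABLISHED"), "ACCEPT")]}


def demo(tables: Dict[str, List[Rule]], pmtu: int = 1492
         ) -> Dict[str, Tuple[bool, int, Optional[str]]]:
    """Push two constructed outbound SYNs through a ruleset: the FTP control
    connection (NEW) and the data connection, which conntrack_ftp has marked
    RELATED.  PMTU 1492 is the usual PPPoE value, MSS 1460 an Ethernet
    client's default.  Returns {name: (clamped, final_mss, verdict)}."""
    results = {}
    for name, state in (("control", "NEW"), ("data", "RELATED")):
        pkt = Packet(proto="tcp", syn=True, ctstate=state, mss=1460)
        traverse(tables, pkt, pmtu)
        results[name] = (pkt.clamped, pkt.mss, pkt.verdict)
    return results


if __name__ == "__main__":
    for label, rs in (("as posted", ruleset_as_posted()),
                      ("reordered", ruleset_reordered()),
                      ("TCPMSS in mangle", ruleset_mangle())):
        print(f"{label:17s} {demo(rs)}")
```

Run as a script it shows the data-connection SYN leaving with MSS 1460 and verdict ACCEPT under the posted order, and clamped to 1452 under either fix. On a real box the equivalent check is the packet counter on the TCPMSS rule (`iptables -t mangle -vnL FORWARD`) while a large transfer runs, together with a tcpdump on the WAN side showing `mss 1452` in the data connection's SYN; if the counter stays at zero, something earlier in the traversal is still terminating on that SYN.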