Iptables eats file transfers

  1. #1
    Senior Member problemchild
    Join Date
    Jul 2002
    Posts
    551

    Iptables eats file transfers

    Ok..... I've been trying to figure this out myself for about a week now, and I'm ready to throw in the towel and ask for help.

    My home network is masqueraded through a Linux gateway/firewall box that drops all inbound traffic, and it seems that the firewall has been dropping file transfer requests from yahoo messenger. People keep saying, "Did you get it? Did you get it?" or "I'm waiting on you to accept" but I never get the requests. I would have thought that iptables' stateful inspection would catch that, but apparently not.

    It hasn't really been a problem for me until the last couple of weeks. I've tried opening every port I can think of that Yahoo might use, and I've searched everywhere I know to look for an answer. Does anybody know what I need to open in the firewall to get this working?
    Do what you want with the girl, but leave me alone!

  2. #2
    Junior Member
    Join Date
    Aug 2002
    Posts
    14

    Several Suggestions

    There are a couple things you could try since I can't find any doc on the port it uses. The first would be to connect and attempt a transfer and then run netstat -na and find out what port it is binding to. You could also run tcpdump and output to a file, then attempt a connection and look to see what port it is attempting to connect on. My suspicion is that it is a connection type similar to FTP where it opens a command channel first and then the server attempts to open a data connection. The data connection would be the one failing since it is trying to initiate a connection coming back into your network. Hope this helps....


    Cheers,
    m!thr!l

  3. #3
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    Dropping all inbound traffic would mean that you could see no web sites, use no IM programs and do absolutely nothing. All protocols require inbound traffic in order to work.

    Because you've posted successfully, I'll assume you haven't configured it to drop all inbound traffic (to do so would be useless - you may as well leave the plug out)

    If on the other hand, you have configured dynamic NAT to only accept packets which are in response to outbound traffic (perhaps via masquerading), then you obviously are accepting SOME inbound traffic.

    Some IM programs use unsolicited inbound traffic to send certain types of transfer - these will only work with NAT if you forward the relevant ports.

    If they use dynamic ports you're pretty stuffed. If there is more than one IM client behind your firewall, you are also stuffed because the firewall won't know who the unsolicited inbound traffic is for.

    As mithril suggests, try and find out what local port it uses (try running netstat -a before and during its running and diff the output) - and forward that port/ports speculatively.
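    The procedure both replies describe (snapshot netstat before and during a transfer, diff the listening sockets, then forward whatever port appeared), written out as an added example that is not from the thread or from any of the posters. The two netstat snapshots are constructed, the internal host 192.168.1.10, the interface eth0 and the port 1080 that "appears" during the transfer are placeholders, and the generated iptables rules are printed rather than applied so the script can be run on any box; whether the client really binds a fixed port, and whether a second client behind the same NAT would break this, is exactly the caveat raised above.

```shell
#!/bin/sh
# Added example, not code from the original thread. Finds the local port an IM
# client starts listening on during a transfer and emits the iptables rules
# that would forward that port to the internal host.

# Constructed "netstat -na" snapshots: before and during a file transfer.
# The 1080 listener is a placeholder, not a known Yahoo Messenger port.
NETSTAT_BEFORE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:1055       66.163.171.128:5050     ESTABLISHED'

NETSTAT_DURING='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:1055       66.163.171.128:5050     ESTABLISHED
tcp        0      0 0.0.0.0:1080            0.0.0.0:*               LISTEN'

# listening_ports SNAPSHOT
# Prints "proto/port" for every TCP socket in LISTEN state and every UDP
# socket (UDP has no state column), sorted and de-duplicated.
listening_ports() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^(tcp|udp)/ && ($NF == "LISTEN" || $1 ~ /^udp/) {
            n = split($4, a, ":")          # last field after ":" is the port
            print $1 "/" a[n]
        }' | sort -u
}

# new_listeners BEFORE DURING
# Prints the listeners present in DURING but absent from BEFORE.
new_listeners() {
    before=$(listening_ports "$1")
    listening_ports "$2" | while read -r p; do
        printf '%s\n' "$before" | grep -qxF "$p" || printf '%s\n' "$p"
    done
}

# forward_rules EXT_IF INTERNAL_HOST proto/port
# Emits the DNAT rule plus the FORWARD accept for a new inbound connection.
# Assumes the FORWARD chain already accepts ESTABLISHED,RELATED traffic.
forward_rules() {
    proto=${3%%/*}
    port=${3##*/}
    printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$1" "$proto" "$port" "$2" "$port"
    printf 'iptables -A FORWARD -i %s -p %s -d %s --dport %s -m state --state NEW -j ACCEPT\n' \
        "$1" "$proto" "$2" "$port"
}

# Stand-alone run: list the rules for every port that appeared during the transfer.
new_listeners "$NETSTAT_BEFORE" "$NETSTAT_DURING" | while read -r p; do
    forward_rules eth0 192.168.1.10 "$p"
done
```

On a real gateway you would take the two snapshots on the machine running the client (not the firewall), and run the printed rules on the gateway only after checking that the port is the same across several transfers; if it changes every time, the port-forward approach does not apply.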

  4. #4
    Senior Member problemchild
    Join Date
    Jul 2002
    Posts
    551
    "...only accept packets which are in response to outbound traffic (perhaps via masquerading), then you obviously are accepting SOME inbound traffic."

    That's what I meant. I assumed you guys would know I meant unsolicited traffic.

    Thanks for the tips... I'll work on it some more tonight.
    Do what you want with the girl, but leave me alone!
