-
August 22nd, 2002, 05:17 AM
#1
Iptables eats file transfers
OK... I've been trying to figure this out myself for about a week now, and I'm ready to throw in the towel and ask for help.
My home network is masqueraded through a Linux gateway/firewall box that drops all inbound traffic, and it seems that the firewall has been dropping file transfer requests from Yahoo Messenger. People keep saying, "Did you get it? Did you get it?" or "I'm waiting on you to accept," but I never get the requests. I would have thought that iptables' stateful inspection would catch that, but apparently not.
It hasn't really been a problem for me until the last couple of weeks. I've tried opening every port I can think of that Yahoo might use, and I've searched everywhere I know to look for an answer. Does anybody know what I need to open in the firewall to get this working?
Do what you want with the girl, but leave me alone!
-
August 22nd, 2002, 03:55 PM
#2
Several Suggestions
There are a couple things you could try since I can't find any doc on the port it uses. The first would be to connect and attempt a transfer and then run netstat -na and find out what port it is binding to. You could also run tcpdump and output to a file, then attempt a connection and look to see what port it is attempting to connect on. My suspicion is that it is a connection type similar to FTP where it opens a command channel first and then the server attempts to open a data connection. The data connection would be the one failing since it is trying to initiate a connection coming back into your network. Hope this helps....
Cheers,
m!thr!l
-
August 22nd, 2002, 07:28 PM
#3
Dropping all inbound traffic would mean that you could see no web sites, use no IM programs and do absolutely nothing. All protocols require inbound traffic in order to work.
Because you've posted successfully, I'll assume you haven't configured it to drop all inbound traffic (to do so would be useless - you may as well leave the plug out)
If on the other hand, you have configured dynamic NAT to only accept packets which are in response to outbound traffic (perhaps via masquerading), then you obviously are accepting SOME inbound traffic.
Some IM programs use unsolicited inbound traffic to send certain types of transfer - these will only work with NAT if you forward the relevant ports.
If they use dynamic ports you're pretty stuffed. If there is more than one IM client behind your firewall, you are also stuffed, because the firewall won't know who the unsolicited inbound traffic is for.
As mithril suggests, try and find out what local port it uses (try running netstat -a before and during its running and diff the output) - and forward that port/ports speculatively.
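The procedure the two replies above describe (snapshot netstat before and during a transfer, diff the two, then forward whatever port appeared) as an added worked example; this is not code from the thread or from any of its posters. It assumes a Linux gateway using the iptables syntax of the period, a hypothetical LAN host 192.168.1.10 and a hypothetical external interface eth0; the two netstat snapshots embedded below are constructed sample output, not real captures, and the port that shows up in them is made up for illustration. The iptables commands are printed rather than executed so you can review them before applying them on the gateway.

```shell
#!/bin/sh
# Added example (not from the original thread). Finds the local port a
# client starts listening on during a transfer by diffing two "netstat -na"
# snapshots, then prints the iptables rules that would forward that port
# from the gateway to the LAN host.

LAN_HOST=192.168.1.10   # hypothetical: the machine running the IM client
WAN_IF=eth0             # hypothetical: the gateway's external interface

# listening_ports: read "netstat -na" output on stdin and print "proto port"
# for every TCP socket in LISTEN state and every bound UDP socket.
listening_ports() {
    awk '($1 ~ /^tcp/ && $6 == "LISTEN") || $1 ~ /^udp/ {
        n = split($4, a, ":"); print $1, a[n]
    }' | sort -u
}

# new_ports BEFORE AFTER: lines present in AFTER but not in BEFORE.
# Both files come from listening_ports, so they are already sorted for comm.
new_ports() {
    comm -13 "$1" "$2"
}

# find_transfer_ports BEFORE AFTER: given two raw netstat snapshots,
# print the "proto port" pairs that appeared between them.
find_transfer_ports() {
    fp_before=$(mktemp); fp_after=$(mktemp)
    listening_ports < "$1" > "$fp_before"
    listening_ports < "$2" > "$fp_after"
    new_ports "$fp_before" "$fp_after"
    rm -f "$fp_before" "$fp_after"
}

# dnat_rules: read "proto port" lines on stdin and print, for each one, the
# DNAT rule that rewrites the destination to LAN_HOST and the FORWARD rule
# that lets the rewritten packet through. Printed, not executed.
dnat_rules() {
    while read -r proto port; do
        printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
            "$WAN_IF" "$proto" "$port" "$LAN_HOST" "$port"
        printf 'iptables -A FORWARD -i %s -p %s -d %s --dport %s -j ACCEPT\n' \
            "$WAN_IF" "$proto" "$LAN_HOST" "$port"
    done
}

# Constructed sample snapshots standing in for "netstat -na" taken before
# and during a transfer attempt. The 4000 listener and the 192.0.2.5 peer
# are invented for the example.
BEFORE=$(mktemp); AFTER=$(mktemp)
cat > "$BEFORE" <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:1034       192.0.2.5:5050          ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*
EOF
cat > "$AFTER" <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:4000            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:1034       192.0.2.5:5050          ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*
EOF

# Real use on the client machine: "netstat -na > before.txt", start the
# transfer, "netstat -na > after.txt", then run this on both files.
# The tcpdump route from reply #2 is "tcpdump -n -i eth0 -w transfer.pcap"
# on the gateway; read the capture back with "tcpdump -n -r transfer.pcap".
find_transfer_ports "$BEFORE" "$AFTER" | dnat_rules
rm -f "$BEFORE" "$AFTER"
```

The diff only shows a new listener if the client actually binds a port for the incoming connection; if the peer connects to a port the client opened only for the duration of a handshake, take the two snapshots as close together as you can, or use the tcpdump capture instead and look for inbound SYNs that get no reply. As reply #3 notes, a DNAT rule sends every unsolicited packet on that port to a single LAN host, so with several clients behind the gateway only the forwarded one will receive transfers.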
-
August 22nd, 2002, 09:15 PM
#4
Quote: "only accept packets which are in response to outbound traffic (perhaps via masquerading), then you obviously are accepting SOME inbound traffic."
That's what I meant. I assumed you guys would know I meant unsolicited traffic.
Thanks for the tips... I'll work on it some more tonight.
Do what you want with the girl, but leave me alone!