Solved

Linux Firewall Problem

Posted on 2011-03-07
810 Views
Last Modified: 2012-05-11
Hi! I have a problem with the firewall on one of my servers. Actually, I don't think it's a problem with the firewall itself, but rather something on my local IP address causing the remote firewall to trigger a rule that results in my IP address getting blocked so that I no longer have access to my remote system. I hope this makes sense.

What I'm trying to figure out is what's causing the firewall to block me.

The log sample is attached.

I know these blocks are triggered by an Ubuntu machine I have running here locally. There's a cron job on it that fetches some files from the remote server via FTP every 15 minutes or so, but apart from that, I've no idea where the connections are coming from, especially from and to strange TCP ports like SPT=59239 DPT=50817.

Hopefully someone can help me figure this out.
Time:    Mon Mar  7 19:35:00 2011 +0000
IP:      109.xxx.xxx.xxx (EU/-/-)
Hits:    11
Blocked: Temporary Block

Sample of block hits:
Mar  7 19:30:06 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=30225 DF PROTO=TCP SPT=59239 DPT=50817 WINDOW=8192 RES=0x00 SYN URGP=0 
Mar  7 19:30:09 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=30238 DF PROTO=TCP SPT=59239 DPT=50817 WINDOW=8192 RES=0x00 SYN URGP=0 
Mar  7 19:30:15 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=30433 DF PROTO=TCP SPT=59239 DPT=50817 WINDOW=8192 RES=0x00 SYN URGP=0 
Mar  7 19:31:39 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=597 DF PROTO=TCP SPT=59258 DPT=50817 WINDOW=8192 RES=0x00 SYN URGP=0 
Mar  7 19:31:42 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=603 DF PROTO=TCP SPT=59258 DPT=50817 WINDOW=8192 RES=0x00 SYN URGP=0 
Mar  7 19:31:48 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=768 DF PROTO=TCP SPT=59258 DPT=50817 WINDOW=8192 RES=0x00 SYN URGP=0 
Mar  7 19:33:20 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=5043 DF PROTO=TCP SPT=59315 DPT=47838 WINDOW=8192 RES=0x00 SYN URGP=0 
Mar  7 19:33:23 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=5053 DF PROTO=TCP SPT=59315 DPT=47838 WINDOW=8192 RES=0x00 SYN URGP=0 
Mar  7 19:33:29 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=5063 DF PROTO=TCP SPT=59315 DPT=47838 WINDOW=8192 RES=0x00 SYN URGP=0 
Mar  7 19:34:54 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=5730 DF PROTO=TCP SPT=59328 DPT=47838 WINDOW=8192 RES=0x00 SYN URGP=0 
Mar  7 19:34:57 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=5733 DF PROTO=TCP SPT=59328 DPT=47838 WINDOW=8192 RES=0x00 SYN URGP=0

Question by: Julian Matz

6 Comments
LVL 8

Accepted Solution

by: ragnarok89 (earned 350 total points)

If you install Wireshark, you'll be able to trace the source. It's a great tool for exactly this kind of thing.
 
LVL 6

Assisted Solution

by: t-max (earned 150 total points)

Do you connect to the FTP server with an active or a passive connection?
Do you know if your firewall has a rule for established and related connections?
Do you always get locked out at the same time of day (around 19:30)? Did you check the cron jobs of the system and of the users on the Ubuntu machine?
Have you checked other logs on both machines to cross-reference the data in that time frame (7 March, ~19:30)?
Wireshark will give you more data if you know when and where to look for it, but it generates tons of it, and it's not straightforward to understand. I hope my questions will help you find the source of it.
 
LVL 21

Author Comment

by: Julian Matz

Sorry for the delay in getting back to this.

I'm not sure if passive or active. This is what I've been using to FTP:
cd $path && /usr/bin/wget --ftp-user='$FTPuser' --ftp-password='$FTPpass' -r -S -N ftp://$FTPhost/$filename

I did try Wireshark, but the problem seems to have gone away after I increased the intervals at which my script did its FTP routines.
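A way to check t-max's questions against the log itself, as an added example that is not part of the thread (the script and its function names are mine; the log lines are the eleven from the question, embedded as constructed input with the addresses anonymised exactly as posted). It parses the netfilter LOG line format, collapses SYN retransmissions that share a source port into one connection attempt, checks whether the blocked destination ports are unprivileged ports rather than a listening service, and estimates the sender's initial TTL. For this sample it finds 11 hits in 291 seconds that are really four connection attempts to two high ports, which is what passive-mode FTP data connections look like from the server side when its firewall does not treat them as related to the control session on port 21 (wget uses passive mode unless given --no-passive-ftp). The per-source hit threshold that triggers the temporary block is an assumption, not a value taken from the page.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the eleven "TCP_IN Blocked" lines from the question,
# with addresses anonymised exactly as in the post ("xxx").
SAMPLE_LOG = """\
Mar  7 19:30:06 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=30225 DF PROTO=TCP SPT=59239 DPT=50817 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  7 19:30:09 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=30238 DF PROTO=TCP SPT=59239 DPT=50817 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  7 19:30:15 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=30433 DF PROTO=TCP SPT=59239 DPT=50817 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  7 19:31:39 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=597 DF PROTO=TCP SPT=59258 DPT=50817 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  7 19:31:42 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=603 DF PROTO=TCP SPT=59258 DPT=50817 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  7 19:31:48 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=768 DF PROTO=TCP SPT=59258 DPT=50817 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  7 19:33:20 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=5043 DF PROTO=TCP SPT=59315 DPT=47838 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  7 19:33:23 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=5053 DF PROTO=TCP SPT=59315 DPT=47838 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  7 19:33:29 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=5063 DF PROTO=TCP SPT=59315 DPT=47838 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  7 19:34:54 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=5730 DF PROTO=TCP SPT=59328 DPT=47838 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  7 19:34:57 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=5733 DF PROTO=TCP SPT=59328 DPT=47838 WINDOW=8192 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"kernel: Firewall: \*(?P<rule>[^*]+)\*\s+(?P<fields>.*)$"
)
INT_FIELDS = ("LEN", "TTL", "SPT", "DPT", "WINDOW")


def parse_line(line, year=2011):
    """Parse one netfilter LOG line into a dict; None if it is not one.
    KEY=VALUE tokens become keys, bare tokens (DF, SYN, ...) go into 'flags'."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"rule": m["rule"], "flags": set()}
    # syslog timestamps carry no year; the post's notice says Mon Mar 7 2011.
    rec["ts"] = datetime.strptime(
        f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    for tok in m["fields"].split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = int(val) if key in INT_FIELDS else val
        else:
            rec["flags"].add(tok)
    return rec


def group_attempts(records):
    """Collapse blocked SYNs that share a 4-tuple into one client connect():
    a TCP stack retransmits an unanswered SYN from the same source port with
    roughly doubling gaps, so three log hits are usually one connection attempt."""
    by_tuple = defaultdict(list)
    for r in records:
        if "SYN" in r["flags"]:
            by_tuple[(r["SRC"], r["SPT"], r["DST"], r["DPT"])].append(r["ts"])
    attempts = []
    for (src, spt, dst, dpt), times in by_tuple.items():
        times.sort()
        gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        attempts.append({"first": times[0], "src": src, "spt": spt, "dst": dst,
                         "dpt": dpt, "syns": len(times), "retransmit_gaps_s": gaps})
    return sorted(attempts, key=lambda a: a["first"])


def guess_initial_ttl(ttl):
    """Heuristic only: smallest common initial TTL (64, 128, 255) not below the
    observed value. 64 is the Linux default, 128 the Windows default."""
    return next((init for init in (64, 128, 255) if ttl <= init), None)


def summarize(log_text, block_threshold=10):
    """Answer the thread's questions from the log alone. block_threshold is an
    assumed per-source hit count for the remote firewall's temporary block
    (the notice shows 11 hits leading to one); it is not a value from the page."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    attempts = group_attempts(records)
    hits_by_src = defaultdict(int)
    for r in records:
        hits_by_src[r["SRC"]] += 1
    stamps = [r["ts"] for r in records]
    dports = sorted({a["dpt"] for a in attempts})
    return {
        "hits": len(records),
        "span_s": int((max(stamps) - min(stamps)).total_seconds()) if stamps else 0,
        "attempts": len(attempts),
        "retransmit_gaps_s": [a["retransmit_gaps_s"] for a in attempts],
        "dports": dports,
        # Unprivileged ports with no listener are what passive-mode FTP data
        # connections look like from the server side when its firewall does
        # not treat them as RELATED to the control connection on port 21.
        "all_dports_unprivileged": all(p > 1023 for p in dports),
        "initial_ttl_guess": sorted({guess_initial_ttl(r["TTL"]) for r in records}),
        "sources_over_threshold": [s for s, n in hits_by_src.items() if n >= block_threshold],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Two things a practitioner would check from the output. First, the four attempts each retry at +3 s and +6 s from the same source port, so the firewall is counting retransmissions of a handful of failed connects, not a scan; if the server's FTP data connections are the cause, the fix belongs on the server (accept the configured passive port range, or load the FTP connection-tracking helper so the data connection is accepted as RELATED), and a longer cron interval would only keep the hit count under the block threshold. Second, a TTL of 114 is closer to an initial 128 than to 64; that is a heuristic, but it is worth checking against the assumption that the Ubuntu box is the only host behind that address before reaching for Wireshark.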
 
LVL 21

Author Comment

by: Julian Matz

I'm going to close this and award points since I'm sure Wireshark would have been the solution (or at least part of the solution) had my problem persisted.
 