Solved

Linux Firewall Problem

Posted on 2011-03-07
Last Modified: 2012-05-11
Hi! I have a problem with the firewall on one of my servers. Actually, I don't think it's a problem with the firewall itself, but rather something on my local IP address causing the remote firewall to trigger a rule that results in my IP address getting blocked so that I no longer have access to my remote system. I hope this makes sense.

What I'm trying to figure out is what's causing the firewall to block me.

The log sample is attached.

I know these blocks are triggered by an Ubuntu machine I have running here locally. There's a cron job on it that fetches some files from the remote server via FTP every 15 minutes or so, but apart from that, I've no idea where the connections are coming from, especially from and to strange TCP ports like SPT=59239 DPT=50817.

Hopefully someone can help me figure this out.
Time:    Mon Mar  7 19:35:00 2011 +0000
IP:      109.xxx.xxx.xxx (EU/-/-)
Hits:    11
Blocked: Temporary Block

Sample of block hits:
Mar  7 19:30:06 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=30225 DF PROTO=TCP SPT=59239 DPT=50817 WINDOW=8192 RES=0x00 SYN URGP=0 
Mar  7 19:30:09 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=30238 DF PROTO=TCP SPT=59239 DPT=50817 WINDOW=8192 RES=0x00 SYN URGP=0 
Mar  7 19:30:15 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=30433 DF PROTO=TCP SPT=59239 DPT=50817 WINDOW=8192 RES=0x00 SYN URGP=0 
Mar  7 19:31:39 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=597 DF PROTO=TCP SPT=59258 DPT=50817 WINDOW=8192 RES=0x00 SYN URGP=0 
Mar  7 19:31:42 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=603 DF PROTO=TCP SPT=59258 DPT=50817 WINDOW=8192 RES=0x00 SYN URGP=0 
Mar  7 19:31:48 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=768 DF PROTO=TCP SPT=59258 DPT=50817 WINDOW=8192 RES=0x00 SYN URGP=0 
Mar  7 19:33:20 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=5043 DF PROTO=TCP SPT=59315 DPT=47838 WINDOW=8192 RES=0x00 SYN URGP=0 
Mar  7 19:33:23 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=5053 DF PROTO=TCP SPT=59315 DPT=47838 WINDOW=8192 RES=0x00 SYN URGP=0 
Mar  7 19:33:29 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=5063 DF PROTO=TCP SPT=59315 DPT=47838 WINDOW=8192 RES=0x00 SYN URGP=0 
Mar  7 19:34:54 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=5730 DF PROTO=TCP SPT=59328 DPT=47838 WINDOW=8192 RES=0x00 SYN URGP=0 
Mar  7 19:34:57 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=5733 DF PROTO=TCP SPT=59328 DPT=47838 WINDOW=8192 RES=0x00 SYN URGP=0

Question by:Julian Matz
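Added example, not code from the thread: a small parser for the kernel "Firewall: *TCP_IN Blocked*" lines in the question that groups them per client socket (source IP, source port, destination port), so each burst of SYN retries and the server ports being hit stand out. It runs on the question's own log sample (IPs masked as posted) and assumes the year is 2011, since syslog timestamps carry none.

```python
# Added example, not code from the thread: parse the kernel "Firewall: *TCP_IN
# Blocked*" lines from the question and group them per client socket so each
# burst of SYN retries stands out. Year is assumed (2011, as in the question).
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
Mar  7 19:30:06 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=30225 DF PROTO=TCP SPT=59239 DPT=50817 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  7 19:30:09 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=30238 DF PROTO=TCP SPT=59239 DPT=50817 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  7 19:30:15 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=30433 DF PROTO=TCP SPT=59239 DPT=50817 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  7 19:31:39 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=597 DF PROTO=TCP SPT=59258 DPT=50817 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  7 19:31:42 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=603 DF PROTO=TCP SPT=59258 DPT=50817 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  7 19:31:48 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=768 DF PROTO=TCP SPT=59258 DPT=50817 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  7 19:33:20 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=5043 DF PROTO=TCP SPT=59315 DPT=47838 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  7 19:33:23 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=5053 DF PROTO=TCP SPT=59315 DPT=47838 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  7 19:33:29 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=5063 DF PROTO=TCP SPT=59315 DPT=47838 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  7 19:34:54 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=5730 DF PROTO=TCP SPT=59328 DPT=47838 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  7 19:34:57 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=5733 DF PROTO=TCP SPT=59328 DPT=47838 WINDOW=8192 RES=0x00 SYN URGP=0
"""

# Only the fields needed for triage: timestamp, endpoints, TTL, ports, TCP flags.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) kernel: Firewall: \*[^*]+\*.*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?TTL=(?P<ttl>\d+).*?"
    r"PROTO=TCP SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)(?P<rest>.*)$")

def parse(log, year=2011):
    """One dict per blocked TCP line; anything else in the log is skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({
                "time": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
                "src": m["src"], "dst": m["dst"], "ttl": int(m["ttl"]),
                "spt": int(m["spt"]), "dpt": int(m["dpt"]),
                "syn": re.search(r"\bSYN\b", m["rest"]) is not None})
    return events

def bursts(events):
    """Group by (src, spt, dpt): one client socket retrying the same connection."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["src"], e["spt"], e["dpt"])].append(e)
    out = {}
    for key, evs in groups.items():
        evs.sort(key=lambda e: e["time"])  # offsets = seconds since the first SYN
        out[key] = {"offsets": [int((e["time"] - evs[0]["time"]).total_seconds()) for e in evs],
                    "ttl": evs[0]["ttl"], "all_syn": all(e["syn"] for e in evs)}
    return out
```

Every burst is one client port retrying a SYN at +3 s and +6 s toward a server port in the ephemeral range (50817, then 47838), which is what a passive-mode FTP data connection looks like when the server-chosen data port is not allowed through the firewall (wget uses passive mode unless given --no-passive-ftp). The TTL of 114 is also worth checking against the sending host, since it points to an initial TTL of 128 rather than the 64 a Linux machine normally uses.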
6 Comments
 
LVL 8

Accepted Solution

by:
ragnarok89 earned 1400 total points
ID: 35060792
If you install Wireshark, you'll be able to trace the source. It's a great tool for exactly this kind of thing.
 
LVL 6

Assisted Solution

by:t-max
t-max earned 600 total points
ID: 35063314
Do you connect to the FTP with an active or a passive connection?
Do you know if your firewall has a rule for established and related connections?
Do you get locked out always at the same time of the day (around 19:30)? Did you check the cron of your system and users on the Ubuntu machine?
Have you checked other logs on both machines to cross reference the data on that time frame (7th March ~19:30)?
Wireshark will give you more data if you know when and where to look for it, but generates tons of it, and it's not straightforward to understand it. I hope my questions will help you find the source of it.  
 
LVL 21

Author Comment

by:Julian Matz
ID: 35192432
Sorry for the delay in getting back to this.

I'm not sure if passive or active. This is what I've been using to FTP:
cd $path && /usr/bin/wget --ftp-user='$FTPuser' --ftp-password='$FTPpass' -r -S -N ftp://$FTPhost/$filename


I did try Wireshark, but the problem seems to have gone away after I increased the intervals at which my script did its FTP routines.
 
LVL 21

Author Comment

by:Julian Matz
ID: 35409345
I'm going to close this and award points since I'm sure Wireshark would have been the solution (or at least part of the solution) had my problem persisted.
 
LVL 21

Author Comment

by:Julian Matz
ID: 35409349
I'd like to close this and award points since I'm sure Wireshark would have been the solution (or at least part of the solution) had my problem persisted.
