Solved

Linux Firewall Problem

Posted on 2011-03-07
854 Views
Last Modified: 2012-05-11
Hi! I have a problem with the firewall on one of my servers. Actually, I don't think it's a problem with the firewall itself, but rather something on my local IP address causing the remote firewall to trigger a rule that results in my IP address getting blocked so that I no longer have access to my remote system. I hope this makes sense.

What I'm trying to figure out is what's causing the firewall to block me.

The log sample is attached.

I know these blocks are triggered by an Ubuntu machine I have running here locally. There's a cron job on it that fetches some files from the remote server via FTP every 15 minutes or so, but apart from that, I've no idea where the connections are coming from, especially from and to strange TCP ports like SPT=59239 DPT=50817.

Hopefully someone can help me figure this out.
Time:    Mon Mar  7 19:35:00 2011 +0000
IP:      109.xxx.xxx.xxx (EU/-/-)
Hits:    11
Blocked: Temporary Block

Sample of block hits:
Mar  7 19:30:06 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=30225 DF PROTO=TCP SPT=59239 DPT=50817 WINDOW=8192 RES=0x00 SYN URGP=0 
Mar  7 19:30:09 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=30238 DF PROTO=TCP SPT=59239 DPT=50817 WINDOW=8192 RES=0x00 SYN URGP=0 
Mar  7 19:30:15 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=30433 DF PROTO=TCP SPT=59239 DPT=50817 WINDOW=8192 RES=0x00 SYN URGP=0 
Mar  7 19:31:39 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=597 DF PROTO=TCP SPT=59258 DPT=50817 WINDOW=8192 RES=0x00 SYN URGP=0 
Mar  7 19:31:42 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=603 DF PROTO=TCP SPT=59258 DPT=50817 WINDOW=8192 RES=0x00 SYN URGP=0 
Mar  7 19:31:48 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=768 DF PROTO=TCP SPT=59258 DPT=50817 WINDOW=8192 RES=0x00 SYN URGP=0 
Mar  7 19:33:20 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=5043 DF PROTO=TCP SPT=59315 DPT=47838 WINDOW=8192 RES=0x00 SYN URGP=0 
Mar  7 19:33:23 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=5053 DF PROTO=TCP SPT=59315 DPT=47838 WINDOW=8192 RES=0x00 SYN URGP=0 
Mar  7 19:33:29 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=5063 DF PROTO=TCP SPT=59315 DPT=47838 WINDOW=8192 RES=0x00 SYN URGP=0 
Mar  7 19:34:54 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=5730 DF PROTO=TCP SPT=59328 DPT=47838 WINDOW=8192 RES=0x00 SYN URGP=0 
Mar  7 19:34:57 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=5733 DF PROTO=TCP SPT=59328 DPT=47838 WINDOW=8192 RES=0x00 SYN URGP=0

Question by:Julian Matz
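What the log sample actually records, as an added example that is not part of the original question. Every group of blocked SYNs shares one source port and the packets arrive 3 s and then 6 s apart, which is TCP retransmitting the SYN of a single connect() that never got an answer. So the eleven hits are four connection attempts from one address to two server-side high ports (50817 and 47838), spaced roughly 90 to 100 seconds apart; it is not a port scan, but the retransmissions inflate the drop counter that the temporary block is based on. The script below is my code, not the poster's: it parses the netfilter LOG key=value fields, groups blocked SYNs by (source, source port, destination port) and reports the attempts. The sample lines are the ones from the post; the number of hits tolerated before a temporary block (`hits_before_block`) is an assumption, since that value lives in the firewall's own configuration.

```python
import re
from collections import OrderedDict
from datetime import datetime

# Constructed sample: the eleven lines quoted in the question (trailing spaces
# dropped, masked addresses kept exactly as posted).
SAMPLE_LOG = """\
Mar  7 19:30:06 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=30225 DF PROTO=TCP SPT=59239 DPT=50817 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  7 19:30:09 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=30238 DF PROTO=TCP SPT=59239 DPT=50817 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  7 19:30:15 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=30433 DF PROTO=TCP SPT=59239 DPT=50817 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  7 19:31:39 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=597 DF PROTO=TCP SPT=59258 DPT=50817 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  7 19:31:42 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=603 DF PROTO=TCP SPT=59258 DPT=50817 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  7 19:31:48 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=768 DF PROTO=TCP SPT=59258 DPT=50817 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  7 19:33:20 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=5043 DF PROTO=TCP SPT=59315 DPT=47838 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  7 19:33:23 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=5053 DF PROTO=TCP SPT=59315 DPT=47838 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  7 19:33:29 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=5063 DF PROTO=TCP SPT=59315 DPT=47838 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  7 19:34:54 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=5730 DF PROTO=TCP SPT=59328 DPT=47838 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  7 19:34:57 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=5733 DF PROTO=TCP SPT=59328 DPT=47838 WINDOW=8192 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<rest>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")          # key=value pairs; OUT= has an empty value
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}   # bare tokens netfilter emits for set flags


def parse_line(line, year=2011):
    """Parse one netfilter LOG line into a dict; None if the line is not one.
    The syslog timestamp carries no year, so the year is taken from the post."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rest = m["rest"]
    fields = dict(FIELD_RE.findall(rest))
    if "SRC" not in fields or "PROTO" not in fields:
        return None
    tokens = rest.split()
    return {
        "time": datetime.strptime(f"{m['mon']} {m['day']} {m['time']} {year}", "%b %d %H:%M:%S %Y"),
        "blocked": "Blocked*" in tokens,          # the "*TCP_IN Blocked*" tag of this firewall's log prefix
        "iface": fields.get("IN"),
        "src": fields["SRC"],
        "dst": fields.get("DST"),
        "proto": fields["PROTO"],
        "spt": int(fields["SPT"]) if fields.get("SPT") else None,
        "dpt": int(fields["DPT"]) if fields.get("DPT") else None,
        "ttl": int(fields["TTL"]) if fields.get("TTL") else None,
        "flags": {t for t in tokens if t in TCP_FLAGS},
    }


def group_attempts(packets):
    """One failed connect() appears as several SYNs from the same source port
    (TCP retransmits the SYN from the same socket until it gives up), so
    grouping blocked initial SYNs by (src, spt, dpt) recovers the attempts."""
    groups = OrderedDict()
    for p in packets:
        if not p["blocked"] or p["proto"] != "TCP":
            continue
        if "SYN" not in p["flags"] or "ACK" in p["flags"]:
            continue                               # initial SYNs only, not SYN/ACK
        groups.setdefault((p["src"], p["spt"], p["dpt"]), []).append(p["time"])
    attempts = []
    for (src, spt, dpt), times in groups.items():
        gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        attempts.append({"src": src, "spt": spt, "dpt": dpt, "syns": len(times),
                         "first": times[0].strftime("%H:%M:%S"), "gaps_s": gaps})
    return attempts


def summarize(log_text, hits_before_block):
    """hits_before_block: dropped packets from one address the firewall tolerates
    before a temporary block. Assumed here; the real value is in the firewall config."""
    packets = [p for p in map(parse_line, log_text.splitlines()) if p]
    attempts = group_attempts(packets)
    hits = sum(a["syns"] for a in attempts)
    return {
        "hits": hits,
        "attempts": attempts,
        "dest_ports": sorted({a["dpt"] for a in attempts}),
        "would_block": hits >= hits_before_block,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, hits_before_block=10)
    print(f"{report['hits']} blocked SYNs = {len(report['attempts'])} connection attempts "
          f"to ports {report['dest_ports']}; temporary block: {report['would_block']}")
    for a in report["attempts"]:
        print(f"  {a['first']}  SPT={a['spt']} -> DPT={a['dpt']}  SYNs={a['syns']}  gaps={a['gaps_s']} s")
```

The grouping is the useful part: once the retransmissions collapse into attempts, the question becomes "what on the client opens a connection to a server port it was just told about every minute and a half", which is the shape of an FTP data connection rather than of anything unsolicited.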
6 Comments
 
LVL 8

Accepted Solution

by: ragnarok89 earned 350 total points
ID: 35060792
If you install wireshark, you'll be able to trace the source. It's a great tool for exactly this kind of thing.
LVL 6

Assisted Solution

by:t-max
t-max earned 150 total points
ID: 35063314
Do you connect to the FTP with an active or a passive connection?
Do you know if your firewall has a rule for established and related connections?
Do you get locked always at the same time of the day (around 19:30)? Did you check the cron of your system and users on the ubuntu machine?
Have you checked other logs on both machines to cross reference the data on that time frame (7th March ~19:30)?
Wireshark will give you more data if you know when and where to look for it, but generates tons of it, and it's not straightforward to understand it. I hope my questions will help you find the source of it.  
LVL 21

Author Comment

by:Julian Matz
ID: 35192432
Sorry for the delay in getting back to this.

I'm not sure if passive or active. This is what I've been using to FTP:
cd $path && /usr/bin/wget --ftp-user='$FTPuser' --ftp-password='$FTPpass' -r -S -N ftp://$FTPhost/$filename

I did try Wireshark, but the problem seems to have gone away after I increased the intervals at which my script did its FTP routines.
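t-max's active-versus-passive question and the wget line above come down to which side has to let the FTP data connection in. wget uses passive mode unless `--no-passive-ftp` is given. In passive mode the server answers PASV with `227 ... (h1,h2,h3,h4,p1,p2)` and the client opens a second TCP connection to port p1*256+p2 on the server, so the server's firewall sees an inbound SYN to an ephemeral high port; that is the shape of every blocked line in the log (client 109.x sending SYN to server 174.x, DPT=50817 and 47838). In active mode the direction reverses: the client's `PORT` command advertises a port and the server connects back, so the SYN lands on the client's firewall instead. The script below is an added example (mine, not from the thread): it decodes both messages, says which firewall will see the SYN, and checks it against a server-side passive range. The addresses, the 227 and PORT strings and the port range are constructed; the byte pairs were chosen so the decoded ports equal the ones in the log.

```python
import re

# Both the PASV reply "227 ... (h1,h2,h3,h4,p1,p2)" and the PORT command
# "PORT h1,h2,h3,h4,p1,p2" carry the host and port as six decimal bytes.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text):
    """Return (host, port) from a 227 reply or PORT command; port = p1*256 + p2."""
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 tuple in {text!r}")
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"byte out of range in {text!r}")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0 is not a usable data port")
    return host, port


def data_connection(message, server_ip, client_ip):
    """Describe the data connection implied by one control-channel message.

    server_ip / client_ip are the two ends of the control connection
    (constructed values in the demo). Passive: the client connects to the
    server's advertised port, so the inbound SYN arrives at the server's
    firewall. Active: the server connects back to the client's advertised port.
    """
    head = message.strip().split(None, 1)[0].upper()
    if head == "227":
        host, port = decode_hostport(message)
        return {"mode": "passive", "src": client_ip, "dst": host, "dpt": port,
                "syn_arrives_at": "server",
                # a client should not follow an advertised address that is not the control peer
                "advertised_host_is_peer": host == server_ip}
    if head == "PORT":
        host, port = decode_hostport(message)
        return {"mode": "active", "src": server_ip, "dst": host, "dpt": port,
                "syn_arrives_at": "client",
                "advertised_host_is_peer": host == client_ip}
    raise ValueError(f"not a PASV reply or PORT command: {message!r}")


def server_firewall_admits(conn, passive_range, conntrack_ftp_helper=False):
    """Would the server-side firewall pass the data SYN?

    passive_range is the (lo, hi) range the firewall opens for passive data
    connections; it is a constructed value here and has to match the range the
    FTP daemon is configured to hand out. With the FTP connection-tracking
    helper the data connection is RELATED to the control connection, so an
    ESTABLISHED,RELATED accept rule admits it without a static range.
    """
    if conn["mode"] == "active":
        return True          # the server sends this SYN; there is nothing inbound to admit
    if conntrack_ftp_helper:
        return True
    lo, hi = passive_range
    return lo <= conn["dpt"] <= hi


if __name__ == "__main__":
    server, client = "174.0.0.2", "109.0.0.1"     # constructed stand-ins for 174.xxx / 109.xxx
    for msg in ("227 Entering Passive Mode (174,0,0,2,198,129).",
                "227 Entering Passive Mode (174,0,0,2,186,222).",
                "PORT 109,0,0,1,231,103"):
        c = data_connection(msg, server, client)
        ok = server_firewall_admits(c, passive_range=(30000, 35000))
        print(f"{c['mode']:7} {c['src']} -> {c['dst']}:{c['dpt']}  SYN arrives at {c['syn_arrives_at']}; "
              f"server firewall with range 30000-35000 admits: {ok}")
```

Every blocked packet in the log is the passive case: the client sends a SYN to the server on the port a 227 reply just advertised. If that port is outside what the firewall opens for passive data connections and no connection-tracking helper marks it RELATED, the SYN is dropped, the client retransmits it, and the per-address drop counter climbs toward the temporary block; spacing the cron job further apart only slows the counter down.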
LVL 21

Author Comment

by:Julian Matz
ID: 35409345
I'm going to close this and award points since I'm sure Wireshark would have been the solution (or at least part of the solution) had my problem persisted.
LVL 21

Author Comment

by:Julian Matz
ID: 35409349
I'd like to close this and award points since I'm sure Wireshark would have been the solution (or at least part of the solution) had my problem persisted.