Solved

Linux Firewall Problem

Posted on 2011-03-07
889 Views
Last Modified: 2012-05-11
Hi! I have a problem with the firewall on one of my servers. Actually, I don't think it's a problem with the firewall itself, but rather something on my local IP address causing the remote firewall to trigger a rule that results in my IP address getting blocked so that I no longer have access to my remote system. I hope this makes sense.

What I'm trying to figure out is what's causing the firewall to block me.

The log sample is attached.

I know these blocks are triggered by an Ubuntu machine I have running here locally. There's a cron job on it that fetches some files from the remote server via FTP every 15 minutes or so, but apart from that, I've no idea where the connections are coming from, especially from and to strange TCP ports like SPT=59239 DPT=50817.

Hopefully someone can help me figure this out.

Time:    Mon Mar  7 19:35:00 2011 +0000
IP:      109.xxx.xxx.xxx (EU/-/-)
Hits:    11
Blocked: Temporary Block

Sample of block hits:
Mar  7 19:30:06 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=30225 DF PROTO=TCP SPT=59239 DPT=50817 WINDOW=8192 RES=0x00 SYN URGP=0 
Mar  7 19:30:09 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=30238 DF PROTO=TCP SPT=59239 DPT=50817 WINDOW=8192 RES=0x00 SYN URGP=0 
Mar  7 19:30:15 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=30433 DF PROTO=TCP SPT=59239 DPT=50817 WINDOW=8192 RES=0x00 SYN URGP=0 
Mar  7 19:31:39 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=597 DF PROTO=TCP SPT=59258 DPT=50817 WINDOW=8192 RES=0x00 SYN URGP=0 
Mar  7 19:31:42 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=603 DF PROTO=TCP SPT=59258 DPT=50817 WINDOW=8192 RES=0x00 SYN URGP=0 
Mar  7 19:31:48 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=768 DF PROTO=TCP SPT=59258 DPT=50817 WINDOW=8192 RES=0x00 SYN URGP=0 
Mar  7 19:33:20 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=5043 DF PROTO=TCP SPT=59315 DPT=47838 WINDOW=8192 RES=0x00 SYN URGP=0 
Mar  7 19:33:23 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=5053 DF PROTO=TCP SPT=59315 DPT=47838 WINDOW=8192 RES=0x00 SYN URGP=0 
Mar  7 19:33:29 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=5063 DF PROTO=TCP SPT=59315 DPT=47838 WINDOW=8192 RES=0x00 SYN URGP=0 
Mar  7 19:34:54 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=5730 DF PROTO=TCP SPT=59328 DPT=47838 WINDOW=8192 RES=0x00 SYN URGP=0 
Mar  7 19:34:57 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=5733 DF PROTO=TCP SPT=59328 DPT=47838 WINDOW=8192 RES=0x00 SYN URGP=0

Question by: Julian Matz
6 Comments
LVL 8

Accepted Solution

by: ragnarok89 (earned 350 total points)
ID: 35060792
If you install Wireshark, you'll be able to trace the source. It's a great tool for exactly this kind of thing.
 
LVL 6

Assisted Solution

by: t-max (earned 150 total points)
ID: 35063314
Do you connect to the FTP server with an active or a passive connection?
Do you know if your firewall has a rule for established and related connections?
Do you get locked always at the same time of the day (around 19:30)? Did you check the cron of your system and users on the ubuntu machine?
Have you checked other logs on both machines to cross reference the data on that time frame (7th March ~19:30)?
Wireshark will give you more data if you know when and where to look for it, but it generates tons of it, and it's not straightforward to understand. I hope my questions will help you find the source of it.
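Added example (not from the question or either reply): a Python parser for the kernel log format in the question that folds the blocked packets into connection attempts and flags the retransmission pattern, so the "Hits: 11" figure can be read as a handful of connect() calls rather than eleven separate events; the high-destination-port check is a heuristic aimed at t-max's active/passive question. It assumes the "Firewall: *TCP_IN Blocked*" prefix seen in the sample; the six embedded log lines are copied from the question with addresses masked as posted.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: six of the masked "Firewall: *TCP_IN Blocked*" lines quoted in the question.
SAMPLE_LOG = """\
Mar  7 19:30:06 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=30225 DF PROTO=TCP SPT=59239 DPT=50817 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  7 19:30:09 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=30238 DF PROTO=TCP SPT=59239 DPT=50817 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  7 19:30:15 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=30433 DF PROTO=TCP SPT=59239 DPT=50817 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  7 19:33:20 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=5043 DF PROTO=TCP SPT=59315 DPT=47838 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  7 19:33:23 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=5053 DF PROTO=TCP SPT=59315 DPT=47838 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  7 19:33:29 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=5063 DF PROTO=TCP SPT=59315 DPT=47838 WINDOW=8192 RES=0x00 SYN URGP=0
"""
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) .*?Firewall: \*\w+ Blocked\* .*? SRC=(?P<src>\S+)"
    r" DST=(?P<dst>\S+) .*? PROTO=TCP SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)(?P<rest>.*)$")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}  # bare flag tokens in a netfilter LOG line

def parse_line(line, year=2011):
    """Return one packet record from a kernel firewall log line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} " + " ".join(m["ts"].split()), "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "dst": m["dst"], "spt": int(m["spt"]), "dpt": int(m["dpt"]),
            "flags": {tok for tok in m["rest"].split() if tok in TCP_FLAGS}}

def group_attempts(events):
    """Fold packets into connection attempts: a client keeps its source port while retrying
    one connect(), so the 4-tuple (src, spt, dst, dpt) identifies a single attempt."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["src"], e["spt"], e["dst"], e["dpt"])].append(e)
    attempts = []
    for (src, spt, dst, dpt), pkts in groups.items():
        pkts.sort(key=lambda e: e["ts"])
        deltas = [int((b["ts"] - a["ts"]).total_seconds()) for a, b in zip(pkts, pkts[1:])]
        attempts.append({"src": src, "spt": spt, "dst": dst, "dpt": dpt, "first": pkts[0]["ts"],
                         "packets": len(pkts), "deltas": deltas,
                         # SYN-only packets with growing gaps: one connect() being retransmitted, not a scan
                         "syn_retransmit": all(p["flags"] == {"SYN"} for p in pkts)
                                           and all(b >= a for a, b in zip(deltas, deltas[1:])),
                         # heuristic: for FTP, an unprivileged server port means a passive-mode data channel, not control port 21
                         "high_dpt": dpt > 1023})
    return sorted(attempts, key=lambda a: a["first"])

def analyse(log_text, year=2011):
    events = [e for e in (parse_line(l, year) for l in log_text.splitlines()) if e]
    hits = {src: sum(1 for e in events if e["src"] == src) for src in {e["src"] for e in events}}
    return {"attempts": group_attempts(events), "hits": hits}
```

Run `analyse(SAMPLE_LOG)` on the sample and the six hits collapse into two attempts of three SYNs each, spaced 3 s then 6 s apart, both aimed at high server ports.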
 
LVL 21

Author Comment

by: Julian Matz
ID: 35192432
Sorry for the delay in getting back to this.

I'm not sure if passive or active. This is what I've been using to FTP:
# double quotes so the shell expands the variables (single quotes would pass them literally)
cd "$path" && /usr/bin/wget --ftp-user="$FTPuser" --ftp-password="$FTPpass" -r -S -N "ftp://$FTPhost/$filename"

I did try Wireshark, but the problem seems to have gone away after I increased the intervals at which my script did its FTP routines.
 
LVL 21

Author Comment

by: Julian Matz
ID: 35409345
I'm going to close this and award points since I'm sure Wireshark would have been the solution (or at least part of the solution) had my problem persisted.
 
LVL 21

Author Comment

by: Julian Matz
ID: 35409349
I'd like to close this and award points since I'm sure Wireshark would have been the solution (or at least part of the solution) had my problem persisted.