Linux Firewall Problem

Hi! I have a problem with the firewall on one of my servers. Actually, I don't think it's a problem with the firewall itself, but rather something on my local IP address causing the remote firewall to trigger a rule that results in my IP address getting blocked so that I no longer have access to my remote system. I hope this makes sense.

What I'm trying to figure out is what's causing the firewall to block me.

The log sample is attached.

I know these blocks are triggered by an Ubuntu machine I have running here locally. There's a cron job on it that fetches some files from the remote server via FTP every 15 minutes or so, but apart from that, I've no idea where the connects are coming from, especially from and to strange TCP ports like SPT=59239 DPT=50817

Hopefully someone can help me figure this out.
Time:    Mon Mar  7 19:35:00 2011 +0000
IP:      109.xxx.xxx.xxx (EU/-/-)
Hits:    11
Blocked: Temporary Block

Sample of block hits:
Mar  7 19:30:06 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=30225 DF PROTO=TCP SPT=59239 DPT=50817 WINDOW=8192 RES=0x00 SYN URGP=0 
Mar  7 19:30:09 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=30238 DF PROTO=TCP SPT=59239 DPT=50817 WINDOW=8192 RES=0x00 SYN URGP=0 
Mar  7 19:30:15 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=30433 DF PROTO=TCP SPT=59239 DPT=50817 WINDOW=8192 RES=0x00 SYN URGP=0 
Mar  7 19:31:39 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=597 DF PROTO=TCP SPT=59258 DPT=50817 WINDOW=8192 RES=0x00 SYN URGP=0 
Mar  7 19:31:42 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=603 DF PROTO=TCP SPT=59258 DPT=50817 WINDOW=8192 RES=0x00 SYN URGP=0 
Mar  7 19:31:48 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=768 DF PROTO=TCP SPT=59258 DPT=50817 WINDOW=8192 RES=0x00 SYN URGP=0 
Mar  7 19:33:20 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=5043 DF PROTO=TCP SPT=59315 DPT=47838 WINDOW=8192 RES=0x00 SYN URGP=0 
Mar  7 19:33:23 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=5053 DF PROTO=TCP SPT=59315 DPT=47838 WINDOW=8192 RES=0x00 SYN URGP=0 
Mar  7 19:33:29 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=5063 DF PROTO=TCP SPT=59315 DPT=47838 WINDOW=8192 RES=0x00 SYN URGP=0 
Mar  7 19:34:54 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=5730 DF PROTO=TCP SPT=59328 DPT=47838 WINDOW=8192 RES=0x00 SYN URGP=0 
Mar  7 19:34:57 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=5733 DF PROTO=TCP SPT=59328 DPT=47838 WINDOW=8192 RES=0x00 SYN URGP=0
Julian Matz (Joint Chairperson) asked:
ragnarok89 commented:
If you install Wireshark, you'll be able to trace the source. It's a great tool for exactly this kind of thing.
0
 
t-max commented:
Do you connect to the FTP server with an active or a passive connection?
Do you know if your firewall has a rule for established and related connections?
Do you get locked always at the same time of the day (around 19:30)? Did you check the cron of your system and users on the ubuntu machine?
Have you checked other logs on both machines to cross reference the data on that time frame (7th March ~19:30)?
Wireshark will give you more data if you know when and where to look for it, but it generates tons of it, and it's not straightforward to understand. I hope my questions will help you find the source of it.
0
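An added example, not part of the thread, of the kind of check that helps answer the questions above before reaching for Wireshark: a small Python parser run over four of the blocked-SYN lines from the question (addresses masked as in the post), grouping them by destination port and reporting retry spacing, source ports and the likely initial TTL, which is what distinguishes one client retrying a single connection (the 3 s then 6 s gaps of a normal SYN retransmit) from a scan of many ports. It assumes the lines are iptables LOG output in the shape shown and takes the year 2011 from the block notice; wget uses passive FTP by default, so its data connections go to a high server port chosen by the server, which is the pattern to compare against.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: four of the blocked-SYN lines from the post above, with the
# addresses masked exactly as in the post. Real input would be the firewall log.
SAMPLE_LOG = """\
Mar  7 19:30:06 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=30225 DF PROTO=TCP SPT=59239 DPT=50817 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  7 19:30:09 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=30238 DF PROTO=TCP SPT=59239 DPT=50817 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  7 19:30:15 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=30433 DF PROTO=TCP SPT=59239 DPT=50817 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  7 19:33:20 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=xxx SRC=109.xxx.xxx.xxx DST=174.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=5043 DF PROTO=TCP SPT=59315 DPT=47838 WINDOW=8192 RES=0x00 SYN URGP=0
"""
# syslog timestamp, the "*TCP_IN Blocked*" tag, then iptables-style key=value fields
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) kernel: .*?\*(?P<tag>[^*]+)\* (?P<kv>.*)$")

def parse_line(line, year=2011):
    """Parse one log line into a dict; bare tokens such as DF and SYN go under 'flags'."""
    m = LINE_RE.match(line)
    if not m:
        return None
    tokens = m.group("kv").split()
    rec = {"tag": m.group("tag"), "flags": [t for t in tokens if "=" not in t]}
    rec.update(t.split("=", 1) for t in tokens if "=" in t)
    # syslog lines carry no year; 2011 is taken from the block notice in the post
    rec["ts"] = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return rec

def guess_initial_ttl(ttl):
    """Round the observed TTL up to the nearest common starting value (64, 128 or 255)."""
    return next((t for t in (64, 128, 255) if ttl <= t), None)

def summarize(log_text):
    """Group blocked TCP SYNs by (source IP, destination port) and describe each group."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec.get("PROTO") == "TCP" and "SYN" in rec["flags"]:
            flows[(rec["SRC"], int(rec["DPT"]))].append(rec)
    summary = {}
    for key, recs in flows.items():
        recs.sort(key=lambda r: r["ts"])
        gaps = [int((b["ts"] - a["ts"]).total_seconds()) for a, b in zip(recs, recs[1:])]
        summary[key] = {
            "syns": len(recs),
            "source_ports": sorted({int(r["SPT"]) for r in recs}),
            "retry_gaps_s": gaps,  # 3 s then 6 s is the normal SYN retransmit backoff
            "initial_ttl": guess_initial_ttl(int(recs[0]["TTL"])),
        }
    return summary
```

Run it over the full log instead of SAMPLE_LOG and compare the distinct destination ports with what the FTP server announces in its PASV replies; a handful of high ports, each with the same retry rhythm, points at blocked passive data connections rather than a scan.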
 
Julian Matz (Joint Chairperson, Author) commented:
Sorry for the delay in getting back to this.

I'm not sure if passive or active. This is what I've been using to FTP:
# double quotes so the shell expands the variables; inside single quotes they would be sent as the literal text $FTPuser and $FTPpass
cd "$path" && /usr/bin/wget --ftp-user="$FTPuser" --ftp-password="$FTPpass" -r -S -N "ftp://$FTPhost/$filename"
I did try Wireshark, but the problem seems to have gone away after I increased the intervals at which my script did its FTP routines.
0
 
Julian Matz (Joint Chairperson, Author) commented:
I'm going to close this and award points since I'm sure Wireshark would have been the solution (or at least part of the solution) had my problem persisted.
0
 
Julian Matz (Joint Chairperson, Author) commented:
I'd like to close this and award points since I'm sure Wireshark would have been the solution (or at least part of the solution) had my problem persisted.
0