Very Computer

Hi there,
        I am having some real problems with a new IPS.

I manage to get connected OK each time I try and the connection works
like a rocket for about 2 minutes (sometimes longer, sometimes
shorter) and then just stops.

It doesn't close entirely though.  I can still ping, and traceroute
(most of the time).  I can make connections to web pages (althought
they never load), I can get empty header lists from news groups but
(but now when there are any to down load).

I also see the following in messages and am not sure if there is a
relationship.

Any ideas anyone??

Ta

Peter

BTW, this is RH6.2, and I have used the same chains file for another
ISP with no problems.

Aug 28 08:29:30 slowey kernel: Packet log: output REJECT ppp0 PROTO=6
203.134.28.129:61008 203.134.64.67:119 L=48 S=0x00 I=9285 F=
0x4000 T=127 SYN (#35)
Aug 28 08:29:36 slowey kernel: Packet log: output REJECT ppp0 PROTO=6
203.134.28.129:61008 203.134.64.67:119 L=48 S=0x00 I=9302 F=
0x4000 T=127 SYN (#35)
Aug 28 08:30:03 slowey kernel: Packet log: output REJECT ppp0 PROTO=6
203.134.28.129:61013 203.134.65.91:110 L=48 S=0x00 I=9331 F=
0x4000 T=127 SYN (#35)
Aug 28 08:30:06 slowey kernel: Packet log: output REJECT ppp0 PROTO=6
203.134.28.129:61013 203.134.65.91:110 L=48 S=0x00 I=9332 F=
0x4000 T=127 SYN (#35)

Peter Nunn
DownUnder

Well, let's see. I use this site to help me decypher these things:
http://www.robertgraham.com/pubs/firewall-seen.html

And from /etc/protocols we find that PROTO=6 is TCP. So...

Quote:>Aug 28 08:29:30 slowey kernel: Packet log: output REJECT ppp0 PROTO=6
>203.134.28.129:61008 203.134.64.67:119 L=48 S=0x00 I=9285 F=
>0x4000 T=127 SYN (#35)

Here your OUTPUT chain is blocking a packet that you are trying to send
to port 119 at:

Name:    news.iprimus.com.au
Address:  203.134.64.67

Port 119 is Network News Transfer Protocol, carries USENET traffic.

You mentioned that this ipchains script has worked with another ISP. It
may be that your script was hard coded to allow your newsreader to ONLY
connect to your previous news provider. Therefore, when you try to
connect to your new provider (above), ipchains is blocking it.

I resolved that problem in my own ipchains script by allowing
*outgoing* connections to *any* news server:

# NNTP NEWS client (119)
# ----------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
         -s $IPADDR $UNPRIVPORTS \
         -d $NEWS_SERVER 119 -j ACCEPT

ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $NEWS_SERVER 119 \
         -d $IPADDR $UNPRIVPORTS -j ACCEPT

Quote:>Aug 28 08:30:03 slowey kernel: Packet log: output REJECT ppp0 PROTO=6
>203.134.28.129:61013 203.134.65.91:110 L=48 S=0x00 I=9331 F=
>0x4000 T=127 SYN (#35)

Here your OUTPUT chain is blocking a packet that you are trying to send
to port 110 at:

Name:    smtpgate2.syd.iprimus.com.au
Address:  203.134.65.91

Port 110 is POP3.

Once again, your script is probably hard coded to allow outgoing pop3
connections *only* to your previous provider.

Since the pop3 connection must initiated from inside, I solved this
problem like the first:

# POP client (110)
# ----------------

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
         -s $IPADDR $UNPRIVPORTS \
         --destination-port 110 -j ACCEPT

ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
         --source-port 110 \
         -d $IPADDR $UNPRIVPORTS -j ACCEPT

I hope you find this helpful.

--
Thought for the day:
<http://mysite.directlink.net/matthews/smiles/started.htm>

Peter --

It sounds that way... it looks like those SYN's from high source ports
(61,000+) are rejected packets from your masqueraded connections.

Remember, IPchains is not stateful... you have to allow these packets.
What does your ipchains rulebase look like?

Cheers,
John

Your masquraded box is trying to make a connection to your isp's news
and smtp daemons but the packets get blocked on their way out.

--
Jeroen.