SCP + iptables (firewall) - stalled transfers

From: Bell, David I. (David_I_Bell_at_intuit.com)
Date: 04/21/05

  • Next message: Mark Senior: "ssh.com sshd 3.2.x, really enforcing sftp-only"
    To: "'secureshell@securityfocus.com'" <secureshell@securityfocus.com>
    Date: Thu, 21 Apr 2005 11:41:36 -0700
    
    

    Kind Readers,

    I have a Red Hat Linux system that I'm having a bit of trouble with.

    I'm running sshd version OpenSSH_3.6.1p2
    I'm running Fedora (version 2.6.9-1.6_FC2)

    The symptom is that ssh works fine for login, but I get stalling when I try
    to use scp. Some amount of data is transferred and then somewhere around
    150K to 200K, the copy stalls. Small files copy fine (as long as there
    aren't too many of them in one command). I have read all about PMTU and
    TCPMSS. As nearly as I can tell, I've done everything I can do to open up
    and accept the right kind of traffic in the iptables firewall.

    The system I'm having trouble with is called "mvhs" (it has a fully
    qualified domain name, but that's not important for this discussion). The
    "mvhs" system sits on an Intranet behind a router. It has a public Internet
    address which is mapped to the private Intranet address in the router.

    Here's what I've tested to try to isolate the problem.

    1) I can scp successfully from my client to/from other machines (these other
    machines are on a different network and running a different version of
    Linux+iptables). Bottom line, it's not a problem with my client or the
    network my client is on.

    2) I've tried to use the "mvhs" system as the client to scp to/from other
    systems. Same stalling trouble (no surprise).

    3) If I shut down the iptables firewall on the "mvhs" system, I can
    successfully scp without stalling. As soon as I reinstate the firewall, the
    stalling behavior returns. In other words, I'm reasonably well convinced
    that it's something in my iptables configuration.

    Before you tell me to post to an iptables list, let me point out that I'm
    not having trouble figuring out how to use iptables. I don't know what in
    the heck sshd is expecting that I haven't already opened up on the firewall.
    That's where I need some ssh advice.

    Notice that on line 2 of the RH-Firewall-1-INPUT chain, all icmp traffic is
    accepted.

    Here is the configuration of the firewall on the "mvhs" system:
    -------------------------------------------------------------------------------------------------------
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    num   pkts bytes target              prot       opt in  out source   destination
    1     570K   63M RH-Firewall-1-INPUT all        --  any any anywhere anywhere
    -------------------------------------------------------------------------------------------------------
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    num   pkts bytes target              prot       opt in  out source   destination
    1        0     0 RH-Firewall-1-INPUT all        --  any any anywhere anywhere
    -------------------------------------------------------------------------------------------------------
    Chain OUTPUT (policy ACCEPT 4929 packets, 591K bytes)
    num   pkts bytes target              prot       opt in  out source   destination Extension Info
    -------------------------------------------------------------------------------------------------------
    Chain RH-Firewall-1-INPUT (2 references)
    num   pkts bytes target              prot       opt in  out source   destination
    1        0     0 ACCEPT              all        --  lo  any anywhere anywhere
    2      125 13885 ACCEPT              icmp       --  any any anywhere anywhere    icmp any
    3        0     0 ACCEPT              ipv6-crypt --  any any anywhere anywhere
    4        0     0 ACCEPT              ipv6-auth  --  any any anywhere anywhere
    5     4239  352K ACCEPT              all        --  any any anywhere anywhere    state RELATED,ESTABLISHED
    6        4   192 ACCEPT              tcp        --  any any anywhere anywhere    state NEW tcp dpt:https
    7       10   508 ACCEPT              tcp        --  any any anywhere anywhere    state NEW tcp dpt:ssh
    8        1    60 ACCEPT              tcp        --  any any anywhere anywhere    state NEW tcp dpt:smtp
    9      186  8928 ACCEPT              tcp        --  any any anywhere anywhere    state NEW tcp dpt:http
    10    566K   62M REJECT              all        --  any any anywhere anywhere    reject-with icmp-host-prohibited
    -------------------------------------------------------------------------------------------------------

    I've tried adding the following to no avail:
    iptables -I FORWARD 1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

    Thanks in advance for any insight you can offer.

    -- David
    =======================================
    David I. Bell | Intuit | Technical Education | direct 650-944-5082
    "Great people are the only sustainable competitive advantage - everything
    else can be copied"
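The audit below is an added example and is not part of David's post or the mvhs configuration. It reads an iptables-save style dump and answers the three questions a reader would settle before blaming sshd for a stalled scp behind a stateful firewall: whether a TCPMSS clamp rule actually landed in the mangle table (the only table in which iptables accepts the TCPMSS target), whether ICMP is accepted ahead of the chain's terminal REJECT so fragmentation-needed messages are not discarded, and whether the RELATED,ESTABLISHED accept is present. SAMPLE_RULES is a constructed dump modelled on the chain listing in the post, with the clamp rule placed in the mangle table; the function names (rule_table, icmp_order, stateful_accept, audit) are this example's own. On a real host, pipe the output of iptables-save into the functions instead of the sample.

```shell
#!/bin/sh
# Added audit helper, not from the post: checks an iptables-save style dump
# for the three things worth confirming when scp stalls behind a stateful
# firewall. SAMPLE_RULES is a constructed dump modelled on the chain listing
# in the post (plus a clamp rule in the mangle table); on a real host pipe
# "iptables-save" output into the functions instead.

SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT'

# Print the table holding each rule that matches extended regex $1 (stdin = dump).
rule_table() {
  awk -v pat="$1" '
    /^\*/              { table = substr($0, 2); next }  # "*mangle" -> mangle
    /^-A / && $0 ~ pat { print table }'
}

# For chain $1, print "ok" if an ICMP ACCEPT precedes the first terminal
# REJECT/DROP, "shadowed" if it comes after it, "missing" if there is none.
icmp_order() {
  awk -v chain="$1" '
    $1 == "-A" && $2 == chain {
      n++
      if (!icmp && $0 ~ /-p icmp / && $0 ~ /-j ACCEPT/) icmp = n
      if (!rej  && $0 ~ /-j (REJECT|DROP)/)             rej  = n
    }
    END {
      if (!icmp)                  print "missing"
      else if (rej && icmp > rej) print "shadowed"
      else                        print "ok"
    }'
}

# For chain $1, print "yes" if a RELATED,ESTABLISHED accept exists, else "no".
stateful_accept() {
  awk -v chain="$1" '
    $1 == "-A" && $2 == chain && /--state RELATED,ESTABLISHED/ && /-j ACCEPT/ { found = 1 }
    END { print (found ? "yes" : "no") }'
}

# Run all checks on the dump on stdin against input chain $1; print one
# finding per line and return non-zero if anything needs attention.
audit() {
  rules=$(cat)
  status=0
  clamp=$(printf '%s\n' "$rules" | rule_table '-j TCPMSS' | sort -u | tr '\n' ' ')
  clamp=${clamp% }
  case "$clamp" in
    mangle) printf 'clamp: ok (mangle table)\n' ;;
    '')     printf 'clamp: none (fine for a host that is not routing)\n' ;;
    *)      printf 'clamp: in %s; the TCPMSS target is only valid in the mangle table\n' "$clamp"
            status=1 ;;
  esac
  icmp=$(printf '%s\n' "$rules" | icmp_order "$1")
  [ "$icmp" = ok ] || status=1
  printf 'icmp accept before reject in %s: %s\n' "$1" "$icmp"
  st=$(printf '%s\n' "$rules" | stateful_accept "$1")
  [ "$st" = yes ] || status=1
  printf 'RELATED,ESTABLISHED accept in %s: %s\n' "$1" "$st"
  return $status
}

# Stand-alone run over the constructed dump.
printf '%s\n' "$SAMPLE_RULES" | audit RH-Firewall-1-INPUT
```

The clamp check is deliberately table-aware: a rule inserted with a bare `-I FORWARD` goes into the filter table, and the audit reports that as a finding rather than counting the clamp as present. The ICMP check is about ordering, not just existence, because a terminal REJECT placed above the ICMP accept would silently discard the fragmentation-needed messages that path MTU discovery depends on.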

