possible problem with iptables/ip_conntrack in 2.6.9-22 kernel

Jared Marcum marcum at mers.byu.edu
Thu Mar 16 19:05:18 UTC 2006 

I'm new to rhn and RHEL, so I'm not sure if I should ask this question
on this list or submit a bug, or both.

I have a problem which appears to be related to iptables, more 
specifically, maybe ip_conntrack in the 2.6.9-22 kernel. I have *no* 
problems with RHEL3U7 and the 2.4.21-40 kernel.

Here's my setup:
RHEL4U2
kernel-2.6.9-22.EL
Contents of /etc/sysconfig/iptables
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.2.119.0/24 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j
ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j
ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j
ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 21 -j
ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j
ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 22 -j
ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -j
ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j
ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -j LOG --log-level debug
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

Problem description:
When I ftp data off of my server with the firewall on, it always hangs
at around 450K of data transferred. It works fine with the firewall off.
Like I mentioned before, I have no problems with the 2.4.21-40 kernel
with RHEL3. I tried updating the kernel to 2.6.9-34 and I see the same
behavior.
I turned on ethereal. The problem always happens when the client starts
sending duplicate ACKs and the server tries to retransmit the lost
packets. Another further client communication does not get accepted by
the firewall and is rejected with the "host administratively down"
message given by the firewall. /proc/net/ipv4/ip_conntrack still show
the connection as ESTABLISHED, but the firewall logging shows that the
same connection is being blocked.
I the same problems with http, https, and ssh. Again, it works
fine with the same setup on RHEL3 with the 2.4.21-40 kernel.

Any help/guidance would be greatly appreciated.

Thanks,

-- 
Jared Marcum
Brigham Young University
Microwave Earth Remote Sensing
Computer Systems Administrator
marcum at mers.byu.edu
801-422-1105

More information about the redhat-list mailing list