We just set up netfilter on a RedHat Linux 7.2 firewall with kernel kernel and iptables 1.2.4-2.

We have noticed that ftp traffic is considerably slower now than with our trusty, never patched RedHat Linux 6.1 box running ipchains. A tcpdump session showing the traffic between an internal LAN IP and the DMZ server running wu-ftpd-2.6.1-20 is reproduced below:

root@ftpserver ~ # tcpdump -v -v -v "src or dst 192.168.0.67"
tcpdump: listening on eth0
20:20:21.222926 192.168.0.67.2295 > 66.66.66.66.ftp: S [tcp sum ok] 4074769634:4074769634(0) win 16384 <mss 1460> (DF) (ttl 63, id 12600, len 44)
20:20:21.223382 66.66.66.66.ftp > 192.168.0.67.2295: S [tcp sum ok] 379546187:379546187(0) ack 4074769635 win 5840 <mss 1460> (DF) (ttl 64, id 0, len 44)
20:20:21.223948 66.66.66.66.ftp > 192.168.0.67.2295: S [tcp sum ok] 379546187:379546187(0) ack 4074769635 win 5840 <mss 1460> (DF) (ttl 64, id 0, len 44)
20:20:21.223953 192.168.0.67.2295 > 66.66.66.66.ftp: . [tcp sum ok] 1:1(0) ack 1 win 17520 (DF) (ttl 63, id 12601, len 40)
20:20:21.232701 66.66.66.66.2798 > 192.168.0.67.auth: S [tcp sum ok] 378253440:378253440(0) win 5840 <mss 1460,sackOK,timestamp 2359787 0,nop,wscale 0> (DF) (ttl 64, id 45419, len 60)
20:20:21.233260 66.66.66.66.2798 > 192.168.0.67.auth: S [tcp sum ok] 378253440:378253440(0) win 5840 <mss 1460,sackOK,timestamp 2359787 0,nop,wscale 0> (DF) (ttl 64, id 45419, len 60)
20:20:24.229434 66.66.66.66.2798 > 192.168.0.67.auth: S [tcp sum ok] 378253440:378253440(0) win 5840 <mss 1460,sackOK,timestamp 2360087 0,nop,wscale 0> (DF) (ttl 64, id 45420, len 60)
20:20:24.229980 66.66.66.66.2798 > 192.168.0.67.auth: S [tcp sum ok] 378253440:378253440(0) win 5840 <mss 1460,sackOK,timestamp 2360087 0,nop,wscale 0> (DF) (ttl 64, id 45420, len 60)
20:20:34.531975 66.66.66.66.ftp > 192.168.0.67.2295: P 1:65(64) ack 1 win 5840 (DF) (ttl 64, id 27558, len 104)

We managed to speed the connection to around 20 seconds by adding the following rules to our FORWARD chain in netfilter:

/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
echo "1" > /proc/sys/net/ipv4/ip_forward

$IPTABLES -A FORWARD -p tcp -i $DMZ_IFACE --dport 113 -j REJECT
$IPTABLES -A FORWARD -p udp -i $DMZ_IFACE --dport 113 -j REJECT
$IPTABLES -A FORWARD -i $DMZ_IFACE -o $LAN_IFACE -m state \
    --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -m state \
    --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i $INET_IFACE -o $DMZ_IFACE \
    -d $OTILIO --dport 20 -j allowed
$IPTABLES -A FORWARD -p udp -i $INET_IFACE -o $DMZ_IFACE \
    -d $OTILIO --dport 20 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i $INET_IFACE -o $DMZ_IFACE \
    -d $OTILIO --dport 21 -j allowed
$IPTABLES -A FORWARD -p udp -i $INET_IFACE -o $DMZ_IFACE \
    -d $OTILIO --dport 21 -j ACCEPT

after looking in /etc/services and discovering that the auth protocol is udp port 113 and tcp port 113. Only the rules that are relevant have been reproduced. Rejecting the packets instead of the default drop helped.

We have set in our /etc/ftpaccess the following line

timeout RFC931 0

which is supposed to explicitly deny the use of the auth protocol by the ftp daemon. As can be seen from the tcpdump, the ftp server waits 13 seconds for replies to the auth requests it made, which never arrive.

Andres Adrover
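An added diagnostic, not part of the post above: a small Python script that reads tcpdump lines in the format quoted in the message and reports how many ident (auth, tcp/113) SYNs the ftp server sent without ever getting a reply, and how long the FTP banner was delayed as a result. Unanswered SYN retransmissions to port 113 followed by a banner arriving many seconds after the handshake is the signature of a firewall that silently drops ident rather than rejecting it. The sample capture is constructed from the lines in the post (one copy of each packet) and the line layout assumed is that of tcpdump 3.x as shown there.

```python
import re

# Constructed sample in the tcpdump 3.x format quoted in the post above
# (one copy of each packet; the original capture shows each one twice).
CAPTURE = """\
20:20:21.222926 192.168.0.67.2295 > 66.66.66.66.ftp: S [tcp sum ok] 4074769634:4074769634(0) win 16384 <mss 1460> (DF) (ttl 63, id 12600, len 44)
20:20:21.223382 66.66.66.66.ftp > 192.168.0.67.2295: S [tcp sum ok] 379546187:379546187(0) ack 4074769635 win 5840 <mss 1460> (DF) (ttl 64, id 0, len 44)
20:20:21.223953 192.168.0.67.2295 > 66.66.66.66.ftp: . [tcp sum ok] 1:1(0) ack 1 win 17520 (DF) (ttl 63, id 12601, len 40)
20:20:21.232701 66.66.66.66.2798 > 192.168.0.67.auth: S [tcp sum ok] 378253440:378253440(0) win 5840 <mss 1460,sackOK,timestamp 2359787 0,nop,wscale 0> (DF) (ttl 64, id 45419, len 60)
20:20:24.229434 66.66.66.66.2798 > 192.168.0.67.auth: S [tcp sum ok] 378253440:378253440(0) win 5840 <mss 1460,sackOK,timestamp 2360087 0,nop,wscale 0> (DF) (ttl 64, id 45420, len 60)
20:20:34.531975 66.66.66.66.ftp > 192.168.0.67.2295: P 1:65(64) ack 1 win 5840 (DF) (ttl 64, id 27558, len 104)
"""

# timestamp, src host.port, dst host.port, then the TCP flag character (S . P F R)
LINE = re.compile(r"^(\d+):(\d+):(\d+)\.(\d+) (\S+)\.(\S+) > (\S+)\.(\S+): (\S)")


def parse(text):
    """Yield (seconds, src_host, src_port, dst_host, dst_port, flag) per packet."""
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # "tcpdump: listening on eth0" and other non-packet lines
        h, mi, s, frac = m.group(1, 2, 3, 4)
        secs = int(h) * 3600 + int(mi) * 60 + int(s) + int(frac) / 10 ** len(frac)
        yield (secs,) + m.group(5, 6, 7, 8, 9)


def ident_stall(text):
    """Return (unanswered ident SYNs, seconds from FTP SYN to banner),
    or None if the capture holds no FTP handshake followed by a banner."""
    pkts = list(parse(text))
    ident_syns = [p for p in pkts if p[4] == "auth" and p[5] == "S"]
    ident_answered = any(p[2] == "auth" for p in pkts)  # anything *from* 113
    ftp_syn = next((p for p in pkts if p[4] == "ftp" and p[5] == "S"), None)
    banner = next((p for p in pkts if p[2] == "ftp" and p[5] == "P"), None)
    if ftp_syn is None or banner is None:
        return None
    unanswered = 0 if ident_answered else len(ident_syns)
    return unanswered, round(banner[0] - ftp_syn[0], 3)


if __name__ == "__main__":
    syns, delay = ident_stall(CAPTURE)
    print(f"{syns} ident SYN(s) never answered; FTP banner delayed {delay} s")
```

On the capture from the post this reports two unanswered ident SYNs and a 13.309 s banner delay; with a REJECT rule (or a reachable identd) the first SYN gets an immediate answer and the delay collapses to the handshake time.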
