Wow...this took a long time to get back out. Thanks to Jason Costomiris, I got the answer to the wget not working on the main box/firewall.
The module "ip_conntrack_ftp" wasn't loading. I'm still trying to figure out what's causing the systems behind the firewall to have such slow ftp connections (at least web based...).

On Fri, 2 Nov 2001, Mike Burger wrote:

> Actually, I have two issues.
>
> First is that while I have my IPTables rules running, wget is not able to
> make ftp connections. However, using Netscape/Mozilla on the same system,
> I seem to be getting the files with no problem, and they're coming down,
> at the moment, in the 30-40KB/second rate.
>
> The other is that systems behind my firewall can't seem to download files
> very quickly...like 2-3KB per second.
>
> The external interface is connected, via router, to a very lightly used
> T1.
>
> I'd love to know what I might need to do to get this cleared up.
>
> Following is my /etc/sysconfig/iptables. Specific IPs edited to protect
> the innocent:
>
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [57:4777]
> :badflags - [0:0]
> :dropwall - [0:0]
> :firewall - [0:0]
> :silent - [0:0]
> [11:1118] -A INPUT -i lo -j ACCEPT
> [0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j badflags
> [0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j badflags
> [0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j badflags
> [0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j badflags
> [0:0] -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j badflags
> [0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j badflags
> [0:0] -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
> [0:0] -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
> [0:0] -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
> [0:0] -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
> [0:0] -A INPUT -p icmp -j firewall
> [0:0] -A INPUT -i eth0 -p tcp -m tcp --dport 20 -j ACCEPT
> [0:0] -A INPUT -i eth0 -p udp -m udp --dport 20 -j ACCEPT
> [0:0] -A INPUT -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT
> [0:0] -A INPUT -i eth0 -p udp -m udp --dport 21 -j ACCEPT
> [0:0] -A INPUT -s xxx.xxx.xxx.xxx -p tcp -m tcp --dport 21 -j ACCEPT
> [0:0] -A INPUT -s xxx.xxx.xxx.xxx -p udp -m udp --dport 21 -j ACCEPT
> [0:0] -A INPUT -s xxx.xxx.xxx.xxx -p tcp -m tcp --dport 21 -j ACCEPT
> [0:0] -A INPUT -s xxx.xxx.xxx.xxx -p udp -m udp --dport 21 -j ACCEPT
> [0:0] -A INPUT -s xxx.xxx.xxx.xxx -p tcp -m tcp --dport 21 -j ACCEPT
> [0:0] -A INPUT -s xxx.xxx.xxx.xxx -p udp -m udp --dport 21 -j ACCEPT
> [0:0] -A INPUT -s xxx.xxx.xxx.xxx/yyy.yyy.yyy.yyy -p tcp -m tcp --dport 21 -j ACCEPT
> [0:0] -A INPUT -s xxx.xxx.xxx.xxx/yyy.yyy.yyy.yyy -p udp -m udp --dport 21 -j ACCEPT
> [7:508] -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
> [0:0] -A INPUT -i eth0 -p tcp -m tcp --dport 23 -j ACCEPT
> [6:395] -A INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
> [0:0] -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
> [0:0] -A INPUT -i eth0 -p tcp -m tcp --dport 110 -j ACCEPT
> [0:0] -A INPUT -i eth0 -p tcp -m tcp --dport 143 -j ACCEPT
> [0:0] -A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
> [0:0] -A INPUT -i eth1 -p udp -m udp --dport 67 -j ACCEPT
> [0:0] -A INPUT -i eth1 -p tcp -m tcp --dport 67 -j ACCEPT
> [0:0] -A INPUT -i eth1 -p udp -m udp --dport 68 -j ACCEPT
> [0:0] -A INPUT -i eth1 -p tcp -m tcp --dport 68 -j ACCEPT
> [0:0] -A INPUT -i eth0 -p tcp -m tcp --dport 113 -j ACCEPT
> [0:0] -A INPUT -i eth0 -p udp -m udp --dport 113 -j ACCEPT
> [0:0] -A INPUT -i eth0 -p tcp -m tcp --dport 504 -j ACCEPT
> [0:0] -A INPUT -i eth0 -p tcp -m tcp --dport 2000 -j ACCEPT
> [0:0] -A INPUT -s xxx.xxx.xxx.xxx -i eth0 -p tcp -m tcp --dport 10000 -j ACCEPT
> [0:0] -A INPUT -s xxx.xxx.xxx.xxx -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
> [3:724] -A INPUT -s 192.168.0.0/255.255.255.0 -j ACCEPT
> [28:10629] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> [0:0] -A INPUT -p udp -m udp --sport 137 --dport 137 -j silent
> [3:687] -A INPUT -j dropwall
> [0:0] -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> [0:0] -A FORWARD -s 192.168.0.0/255.255.255.0 -m state --state NEW -j ACCEPT
> [0:0] -A badflags -m limit --limit 15/min -j LOG --log-prefix "Badflags:"
> [0:0] -A badflags -j DROP
> [3:687] -A dropwall -m limit --limit 15/min -j LOG --log-prefix "Dropwall:"
> [3:687] -A dropwall -j DROP
> [0:0] -A firewall -m limit --limit 15/min -j LOG --log-prefix "Firewall:"
> [0:0] -A firewall -j DROP
> [0:0] -A silent -j DROP
> COMMIT
> # Completed on Wed Oct 24 22:36:20 2001
> # Generated by iptables-save v1.2.1a on Wed Oct 24 22:36:20 2001
> *mangle
> :PREROUTING ACCEPT [142:21681]
> :OUTPUT ACCEPT [118:10930]
> COMMIT
> # Completed on Wed Oct 24 22:36:20 2001
> # Generated by iptables-save v1.2.1a on Wed Oct 24 22:36:20 2001
> *nat
> :PREROUTING ACCEPT [9:1796]
> :POSTROUTING ACCEPT [1:96]
> :OUTPUT ACCEPT [5:392]
> [5:392] -A POSTROUTING -o eth0 -j MASQUERADE
> COMMIT
> # Completed on Wed Oct 24 22:36:20 2001
>
> _______________________________________________
> Seawolf-list mailing list
> [EMAIL PROTECTED]
> https://listman.redhat.com/mailman/listinfo/seawolf-list
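An added check for what this thread arrives at (example script, not from the original posts): the RELATED,ESTABLISHED rules in INPUT and FORWARD only pass FTP data connections once the FTP conntrack helper is loaded, so this audits both from iptables-save and lsmod text. The ruleset fragment and the lsmod listings are constructed samples; the module names are the real ones (ip_conntrack_ftp on 2.4 kernels, nf_conntrack_ftp on later ones).

```shell
#!/bin/sh
# Added example (not part of the original thread): check the two things FTP
# needs through a stateful iptables firewall, per the thread's conclusion:
#  1. INPUT and FORWARD accept RELATED (the data connection is RELATED to the
#     port-21 control connection);
#  2. the FTP conntrack helper is loaded, otherwise RELATED never matches
#     and the data connection is dropped (wget hangs while a browser in
#     passive mode may still work).

# $1 = chain name, $2 = iptables-save text (with or without [pkts:bytes] counters)
chain_accepts_related() {
    printf '%s\n' "$2" |
      grep -Eq -- "^(\[[0-9:]+\] )?-A $1 .*--state [A-Z,]*RELATED[A-Z,]* -j ACCEPT"
}

# $1 = lsmod text; ip_conntrack_ftp on 2.4 kernels, nf_conntrack_ftp later
ftp_helper_loaded() {
    printf '%s\n' "$1" | grep -Eq '^(ip|nf)_conntrack_ftp[[:space:]]'
}

# $1 = iptables-save text, $2 = lsmod text; succeeds only when both hold
ftp_setup_ok() {
    chain_accepts_related INPUT "$1" &&
    chain_accepts_related FORWARD "$1" &&
    ftp_helper_loaded "$2"
}

# Constructed samples: a fragment of the poster's ruleset and lsmod output
# before and after "modprobe ip_conntrack_ftp" (assumed, not captured).
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
[0:0] -A INPUT -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT
[28:10629] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -s 192.168.0.0/255.255.255.0 -m state --state NEW -j ACCEPT
COMMIT'
LSMOD_BEFORE='Module                  Size  Used by
ip_conntrack           20608   2  [ipt_state iptable_nat]'
LSMOD_AFTER='Module                  Size  Used by
ip_conntrack_ftp        4016   0  (unused)
ip_conntrack           20608   3  [ip_conntrack_ftp ipt_state iptable_nat]'

# Run with "live" on a real firewall to audit the running configuration.
if [ "${1:-}" = live ]; then
    ftp_setup_ok "$(iptables-save)" "$(lsmod)" && echo "FTP setup OK" || echo "FTP setup incomplete"
else
    ftp_setup_ok "$SAMPLE_RULES" "$LSMOD_BEFORE" || echo "before modprobe: incomplete (helper missing)"
    ftp_setup_ok "$SAMPLE_RULES" "$LSMOD_AFTER" && echo "after modprobe: OK"
fi
```

On current kernels automatic helper assignment is off (the nf_conntrack_helper sysctl that used to enable it is gone in 6.x), so loading the module alone is not enough: the helper must also be bound to the control port with a raw-table rule such as `iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp`.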
