029ah n00b
Joined: 14 Sep 2003 Posts: 15 Location: Moscow
Posted: Mon Jan 19, 2004 11:20 pm Post subject: Too big delay before tcp connection
When I'm trying to connect using ftp/ssh/ircd, the client waits too long before getting connected.
tcpdump:
Code:
02:18:01.929881 192.168.1.15.1287 > main-server.ftp: S [tcp sum ok] 549037820:549037820(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 128, id 4875, len 48)
02:18:01.929990 main-server.ftp > 192.168.1.15.1287: S [tcp sum ok] 2253108297:2253108297(0) ack 549037821 win 5840 <mss 1460,nop,nop,sackOK> (DF) (ttl 64, id 0, len 48)
02:18:01.930216 192.168.1.15.1287 > main-server.ftp: . [tcp sum ok] ack 1 win 17520 (DF) (ttl 128, id 4876, len 40)
02:18:11.942792 main-server.1037 > 192.168.1.15.auth: S [tcp sum ok] 2271566550:2271566550(0) win 5840 <mss 1460,sackOK,timestamp 18967981 0,nop,wscale 0> (DF) (ttl 64, id 14203, len 60)
02:18:11.943075 192.168.1.15.auth > main-server.1037: R [tcp sum ok] 0:0(0) ack 2271566551 win 0 (ttl 128, id 4877, len 40)
02:18:11.946551 main-server.ftp > 192.168.1.15.1287: P [tcp sum ok] 1:21(20) ack 1 win 5840 (DF) (ttl 64, id 56713, len 60)
02:18:12.114048 192.168.1.15.1287 > main-server.ftp: . [tcp sum ok] ack 21 win 17500 (DF) (ttl 128, id 4878, len 40)
02:18:15.435773 192.168.1.15.1287 > main-server.ftp: R [tcp sum ok] 549037821:549037821(0) win 0 (DF) (ttl 128, id 4879, len 40)
Where is the problem?
Thanks!
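A way to read a trace like the one above mechanically, as an added example that is not part of the thread: the script below parses tcpdump's text output (the 3.x format shown in the post, run without -n, so service names such as ftp and auth appear in place of port numbers; 113 is accepted too), finds client connections where the server's first data byte arrived long after the handshake completed, and reports what the server did in that gap. The capture embedded in the block is the one quoted above; the function and variable names are my own.

```python
import re
from datetime import datetime

# Sample input: the tcpdump lines quoted in the post above (tcpdump 3.x text
# format, run without -n, so service names stand in for port numbers).
CAPTURE = """\
02:18:01.929881 192.168.1.15.1287 > main-server.ftp: S [tcp sum ok] 549037820:549037820(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (ttl 128, id 4875, len 48)
02:18:01.929990 main-server.ftp > 192.168.1.15.1287: S [tcp sum ok] 2253108297:2253108297(0) ack 549037821 win 5840 <mss 1460,nop,nop,sackOK> (DF) (ttl 64, id 0, len 48)
02:18:01.930216 192.168.1.15.1287 > main-server.ftp: . [tcp sum ok] ack 1 win 17520 (DF) (ttl 128, id 4876, len 40)
02:18:11.942792 main-server.1037 > 192.168.1.15.auth: S [tcp sum ok] 2271566550:2271566550(0) win 5840 <mss 1460,sackOK,timestamp 18967981 0,nop,wscale 0> (DF) (ttl 64, id 14203, len 60)
02:18:11.943075 192.168.1.15.auth > main-server.1037: R [tcp sum ok] 0:0(0) ack 2271566551 win 0 (ttl 128, id 4877, len 40)
02:18:11.946551 main-server.ftp > 192.168.1.15.1287: P [tcp sum ok] 1:21(20) ack 1 win 5840 (DF) (ttl 64, id 56713, len 60)
02:18:12.114048 192.168.1.15.1287 > main-server.ftp: . [tcp sum ok] ack 21 win 17500 (DF) (ttl 128, id 4878, len 40)
02:18:15.435773 192.168.1.15.1287 > main-server.ftp: R [tcp sum ok] 549037821:549037821(0) win 0 (DF) (ttl 128, id 4879, len 40)
"""

# "HH:MM:SS.usec src.port > dst.port: FLAGS ..."; host and port are split on the last dot.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>\S+)\.(?P<sport>[^.\s:]+) > (?P<dst>\S+)\.(?P<dport>[^.\s:]+): "
    r"(?P<flags>[SRPFW.]+) "
)

# Names the ident/auth service can appear under (service name with -n omitted, number with -n).
IDENT_PORTS = {"auth", "ident", "113"}


def parse_capture(text):
    """Turn tcpdump text lines into packet dicts; lines that do not match are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        packets.append({
            "t": datetime.strptime(m["ts"], "%H:%M:%S.%f"),
            "src": m["src"], "sport": m["sport"],
            "dst": m["dst"], "dport": m["dport"],
            "flags": m["flags"],
        })
    return packets


def find_stalls(packets, threshold=1.0):
    """Report connections whose server waited more than `threshold` seconds after the
    three-way handshake before sending its first data, plus any ident probe in that gap."""
    findings = []
    for i, syn in enumerate(packets):
        if syn["flags"] != "S" or syn["dport"] in IDENT_PORTS:
            continue  # only client SYNs to the real service start a flow of interest
        client, cport, server, sport = syn["src"], syn["sport"], syn["dst"], syn["dport"]
        handshake_done = first_data = None
        for p in packets[i + 1:]:
            tup = (p["src"], p["sport"], p["dst"], p["dport"])
            if handshake_done is None and tup == (client, cport, server, sport) and p["flags"] == ".":
                handshake_done = p["t"]  # client's final ACK of the handshake
            elif handshake_done is not None and tup == (server, sport, client, cport) and "P" in p["flags"]:
                first_data = p["t"]  # server's first pushed payload (e.g. the banner)
                break
        if handshake_done is None or first_data is None:
            continue
        stall = (first_data - handshake_done).total_seconds()
        if stall < threshold:
            continue
        # Did the server open a connection back to the client's ident port in the meantime?
        probe = next((p for p in packets if p["src"] == server and p["dst"] == client
                      and p["dport"] in IDENT_PORTS and "S" in p["flags"]
                      and handshake_done <= p["t"] <= first_data), None)
        reply = None
        if probe is not None:
            ans = next((p for p in packets if p["src"] == client and p["sport"] in IDENT_PORTS
                        and p["dst"] == server and p["t"] > probe["t"]), None)
            # "rst" = client refused quickly; "none" = probe unanswered (a DROP-style firewall)
            reply = "rst" if ans and "R" in ans["flags"] else ("answered" if ans else "none")
        findings.append({
            "flow": f"{client}:{cport} -> {server}:{sport}",
            "stall_s": round(stall, 3),
            "before_ident_s": None if probe is None
                              else round((probe["t"] - handshake_done).total_seconds(), 3),
            "ident_reply": reply,
        })
    return findings


if __name__ == "__main__":
    for f in find_stalls(parse_capture(CAPTURE)):
        print(f"{f['flow']}: first data after {f['stall_s']}s; "
              f"ident probe sent at +{f['before_ident_s']}s, client reply: {f['ident_reply']}")
```

On the quoted capture this reports a 10.016 s stall with the ident probe only sent at +10.013 s and reset by the client within a millisecond. An unanswered probe (reply "none") is the DROP case the later replies warn about; here the probe itself cost nothing, so the gap lies in whatever the server does before ident, which is consistent with the reverse-lookup fix at the end of the thread.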
nharring n00b
Joined: 16 Aug 2003 Posts: 19 Location: Chicago, IL, US
Posted: Tue Jan 20, 2004 1:05 am Post subject: First guess
It's hard to tell from your tcpdump, particularly since it doesn't show what options it was run with, but I'd guess the services you're attempting to connect to are trying to run ident on you and failing.
Can you give some more details about your setup, i.e. are you running iptables/chains on the client, blocking ports, do you have identd running, how long is the delay, and if you have iptables or ipchains running, are they rejecting or dropping?
If dropping, does the problem go away when you switch to rejecting?
think4urs11 Bodhisattva
Joined: 25 Jun 2003 Posts: 6659 Location: above the cloud
Posted: Tue Jan 20, 2004 6:34 pm
Reverse lookup is OK?
_________________
Nothing is secure / Security is always a trade-off with usability / Do not assume anything / Trust no-one, nothing / Paranoia is your friend / Think for yourself
029ah n00b
Joined: 14 Sep 2003 Posts: 15 Location: Moscow
Posted: Tue Jan 20, 2004 11:07 pm
The client is a Windows/Linux machine, it does not matter. They work fine with other machines.
No ipchains/iptables on the server machine. Kernel is 2.6.0. Some services on the server work fine [Samba 3].
The tcpdump command is:
# tcpdump -i eth1
The problem is here, I don't know how to turn off the auth request:
02:18:11.942792 main-server.1037 > 192.168.1.15.auth: S
think4urs11 Bodhisattva
Joined: 25 Jun 2003 Posts: 6659 Location: above the cloud
Posted: Tue Jan 20, 2004 11:13 pm
The server tries to do an ident query.
Either set up your local firewall (if any) to reject ident rather than drop it, OR install an ident server on your local box, OR reconfigure your server to NOT ident you.
_________________
Nothing is secure / Security is always a trade-off with usability / Do not assume anything / Trust no-one, nothing / Paranoia is your friend / Think for yourself
voidx n00b
Joined: 20 Mar 2003 Posts: 40 Location: Czech Republic
Posted: Wed Jan 21, 2004 4:49 pm
Hi!
Just a line from my iptables script, if you'll use it:
Code:
$IPTABLES -A INPUT -i eth0 -p tcp --dport 113 -j REJECT
eth0 is my inet interface. As already said, there must be REJECT instead of DROP, otherwise the server will wait for a response...
_________________
[brkerez]
guitard00d Tux's lil' helper
Joined: 19 Dec 2003 Posts: 81 Location: Minatare, NE, USA, Earth
Posted: Thu Jan 22, 2004 10:52 pm
voidx wrote:
Code:
$IPTABLES -A INPUT -i eth0 -p tcp --dport 113 -j REJECT

I've found that this actually performs much better...
Code:
$IPTABLES -A INPUT -p tcp -i $EXTIF --dport 113 -j REJECT --reject-with tcp-reset
_________________
I know you believe you understand what you think I said, but I'm not sure you realize that what you heard is not what I meant...
--Richard Nixon
029ah n00b
Joined: 14 Sep 2003 Posts: 15 Location: Moscow
Posted: Thu Feb 05, 2004 9:56 pm
Solved. The problem was in my local DNS server, tinydns.
I've added an A-type record
IP.IP.IP.XX A hostXX
and now it works fine.
tinydns waits a long time when it doesn't know anything about the request.