IPTables and emerge --sync

JasonRDavis · n00b Joined: 12 Dec 2005 Posts: 6

I'm having a problem rsyncing:

firewall ~ # emerge --sync
>>> starting rsync with rsync://140.211.166.165/gentoo-portage...
>>> checking server timestamp ...
rsync: failed to connect to 140.211.166.165: Connection timed out
rsync error: error in socket IO (code 10) at clientserver.c(8

>>> retry ...

>>> Starting retry 1 of 3 with rsync://38.99.64.200/gentoo-portage
>>> checking server timestamp ...
rsync error: received SIGUSR1 or SIGINT (code 20) at rsync.c(249)

Exiting on signal 2 <--- CTRL+C
firewall ~#

I've tried opening up the OUTPUT/INPUT ports for rsync (873), but no cigar. The box is running a relatively tight configuration of IPTables, and handles alot of forwarding (nothing out of the ordinary).

With IPTables disabled, emerge --sync works perfectly, so the problem is definitely IPTables related.

I've tried:

iptables -A OUTPUT -s 0/0 -p tcp --dport 873 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 873 -j ACCEPT
iptables -A OUTPUT -s xxx.213.18.125 -p tcp --dport 873 -j ACCEPT <--- xxx.213.18.125 = My outside IP address

I've tried similar sytax for the INPUTchain, both tcp and udp, as well. I've also tried a ton more different variations, but nothing seems to let it go through. I'm a seasoned IPTables user, and I have configured a bunch of systems with it. So I'm in the dark, as it should work but it doesn't. I don't fully understand the inner workings of rsync, so that's probably why I can't unblock everything that's necessary for it to sync. I know it's probably something very simple, just I can't see it.

Any help would be greatly appreciated!

pjp · Administrator Joined: 16 Apr 2002 Posts: 20589

Most likely you'll need to add a line including "-m state --state ESTABLISHED,RELATED -j ACCEPT"
_________________
Quis separabit? Quo animo?

BradN · Posted: Mon Dec 12, 2005 8:05 pm Post subject:

Maybe a stupid question, but are you able to make outgoing http connections (or anything else that you'd have to manually unblock?)

Also, I'm not sure if it's a typo or what, but you didn't specify a table with -t to add the rules to.

pjp · Administrator Joined: 16 Apr 2002 Posts: 20589

JasonRDavis · n00b Joined: 12 Dec 2005 Posts: 6

Well, I've got that in my FORWARD chain:

ACCEPT tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED

But I've never needed it in the OUTPUT/INPUT chains. Should I just put it in the OUTPUT / INPUT chain? or both. I would assume only in the output chain would suffice.

Also, I unblocked DNS a while ago, and it works wonderfully. But, for the sake of testing, I unblocked http(80), and it works good (tested with wget). It's a firewall though, so I won't be surfing the web on it anytime soon.

JasonRDavis · n00b Joined: 12 Dec 2005 Posts: 6

This fixed it,

iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 873 -j ACCEPT

iptables -I OUTPUT m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 873 -j ACCEPT

I'll sort out what is necessay later, I'm sure all four commands aren't needed but for the sake of troubleshooting I put it in both chains.

Thanks for the help! This can be marked as solved!

splooge · l33t Joined: 30 Aug 2002 Posts: 636