ftp connections take very long

Jean-Pierre Schwickerath <lists@schwicky.net>
12 Jan 2002 20:18:03 CET


Hello, 

I'm using iptables 1.2.5 compiled on a 2.4.17 kernel. I activated everything in
the netfilter part. No modules, all direct into the kernel. 

I'm doing masquerading on a LAN over a DSL-Line. 

eth1 is lan, ppp0 is DSL connection to the net

basic rules are
DROP all
masquerade
and

$IPTABLES -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i eth1 -s $LAN_NET -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -i ppp0 -s ! $LAN_NET -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW,ESTABLISHED,RELATED -i eth1 -s $LAN_NET -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -i ppp0 -s ! $LAN_NET -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -o eth1 -s $LAN_NET -d $LAN_NET -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -o ppp0 -d ! $LAN_NET -j ACCEPT


Now, when I initiate an ftp connection from a client on the LAN, I see:
Connected to ftp.xxx.xxx
and then it takes 5-10 seconds before I see
220 FTP Server ready.
Name (ftp.xxx.xxx):

At the same time I saw some dropped packets in the INPUT chain on the firewall.
I started logging and saw that the ftp server sends packets to port 113,
which are dropped.
I added a rule 
$IPTABLES -A INPUT -p tcp -i ppp0 -d ! $LAN_NET --dport 113 -j ACCEPT

and oh wonder, ftp is now working without lagging before the authentication.

My question is: why does the connection tracking not see the answer to port 113
as related to the ftp connection which has just been opened?
And why is it in the INPUT chain and not the FORWARD chain?

Thanks,

Jean-Pierre

-- 
Jean-Pierre Schwickerath - Powered by LinuxFromScratch
E-Mail: email@schwicky.net - http://schwicky.net
PGP Key ID: 0xEE6F49B4 - AIM/Jabber: Schwicky - ICQ: 4690141

Nothing's impossible... Everything is relative!
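Added example (not part of the post above, and not the poster's code): a small log-correlation script that shows why the port-113 packets land where they do. An FTP server that performs an ident lookup (TCP/113) opens a new TCP connection back to the client's source address. Behind masquerading that address is the firewall's own ppp0 address, so the SYN arrives in INPUT rather than FORWARD, and the FTP connection-tracking helper has no reason to mark it RELATED, since it is a separate inbound connection, not an FTP data channel. The script parses netfilter LOG lines and pairs each dropped inbound SYN to port 113 with the outbound FTP SYN that preceded it. The sample log lines, the `--log-prefix` strings `OUT_NEW` and `IN_DROP`, the firewall address 198.51.100.7 and the LAN/server addresses are all constructed for this example.

```python
"""Correlate dropped inbound ident (TCP/113) SYNs with outgoing FTP sessions
in netfilter LOG output.

Everything below is constructed for illustration: the log lines imitate the
LOG target's KEY=VALUE format, the prefixes OUT_NEW / IN_DROP are assumed
--log-prefix values, and all addresses are documentation ranges.
"""
import re
from datetime import datetime

FW_PUBLIC_IP = "198.51.100.7"   # assumed address of ppp0 after masquerading (constructed)
CORRELATION_WINDOW_S = 30       # an ident probe must follow the FTP SYN within this many seconds

# Constructed sample: one FTP SYN leaving via ppp0, two dropped ident SYNs from the
# same FTP server (the retransmission is the visible "lag"), and one unrelated drop.
SAMPLE_LOG = """\
Jan 12 20:18:01 fw kernel: OUT_NEW IN=eth1 OUT=ppp0 SRC=192.168.1.20 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4401 DF PROTO=TCP SPT=1032 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 12 20:18:01 fw kernel: IN_DROP IN=ppp0 OUT= SRC=203.0.113.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=3345 DPT=113 WINDOW=5792 RES=0x00 SYN URGP=0
Jan 12 20:18:04 fw kernel: IN_DROP IN=ppp0 OUT= SRC=203.0.113.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=3345 DPT=113 WINDOW=5792 RES=0x00 SYN URGP=0
Jan 12 20:18:10 fw kernel: IN_DROP IN=ppp0 OUT= SRC=203.0.113.99 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=48 ID=771 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: (?P<prefix>.*?)\s*IN=(?P<rest>.*)$"
)


def parse_log_line(line):
    """Split one LOG line into (timestamp, prefix, fields, flags).

    fields holds the KEY=VALUE tokens (IN, OUT, SRC, DST, PROTO, SPT, DPT, ...);
    flags holds bare tokens such as DF, SYN, ACK. Returns None for other lines.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year is irrelevant for deltas
    fields, flags = {}, set()
    for token in ("IN=" + m.group("rest")).split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
        else:
            flags.add(key)
    return ts, m.group("prefix").strip(), fields, flags


def correlate_ident_drops(log_text, fw_ip=FW_PUBLIC_IP, window_s=CORRELATION_WINDOW_S):
    """Return one finding per dropped inbound TCP/113 SYN that follows an outbound FTP SYN.

    The ident SYN is addressed to the firewall itself (DST == fw_ip), which is why it
    traverses INPUT, and it is a fresh connection initiated by the server, which is why
    the FTP helper never marks it RELATED.
    """
    ftp_syns = []   # (timestamp, "lan_client:port", ftp_server_ip)
    findings = []
    for line in log_text.splitlines():
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        ts, _prefix, f, flags = parsed
        # Only initial SYNs (no ACK) are interesting for pairing connections.
        if f.get("PROTO") != "TCP" or "SYN" not in flags or "ACK" in flags:
            continue
        if f.get("OUT") == "ppp0" and f.get("DPT") == "21":
            ftp_syns.append((ts, f["SRC"] + ":" + f["SPT"], f["DST"]))
        elif f.get("IN") == "ppp0" and f.get("DST") == fw_ip and f.get("DPT") == "113":
            for ftp_ts, client, server in ftp_syns:
                if server == f["SRC"] and 0 <= (ts - ftp_ts).total_seconds() <= window_s:
                    findings.append({
                        "time": ts.strftime("%H:%M:%S"),
                        "ftp_server": server,
                        "lan_client": client,
                        "reason": "ident probe to the firewall's own address: "
                                  "new inbound connection, hits INPUT, not RELATED",
                    })
                    break
    return findings


if __name__ == "__main__":
    for finding in correlate_ident_drops(SAMPLE_LOG):
        print(finding)
```

Each dropped ident SYN appears as its own finding, so the repeated entries from the same server show the retransmissions that make up the delay before the `220` banner: with DROP the server waits out its own timeout before giving up on the lookup. The common defensive alternative to accepting port 113 is to answer it with `REJECT --reject-with tcp-reset`, which makes the server abandon the ident query immediately without opening any inbound service.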