Network Security Secure-Shell

SCP + iptables (firewall) - stalled transfers

Subject: SCP + iptables (firewall) - stalled transfers
Date: Thu, 21 Apr 2005 11:41:36 -0700
Kind Readers,

I have a Red Hat Linux system that I'm having a bit of trouble with.

I'm running sshd version OpenSSH_3.6.1p2
I'm running Fedora (version 2.6.9-1.6_FC2)

The symptom is that ssh works fine for login, but I get stalling when I try
to use scp.  Some amount of data is transferred and then somewhere around
150K to 200K, the copy stalls.  Small files copy fine (as long as there
aren't too many of them in one command).  I have read all about PMTU and
TCPMSS.  As nearly as I can tell, I've done everything I can do to open up
and accept the right kind of traffic in the iptables firewall.

The system I'm having trouble with is called "mvhs" (it has a fully
qualified domain name, but that's not important for this discussion).  The
"mvhs" system sits on an Intranet behind a router.  It has a public Internet
address which is mapped to the private Intranet address in the router.

Here's what I've tested to try to isolate the problem.

1) I can scp successfully from my client to/from other machines (these other
machines are on a different network and running a different version of
Linux+iptables).  Bottom line, it's not a problem with my client or the
network my client is on.

2) I've tried to use the "mvhs" system as the client to scp to/from other
systems.  Same stalling trouble (no surprise).

3) If I shut down the iptables firewall on the "mvhs" system, I can
successfully scp without stalling.  As soon as I reinstate the firewall, the
stalling behavior returns.  In other words, I'm reasonably well convinced
that it's something in my iptables configuration.

Before you tell me to post to an iptables list, let me point out that I'm
not having trouble figuring out how to use iptables.  I don't know what in
the heck sshd is expecting that I haven't already opened up on the firewall.
That's where I need some ssh advice.

Notice that on line 2 of the RH-Firewall-1-INPUT chain, all icmp traffic is
accepted.

Here is the configuration of the firewall on the "mvhs" system:
-------------------------------------------------------------------------------
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target               prot opt in     out     source     destination
1     570K   63M RH-Firewall-1-INPUT  all  --  any    any     anywhere   anywhere
-------------------------------------------------------------------------------
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target               prot opt in     out     source     destination
1        0     0 RH-Firewall-1-INPUT  all  --  any    any     anywhere   anywhere
-------------------------------------------------------------------------------
Chain OUTPUT (policy ACCEPT 4929 packets, 591K bytes)
num   pkts bytes target     prot opt in     out     source     destination       Extension Info
-------------------------------------------------------------------------------
Chain RH-Firewall-1-INPUT (2 references)
num   pkts bytes target     prot opt in     out     source     destination
1        0     0 ACCEPT     all  --  lo     any     anywhere   anywhere
2      125 13885 ACCEPT     icmp --  any    any     anywhere   anywhere   icmp any
3        0     0 ACCEPT     ipv6-crypt -- any any   anywhere   anywhere
4        0     0 ACCEPT     ipv6-auth --  any  any  anywhere   anywhere
5     4239  352K ACCEPT     all  --  any    any     anywhere   anywhere   state RELATED,ESTABLISHED
6        4   192 ACCEPT     tcp  --  any    any     anywhere   anywhere   state NEW tcp dpt:https
7       10   508 ACCEPT     tcp  --  any    any     anywhere   anywhere   state NEW tcp dpt:ssh
8        1    60 ACCEPT     tcp  --  any    any     anywhere   anywhere   state NEW tcp dpt:smtp
9      186  8928 ACCEPT     tcp  --  any    any     anywhere   anywhere   state NEW tcp dpt:http
10    566K   62M REJECT     all  --  any    any     anywhere   anywhere   reject-with icmp-host-prohibited
-------------------------------------------------------------------------------

I've tried adding the following to no avail:
iptables -I FORWARD 1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

Thanks in advance for any insight you can offer.

-- David
=======================================
David I. Bell | Intuit | Technical Education | direct 650-944-5082
"Great people are the only sustainable competitive advantage - everything
else can be copied"
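Added example, not part of the post or the list archive: a small Python rule-walker over the RH-Firewall-1-INPUT chain listed above, tracing which rule each packet class of an scp session hits. The ingress interface name eth0 and the packet descriptions are assumptions made for the walk-through.

```python
import re

# Constructed sample: the RH-Firewall-1-INPUT rules from the post, one rule per line.
CHAIN_LISTING = """\
1        0     0 ACCEPT     all  --  lo     any     anywhere  anywhere
2      125 13885 ACCEPT     icmp --  any    any     anywhere  anywhere  icmp any
3        0     0 ACCEPT     ipv6-crypt -- any any   anywhere  anywhere
4        0     0 ACCEPT     ipv6-auth --  any  any  anywhere  anywhere
5     4239  352K ACCEPT     all  --  any    any     anywhere  anywhere  state RELATED,ESTABLISHED
6        4   192 ACCEPT     tcp  --  any    any     anywhere  anywhere  state NEW tcp dpt:https
7       10   508 ACCEPT     tcp  --  any    any     anywhere  anywhere  state NEW tcp dpt:ssh
8        1    60 ACCEPT     tcp  --  any    any     anywhere  anywhere  state NEW tcp dpt:smtp
9      186  8928 ACCEPT     tcp  --  any    any     anywhere  anywhere  state NEW tcp dpt:http
10    566K   62M REJECT     all  --  any    any     anywhere  anywhere  reject-with icmp-host-prohibited
"""

def parse_chain(listing):
    """Parse `iptables -L -n -v --line-numbers` rule lines into match criteria."""
    rules = []
    for line in listing.splitlines():
        f = line.split()
        if len(f) < 10: continue  # header or blank line
        extra = " ".join(f[10:])  # match extensions: state ..., tcp dpt:...
        state = re.search(r"state (\S+)", extra)
        dport = re.search(r"dpt:(\S+)", extra)
        rules.append({"num": int(f[0]), "target": f[3], "prot": f[4], "in": f[6],
                      "states": set(state.group(1).split(",")) if state else None,
                      "dport": dport.group(1) if dport else None})
    return rules

def first_match(rules, pkt):
    """Walk the chain top to bottom; return (rule number, target) of the first hit."""
    for r in rules:
        if (r["prot"] in ("all", pkt["proto"]) and r["in"] in ("any", pkt["iface"])
                and (r["states"] is None or pkt["state"] in r["states"])
                and (r["dport"] is None or r["dport"] == pkt.get("dport"))):
            return r["num"], r["target"]
    return None, "policy"  # fell off the chain: the chain policy decides

def scp_verdicts(rules):
    """Trace each packet class an scp session on the host produces through the chain."""
    flows = {  # constructed packet descriptions; eth0 is an assumed interface name
        "ssh SYN from client":      dict(proto="tcp", iface="eth0", state="NEW", dport="ssh"),
        "ssh data, established":    dict(proto="tcp", iface="eth0", state="ESTABLISHED", dport="ssh"),
        "ICMP frag-needed (PMTU)":  dict(proto="icmp", iface="eth0", state="RELATED"),
        "unrelated new tcp (imap)": dict(proto="tcp", iface="eth0", state="NEW", dport="imap"),
    }
    return {name: first_match(rules, pkt) for name, pkt in flows.items()}
```

Every packet class of the scp flow lands on an ACCEPT in this chain (rules 7, 5 and 2), which is the poster's point about ICMP and RELATED,ESTABLISHED. Note also that the FORWARD chain only sees packets routed through the box, not packets to or from the box itself, so a TCPMSS rule inserted there never touches mvhs's own ssh connection, consistent with the FORWARD counters reading 0 packets.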

