SSH Problems + CentOS

From FusionNetwork


Problems with SSH dying during large SCP operations?
Is your server not displaying full web pages to some remote clients but not others? Chances are it's a firewall problem. The full explanation and the fix follow.

This is a problem I ran into a while back. Some of our clients couldn't view the whole web page for a few of our applications. It wasn't because they had a slow connection to the server (ping under 100), and it wasn't the application's fault. It turned out to be a new default setting in the CentOS 5 firewall.

Basically, what would happen is that either very large SCP transfers would die on us, or some of our clients couldn't fully load a page. We found that this was because of an old or poorly configured router somewhere on the internet which was dropping our packets.

The fix is to remove this line from your /etc/sysconfig/iptables file.

-A INPUT -j REJECT --reject-with icmp-host-prohibited

Replace it with this:

# Fix the firewall
-A FORWARD -p icmp --icmp-type fragmentation-needed -j ACCEPT
-A FORWARD -p icmp -j DROP
-A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
-A INPUT -p icmp -j DROP
# Below is part of the firewall fix: the original REJECT line, now commented out
#-A INPUT -j REJECT --reject-with icmp-host-prohibited
Why this happens:
The line you just replaced blocks ALL ICMP packets. That is fine if you don't want to allow ping and a few other things, but it also blocks something very important related to "DF" (Don't Fragment) packets.
If you have this set and your path to a client runs through a router somewhere on the net with an MTU under 1500, that router sends back an ICMP "fragmentation needed" message saying it can't fragment and can't pass the packet. Your server ignores it because of the ICMP block, and the packets die out in the cloud.
With the fix above you can still block most ICMP requests to your server without killing large SCP transfers or leaving web pages half loaded.
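As an added example (not from the original article), the script below lints a rules file in the /etc/sysconfig/iptables format for the problem just described: it reports whether "fragmentation-needed" is explicitly accepted before any rule that drops or rejects ICMP, and whether the chain still ends in a default deny once the REJECT line is commented out. Both rule sets are constructed samples; the check assumes rules are evaluated in order, first match wins.

```shell
#!/bin/sh
# Added example (not from the original page): lint a rules file in the
# /etc/sysconfig/iptables (iptables-save) format for the Path MTU Discovery
# problem above. Rule order matters: the first matching rule wins.

# Constructed sample: a CentOS 5 style INPUT chain before the fix. The final
# REJECT catches every packet not accepted above it, ICMP included.
BEFORE_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Constructed sample: the same chain after applying the fix from the article.
AFTER_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
-A INPUT -p icmp -j DROP
#-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# pmtud_status RULES CHAIN: "accepted" if fragmentation-needed is explicitly
# accepted before any rule in CHAIN that drops/rejects ICMP (or everything),
# "blocked" if such a rule comes first, "open" if neither is present.
pmtud_status() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        /^#/ { next }    # commented-out rules are not loaded
        $1 == "-A" && $2 == chain {
            if ($0 ~ /fragmentation-needed/ && $0 ~ /-j ACCEPT/) { r = "accepted"; exit }
            if ($0 ~ /-j (DROP|REJECT)/ && ($0 ~ /-p icmp/ || $0 !~ /-p /)) { r = "blocked"; exit }
        }
        END { print (r == "" ? "open" : r) }'
}

# default_deny RULES CHAIN: "yes" if CHAIN has a DROP policy or an
# unconditional DROP/REJECT rule, else "no". Commenting out the REJECT line,
# as the fix does, leaves the ACCEPT policy in charge of unmatched traffic.
default_deny() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        /^#/ { next }
        $1 == (":" chain) && $2 == "DROP" { d = 1 }
        $1 == "-A" && $2 == chain && $0 !~ /-[pmsdi] / && $0 ~ /-j (DROP|REJECT)/ { d = 1 }
        END { print (d ? "yes" : "no") }'
}

echo "before: pmtud=$(pmtud_status "$BEFORE_RULES" INPUT) default_deny=$(default_deny "$BEFORE_RULES" INPUT)"
echo "after:  pmtud=$(pmtud_status "$AFTER_RULES" INPUT) default_deny=$(default_deny "$AFTER_RULES" INPUT)"
```

If the "after" file reports default_deny=no, either set the INPUT policy to DROP or re-add the REJECT line after the ICMP rules so that unmatched traffic is still refused.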

Hope it helps!