Hi all, I was curious as to whether anyone out there has seen this problem before. I have a CentOS machine running as a firewall with a bunch of IPtables rules. Often, as in almost always, after sending largish amounts of data (as small as listing a directory, sometimes), the ssh session just hangs. With iptables disabled, this doesn't happen. Example: Spew some data: while : ; do cat /var/log/messages.1;done Works fine with iptables disabled. If I enable IPtables, it dies after a few hundred lines. "dies" meaning that no keys work, and ~. doesn't do anything for some time. At some point, I can do a ~. and relogin. Other ssh sessions continue to work as normal. I'm coming in on eth1 from a computer on the local network. # Generated by iptables-save v1.3.5 on Tue Jul 24 17:46:18 2007 *nat :PREROUTING ACCEPT [30:4215] :POSTROUTING ACCEPT [1:72] :OUTPUT ACCEPT [3:232] -A POSTROUTING -o eth0 -j MASQUERADE -A POSTROUTING -o eth2 -j MASQUERADE COMMIT # Completed on Tue Jul 24 17:46:18 2007 # Generated by iptables-save v1.3.5 on Tue Jul 24 17:46:18 2007 *mangle :PREROUTING ACCEPT [313:27319] :INPUT ACCEPT [311:26987] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [191:67145] :POSTROUTING ACCEPT [191:67145] COMMIT # Completed on Tue Jul 24 17:46:18 2007 # Generated by iptables-save v1.3.5 on Tue Jul 24 17:46:18 2007 *filter :FORWARD ACCEPT [0:0] :ControlSrcDest - [0:0] :INPUT ACCEPT [0:0] :RH-Firewall-1-INPUT - [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -j RH-Firewall-1-INPUT -A FORWARD -j ControlSrcDest -A FORWARD -j RH-Firewall-1-INPUT -A RH-Firewall-1-INPUT -i lo -j ACCEPT -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT -A RH-Firewall-1-INPUT -p esp -j ACCEPT -A RH-Firewall-1-INPUT -p ah -j ACCEPT -A RH-Firewall-1-INPUT -p udp -m udp -d 224.0.0.251 --dport 5353 -j ACCEPT -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 22 --state NEW -j ACCEPT -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 10000 -j ACCEPT -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 443 -j ACCEPT -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -j ACCEPT -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 23 -j ACCEPT -A RH-Firewall-1-INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports 2000,1045,1044,6090,427 -A RH-Firewall-1-INPUT -p udp -m udp --dport 514 -j ACCEPT -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 514 -j ACCEPT # Allow NFS on Fixed ports. -A RH-Firewall-1-INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports 111,4000,2049,4001,4002,4003,673,677 -A RH-Firewall-1-INPUT -p udp -m udp -m multiport -j ACCEPT --dports 111,4000,2049,4001,4002,4003,673,677 -A RH-Firewall-1-INPUT -p udp -m udp ! --dport 137:138 -j LOG -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited -A ControlSrcDest -i lo -j ACCEPT # Allow To VPN -A ControlSrcDest -o eth1 -j ACCEPT # Allow if src is VPN -A ControlSrcDest -i eth1 -j ACCEPT -A ControlSrcDest -j LOG -A ControlSrcDest -j REJECT --reject-with icmp-net-unreachable COMMIT # Completed on Tue Jul 24 17:46:18 2007
