From: "eNet"
Subject: iptables delay connection phase
Date: Mon, 30 Jun 2003 09:14:14 +0200
Message-ID: <002d01c33ed7$360fc600$8101a8c0@tani>
To: netfilter@lists.netfilter.org

Hello List,

I am new to iptables and the list.

I have a problem when my dialup clients try to check their emails. There is a delay because of iptables. On that box I use Linux kernel 2.4.19 and rc.firewall.

Here are more details of what is happening:

Case 1. Without iptables. It is OK. No delay.

19:45:51.756818 arp who-has xxx.xxx.xxx.1 tell xxx.xxx.xxx.129
19:45:51.756837 arp reply xxx.xxx.xxx.1 is-at yy:yy:yy:yy:yy
19:45:51.756920 xxx.xxx.xxx.129.2814 > NS1.enet.org.al.pop3: S 1490445489:1490445489(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
19:45:51.756988 NS1.enet.org.al.pop3 > xxx.xxx.xxx.129.2814: S 401842756:401842756(0) ack 1490445490 win 5840 <mss 1460,nop,nop,sackOK> (DF)
19:45:51.757102 xxx.xxx.xxx.129.2814 > NS1.enet.org.al.pop3: . ack 1 win 17520 (DF)
19:45:51.761677 xxx.xxx.xxx.1.48021 > xxx.xxx.xxx.129.auth: S 387191140:387191140(0) win 5840 <mss 1460,sackOK,timestamp 251690774 0,nop,wscale 0> (DF)
19:45:51.761856 xxx.xxx.xxx.129.auth > xxx.xxx.xxx.1.48021: R 0:0(0) ack 387191141 win 0

etc...

Case 2. iptables activated. Problem: delay

20:00:43.670848 xxx.xxx.xxx.129.2824 > NS1.enet.org.al.pop3: S 1713847144:1713847144(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
20:00:43.670903 NS1.enet.org.al.pop3 > xxx.xxx.xxx.129.2824: S 1342878817:1342878817(0) ack 1713847145 win 5840 <mss 1460,nop,nop,sackOK> (DF)
20:00:43.671015 xxx.xxx.xxx.129.2824 > NS1.enet.org.al.pop3: . ack 1 win 17520 (DF)
20:00:43.672185 xxx.xxx.xxx.1.48326 > xxx.xxx.xxx.129.auth: S 1340299399:1340299399(0) win 5840 <mss 1460,sackOK,timestamp 251779965 0,nop,wscale 0> (DF)

now it goes around (!!!!!??)

20:00:43.672291 xxx.xxx.xxx.129.auth > xxx.xxx.xxx.1.48326: R 0:0(0) ack 1340299400 win 0
20:00:46.666594 xxx.xxx.xxx.1.48326 > xxx.xxx.xxx.129.auth: S 1340299399:1340299399(0) win 5840 <mss 1460,sackOK,timestamp 251780265 0,nop,wscale 0> (DF)
20:00:46.666744 192.168.1.129.auth > xxx.xxx.xxx.1.48326: R 0:0(0) ack 1 win 0
20:00:52.666607 192.168.1.1.48326 > xxx.xxx.xxx.129.auth: S 1340299399:1340299399(0) win 5840 <mss 1460,sackOK,timestamp 251780865 0,nop,wscale 0> (DF)
20:00:52.666754 xxx.xxx.xxx.129.auth > xxx.xxx.xxx.1.48326: R 0:0(0) ack 1 win 0

until here:

20:01:04.666637 xxx.xxx.xxx.1.48326 > xxx.xxx.xxx.129.auth: S 1340299399:1340299399(0) win 5840 <mss 1460,sackOK,timestamp 251782065 0,nop,wscale 0> (DF)
etc....

Any help appreciated.

Tani
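
Added example (not part of the original message): a small Python parser for the tcpdump lines of the "iptables activated" trace above. It groups SYN segments by source port, destination port and initial sequence number and reports the gaps between repeated copies. The function name and the grouping key are choices made for this example; the trace lines are copied from the message.

```python
import re
from collections import defaultdict
from datetime import datetime

# Lines copied from the "iptables activated" trace in the message above.
TRACE = """\
20:00:43.670848 xxx.xxx.xxx.129.2824 > NS1.enet.org.al.pop3: S 1713847144:1713847144(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
20:00:43.670903 NS1.enet.org.al.pop3 > xxx.xxx.xxx.129.2824: S 1342878817:1342878817(0) ack 1713847145 win 5840 <mss 1460,nop,nop,sackOK> (DF)
20:00:43.671015 xxx.xxx.xxx.129.2824 > NS1.enet.org.al.pop3: . ack 1 win 17520 (DF)
20:00:43.672185 xxx.xxx.xxx.1.48326 > xxx.xxx.xxx.129.auth: S 1340299399:1340299399(0) win 5840 <mss 1460,sackOK,timestamp 251779965 0,nop,wscale 0> (DF)
20:00:43.672291 xxx.xxx.xxx.129.auth > xxx.xxx.xxx.1.48326: R 0:0(0) ack 1340299400 win 0
20:00:46.666594 xxx.xxx.xxx.1.48326 > xxx.xxx.xxx.129.auth: S 1340299399:1340299399(0) win 5840 <mss 1460,sackOK,timestamp 251780265 0,nop,wscale 0> (DF)
20:00:46.666744 192.168.1.129.auth > xxx.xxx.xxx.1.48326: R 0:0(0) ack 1 win 0
20:00:52.666607 192.168.1.1.48326 > xxx.xxx.xxx.129.auth: S 1340299399:1340299399(0) win 5840 <mss 1460,sackOK,timestamp 251780865 0,nop,wscale 0> (DF)
20:00:52.666754 xxx.xxx.xxx.129.auth > xxx.xxx.xxx.1.48326: R 0:0(0) ack 1 win 0
20:01:04.666637 xxx.xxx.xxx.1.48326 > xxx.xxx.xxx.129.auth: S 1340299399:1340299399(0) win 5840 <mss 1460,sackOK,timestamp 251782065 0,nop,wscale 0> (DF)
"""

# timestamp, source, destination, flags, first sequence number
LINE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) (\S+) > (\S+): (\S+) (\d+):\d+\(0\)")


def syn_retransmissions(trace):
    """Return {(sport, dport, isn): [seconds between consecutive copies]}
    for every SYN that appears more than once in the trace."""
    seen = defaultdict(list)
    for line in trace.splitlines():
        m = LINE.match(line)
        if not m or m.group(4) != "S":
            continue  # skip ACK-only and RST segments
        ts = datetime.strptime(m.group(1), "%H:%M:%S.%f")
        # tcpdump appends the port (or service name) after the last dot.
        # Ports are used instead of addresses because the trace is only
        # partly redacted (xxx.xxx.xxx.1 and 192.168.1.1 both appear).
        sport = m.group(2).rsplit(".", 1)[1]
        dport = m.group(3).rsplit(".", 1)[1]
        seen[(sport, dport, m.group(5))].append(ts)
    return {
        key: [round((b - a).total_seconds(), 1) for a, b in zip(times, times[1:])]
        for key, times in seen.items()
        if len(times) > 1
    }


if __name__ == "__main__":
    for key, gaps in syn_retransmissions(TRACE).items():
        print(key, "gaps (s):", gaps, "total:", sum(gaps))
```

On this trace the only repeated SYN is the one from port 48326 to the auth port, re-sent with gaps of 3, 6 and 12 seconds.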