From: Raymond Leach <raymondl@knowledgefactory.co.za>
To: "'netfilter@lists.netfilter.org'" <netfilter@lists.netfilter.org>
Subject: RE: intermittent and unreliable behaviour with iptables scripts
Date: 13 Nov 2002 17:16:06 +0200 [thread overview]
Message-ID: <1037200566.4557.37.camel@rayw.knowledgefactory.co.za> (raw)
In-Reply-To: <91F7518FF779D41181A700010266356D015555DE@mail.springbound.com>
On Wed, 2002-11-13 at 16:34, Doug Watson wrote:
> Thank you for your prompt response.
>
> If there really is a bug in ip_conntrack,
> that makes me unfortunately skittish about
> continuing on with netfilter/iptables as a
> viable solution for my company. Yet it seems
> like many people have implemented this and have
> not seen these types of problems.
>
hmm... me neither
> I have run the script that you sent me several times.
> Attached is a sample output from it. I don't believe that
> I am seeing anything too strange, but I do have 1 question.
> In the following line, which you will see in the attached file,
> what does the (policy ACCEPT 4 packets, 284 bytes) mean?
> Chain OUTPUT (policy ACCEPT 4 packets, 284 bytes)
>
It means that the default policy for the OUTPUT chain is to accept
packets and that there have been 4 packets totalling 284 bytes tested
against this chain.
> Is that the total number of packets to traverse the OUTPUT
> chain or is it the number of packets ACCEPTED by the policy for the
> OUTPUT chain? Or something else?
>
As above ...
> Thank you,
> Doug Watson
>
> -----Original Message-----
> From: alex [mailto:alex@bennee.com]
> Sent: Monday, November 11, 2002 6:19 PM
> To: Doug Watson
> Cc: 'netfilter@lists.netfilter.org'
> Subject: Re: intermittent and unreliable behaviour with iptables
> scripts
>
>
> On Mon, 2002-11-11 at 17:25, Doug Watson wrote:
> > However, I along with my test group of 5 "lucky" users began to see
> > some intermittent and unreliable behavior when accessing the internet
> > through this new firewall, most notably when browsing the web.
> >
> > When browsing the web, web pages that normally would load very
> > quickly seem to hang for an inconsistent amount of time, anywhere
> > between 1 second to 30 seconds or more before they would even begin
> > to load or would at times never load at all as if the connection to
> > the web was lost.
>
> This sounds familiar to my own woes with port forwarded connections. I
> suspect a bug in ip_conntrack that somehow causes FORWARDED packets to
> end up in the output chains. I've been trying to find out exactly when
> this occurs and why (and certainly why my older script worked without
> problems).
>
> You could try using a variation of this script to monitor your
> connections "live" and see which rule starts dropping when you
> experience your problems. Try using it with something like watch:
>
> iptables -Z -t nat
> iptables -Z
> watch -n 5 -d ./dumpview
>
> #!/bin/bash
> #
> # dumpview - try and see where the packets get dropped.
> # Run it under watch(1) after zeroing the counters (iptables -Z) so
> # the numbers only reflect traffic since the reset.
> #
> echo "DNAT Stuff"
> iptables -nvL -t nat
> echo "Dropped packets of normal chains"
> # keep the chain headers (policy counters) and the DROP rules only
> iptables -nvL | egrep "Chain|DROP"
> echo "Connections"
> # one line per tracked connection
> wc -l < /proc/net/ip_conntrack
> echo "Web Connections"
> grep "port=80" /proc/net/ip_conntrack
>
> --
> alex <alex@bennee.com>
> My own hacking haven
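The chain-header counters Doug asks about, and the per-rule DROP counters that alex's dumpview greps for, worked as an added example that is not from this thread: a POSIX shell script that parses `iptables -nvL` output with awk. The sample output below is constructed for the example, not captured from either poster's firewall, and the function names (`policy_counter`, `dropping_rules`, `drop_total`) are this example's own. The policy counters in a chain header count only the packets and bytes that reached the end of the chain without matching a terminating rule and so were handled by the chain's default policy; the counters on each rule line count the packets that matched that rule.

```shell
#!/bin/sh
# Constructed sample of `iptables -nvL` output (not from a real host).
# Column layout matches the verbose listing: pkts bytes target prot opt in out
# source destination [match options].
SAMPLE='Chain INPUT (policy DROP 12 packets, 960 bytes)
 pkts bytes target     prot opt in     out     source               destination
  842 61280 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 1190 95000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    7   420 DROP       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:23

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   31  2480 DROP       all  --  eth0   *       10.0.0.0/8           0.0.0.0/0

Chain OUTPUT (policy ACCEPT 4 packets, 284 bytes)
 pkts bytes target     prot opt in     out     source               destination
'

# policy_counter CHAIN [pkts|bytes|policy]
# Reads the "(policy ACCEPT 4 packets, 284 bytes)" header of CHAIN: these are
# the packets/bytes that fell off the end of the chain and were handled by
# the policy, not the total that traversed the chain.
policy_counter() {
    printf '%s\n' "$SAMPLE" | awk -v chain="$1" -v field="${2:-pkts}" '
        $1 == "Chain" && $2 == chain {
            # $3="(policy" $4=ACCEPT $5=4 $6="packets," $7=284 $8="bytes)"
            if (field == "pkts") print $5
            else if (field == "bytes") print $7
            else print $4
        }'
}

# dropping_rules
# Prints "CHAIN pkts match-spec" for every DROP rule whose packet counter is
# non-zero, i.e. the rules that are actually discarding traffic right now.
dropping_rules() {
    printf '%s\n' "$SAMPLE" | awk '
        $1 == "Chain" { chain = $2; next }
        $3 == "DROP" && $1 > 0 {
            # fields 10.. are the match options after the destination column
            spec = ""
            for (i = 10; i <= NF; i++) spec = spec (i > 10 ? " " : "") $i
            printf "%s %s %s\n", chain, $1, (spec == "" ? "(any)" : spec)
        }'
}

# drop_total: packets discarded by explicit DROP rules across all chains
# (the DROP *policy* of INPUT is a separate counter, see policy_counter).
drop_total() {
    printf '%s\n' "$SAMPLE" | awk '$3 == "DROP" { n += $1 } END { print n + 0 }'
}

# Example run over the constructed sample.
printf 'OUTPUT policy %s handled %s packets, %s bytes\n' \
    "$(policy_counter OUTPUT policy)" "$(policy_counter OUTPUT)" "$(policy_counter OUTPUT bytes)"
printf 'rules currently dropping:\n'
dropping_rules
printf 'total dropped by DROP rules: %s\n' "$(drop_total)"
```

To use it live, replace the `SAMPLE` assignment with `SAMPLE=$(iptables -nvL)` (root required) and run the script under `watch -n 5 -d` after `iptables -Z`, as alex suggests; a counter that climbs on a specific DROP rule, or on a chain's DROP policy, between refreshes is the rule to look at while the stalls are happening.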