iptables delay connection phase

iptables delay connection phase

[eNet]

[-- Attachment #1: Type: text/plain, Size: 2452 bytes --]

Hello List,

I am new in iptables and list.

I have problem when my dialup clients trying to check their emails. There is a delay because of iptables. On that box I use linux kernel 2.4.19 and rc.firewall 

Here are more details of what is happening:


Case  1. without iptables . It is OK. No delay.

19:45:51.756818 arp who-has xxx.xxx.xxx.1 tell xxx.xxx.xxx.129
19:45:51.756837 arp reply xxx.xxx.xxx.1 is-at yy:yy:yy:yy:yy
19:45:51.756920 xxx.xxx.xxx.129.2814 > NS1.enet.org.al.pop3: S 1490445489:1490445489(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
19:45:51.756988 NS1.enet.org.al.pop3 > xxx.xxx.xxx.129.2814: S 401842756:401842756(0) ack 1490445490 win 5840 <mss 1460,nop,nop,sackOK> 
(DF)
19:45:51.757102 xxx.xxx.xxx.129.2814 > NS1.enet.org.al.pop3: . ack 1 win 17520 (DF)
19:45:51.761677 xxx.xxx.xxx.1.48021 > xxx.xxx.xxx.129.auth: S 387191140:387191140(0) win 5840 <mss 1460,sackOK,timestamp 251690774 
0,nop,wscale 0> (DF) 19:45:51.761856 xxx.xxx.xxx.129.auth > xxx.xxx.xxx.1.48021: R 0:0(0) ack 387191141 win 0
 
etc...

Case 2.  iptables activated. Problem: delay

20:00:43.670848 xxx.xxx.xxx.129.2824 > NS1.enet.org.al.pop3: S 1713847144:1713847144(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
20:00:43.670903 NS1.enet.org.al.pop3 > xxx.xxx.xxx.129.2824: S 1342878817:1342878817(0) ack 1713847145 win 5840 <mss 1460,nop,nop,sackOK> 
(DF)
20:00:43.671015 xxx.xxx.xxx.129.2824 > NS1.enet.org.al.pop3: . ack 1 win 17520 (DF)
20:00:43.672185 xxx.xxx.xxx.1.48326 > xxx.xxx.xxx.129.auth: S 1340299399:1340299399(0) win 5840 <mss 1460,sackOK,timestamp 251779965 
0,nop,wscale 0> (DF)


now it goes around (!!!!!??)
 
20:00:43.672291 xxx.xxx.xxx.129.auth > xxx.xxx.xxx.1.48326: R 0:0(0) ack 1340299400 win 0
20:00:46.666594 xxx.xxx.xxx.1.48326 > xxx.xxx.xxx.129.auth: S 1340299399:1340299399(0) win 5840 <mss 1460,sackOK,timestamp 251780265 
0,nop,wscale 0> (DF)
20:00:46.666744 192.168.1.129.auth > xxx.xxx.xxx.1.48326: R 0:0(0) ack 1 win 
0
20:00:52.666607 192.168.1.1.48326 > xxx.xxx.xxx.129.auth: S 
1340299399:1340299399(0) win 5840 <mss 1460,sackOK,timestamp 251780865 
0,nop,wscale 0> (DF)
20:00:52.666754 xxx.xxx.xxx.129.auth > xxx.xxx.xxx.1.48326: R 0:0(0) ack 1 win 
0

untill here:

20:01:04.666637 xxx.xxx.xxx.1.48326 > xxx.xxx.xxx.129.auth: S 1340299399:1340299399(0) win 5840 <mss 1460,sackOK,timestamp 251782065 
0,nop,wscale 0> (DF)

etc.... 

Any help appreciated.

Tani



[-- Attachment #2: Type: text/html, Size: 3957 bytes --]

Re: iptables delay connection phase

[Ray Leach]

[-- Attachment #1: Type: text/plain, Size: 3016 bytes --]

Make sure that your rc.firewall allows auth (port 113). That is most
likely causing your delay.

On Mon, 2003-06-30 at 09:14, eNet wrote:
> Hello List,
>  
> I am new in iptables and list.
>  
> I have problem when my dialup clients trying to check their emails.
> There is a delay because of iptables. On that box I use linux kernel
> 2.4.19 and rc.firewall 
>  
> Here are more details of what is happening:
>  
> Case  1. without iptables . It is OK. No delay.
> 19:45:51.756818 arp who-has xxx.xxx.xxx.1 tell xxx.xxx.xxx.129
> 19:45:51.756837 arp reply xxx.xxx.xxx.1 is-at yy:yy:yy:yy:yy
> 19:45:51.756920 xxx.xxx.xxx.129.2814 > NS1.enet.org.al.pop3: S
> 1490445489:1490445489(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 19:45:51.756988 NS1.enet.org.al.pop3 > xxx.xxx.xxx.129.2814: S
> 401842756:401842756(0) ack 1490445490 win 5840 <mss
> 1460,nop,nop,sackOK> 
> (DF)
> 19:45:51.757102 xxx.xxx.xxx.129.2814 > NS1.enet.org.al.pop3: . ack 1
> win 17520 (DF)
> 19:45:51.761677 xxx.xxx.xxx.1.48021 > xxx.xxx.xxx.129.auth: S
> 387191140:387191140(0) win 5840 <mss 1460,sackOK,timestamp 251690774 
> 0,nop,wscale 0> (DF) 19:45:51.761856 xxx.xxx.xxx.129.auth >
> xxx.xxx.xxx.1.48021: R 0:0(0) ack 387191141 win 0
>  
> etc...
> 
> Case 2. iptables activated. Problem: delay
> 20:00:43.670848 xxx.xxx.xxx.129.2824 > NS1.enet.org.al.pop3: S
> 1713847144:1713847144(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> 20:00:43.670903 NS1.enet.org.al.pop3 > xxx.xxx.xxx.129.2824: S
> 1342878817:1342878817(0) ack 1713847145 win 5840 <mss
> 1460,nop,nop,sackOK> 
> (DF)
> 20:00:43.671015 xxx.xxx.xxx.129.2824 > NS1.enet.org.al.pop3: . ack 1
> win 17520 (DF)
> 20:00:43.672185 xxx.xxx.xxx.1.48326 > xxx.xxx.xxx.129.auth: S
> 1340299399:1340299399(0) win 5840 <mss 1460,sackOK,timestamp 251779965
> 0,nop,wscale 0> (DF)
> 
>  
> now it goes around (!!!!!??)
>  
> 20:00:43.672291 xxx.xxx.xxx.129.auth > xxx.xxx.xxx.1.48326: R 0:0(0)
> ack 1340299400 win 0
> 20:00:46.666594 xxx.xxx.xxx.1.48326 > xxx.xxx.xxx.129.auth: S
> 1340299399:1340299399(0) win 5840 <mss 1460,sackOK,timestamp 251780265
> 0,nop,wscale 0> (DF)
> 20:00:46.666744 192.168.1.129.auth > xxx.xxx.xxx.1.48326: R 0:0(0) ack
> 1 win 
> 0
> 20:00:52.666607 192.168.1.1.48326 > xxx.xxx.xxx.129.auth: S 
> 1340299399:1340299399(0) win 5840 <mss 1460,sackOK,timestamp 251780865
> 0,nop,wscale 0> (DF)
> 20:00:52.666754 xxx.xxx.xxx.129.auth > xxx.xxx.xxx.1.48326: R 0:0(0)
> ack 1 win 
> 0
> 
> untill here:
>  
> 20:01:04.666637 xxx.xxx.xxx.1.48326 > xxx.xxx.xxx.129.auth: S
> 1340299399:1340299399(0) win 5840 <mss 1460,sackOK,timestamp 251782065
> 0,nop,wscale 0> (DF)
> 
> etc.... 
>  
> Any help appreciated.
>  
> Tani
>  
>  
-- 
--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD  00EE 8757 EE47 F06F FB28
--

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]