From: Pigi <pigi@frumar.it>
To: netfilter@vger.kernel.org
Subject: Re: Trouble getting SYNPROXY to work.
Date: Tue, 12 Nov 2019 19:31:54 +0100
Message-ID: <2490043.Bzh1xko5Hd@topolinux>
In-Reply-To: <3abdbb03-e10c-938f-bfb1-5e10764e1a3f@gmail.com>

On Tuesday 12 November 2019 11:37:29 Fatih USTA wrote:
> Hi Pierluigi,
> 
> If you don't have an IP address on the br0 interface.


But, Fatih, I do have an IP address on br0:

root@firewall:~# ifconfig br0
br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.1.51  netmask 255.255.255.0  broadcast 10.0.2.255


> If you have an IP address on the br0 interface then you should check 
> the net.ipv4.ip_forward sysctl parameter (the value should be 1).

Routing is enabled:
root@firewall:~# sysctl -a| grep net.ipv4.ip_forward
net.ipv4.ip_forward = 1

> 
> My other advice to you.
> 1- Use external Ethernet for SYN Proxy.
> /usr/sbin/iptables -A INPUT -m physdev --physdev-in $external_iface_eth0 
> -p tcp -m tcp -m conntrack --dport 81 --ctstate INVALID,UNTRACKED -j 
> SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1323

I will try this, but, as told in my mail, I have tried SYNPROXY on both physical (eth0, eth1, eth2, all with IP addresses) and bridge interfaces.

> 2- If you set this parameter to 0 then you get better performance.
> 
> net.ipv4.tcp_timestamps = 1

Already on.

root@firewall:~# sysctl -a| grep net.ipv4.tcp_timestamps
net.ipv4.tcp_timestamps = 1


> 
> 3- Last advice.
> If you are using an HTTPS connection then don't set wscale. And you may use 
> mss 1460.
>

I will try with this, but I suspect it will not change my problem.

Thanks for your time.

Pierluigi


Thread overview: 5+ messages
2019-11-11 20:46 Trouble getting SYNPROXY to work Pigi
2019-11-12  8:37 ` Fatih USTA
2019-11-12 18:31   ` Pigi [this message]
2019-11-12 19:23     ` Neal P. Murphy
2019-11-12 20:42       ` Pierluigi Frullani Sinergy
