* 2 nics and traffic delayed/lost on LAN
@ 2012-10-26 15:19 Kim Emax
2012-10-28 15:31 ` Eliezer Croitoru
0 siblings, 1 reply; 8+ messages in thread
From: Kim Emax @ 2012-10-26 15:19 UTC (permalink / raw)
To: netfilter
Hello
I have two nics and a DHCP server on my server (192.168.0.1), which
iptables controlled fine for years, but when i got a new job and
switched to a new server + started working through VPN i saw some
problems.
I'm having issues with the VPN, i can sit for like 10 minutes an try
to make a proper connection with Ciscos anyConnect against the company
network, getting all kinds of responses, often not even a connect
prompt. The local firewall has been disabled on this PC
192.168.0.132). If i plug this PC straight to the WAN instead of the
server, VPN works fine and fast.
It seems that the traffic on my internal network somehow is being
delayed, for instance SSH, i can wait for 30 seconds before the
keystrokes are shown on the screen. I don't recall that was an issue
before the VPN issue appeared.
Also there seems to be some packageloss, sending 10 packages from the
company PC at home to the server/gateway results in packageloss from
10 to 40%
Anyone got an idea for this? I've been trying to figure out the
problem for some time now and thought i had solved it some months ago,
but apparently not.
WAN is connected to eth0 and LAN to eth1
LAN is 192.168.0.0/24
chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
0 0 ACCEPT all -- lo * 0.0.0.0/0
0.0.0.0/0
0 0 LOG tcp -- eth0 * 0.0.0.0/0
0.0.0.0/0 tcp dpt:22 state NEW recent: SET name: SSH side:
source LOG flags 0 level 7 prefix "iptables denied SSH: "
0 0 DROP tcp -- eth0 * 0.0.0.0/0
0.0.0.0/0 tcp dpt:22 state NEW recent: UPDATE seconds: 60
hit_count: 3 TTL-Match name: SSH side: source
0 0 DROP all -- eth0 * 83.133.227.121
0.0.0.0/0
0 0 DROP all -- eth0 * 82.96.90.170
0.0.0.0/0
0 0 DROP all -- eth0 * 93.159.16.170
0.0.0.0/0
22 7257 ACCEPT all -- eth0 * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth1 * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW multiport dports 20,21,22
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0
0.0.0.0/0 multiport dports 22,80,4000,8080
8 3134 ACCEPT all -- eth1 * 192.168.0.0/24
0.0.0.0/0
0 0 ACCEPT tcp -- * * 212.97.132.102
0.0.0.0/0 tcp dpt:3306
0 0 ACCEPT udp -- eth1 * 0.0.0.0/0
0.0.0.0/0 udp spt:68 dpt:67
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0
0.0.0.0/0 udp spt:67 dpt:68
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0
0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0
0.0.0.0/0 tcp dpt:8080
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0
0.0.0.0/0 tcp dpt:443
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0
0.0.0.0/0 udp dpt:443
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0
0.0.0.0/0 tcp dpt:443
0 0 ACCEPT udp -- eth1 * 0.0.0.0/0
0.0.0.0/0 udp dpt:443
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0
0.0.0.0/0 tcp dpts:6891:6901
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0
0.0.0.0/0 udp dpts:6891:6901
0 0 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0
0 0 ACCEPT tcp -- eth1 * 192.168.0.0/24
192.168.0.0/24 tcp spts:1024:65535 dpt:139
0 0 ACCEPT tcp -- eth1 * 192.168.0.0/24
192.168.0.0/24 tcp spts:1024:65535 dpt:445
0 0 ACCEPT udp -- eth1 * 192.168.0.0/24
192.168.0.0/24 udp spts:1024:65535 dpts:137:138
0 0 ACCEPT udp -- eth1 * 192.168.0.0/24
192.168.0.0/24 udp spts:137:138 dpts:137:138
0 0 ACCEPT tcp -- eth1 * 192.168.0.0/24
192.168.0.0/24 tcp spt:139 dpt:139
0 0 ACCEPT tcp -- eth1 * 192.168.0.0/24
192.168.0.0/24 tcp spt:445 dpt:445
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
0 0 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 192.168.0.0/24
0.0.0.0/0
0 0 REJECT all -- * * 0.0.0.0/0
0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 9 packets, 630 bytes)
pkts bytes target prot opt in out source
destination
0 0 ACCEPT all -- * lo 0.0.0.0/0
0.0.0.0/0
0 0 ACCEPT tcp -- * * 212.97.132.102
0.0.0.0/0 tcp dpt:3306
17 2481 ACCEPT tcp -- * eth0 0.0.0.0/0
0.0.0.0/0 tcp dpt:443
0 0 ACCEPT udp -- * eth0 0.0.0.0/0
0.0.0.0/0 udp dpt:443
0 0 ACCEPT tcp -- * eth1 0.0.0.0/0
0.0.0.0/0 tcp dpt:443
0 0 ACCEPT udp -- * eth1 0.0.0.0/0
0.0.0.0/0 udp dpt:443
0 0 ACCEPT tcp -- * * 192.168.0.0/24
192.168.0.0/24 tcp spt:139 dpts:1024:65535
0 0 ACCEPT tcp -- * * 192.168.0.0/24
192.168.0.0/24 tcp spt:445 dpts:1024:65535
0 0 ACCEPT udp -- * * 192.168.0.0/24
192.168.0.0/24 udp spts:137:138 dpts:1024:65535
0 0 ACCEPT udp -- * * 192.168.0.0/24
192.168.0.0/24 udp spts:137:138 dpts:137:138
0 0 ACCEPT tcp -- * * 192.168.0.0/24
192.168.0.0/24 tcp spt:139 dpt:139
0 0 ACCEPT tcp -- * * 192.168.0.0/24
192.168.0.0/24 tcp spt:445 dpt:445
******************************
***************************'
I also tried another approach, building a new FW from scratch with a
online configurator, same problem:
# iptables rules created with Easy firewall generator:
http://easyfwgen.morizot.net/gen/index.php
Chain INPUT (policy DROP 62500 packets, 17M bytes)
pkts bytes target prot opt in out source
destination
74779 57M ACCEPT all -- lo * 0.0.0.0/0
0.0.0.0/0
15M 13G bad_packets all -- * * 0.0.0.0/0
0.0.0.0/0
5581 179K DROP all -- * * 0.0.0.0/0
224.0.0.1
1064K 206M ACCEPT all -- eth1 * 192.168.0.0/24
0.0.0.0/0
0 0 ACCEPT all -- eth1 * 0.0.0.0/0
192.168.0.255
402 171K ACCEPT udp -- eth1 * 0.0.0.0/0
0.0.0.0/0 udp spt:68 dpt:67
14M 13G ACCEPT all -- eth0 * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
7810 425K tcp_inbound tcp -- eth0 * 0.0.0.0/0
0.0.0.0/0
71472 18M udp_inbound udp -- eth0 * 0.0.0.0/0
0.0.0.0/0
0 0 icmp_packets icmp -- eth0 * 0.0.0.0/0
0.0.0.0/0
2 338 DROP all -- * * 0.0.0.0/0
0.0.0.0/0 PKTTYPE = broadcast
20243 4239K LOG all -- * * 0.0.0.0/0
0.0.0.0/0 limit: avg 3/min burst 3 LOG flags 0 level 4
prefix "INPUT packet died: "
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
5214K 4815M bad_packets all -- * * 0.0.0.0/0
0.0.0.0/0
1700K 161M tcp_outbound tcp -- eth1 * 0.0.0.0/0
0.0.0.0/0
109K 12M udp_outbound udp -- eth1 * 0.0.0.0/0
0.0.0.0/0
17426 795K ACCEPT all -- eth1 * 0.0.0.0/0
0.0.0.0/0
3367K 4640M ACCEPT all -- eth0 * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
8 408 ACCEPT tcp -- eth0 * 0.0.0.0/0
192.168.0.132 tcp dpt:443
0 0 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 limit: avg 3/min burst 3 LOG flags 0 level 4
prefix "FORWARD packet died: "
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
0 0 DROP icmp -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID
46773 49M ACCEPT all -- * * 127.0.0.1
0.0.0.0/0
28006 8207K ACCEPT all -- * lo 0.0.0.0/0
0.0.0.0/0
1424K 1753M ACCEPT all -- * * 192.168.0.1
0.0.0.0/0
0 0 ACCEPT all -- * eth1 0.0.0.0/0
0.0.0.0/0
12M 11G ACCEPT all -- * eth0 0.0.0.0/0
0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 limit: avg 3/min burst 3 LOG flags 0 level 4
prefix "OUTPUT packet died: "
Chain bad_packets (2 references)
pkts bytes target prot opt in out source
destination
0 0 LOG all -- eth0 * 192.168.0.0/24
0.0.0.0/0 LOG flags 0 level 4 prefix "Illegal source: "
0 0 DROP all -- eth0 * 192.168.0.0/24
0.0.0.0/0
26482 1367K LOG all -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID LOG flags 0 level 4 prefix "Invalid
packet: "
26482 1367K DROP all -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID
18M 18G bad_tcp_packets tcp -- * * 0.0.0.0/0
0.0.0.0/0
20M 18G RETURN all -- * * 0.0.0.0/0
0.0.0.0/0
Chain bad_tcp_packets (1 references)
pkts bytes target prot opt in out source
destination
2304K 200M RETURN tcp -- eth1 * 0.0.0.0/0
0.0.0.0/0
1 52 LOG tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcpflags:! 0x17/0x02 state NEW LOG flags 0 level
4 prefix "New not syn: "
1 52 DROP tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcpflags:! 0x17/0x02 state NEW
0 0 LOG tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcpflags: 0x3F/0x00 LOG flags 0 level 4 prefix
"Stealth scan: "
0 0 DROP tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcpflags: 0x3F/0x00
0 0 LOG tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcpflags: 0x3F/0x3F LOG flags 0 level 4 prefix
"Stealth scan: "
0 0 DROP tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcpflags: 0x3F/0x3F
0 0 LOG tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcpflags: 0x3F/0x29 LOG flags 0 level 4 prefix
"Stealth scan: "
0 0 DROP tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcpflags: 0x3F/0x29
0 0 LOG tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcpflags: 0x3F/0x37 LOG flags 0 level 4 prefix
"Stealth scan: "
0 0 DROP tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcpflags: 0x3F/0x37
0 0 LOG tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcpflags: 0x06/0x06 LOG flags 0 level 4 prefix
"Stealth scan: "
0 0 DROP tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcpflags: 0x06/0x06
0 0 LOG tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcpflags: 0x03/0x03 LOG flags 0 level 4 prefix
"Stealth scan: "
0 0 DROP tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcpflags: 0x03/0x03
16M 17G RETURN tcp -- * * 0.0.0.0/0
0.0.0.0/0
Chain icmp_packets (1 references)
pkts bytes target prot opt in out source
destination
0 0 LOG icmp -f * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 4 prefix "ICMP Fragment: "
0 0 DROP icmp -f * * 0.0.0.0/0
0.0.0.0/0
0 0 DROP icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmptype 8
0 0 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmptype 11
0 0 RETURN icmp -- * * 0.0.0.0/0
0.0.0.0/0
Chain tcp_inbound (1 references)
pkts bytes target prot opt in out source
destination
1337 79448 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:443
1 52 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:21
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp spt:20
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpts:62000:64000
5981 322K ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:22
491 23332 RETURN tcp -- * * 0.0.0.0/0
0.0.0.0/0
Chain tcp_outbound (1 references)
pkts bytes target prot opt in out source
destination
1700K 161M ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0
Chain udp_inbound (1 references)
pkts bytes target prot opt in out source
destination
9160 714K DROP udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:137
3427 757K DROP udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:138
0 0 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp spt:67 dpt:68
58885 17M RETURN udp -- * * 0.0.0.0/0
0.0.0.0/0
Chain udp_outbound (1 references)
pkts bytes target prot opt in out source
destination
109K 12M ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
--
Take care
Kim Emax
http://emax.dk
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: 2 nics and traffic delayed/lost on LAN
2012-10-26 15:19 2 nics and traffic delayed/lost on LAN Kim Emax
@ 2012-10-28 15:31 ` Eliezer Croitoru
2012-10-28 18:52 ` Kim Emax
0 siblings, 1 reply; 8+ messages in thread
From: Eliezer Croitoru @ 2012-10-28 15:31 UTC (permalink / raw)
To: Kim Emax; +Cc: netfilter
On 10/26/2012 5:19 PM, Kim Emax wrote:
> Hello
>
> I have two nics and a DHCP server on my server (192.168.0.1), which
> iptables controlled fine for years, but when i got a new job and
> switched to a new server + started working through VPN i saw some
> problems.
> I'm having issues with the VPN, i can sit for like 10 minutes an try
> to make a proper connection with Ciscos anyConnect against the company
> network, getting all kinds of responses, often not even a connect
> prompt. The local firewall has been disabled on this PC
> 192.168.0.132). If i plug this PC straight to the WAN instead of the
> server, VPN works fine and fast.
>
> It seems that the traffic on my internal network somehow is being
> delayed, for instance SSH, i can wait for 30 seconds before the
> keystrokes are shown on the screen. I don't recall that was an issue
> before the VPN issue appeared.
>
> Also there seems to be some packageloss, sending 10 packages from the
> company PC at home to the server/gateway results in packageloss from
> 10 to 40%
>
> Anyone got an idea for this? I've been trying to figure out the
> problem for some time now and thought i had solved it some months ago,
> but apparently not.
> WAN is connected to eth0 and LAN to eth1
> LAN is 192.168.0.0/24
Hello Kim,
it seems to me like there nothing wrong with the FW software but
something else lower in the chain.
What Distro are you using?
Regards,
Eliezer
--
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: 2 nics and traffic delayed/lost on LAN
2012-10-28 15:31 ` Eliezer Croitoru
@ 2012-10-28 18:52 ` Kim Emax
2012-10-28 23:44 ` Eliezer Croitoru
0 siblings, 1 reply; 8+ messages in thread
From: Kim Emax @ 2012-10-28 18:52 UTC (permalink / raw)
To: netfilter
On Sun, Oct 28, 2012 at 4:31 PM, Eliezer Croitoru <eliezer@ngtech.co.il> wrote:
> Hello Kim,
>
> it seems to me like there nothing wrong with the FW software but something
> else lower in the chain.
That's nice to know. I consider myself no expert in iptables but do
know my way around and it's just fustrating that it does behave as
supposed to...
I did find, from googling that maybe i missed a single forward chain:
iptables -A FORWARD -i eth1 -j ACCEPT
But it didn't make a difference...
When you say lower, do you mean settings in for instance
/proc/sys/net/ipv4/ip_forward
> What Distro are you using?
Ubuntu 12.04
Kind regards.
Kim
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: 2 nics and traffic delayed/lost on LAN
2012-10-28 18:52 ` Kim Emax
@ 2012-10-28 23:44 ` Eliezer Croitoru
2012-10-30 19:57 ` Kim Emax
0 siblings, 1 reply; 8+ messages in thread
From: Eliezer Croitoru @ 2012-10-28 23:44 UTC (permalink / raw)
To: Kim Emax; +Cc: netfilter
On 10/28/2012 8:52 PM, Kim Emax wrote:
> That's nice to know. I consider myself no expert in iptables but do
> know my way around and it's just fustrating that it does behave as
> supposed to...
You are not suppose to be EXPERT but just to understand the basics.
In most cases it will continue to frustrate you after you will
understand the real problem so give yourself some slack.
>
> I did find, from googling that maybe i missed a single forward chain:
>
> iptables -A FORWARD -i eth1 -j ACCEPT
I like the output of "iptables-save" which can make more sense to me.
>
if it worked before and the only problem was it is dosnt work well
that(iptables) is probably not the problem.
> But it didn't make a difference...
>
> When you say lower, do you mean settings in for instance
> /proc/sys/net/ipv4/ip_forward
>
I mean by drivers faulty switch\cable\router\line etc.
(maybe it's related to reverse path filtering)
the odds that the fault is at iptables is so limited it's unlikely the
cause.(but not 100% guarantied).
>
>> >What Distro are you using?
> Ubuntu 12.04
>
OK
what evidence you do have that proves the packets loss?
if it get's into one interface but dosnt come-out from the other it's
something with kernel settings.
there aren't many options about it.
I would suggest you to post in Ubuntu-servers with hardware
specification of the machine and topology.
you can Cc me and I will try to help you on my free time.
Regards,
Eliezer
--
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: 2 nics and traffic delayed/lost on LAN
2012-10-28 23:44 ` Eliezer Croitoru
@ 2012-10-30 19:57 ` Kim Emax
2012-10-30 20:16 ` Eliezer Croitoru
0 siblings, 1 reply; 8+ messages in thread
From: Kim Emax @ 2012-10-30 19:57 UTC (permalink / raw)
To: Eliezer Croitoru; +Cc: netfilter
On Mon, Oct 29, 2012 at 12:44 AM, Eliezer Croitoru <eliezer@ngtech.co.il> wrote:
> You are not suppose to be EXPERT but just to understand the basics.
> In most cases it will continue to frustrate you after you will understand
> the real problem so give yourself some slack.
hehe, and that's a comfort? :-)
> I like the output of "iptables-save" which can make more sense to me.
# Generated by iptables-save v1.4.12 on Tue Oct 30 20:45:29 2012
*filter
:INPUT DROP [13737:1067977]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1866822:2015017078]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m
recent --set --name SSH --rsource -j LOG --log-prefix "iptables denied
SSH: " --log-level 7
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m
recent --update --seconds 60 --hitcount 3 --rttl --name SSH --rsource
-j DROP
-A INPUT -s 83.133.227.121/32 -i eth0 -j DROP
-A INPUT -s 82.96.90.170/32 -i eth0 -j DROP
-A INPUT -s 93.159.16.170/32 -i eth0 -j DROP
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m multiport --dports 20,21,22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m multiport --dports 22,80,4000,8080 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth1 -j ACCEPT
-A INPUT -s 212.97.132.102/32 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 443 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 443 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 6891:6901 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 6891:6901 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -s 192.168.0.0/24 -d 192.168.0.0/24 -i eth1 -p tcp -m tcp
--sport 1024:65535 --dport 139 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -d 192.168.0.0/24 -i eth1 -p tcp -m tcp
--sport 1024:65535 --dport 445 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -d 192.168.0.0/24 -i eth1 -p udp -m udp
--sport 1024:65535 --dport 137:138 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -d 192.168.0.0/24 -i eth1 -p udp -m udp
--sport 137:138 --dport 137:138 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -d 192.168.0.0/24 -i eth1 -p tcp -m tcp
--sport 139 --dport 139 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -d 192.168.0.0/24 -i eth1 -p tcp -m tcp
--sport 445 --dport 445 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 212.97.132.102/32 -p tcp -m tcp --dport 3306 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 443 -j ACCEPT
-A OUTPUT -o eth1 -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -o eth1 -p udp -m udp --dport 443 -j ACCEPT
-A OUTPUT -s 192.168.0.0/24 -d 192.168.0.0/24 -p tcp -m tcp --sport
139 --dport 1024:65535 -j ACCEPT
-A OUTPUT -s 192.168.0.0/24 -d 192.168.0.0/24 -p tcp -m tcp --sport
445 --dport 1024:65535 -j ACCEPT
-A OUTPUT -s 192.168.0.0/24 -d 192.168.0.0/24 -p udp -m udp --sport
137:138 --dport 1024:65535 -j ACCEPT
-A OUTPUT -s 192.168.0.0/24 -d 192.168.0.0/24 -p udp -m udp --sport
137:138 --dport 137:138 -j ACCEPT
-A OUTPUT -s 192.168.0.0/24 -d 192.168.0.0/24 -p tcp -m tcp --sport
139 --dport 139 -j ACCEPT
-A OUTPUT -s 192.168.0.0/24 -d 192.168.0.0/24 -p tcp -m tcp --sport
445 --dport 445 -j ACCEPT
COMMIT
> if it worked before and the only problem was it is dosnt work well
> that(iptables) is probably not the problem.
I'm a bit unsure if the problem happend when i switched to a new
server (2 years ago). I didn't realize there was a problem until i
started using VPN (one year ago)
> I mean by drivers faulty switch\cable\router\line etc.
> (maybe it's related to reverse path filtering)
>
> the odds that the fault is at iptables is so limited it's unlikely the
> cause.(but not 100% guarantied).
if i plug the company PC directly to the plug, IE, bypass the server
and one switch, it works flawless, so yeah, cables, one switch,
Iptables or some other setting on the ubuntu server must be the
reason.
> what evidence you do have that proves the packets loss?
10 pings gave 10, 30 and 40% packetloss.
> if it get's into one interface but dosnt come-out from the other it's
> something with kernel settings.
> there aren't many options about it.
How do i debug on that? tcpdump? (used it once ages ago) some logging
in iptables?
> I would suggest you to post in Ubuntu-servers with hardware specification of
> the machine and topology.
I'm not sure that's the way to go? I might call it a server, it's s
plain PC used as firewall, router, webserver, databaseserver etc. with
a desktop install.
> you can Cc me and I will try to help you on my free time.
Thank you so far for the inputs.
--
Take care
Kim Emax
http://emax.dk
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: 2 nics and traffic delayed/lost on LAN
2012-10-30 19:57 ` Kim Emax
@ 2012-10-30 20:16 ` Eliezer Croitoru
2012-10-30 21:19 ` Kim Emax
0 siblings, 1 reply; 8+ messages in thread
From: Eliezer Croitoru @ 2012-10-30 20:16 UTC (permalink / raw)
To: Kim Emax; +Cc: netfilter
On 10/30/2012 9:57 PM, Kim Emax wrote:
> On Mon, Oct 29, 2012 at 12:44 AM, Eliezer Croitoru <eliezer@ngtech.co.il> wrote:
>
>> You are not suppose to be EXPERT but just to understand the basics.
>> In most cases it will continue to frustrate you after you will understand
>> the real problem so give yourself some slack.
>
> hehe, and that's a comfort? :-)
half
>
>> I like the output of "iptables-save" which can make more sense to me.
>
> # Generated by iptables-save v1.4.12 on Tue Oct 30 20:45:29 2012
> *filter
> :INPUT DROP [13737:1067977]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [1866822:2015017078]
> -A INPUT -i lo -j ACCEPT
> -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m
> recent --set --name SSH --rsource -j LOG --log-prefix "iptables denied
> SSH: " --log-level 7
> -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m
> recent --update --seconds 60 --hitcount 3 --rttl --name SSH --rsource
> -j DROP
> -A INPUT -s 83.133.227.121/32 -i eth0 -j DROP
> -A INPUT -s 82.96.90.170/32 -i eth0 -j DROP
> -A INPUT -s 93.159.16.170/32 -i eth0 -j DROP
> -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m multiport --dports 20,21,22 -j ACCEPT
> -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,4000,8080 -j ACCEPT
> -A INPUT -s 192.168.0.0/24 -i eth1 -j ACCEPT
> -A INPUT -s 212.97.132.102/32 -p tcp -m tcp --dport 3306 -j ACCEPT
> -A INPUT -i eth1 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
> -A INPUT -i eth0 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
> -A INPUT -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
> -A INPUT -i eth1 -p tcp -m tcp --dport 8080 -j ACCEPT
> -A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
> -A INPUT -i eth0 -p udp -m udp --dport 443 -j ACCEPT
> -A INPUT -i eth1 -p tcp -m tcp --dport 443 -j ACCEPT
> -A INPUT -i eth1 -p udp -m udp --dport 443 -j ACCEPT
> -A INPUT -i eth0 -p tcp -m tcp --dport 6891:6901 -j ACCEPT
> -A INPUT -i eth0 -p udp -m udp --dport 6891:6901 -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -s 192.168.0.0/24 -d 192.168.0.0/24 -i eth1 -p tcp -m tcp
> --sport 1024:65535 --dport 139 -j ACCEPT
> -A INPUT -s 192.168.0.0/24 -d 192.168.0.0/24 -i eth1 -p tcp -m tcp
> --sport 1024:65535 --dport 445 -j ACCEPT
> -A INPUT -s 192.168.0.0/24 -d 192.168.0.0/24 -i eth1 -p udp -m udp
> --sport 1024:65535 --dport 137:138 -j ACCEPT
> -A INPUT -s 192.168.0.0/24 -d 192.168.0.0/24 -i eth1 -p udp -m udp
> --sport 137:138 --dport 137:138 -j ACCEPT
> -A INPUT -s 192.168.0.0/24 -d 192.168.0.0/24 -i eth1 -p tcp -m tcp
> --sport 139 --dport 139 -j ACCEPT
> -A INPUT -s 192.168.0.0/24 -d 192.168.0.0/24 -i eth1 -p tcp -m tcp
> --sport 445 --dport 445 -j ACCEPT
> -A FORWARD -i eth1 -j ACCEPT
> -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -s 192.168.0.0/24 -j ACCEPT
> -A FORWARD -j REJECT --reject-with icmp-port-unreachable
> -A OUTPUT -o lo -j ACCEPT
> -A OUTPUT -s 212.97.132.102/32 -p tcp -m tcp --dport 3306 -j ACCEPT
> -A OUTPUT -o eth0 -p tcp -m tcp --dport 443 -j ACCEPT
> -A OUTPUT -o eth0 -p udp -m udp --dport 443 -j ACCEPT
> -A OUTPUT -o eth1 -p tcp -m tcp --dport 443 -j ACCEPT
> -A OUTPUT -o eth1 -p udp -m udp --dport 443 -j ACCEPT
> -A OUTPUT -s 192.168.0.0/24 -d 192.168.0.0/24 -p tcp -m tcp --sport
> 139 --dport 1024:65535 -j ACCEPT
> -A OUTPUT -s 192.168.0.0/24 -d 192.168.0.0/24 -p tcp -m tcp --sport
> 445 --dport 1024:65535 -j ACCEPT
> -A OUTPUT -s 192.168.0.0/24 -d 192.168.0.0/24 -p udp -m udp --sport
> 137:138 --dport 1024:65535 -j ACCEPT
> -A OUTPUT -s 192.168.0.0/24 -d 192.168.0.0/24 -p udp -m udp --sport
> 137:138 --dport 137:138 -j ACCEPT
> -A OUTPUT -s 192.168.0.0/24 -d 192.168.0.0/24 -p tcp -m tcp --sport
> 139 --dport 139 -j ACCEPT
> -A OUTPUT -s 192.168.0.0/24 -d 192.168.0.0/24 -p tcp -m tcp --sport
> 445 --dport 445 -j ACCEPT
> COMMIT
>
seems like you are hosting:
samba
db
ssh
ftp
ssl
and other stuff.
the first thing I would suggest you is to help yourself understand your
topology.
ip addresses, hardware, packets flow.
until you will not clarify these things you are expected to fail
debugging the problem.
as I mentioned before try Ubuntu servers forums as a starter since there
are many nice people there that will try to give you lots of directions.
you can try to change your iptables to a more simple approach one like
"allow all" as a starter and later add rule by rule until you will find
a specific culprit.
also try to close and service that is running on this machine and one by
one start them.
>> if it worked before and the only problem was it is dosnt work well
>> that(iptables) is probably not the problem.
>
> I'm a bit unsure if the problem happend when i switched to a new
> server (2 years ago). I didn't realize there was a problem until i
> started using VPN (one year ago)
>
>
>> I mean by drivers faulty switch\cable\router\line etc.
>> (maybe it's related to reverse path filtering)
>>
>> the odds that the fault is at iptables is so limited it's unlikely the
>> cause.(but not 100% guarantied).
>
> if i plug the company PC directly to the plug, IE, bypass the server
> and one switch, it works flawless, so yeah, cables, one switch,
> Iptables or some other setting on the ubuntu server must be the
> reason.
>
>> what evidence you do have that proves the packets loss?
>
> 10 pings gave 10, 30 and 40% packetloss.
>
ping to where?
try pinging the "firewall" and to other places by the topology.
lan to lan
lan to firewall
lan to other throw firewall
>> if it get's into one interface but dosnt come-out from the other it's
>> something with kernel settings.
>> there aren't many options about it.
>
> How do i debug on that? tcpdump? (used it once ages ago) some logging
> in iptables?
>
tcpdump is a really good start to see if the packets are identified by
the kernel\interface\driver etc.
if you have another PC you can try to dump the packets into PCAP file
and later review the packets in wireshark which is more friendly for the
eye.
also there are many things you can see by just looking at the packet
flow in wireshark.
>> I would suggest you to post in Ubuntu-servers with hardware specification of
>> the machine and topology.
>
> I'm not sure that's the way to go? I might call it a server, it's s
> plain PC used as firewall, router, webserver, databaseserver etc. with
> a desktop install.
>
Server is a role which means to serve a purpose and it's your case.
>> you can Cc me and I will try to help you on my free time.
>
> Thank you so far for the inputs.
Regards,
Eliezer
--
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: 2 nics and traffic delayed/lost on LAN
2012-10-30 20:16 ` Eliezer Croitoru
@ 2012-10-30 21:19 ` Kim Emax
2012-10-30 21:52 ` Eliezer Croitoru
0 siblings, 1 reply; 8+ messages in thread
From: Kim Emax @ 2012-10-30 21:19 UTC (permalink / raw)
To: Eliezer Croitoru; +Cc: netfilter
On Tue, Oct 30, 2012 at 9:16 PM, Eliezer Croitoru <eliezer@ngtech.co.il> wrote:
> seems like you are hosting:
> samba
> db
> ssh
> ftp
> ssl
> and other stuff.
True.
> the first thing I would suggest you is to help yourself understand your
> topology.
> ip addresses, hardware, packets flow.
> until you will not clarify these things you are expected to fail debugging
> the problem.
> as I mentioned before try Ubuntu servers forums as a starter since there are
> many nice people there that will try to give you lots of directions.
Ok, i'll find that. And will Cc you there. I'm replying here, cause i
forgot to mention where the ping went.
> you can try to change your iptables to a more simple approach one like
> "allow all" as a starter and later add rule by rule until you will find a
> specific culprit.
> also try to close and service that is running on this machine and one by one
> start them.
I thought of that approach the last few days. Or maybe fire up the old
server to rule out a HW issue.
>> 10 pings gave 10, 30 and 40% packetloss.
>>
> ping to where?
> try pinging the "firewall" and to other places by the topology.
> lan to lan
> lan to firewall
> lan to other throw firewall
Sorry, i pinged the companys VPN address.
> tcpdump is a really good start to see if the packets are identified by the
> kernel\interface\driver etc.
> if you have another PC you can try to dump the packets into PCAP file and
> later review the packets in wireshark which is more friendly for the eye.
> also there are many things you can see by just looking at the packet flow in
> wireshark.
okay, got some stuff to work on now. Thanks.
--
Take care
Kim Emax
http://emax.dk
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: 2 nics and traffic delayed/lost on LAN
2012-10-30 21:19 ` Kim Emax
@ 2012-10-30 21:52 ` Eliezer Croitoru
0 siblings, 0 replies; 8+ messages in thread
From: Eliezer Croitoru @ 2012-10-30 21:52 UTC (permalink / raw)
To: Kim Emax; +Cc: netfilter
On 10/30/2012 11:19 PM, Kim Emax wrote:
>>> >>10 pings gave 10, 30 and 40% packetloss.
>>> >>
>> >ping to where?
>> >try pinging the "firewall" and to other places by the topology.
>> >lan to lan
>> >lan to firewall
>> >lan to other throw firewall
> Sorry, i pinged the companys VPN address.
>
If you will describe in more detail the network I will might have one or
more good points for you.
Regards,
Eliezer
--
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2012-10-30 21:52 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2012-10-26 15:19 2 nics and traffic delayed/lost on LAN Kim Emax
2012-10-28 15:31 ` Eliezer Croitoru
2012-10-28 18:52 ` Kim Emax
2012-10-28 23:44 ` Eliezer Croitoru
2012-10-30 19:57 ` Kim Emax
2012-10-30 20:16 ` Eliezer Croitoru
2012-10-30 21:19 ` Kim Emax
2012-10-30 21:52 ` Eliezer Croitoru
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.