From: Dax Kelson <dax@gurulabs.com>
To: Doug Watson <doug@1stbooks.com>
Cc: 'alex' <alex@bennee.com>,
"'netfilter@lists.netfilter.org'" <netfilter@lists.netfilter.org>
Subject: RE: intermittent and unreliable behaviour with iptables scripts
Date: 13 Nov 2002 11:13:54 -0700
Message-ID: <1037211234.2257.14.camel@mentor>
In-Reply-To: <91F7518FF779D41181A700010266356D015555DE@mail.springbound.com>
On Wed, 2002-11-13 at 07:34, Doug Watson wrote:
> Thank you for your prompt response.
>
> If there really is a bug in ip_conntrack,
> that makes me unfortunately skittish about
> continuing on with netfilter/iptables as a
> viable solution for my company. Yet it seems
> like many people have implemented this and have
> not seen these types of problems.
>
> I have run the script that you sent me several times.
> Attached is a sample output from it. I don't believe that
> I am seeing anything too strange, but I do have 1 question.
> in the following line which you will see in the attached file
> what does the (policy ACCEPT 4 packets, 284 bytes) mean?
> Chain OUTPUT (policy ACCEPT 4 packets, 284 bytes)
>
> Is that the total number of packets to traverse the OUTPUT
> chain or is it the number of packets ACCEPTED by the policy for the
> OUTPUT chain? Or something else?
>
> Thank you,
> Doug Watson
I don't think there is a bug, but rather improper rules. This is a
common mistake that beginners and experts make on firewalls.
What you describe:
"When browsing the web, web pages that normally would load very quickly
seem to hang for an inconsistent amount of time, anywhere between 1
second to 30 seconds or more before they would even begin to load or
would at times never load at all as if the connection to the web was
lost."
This is the CLASSIC (bizarre, yes) symptom of IP fragmentation not
working properly. When I first saw these symptoms in 1996, it stumped me
for a while.
Why would IP fragmentation not be working properly? The answer is that
you are not letting ICMP Type 3, Code 4 (ala fragmentation-needed)
packets through.
I don't know what your specific rules are, but generally the solution is
to have the following rule as the first rule in either INPUT, OUTPUT, or
FORWARD (or all three, which one depends on the overall design of your
ruleset).
iptables -A INPUT/OUTPUT/FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
The 'RELATED' will catch those ICMP Type 3, Code 4 packets.
Dax Kelson
Guru Labs
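An added audit script, not part of the thread or of the netfilter project, that checks an iptables-save dump for the mistake Dax describes: a chain whose policy (or an early catch-all rule) drops ICMP type 3 code 4 before anything admits it as RELATED or as ICMP. The two rulesets are constructed for illustration; the "broken" one has no RELATED rule and the "fixed" one adds the rule from the reply as the first rule of INPUT and FORWARD. The bracketed counters on each `:CHAIN POLICY [pkts:bytes]` line are the same numbers `iptables -L -v` prints as `(policy ACCEPT 4 packets, 284 bytes)`: packets that reached the end of the chain without matching any rule and were handled by the policy. The check deliberately ignores `-s`, `-d` and `-i` restrictions (an assumption that keeps the parser small), and it recognises both the 2002-era `-m state --state` syntax and the newer `-m conntrack --ctstate`.

```python
"""Find iptables chains that would drop ICMP fragmentation-needed (type 3,
code 4) messages belonging to an existing flow.

Rulesets below are constructed examples in iptables-save format."""

import re

# Constructed: the situation described in the thread. INPUT and FORWARD
# default to DROP and nothing admits RELATED or ICMP traffic.
BROKEN_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [4:284]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -p tcp --dport 80 -j ACCEPT
COMMIT
"""

# Constructed: same design with the reply's rule placed first.
FIXED_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [4:284]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A FORWARD -p tcp --dport 80 -j ACCEPT
COMMIT
"""

POLICY_RE = re.compile(r"^:(\S+)\s+(ACCEPT|DROP|REJECT)\s+\[(\d+):(\d+)\]")
RULE_RE = re.compile(r"^-A\s+(\S+)\s+(.*)$")
FRAG_NEEDED_TYPES = {"fragmentation-needed", "3/4", "destination-unreachable", "3"}


def parse_ruleset(text):
    """Return ({chain: (policy, pkts, bytes)}, {chain: [rule args in order]}).

    The counters on the policy line are the packets/bytes that fell through
    every rule in the chain and were handled by the policy."""
    policies, rules = {}, {}
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            policies[m.group(1)] = (m.group(2), int(m.group(3)), int(m.group(4)))
            rules.setdefault(m.group(1), [])
            continue
        m = RULE_RE.match(line)
        if m:
            rules.setdefault(m.group(1), []).append(m.group(2))
    return policies, rules


def _protocol(rule):
    m = re.search(r"(?:^|\s)-p\s+(\S+)", rule)
    return m.group(1) if m else None


def _target(rule):
    m = re.search(r"(?:^|\s)-j\s+(\S+)", rule)
    return m.group(1) if m else None


def admits_frag_needed(rule):
    """True if this rule would ACCEPT an ICMP type 3/4 error for an existing flow."""
    if _target(rule) != "ACCEPT":
        return False
    proto = _protocol(rule)
    if proto not in (None, "all", "icmp"):
        return False  # a tcp/udp-only rule never sees the ICMP error
    state = re.search(r"--(?:ct)?state\s+(\S+)", rule)
    if state and "RELATED" in state.group(1).split(","):
        return True  # conntrack marks the ICMP error as RELATED to the flow
    if proto == "icmp":
        icmp_type = re.search(r"--icmp-type\s+(\S+)", rule)
        # no type restriction means all ICMP is accepted
        return icmp_type is None or icmp_type.group(1) in FRAG_NEEDED_TYPES
    return False


def could_drop_icmp(rule):
    """True if this rule would DROP/REJECT the ICMP error before a later accept."""
    return _target(rule) in ("DROP", "REJECT") and _protocol(rule) in (None, "all", "icmp")


def chains_blocking_frag_needed(text):
    """Names of chains in which a fragmentation-needed message is dropped."""
    policies, rules = parse_ruleset(text)
    blocking = []
    for chain, (policy, _pkts, _bytes) in policies.items():
        verdict = policy  # what happens when no rule matches
        for rule in rules.get(chain, []):
            if admits_frag_needed(rule):
                verdict = "ACCEPT"
                break
            if could_drop_icmp(rule):
                verdict = "DROP"
                break
        if verdict != "ACCEPT":
            blocking.append(chain)
    return blocking


if __name__ == "__main__":
    for name, ruleset in (("broken", BROKEN_RULESET), ("fixed", FIXED_RULESET)):
        print(name, "chains dropping ICMP 3/4:", chains_blocking_frag_needed(ruleset))
```

Run against a live box with `iptables-save | python3 audit.py` after replacing the constructed rulesets with `sys.stdin.read()`; a non-empty result for INPUT or FORWARD is the configuration that produces the hanging-page symptom described above, and the remedy is the `--state ESTABLISHED,RELATED` rule placed ahead of any drop.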