From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Dennis J."
Subject: Re: iptables sporadic "sendmsg: operation not permitted" problem and packet loss
Date: Mon, 09 Mar 2009 16:11:37 +0100
Message-ID: <49B531A9.7060805@conversis.de>
References: <49B2E831.3040809@conversis.de> <49B51ABC.1080502@freemail.hu>
Mime-Version: 1.0
Content-Transfer-Encoding: QUOTED-PRINTABLE
Return-path:
In-Reply-To: <49B51ABC.1080502@freemail.hu>
Sender: netfilter-owner@vger.kernel.org
List-ID:
Content-Type: text/plain; charset="iso-8859-1"; format="flowed"
To: Gáspár Lajos
Cc: Dennis Jacobfeuerborn, netfilter@vger.kernel.org

On 03/09/2009 02:33 PM, Gáspár Lajos wrote:
> Dennis Jacobfeuerborn wrote:
>> Hi,
>>
>> I'm running into a problem on a machine that right now acts as a
>> simple gateway but is supposed to become a firewall too. When I start
>> iptables using "/etc/init.d/iptables start" on the CentOS 5.2 machine
>> first everything works fine but after about 30 seconds I'm seeing
>> packet loss and running a ping outputs "sendmsg: operation not
>> permitted" sporadically.
>> The moment I stop iptables again everything returns to normal. What is
>> confusing to me is that I don't even have any rules defined so far.
>> This is what my "/etc/sysconfig/iptables" file looks like:
>>
>> # Generated by iptables-save v1.3.5 on Thu Mar 5 17:40:28 2009
>> *filter
>> :INPUT ACCEPT [26715202:4750206096]
>> :FORWARD ACCEPT [1382646771:1563210213960]
>> :OUTPUT ACCEPT [22930985:6256734041]
>> COMMIT
>>
>> iptables -L says:
>>
>> Chain INPUT (policy ACCEPT)
>> target     prot opt source               destination
>>
>> Chain FORWARD (policy ACCEPT)
>> target     prot opt source               destination
>>
>> Chain OUTPUT (policy ACCEPT)
>> target     prot opt source               destination
>>
>> Does anyone have an idea why that would have such a severe impact on
>> the traffic? The fact that it takes a moment for the problems to show
>> up makes me suspect some kind of buffer issue so that the packet loss
>> only begins to occur after some buffer begins to overflow. That's just a
>> guess though and I have no idea what buffer that could be.
>>
>> Regards,
>> Dennis
>>
>
> Hi Dennis,
>
> What about the other tables?
>
> iptables -vnL -t raw
> iptables -vnL -t mangle
> iptables -vnL -t nat

All clear:

[root@gw ~]# iptables -vnL -t raw
Chain PREROUTING (policy ACCEPT 132 packets, 77370 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

[root@gw ~]# iptables -vnL -t mangle
Chain PREROUTING (policy ACCEPT 2688M packets, 1487G bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 2048K packets, 368M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 2686M packets, 1486G bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1961K packets, 997M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 2688M packets, 1487G bytes)
 pkts bytes target     prot opt in     out     source               destination

[root@gw ~]# iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 178 packets, 40798 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 121 packets, 26962 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Regards,
Dennis
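The check Lajos suggests, walking the raw, mangle and nat tables as well as filter, is easy to script rather than eyeball. The following is an added example and not code from either poster: it parses the `iptables -vnL -t <table>` output format shown in this mail and reports, per chain, the policy and the number of rule entries, so a chain with a non-ACCEPT policy or any rule at all stands out. The two sample inputs are constructed for the example: the first is copied from the raw-table output above, the second is a made-up mangle table with one DROP rule and a DROP policy to show what a non-clear table reports as. The function names (`summarize_table`, `table_is_clear`, `report`) are the example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: summarise "iptables -vnL -t <table>"
# output so the "all clear" check over raw/mangle/nat/filter can be scripted.
# Live usage would be:   iptables -vnL -t raw | table_is_clear
# Here the input comes from constructed samples so the script runs offline.

# Print one line per chain: "<chain> <policy> <rule-count>".
# User-defined chains have no policy and are shown as "-".
summarize_table() {
    awk '
        function flush() { if (chain != "") printf "%s %s %d\n", chain, policy, rules }
        /^Chain / {
            flush()
            chain = $2; rules = 0; policy = "-"
            if ($3 == "(policy") policy = $4   # "Chain INPUT (policy ACCEPT 12 packets, ...)"
            next
        }
        /^ *pkts +bytes +target/ { next }      # column header printed under each chain
        /^[[:space:]]*$/ { next }              # blank line between chains
        { rules++ }                            # everything else is a rule entry
        END { flush() }
    '
}

# Exit 0 when every chain has policy ACCEPT (or none) and carries no rules.
table_is_clear() {
    summarize_table | awk '
        ($2 != "ACCEPT" && $2 != "-") || $3 != 0 { bad = 1 }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed sample 1: the raw table exactly as shown in this mail.
SAMPLE_RAW=$(cat <<'EOF'
Chain PREROUTING (policy ACCEPT 132 packets, 77370 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
EOF
)

# Constructed sample 2: a made-up mangle table with one rule and a DROP policy.
SAMPLE_BUSY=$(cat <<'EOF'
Chain PREROUTING (policy ACCEPT 10 packets, 800 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   180 DROP       all  --  eth0   *       10.0.0.0/8           0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
EOF
)

# report <label> <table-output>: print the per-chain summary and a verdict.
report() {
    printf '%s\n' "$2" | summarize_table
    if printf '%s\n' "$2" | table_is_clear; then
        echo "$1: clear"
    else
        echo "$1: NOT clear (non-ACCEPT policy or rules present)"
    fi
}

report raw "$SAMPLE_RAW"
report mangle-sample "$SAMPLE_BUSY"
```

On a live box the same functions are fed from the real commands, one table at a time (`iptables -vnL -t mangle | table_is_clear`), which gives a yes/no answer for each of the four tables without reading through the counters.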