02-01-2008, 08:05 AM
"Brian Modra"

socket timeouts when forwarded over gprs/ppp

Hi,
I'm having trouble with sockets apparently timing out too quickly when they are logically over ethernet, but physically forwarded over a slow ppp link.

The fastest network available to me is GPRS/EDGE. So I have one PC connecting to my ISP using EDGE, and 4 other PCs connected to it using Ethernet.


The "network server PC" (the one with the GPRS/EDGE modem) is using iptables to forward the packets arriving over its eth0 to ppp0, and vice versa.
This all works nicely.

However, I think that because the other PCs are using ethernet, their socket timeouts default to something fairly small... so when the socket connection is actually going via GPRS/EDGE (which is much slower than 100 ethernet) then it times out.


I'm seeing this problem with ssh connections (because that's the only type of socket connection that goes outside the LAN over ppp).

Note that this is not an idle-time timeout problem: I've got control over the remote sshd, so I have set up

ClientAliveInterval 60
ClientAliveCountMax 0
and on the clients:
ServerAliveInterval 20

If I connect from my "Network server PC" (i.e. not using forwarding) - then the ssh works fine.
If I use ssh from one of the other PCs (i.e. using forwarding) - then ssh sometimes works fine, but sometimes gets a "connection reset by remote peer" right in the middle of some busy data transfer.


I'm a novice with iptables... here's my setup:

# iptables-save
# Generated by iptables-save v1.3.8 on Fri Feb  1 10:52:12 2008
*mangle
:PREROUTING ACCEPT [7117:1725751]
:INPUT ACCEPT [4684:1358683]
:FORWARD ACCEPT [2431:365684]
:OUTPUT ACCEPT [4927:964199]
:POSTROUTING ACCEPT [7364:1331293]
COMMIT
# Completed on Fri Feb  1 10:52:12 2008
# Generated by iptables-save v1.3.8 on Fri Feb  1 10:52:12 2008
*nat
:PREROUTING ACCEPT [41:2460]
:POSTROUTING ACCEPT [60:4125]
:OUTPUT ACCEPT [141:8990]
-A POSTROUTING -o ppp0 -j MASQUERADE
-A POSTROUTING -o ppp1 -j MASQUERADE
COMMIT
# Completed on Fri Feb  1 10:52:12 2008
# Generated by iptables-save v1.3.8 on Fri Feb  1 10:52:12 2008
*filter
:INPUT ACCEPT [2158:643734]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [4927:964199]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i ! eth0 -p udp -m udp --dport 67 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i ! eth0 -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i ppp0 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -i ppp1 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -i ! eth0 -p tcp -m tcp --dport 0:110 -j DROP
-A INPUT -i ! eth0 -p udp -m udp --dport 0:110 -j DROP
-A INPUT -i ! eth0 -p tcp -m tcp --dport 112:1023 -j DROP
-A INPUT -i ! eth0 -p udp -m udp --dport 112:1023 -j DROP
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth0 -j DROP
-A FORWARD -s 192.168.0.0/255.255.0.0 -i eth0 -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i ppp0 -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i ppp1 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 8085 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Fri Feb  1 10:52:12 2008
Note that I sometimes connect using a different ISP, hence ppp0 and ppp1.
Removing all mention of ppp1 does not help, and the problem existed before I added the second ppp.


I've been googling for anything to do with forwarding timeouts in iptables, but no success. I've also been looking for ways to set the default socket read/write timeout from a shell (I know how to do it in C, but that does not help because I don't want to patch openssh). Maybe there is an ssh config parameter for this, but all I can find is information about keepalive, which is nothing to do with this problem.


I'll appreciate your help. Thanks
Brian
--
Brian Modra  Land line: +27 23 5411 462
Mobile: +27 79 183 8059
6 Jan Louw Str, Prince Albert, 6930
Postal: P.O. Box 2, Prince Albert 6930
South Africa
 
02-01-2008, 11:29 AM
Alex Efros

socket timeouts when forwarded over gprs/ppp

Hi!

Try this one:
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
and read `man iptables`, paragraph "TCPMSS" for description of this issue.

P.S. Looks like your question is off-topic on this mailing list; probably you
should use gentoo-server@ for such questions.

--
WBR, Alex.
--
gentoo-hardened@lists.gentoo.org mailing list
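The rule Alex suggests rewrites the MSS option in SYN packets that the router forwards, so both ends agree on segments that fit the PPP link instead of the LAN's Ethernet MTU. The script below is an added example, not code from the thread: it checks an iptables-save dump (constructed from the one Brian posted) for the MASQUERADE interfaces and for a FORWARD TCPMSS clamp rule, and shows why an unclamped full-size segment from a 1500-byte LAN overruns a smaller PPP MTU. The PPP MTU of 1400 is an assumption; read the real value with `ip link show ppp0`.

```python
"""Audit an iptables-save dump for the TCPMSS clamp rule discussed above."""
import re

# Constructed from the nat and filter tables posted in the thread.
IPTABLES_SAVE_BEFORE = """\
*nat
-A POSTROUTING -o ppp0 -j MASQUERADE
-A POSTROUTING -o ppp1 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -s 192.168.0.0/255.255.0.0 -i eth0 -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i ppp0 -j ACCEPT
COMMIT
"""
# The same dump with the rule Alex suggested inserted at the top of FORWARD.
CLAMP_RULE = "-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"
IPTABLES_SAVE_AFTER = IPTABLES_SAVE_BEFORE.replace("*filter\n", "*filter\n" + CLAMP_RULE + "\n")

TCP_IP_HEADERS = 40  # 20-byte IPv4 header + 20-byte TCP header, no options

def masquerade_ifaces(dump):
    """Interfaces carrying NATed forwarded traffic (the slow ppp links here)."""
    return re.findall(r"-A POSTROUTING -o (\S+) -j MASQUERADE", dump)

def has_mss_clamp(dump):
    """True if a FORWARD rule clamps the MSS on SYN packets."""
    return any(line.startswith("-A FORWARD") and "-j TCPMSS" in line
               and "--tcp-flags SYN,RST SYN" in line
               for line in dump.splitlines())

def mss_for_mtu(mtu):
    """Largest TCP payload that fits in one packet on a link of this MTU."""
    return mtu - TCP_IP_HEADERS

def segment_fits(lan_mtu, link_mtu, clamped):
    """Does a full-size segment of the forwarded connection fit the slow link?
    Unclamped, each end advertises an MSS derived from its own LAN MTU; with the
    clamp, the router lowers the MSS in the forwarded SYN to the link's value.
    A segment that does not fit, sent with DF set, depends on ICMP
    fragmentation-needed reaching the sender; if it never does, the transfer
    stalls and is eventually reset, which matches the symptom in the thread."""
    mss = mss_for_mtu(link_mtu) if clamped else mss_for_mtu(lan_mtu)
    return mss + TCP_IP_HEADERS <= link_mtu

def audit(dump, lan_mtu=1500, link_mtu=1400):  # link_mtu is an assumed value
    clamped = has_mss_clamp(dump)
    return {"nat_ifaces": masquerade_ifaces(dump), "clamped": clamped,
            "full_segment_fits_link": segment_fits(lan_mtu, link_mtu, clamped)}

if __name__ == "__main__":
    for name, dump in (("before", IPTABLES_SAVE_BEFORE), ("after", IPTABLES_SAVE_AFTER)):
        print(name, audit(dump))
```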
 
02-01-2008, 09:24 PM
Attila Toth

socket timeouts when forwarded over gprs/ppp

Do you take care of the MTU?
Maybe you should clamp it as with ADSL. Do a Google search on TCPMSS.

Regards,
Dw.
--
Dr. Attila Tóth, Radiology resident (specialist candidate), 06-20-825-8057, 06-30-5962-962
Attila Toth MD, Radiologist in Training, +36-20-825-8057, +36-30-5962-962

 
