08-22-2008, 08:10 AM
Arun Shrimali

IPTABLES issue

Dear All,

I am having a problem with configuring IPTABLES

My Setup :

Fedora 6, as a proxy server with three NICs as follows:
eth0 - not in use
eth1 - IP 192.16.251.234 (gw 192.16.250.246), connected to the LAN

eth2 - IP 192.16.250.246 (gw 192.16.250.245), connected to the ISP's router

LAN has the mix users of Ubuntu and Windows
We are using squid (with NTSA authentication) for HTTP traffic, which is working fine.


My Problem :

I want my users to use FTP to upload files for different reasons.
Thus any FTP traffic (only FTP) at eth1 should be routed to eth2, so that they can connect to an FTP site and upload the content.


I have tried ip_conntrack_ftp but it did not help.
Can anybody help me route the FTP traffic?

regards

Arun


--
ubuntu-users mailing list
ubuntu-users@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
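What Arun is asking for, as an added example script that is not code from the post: forward only FTP from the LAN interface to the ISP interface, NAT it, and let the kernel FTP helper admit the data channels that a plain port-21 rule would never see. The interface names are the ones in the post; the LAN prefix 192.16.250.0/23 is an assumption and must be replaced with the real one. The raw-table CT rule is needed on kernels from 4.7 onward, which no longer attach the helper to port-21 flows automatically; on a 2.6.18-era kernel such as Fedora 6 it fails harmlessly and the loaded ip_conntrack_ftp module does the job on its own.

```sh
#!/bin/sh
# Added example (not from the post): forward only FTP from the LAN interface to
# the ISP interface with NAT, letting the kernel FTP helper admit the data
# channels. Interface names follow the post (eth1 = LAN, eth2 = ISP); the LAN
# prefix is an assumption and must be set to the real one.
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth2}"
LAN_NET="${LAN_NET:-192.16.250.0/23}"   # assumed LAN prefix

# DRY_RUN=1 prints the rules instead of loading them, so the rule set can be
# reviewed on any machine without root.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

ftp_forward_rules() {
    # Nothing else is forwarded. HTTP still reaches squid on this host through
    # the INPUT chain, so a DROP policy on FORWARD does not affect the proxy.
    ipt -P FORWARD DROP
    # Kernels before 4.7 attach the FTP helper to port-21 flows as soon as the
    # module is loaded; newer ones need it assigned explicitly. On an old kernel
    # the CT target does not exist and this rule is skipped.
    ipt -t raw -A PREROUTING -i "$LAN_IF" -p tcp --dport 21 -j CT --helper ftp 2>/dev/null || true
    # Control channel: LAN -> ISP, TCP port 21 only
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp --dport 21 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    # Data channels (active or passive) that the helper tied to a control
    # session are RELATED; replies on already accepted flows are ESTABLISHED.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Rewrite LAN source addresses to the ISP-facing address on the way out
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

apply_rules() {
    # Load the helper (nf_conntrack_ftp on recent kernels, ip_conntrack_ftp on
    # the 2.6.18-era kernel in the post) and enable routing between the NICs.
    modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    ftp_forward_rules
}

# Usage: sh ftp-forward.sh apply   (as root, loads the rules)
#        sh ftp-forward.sh         (prints the rules only)
case "${1:-}" in
    apply) apply_rules ;;
    *)     DRY_RUN=1; ftp_forward_rules ;;
esac
```

Because the FORWARD policy admits nothing but FTP, LAN clients must get name resolution from a resolver on the LAN or on the proxy host itself, otherwise they cannot look up the FTP server's name even though the FTP session itself would pass. Run the script once without arguments and read the printed rules before applying them.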
 
03-14-2012, 06:58 PM
Hassnain Badami

IPTables issue

Dear all
I am learning iptables and have been given a problem on our network to diagnose and solve.
Our network infrastructure consists of an internet provider line from Colt that feeds into a bandwidth router (provided by our building management) and then an Ubuntu 10.04 box running iptables. This firewall is then connected to a switch, and we run a local area network of around 20 computers (both Linux and Windows).
Our firewall has a certain set of rules enabled. When I try to download a file on the firewall itself everything seems fine. But when I try to download the same file from a Windows box behind the firewall, it starts well, downloads up to 5 MB, but then is interrupted or enormously slows down.
To solve this problem I wrote a small script, first to clean my iptables rules and then to create a few rules that only allow basic configuration. The first script is
Code:
echo "Stopping firewall and allowing everyone..."
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
The second script sets up only basic rules and is as follows (eth0 is LAN and eth5 is WAN):
Code:
iptables -A FORWARD -i eth0 -o eth5 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth5 -j MASQUERADE
iptables -A FORWARD -i eth5 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
Using the 2nd script I can browse fine, but any downloads on the LAN box again slow down or are interrupted.
I am very confused, as this firewall was operational for more than a year and all of a sudden it has started to fail (on March 7). Secondly, the building management claims they haven't done anything at their end. I am kind of lost. Any help will be highly appreciated.
many thanks
Hassnain.
 
03-14-2012, 07:31 PM
compdoc

IPTables issue

Does this happen with all Windows PCs? Is there a virus scanner on the Windows PC? Is there a virus scanner (clamav) on the Ubuntu box?
Have you tried swapping the network card and patch cord in the Ubuntu box? If it's just the one Windows PC, have you swapped its network card and patch cord and switch port?
 
03-14-2012, 08:02 PM
Rashkae

IPTables issue

An interesting puzzle indeed. Further to compdoc's questions, have you
tried downloading a file directly from your firewall box to the LAN
clients? (You might have to install an FTP server on the firewall to test.)
What protocol(s) have you tested that trigger this error with downloads?
(HTTP, HTTPS, FTP, etc.)


From reading your description, I get the feeling that the 'bandwidth'
router is itself a NAT device, and therefore your firewall has a
non-routable IP address on eth5 (usually in the 10.x.x.x or 192.168.x.x
range). Can you confirm this? It would be important in that kind of
setup that your eth0 be in a different subnet entirely.





 
03-14-2012, 08:10 PM
Ric Moore

IPTables issue

This may or may not be relevant, but with my HughesNet sat setup, if I
download something already compressed, the built-in compression feature
of the HughesNet modem kills it. I have to decommission that feature to
download Java applets that are pre-compressed. Weird. It took a while to
find it. Hughes techs suggest it is a feature and that my software is at
fault. Go figure. I just want the damn thing to bring content from "out
there" to "right here". The modem gets in the way. Your problem might
prove to be just as weird and obscure. Ric




--
My father, Victor Moore (Vic) used to say:
"There are two Great Sins in the world...
..the Sin of Ignorance, and the Sin of Stupidity.
Only the former may be overcome." R.I.P. Dad.
http://linuxcounter.net/user/44256.html

 
03-15-2012, 09:42 AM
Hassnain Badami

IPTables issue

Dear all

Thank you so much for your replies. I have done some tests and here is an update on them:

1. This behaviour is present on all Windows and Linux machines on the network.
2. Yes, there is a Windows antivirus on the Windows PC. I have tried the download in both conditions, i.e. antivirus enabled and antivirus disabled, no joy. The Linux machine I used in the test has no antivirus.
3. There is no antivirus on the Ubuntu firewall box.
4. Yes, I have tried to download a file from the firewall box to the LAN box using scp. It downloads fine.
5. I tried to download files over the internet over HTTP, HTTPS and FTP; all have the same problem.
6. The building management has explained to me that the bandwidth router is just a bandwidth modulator that is being used to give us an 8 Mbps connection. It doesn't do any NAT or anything funny. So my firewall has an external IP. Additionally, this setup was working till last week (March 7) and all of a sudden it has stopped.
7. I don't think swapping the network card and patch cord in the Ubuntu box will do much, as my firewall can download files over the internet successfully and a LAN box can in turn download the file from the firewall successfully. That tells me that the network card ports are OK. I even tried putting an Ubuntu VM on another network, via a different network card port on the firewall, and still the same behaviour.
8. I observed something I have never seen before. I don't see any packets being dropped on the firewall eth5 port in the iptables log. I ran tcpdump and observed the same phenomenon. It appears to me that all of a sudden data packets stop coming into the network and as a result the download is rarely reset and the speed goes undefined, as below. Mostly I think it keeps on waiting for more data but it never comes through. This is what I see on the console:

user@ophelia:~$ wget --no-cache http://download.oracle.com/otn-pub/java/jdk/7u3-b04/jdk-7u3-linux-x64.tar.gz
--2012-03-15 10:27:08--  http://download.oracle.com/otn-pub/java/jdk/7u3-b04/jdk-7u3-linux-x64.tar.gz
Resolving download.oracle.com... 92.122.127.242, 92.122.126.241
Connecting to download.oracle.com|92.122.127.242|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 81056556 (77M) [application/x-gzip]
Saving to: `jdk-7u3-linux-x64.tar.gz'

 2% [===>                                                                        ] 2,426,571   --.-K/s  eta 10m 0s

On chrome it says Interrupted.

9. I think it's an issue with the NAT or maybe the bandwidth router. NAT, because it's the only difference between a download happening on the firewall box and the download on a client. Maybe the ISP is doing deep packet inspection and disallowing NAT, but then why allow 2% of the download to complete? Bandwidth router, maybe because once the download starts and it tries to take the full bandwidth, the router modulates it and crops all the packets, hence I see no packets on the firewall. But I can only make assumptions at this point in time.

Please let me know your thoughts on this and once again thanks for your reply.

Hassnain.




 
03-24-2012, 05:52 PM
Hassnain Badami

IPTables issue

Hi all

Further to this issue: I can download a big file on the firewall box, no problem, and then I can download the same file from the firewall box using scp and ftp, again no problem.

In order to rule out a firewall hardware issue totally, I set up another box with the same iptables code and I see the same behaviour: the client is unable to download large files. Browsing works fine though. The big file download stops abruptly after downloading a few MB of data.

I have also tried using another firewall (non-iptables based) on the same connection and it works fine, hence I think it's not an ISP or provider issue. Can iptables or the kernel be the culprit here? Maybe some packets are being sent out that instruct the source site to stop packet transfer. I say this because I ran tcpdump on the firewall and saw that after a few packets there are no data packets passing between the client and the server.

To test I have used 3 browsers, IE, firefox, chrome and also used wget on another linux terminal in my LAN.

I am very confused about this behaviour. How should I go towards a solution, please advise.

thanks

Hass.

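Hassnain's two tcpdump observations (item 8 of the 03-15 post and the 03-24 post) stop at "the data packets just stop". The script below is an added example, not code from the thread, that turns a `tcpdump -n -tt` text capture into a verdict per TCP flow: whether the server is retransmitting (and whether the client had already acknowledged that data, which points at lost outbound ACKs rather than lost inbound data), whether the client closed its receive window, or whether the server simply went quiet with everything acknowledged, which means the data stops before it reaches the interface the capture was taken on. Running it on a capture from eth5 and on one from eth0 for the same download localizes the drop to the firewall or to the upstream side. The two sample captures and their addresses are constructed for the example; the line format is tcpdump 4.x with relative sequence numbers (the default).

```python
"""Classify a stalled TCP download from `tcpdump -n -tt` text output.

Added example, not code from the thread. Capture on the firewall's WAN and LAN
interfaces during a stalled download and feed each to analyze_capture(): it
tells you whether the server is retransmitting, whether the client closed its
window, or whether the server went quiet with everything acknowledged (the data
stops before reaching that capture point).
"""
import re
from collections import defaultdict

# One tcpdump 4.x line, e.g.
# 1331808428.041000 IP 198.51.100.7.80 > 10.0.0.5.54321: Flags [.], seq 1:1449, ack 121, win 227, length 1448
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\],(?: seq (?P<seq>\d+)(?::(?P<seq_end>\d+))?,)?"
    r"(?: ack (?P<ack>\d+),)? win (?P<win>\d+),.*? length (?P<length>\d+)$"
)


def parse(lines):
    """Yield one dict per recognised TCP line; anything else is skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        yield {"ts": float(d["ts"]),
               "src": d["src"] + ":" + d["sport"], "dst": d["dst"] + ":" + d["dport"],
               "seq": int(d["seq"]) if d["seq"] else None,
               "seq_end": int(d["seq_end"]) if d["seq_end"] else None,
               "ack": int(d["ack"]) if d["ack"] else None,
               "win": int(d["win"]), "length": int(d["length"])}


def analyze_capture(lines, stall_threshold=5.0):
    """Return {(endpoint, endpoint): report} for every TCP flow in the capture."""
    flows = defaultdict(lambda: {"pkts": [], "bytes": defaultdict(int), "seen": set(),
                                 "retrans": defaultdict(int), "zero_win": set()})
    for p in parse(lines):
        f = flows[tuple(sorted((p["src"], p["dst"])))]
        f["pkts"].append(p)
        if p["length"] > 0:
            f["bytes"][p["src"]] += p["length"]
            sig = (p["src"], p["seq"])   # relative seq numbers: a repeat is a retransmit
            if sig in f["seen"]:
                f["retrans"][p["src"]] += 1
            f["seen"].add(sig)
        if p["win"] == 0:
            f["zero_win"].add(p["src"])

    report = {}
    for pair, f in flows.items():
        pkts = f["pkts"]
        server = max(pair, key=lambda ep: f["bytes"][ep])   # bulk sender = download server
        client = pair[0] if pair[1] == server else pair[1]
        data_ts = [p["ts"] for p in pkts if p["src"] == server and p["length"] > 0]
        last_data = max(data_ts) if data_ts else pkts[0]["ts"]
        quiet = pkts[-1]["ts"] - last_data                   # seconds with no new server data
        highest_sent = max((p["seq_end"] or 0 for p in pkts if p["src"] == server), default=0)
        highest_acked = max((p["ack"] or 0 for p in pkts if p["src"] == client), default=0)
        retrans = f["retrans"][server]
        if client in f["zero_win"]:
            verdict = "client advertised a zero window: the receiving host is the bottleneck"
        elif retrans and highest_acked >= highest_sent:
            verdict = "server retransmits data the client already acknowledged: client ACKs lost on the outbound path"
        elif retrans:
            verdict = "server retransmits unacknowledged data: server segments lost on the inbound path"
        elif quiet >= stall_threshold and highest_acked >= highest_sent:
            verdict = "server went silent with everything acknowledged: data stops before this capture point"
        elif quiet >= stall_threshold:
            verdict = "server went silent with data unacknowledged: compare with a capture on the other interface"
        else:
            verdict = "no stall detected"
        report[pair] = {"server": server, "client": client, "server_bytes": f["bytes"][server],
                        "retransmissions": retrans, "quiet_seconds": round(quiet, 3), "verdict": verdict}
    return report


# Constructed sample captures with documentation addresses, not real traffic.
# Stall: three segments arrive and are ACKed, then nothing for 30 s until the client gives up.
SAMPLE_STALL = """\
1331808428.020300 IP 10.0.0.5.54321 > 198.51.100.7.80: Flags [P.], seq 1:121, ack 1, win 92, length 120
1331808428.041000 IP 198.51.100.7.80 > 10.0.0.5.54321: Flags [.], seq 1:1449, ack 121, win 227, length 1448
1331808428.041100 IP 198.51.100.7.80 > 10.0.0.5.54321: Flags [.], seq 1449:2897, ack 121, win 227, length 1448
1331808428.041300 IP 10.0.0.5.54321 > 198.51.100.7.80: Flags [.], ack 2897, win 137, length 0
1331808428.062000 IP 198.51.100.7.80 > 10.0.0.5.54321: Flags [.], seq 2897:4345, ack 121, win 227, length 1448
1331808428.062200 IP 10.0.0.5.54321 > 198.51.100.7.80: Flags [.], ack 4345, win 182, length 0
1331808458.062200 IP 10.0.0.5.54321 > 198.51.100.7.80: Flags [F.], seq 121, ack 4345, win 182, length 0
"""
# Retransmit: the client ACKs everything, yet the server keeps resending the same segment.
SAMPLE_RETRANS = """\
1331808500.000000 IP 10.0.0.5.54400 > 198.51.100.7.80: Flags [P.], seq 1:121, ack 1, win 92, length 120
1331808500.020000 IP 198.51.100.7.80 > 10.0.0.5.54400: Flags [.], seq 1:1449, ack 121, win 227, length 1448
1331808500.020100 IP 198.51.100.7.80 > 10.0.0.5.54400: Flags [.], seq 1449:2897, ack 121, win 227, length 1448
1331808500.020300 IP 10.0.0.5.54400 > 198.51.100.7.80: Flags [.], ack 2897, win 137, length 0
1331808500.240000 IP 198.51.100.7.80 > 10.0.0.5.54400: Flags [.], seq 1449:2897, ack 121, win 227, length 1448
1331808500.680000 IP 198.51.100.7.80 > 10.0.0.5.54400: Flags [.], seq 1449:2897, ack 121, win 227, length 1448
1331808501.560000 IP 198.51.100.7.80 > 10.0.0.5.54400: Flags [.], seq 1449:2897, ack 121, win 227, length 1448
"""

if __name__ == "__main__":
    for name, sample in (("stall", SAMPLE_STALL), ("retransmit", SAMPLE_RETRANS)):
        for pair, rep in analyze_capture(sample.splitlines()).items():
            print(name, pair, rep["verdict"])
```

To use it on a real capture, run `tcpdump -n -tt -i eth5 host <server>` on the firewall while the download stalls, save the text, and pass the lines to `analyze_capture`; repeat on eth0 in the same run. If the eth5 capture says the server went silent with everything acknowledged while nothing is logged as dropped, the segments never reached the firewall; if eth5 still shows data arriving but eth0 does not, the firewall is where they disappear. The verdicts are classifications of what the capture shows, not a diagnosis of the root cause.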
 
