Re: IPTables Problem: I think I figured it out... [was IPTables Established connection Problem]

From: Ian Jones (ian@dsl081-056-052.sfo1.dsl.speakeasy.net)
Date: 12/19/01 

From: Ian Jones <ian@dsl081-056-052.sfo1.dsl.speakeasy.net>
Date: Tue, 18 Dec 2001 17:27:09 -0800

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Doubletwist <dontspam.doubletwist@spack.nu> writes:
>
>> Turns out that though my workstation has a public IP, it is routed
>> through three hops that have a private IP. [not sure why]
>>
>> So my server was dropping those connections.
>
> My betting is that something like an ICMP 3/4 `frag required' packet is
> coming back, maybe from one of those routers, and because it's coming from
> a private IP#, conntrack is somehow not relating it to the outgoing
> connection.
>
> Out of interest, and a slightly voodoo suggestion, does dropping your MTU
> to e.g. 576 make any difference?

I'm sure conntrack is not the problem here. I also don't think it has
anything to do with what the IP address is...bits is bits. The system
and the network doesn't really care what the IP address is, public or
private doesn't make a difference to the kernel.

I think it is time to do what should have been done in the first
place:

tcpdump -i eth0 -w debugfile -s 1500

If you can reproduce the problem with the above running we can see
what is actually happening.

If it is a very high traffic link you may want to add a filter to only
grab the interesting stuff...in fact I would do that anyway to make
reading the information back easier, just don't filter out ICMP
messages.

BTW, I know you posted your rule set at some point, but I don't
remember anything about it. Have you ruled that out?

-----BEGIN PGP SIGNATURE-----
Comment: Keeping the world safe for geeks.

iD8DBQE8H+ztwBVKl/Nci0oRAqXUAKDQC0xckF50n0jUK/uv8/7snjWMOACfeZdy
zmK4VYAN93/uC+vRVj8gzmE=
=wjKj
-----END PGP SIGNATURE-----

Relevant Pages

  • Newsman Pro 2.6 Released
    ... Fixed a bug in the MySQL database components that caused ... Added a timer to the hints in the Connections view to ... Optimized the "Get Headers By Date" search algorithm ... Fixed a bug in the Filter Builder that prevented the ...
    (news.software.readers)
  • Re: D-Link 604 Router
    ... > I can filter outbound connections using URL filtering using something ... > firewall software or hardware and no router, ...
    (comp.security.firewalls)
  • Re: IPlate question
    ... since it is just an inductor in the ring wire... ... You'd be better off fitting a faceplate filter, ... output connections on the back, ... And you can't fit an IPlate together with a faceplate filter. ...
    (uk.telecom.broadband)
  • Re: How to "release" a Web part connection filter by code
    ... item from the archive Web Part both Web Part connections will be applied. ... > Desired result is to have a grouped by creation date view at "Grouped ... > WP the second WP connection fires and applies the second filter ... > attached a compressed image of the site to give anybody a glue. ...
    (microsoft.public.sharepoint.windowsservices)
  • Re: Using Query Strings in FP2003 & Sharepoint
    ... Thanks John for the quick and thorough answer. ... I had thought about connecting Web Parts and now that you have recommended ... > Using Filter will actually be faster than Query Strings, ... > You could also use Web Part Connections, where you would have a Data View ...
    (microsoft.public.frontpage.programming)