Gentoo Forums
Connection through iptables NAT keeps disconnecting
kamracik
Apprentice


Joined: 01 Apr 2006
Posts: 219
Location: Poland->Lodz

PostPosted: Tue Dec 06, 2011 12:07 pm    Post subject: Connection through iptables NAT keeps disconnecting

Hello,


I have a problem with iptables NAT, with which the host gives internet access to the guest (virtual server).

Got rules like:
*nat
-A PREROUTING -d 10.0.2.41 -j DNAT --to-destination 179.16.15.2
-A POSTROUTING -s 179.16.15.0/24 -j SNAT --to-source 10.0.2.41
*filter
-A INPUT -i tap0 -s 179.16.15.0/24 -d 10.0.0.0/8 -j DROP
-A INPUT -i tap0 -s 179.16.15.0/24 -d 179.16.15.1 -j DROP
-A INPUT -i tap0 -s 179.16.15.0/24 -j ACCEPT
-A INPUT -d 179.16.15.2 -j ACCEPT

The NAT is between the virtual interface eth1:1 and tap0; don't ask why, but it works
that way. I have also tried it with physical interfaces, with the same results.

Everything is working except that I get disconnected from the guest console (ssh) after long output, such as links, ls -lha or even mc.
Occasionally I can use long output, but rarely.

syslog and dmesg are clean; similarly, tcpdump shows nothing.

I found the same problem here:
http://serverfault.com/questions/255183/iptables-forwarding-frequently-disconnecting/338093#338093
but without a solution.
chiefbag
Guru


Joined: 01 Oct 2010
Posts: 542
Location: The Kingdom

PostPosted: Tue Dec 06, 2011 12:53 pm    Post subject:

Try the following setting on the client machine.

Code:
vi /etc/ssh/sshd_config

Code:
 ClientAliveInterval 60
Hu
Moderator


Joined: 06 Mar 2007
Posts: 15969

PostPosted: Wed Dec 07, 2011 3:33 am    Post subject:

Please post the output of iptables-save -c ; /sbin/ip a; /sbin/ip r from the host and guest.
kamracik
Apprentice


Joined: 01 Apr 2006
Posts: 219
Location: Poland->Lodz

PostPosted: Wed Dec 07, 2011 9:38 am    Post subject:

The traffic flow looks like this:
Host dedicated virtual interface 10.0.2.41/24
Host tap interface 179.16.15.1/24
Guest interface 179.16.15.2/24

->10.0.2.41->179.16.15.2

Iptables rules from the host; for the purpose of this problem the guest doesn't have any kind of ruleset.
Below I changed the ports to 1234 for security reasons and masked the IPs not relevant to the problem, with descriptions in comments.
Code:

# Generated by iptables-save v1.3.5 on Wed Dec  7 10:11:34 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4203:328045]
:RH-Firewall-1-INPUT - [0:0]
[5544:973592] -A INPUT -j RH-Firewall-1-INPUT
[95135:76772406] -A FORWARD -j RH-Firewall-1-INPUT
[1675:96632] -A RH-Firewall-1-INPUT -i lo -j ACCEPT
[0:0] -A RH-Firewall-1-INPUT -s 179.16.15.0/255.255.255.0 -d some.local.network.0/255.0.0.0 -i tap0 -j DROP
[0:0] -A RH-Firewall-1-INPUT -s 179.16.15.0/255.255.255.0 -d some.another.local.network/255.255.255.0 -i tap0 -j DROP
[6:360] -A RH-Firewall-1-INPUT -s 179.16.15.0/255.255.255.0 -d 179.16.15.1 -i tap0 -j DROP
[0:0] -A RH-Firewall-1-INPUT -s 179.16.15.0/255.255.255.0 -d ext.ernal.public.ip -i tap0 -j ACCEPT
[0:0] -A RH-Firewall-1-INPUT -s 179.16.15.0/255.255.255.0 -d external.restricted.public.network/255.255.255.some -i tap0 -j DROP  #same network as allowed IP above
[36012:2831929] -A RH-Firewall-1-INPUT -s 179.16.15.0/255.255.255.0 -i tap0 -j ACCEPT
[59123:73940477] -A RH-Firewall-1-INPUT -d 179.16.15.2 -j ACCEPT
[0:0] -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
[0:0] -A RH-Firewall-1-INPUT -p esp -j ACCEPT
[0:0] -A RH-Firewall-1-INPUT -p ah -j ACCEPT
[0:0] -A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 1234 -j ACCEPT
[0:0] -A RH-Firewall-1-INPUT -p udp -m udp --dport 1234 -j ACCEPT
[0:0] -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1234 -j ACCEPT
[2619:836676] -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[4:244] -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
[0:0] -A RH-Firewall-1-INPUT -s some.lo.cal.ip -p tcp -m state --state NEW -m tcp --dport 1234 -j ACCEPT  #Few exacly like this rules
[1240:39680] -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Dec  7 10:11:34 2011
# Generated by iptables-save v1.3.5 on Wed Dec  7 10:11:34 2011
*nat
:PREROUTING ACCEPT [503664:120975436]
:POSTROUTING ACCEPT [2568:135733]
:OUTPUT ACCEPT [2068:107075]
[505:28910] -A PREROUTING -d 10.0.2.41 -j DNAT --to-destination 179.16.15.2
[1440:111042] -A POSTROUTING -s 179.16.15.0/255.255.255.0 -j SNAT --to-source 10.0.2.41
COMMIT
# Completed on Wed Dec  7 10:11:34 2011
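The symptom described in this thread (interactive ssh works, the session drops right after a burst of output, nothing in the logs or in tcpdump) is what a path-MTU blackhole between tap0 and the host's uplink looks like, so the check a practitioner would make before touching ssh keepalives is to compare the MTUs on both sides of the NAT and measure the path MTU. The script below is an added example, not code from this thread and not the thread's resolution: it probes the path MTU with DF-marked pings, computes the matching TCP MSS, and emits a complete hypothetical iptables-restore ruleset for the topology kamracik describes. The addresses come from the thread; the interface name tap0, the MSS clamp in the mangle table, a separate FORWARD chain instead of the poster's jump from FORWARD into RH-Firewall-1-INPUT, and a DNAT limited to TCP/22 are all my assumptions. Run it with no arguments to print the ruleset, with "probe <host>" to measure the path MTU to a host, or with "apply" as root to load it.

```shell
#!/bin/sh
# Added example for the NAT topology in the thread (not the poster's ruleset and not the
# thread's solution). Addresses are the ones the thread gives; everything else is assumed.
HOST_IP="10.0.2.41"         # host address that is DNATed to the guest
GUEST_NET="179.16.15.0/24"  # network behind tap0
GUEST_IP="179.16.15.2"
TAP_IF="tap0"               # assumed interface name

# TCP MSS that fits an IPv4 MTU: 20 bytes IPv4 header + 20 bytes TCP header.
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# Largest MTU that reaches $1 without fragmentation, found by sending DF-marked pings
# (Linux iputils: -M do) and stepping the payload down; 28 = IPv4 + ICMP header.
# Compare the result with the MTU of tap0 and of the uplink (ip link show <if>).
probe_pmtu() {
    target="$1"
    size=1472
    while [ "$size" -gt 500 ]; do
        if ping -M do -c 1 -W 1 -s "$size" "$target" >/dev/null 2>&1; then
            echo $(( size + 28 ))
            return 0
        fi
        size=$(( size - 8 ))
    done
    return 1
}

# Complete iptables-restore input. Compared with the poster's rules: MSS is clamped to the
# path MTU on forwarded SYNs (assumed mitigation for the symptom), FORWARD has its own
# chain instead of reusing the INPUT chain, and only TCP/22 is DNATed to the guest
# (assumed to be the only service the guest exposes).
ruleset() {
    cat <<EOF
*mangle
:FORWARD ACCEPT [0:0]
-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d $HOST_IP -p tcp --dport 22 -j DNAT --to-destination $GUEST_IP
-A POSTROUTING -s $GUEST_NET -j SNAT --to-source $HOST_IP
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# host's own INPUT policy (ssh, icmp, REJECT tail) omitted; keep the poster's rules there
-A INPUT -i $TAP_IF -s $GUEST_NET -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $TAP_IF -s $GUEST_NET -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $TAP_IF -s $GUEST_NET -d 10.0.0.0/8 -j DROP
-A FORWARD -i $TAP_IF -s $GUEST_NET -j ACCEPT
-A FORWARD -p tcp -d $GUEST_IP --dport 22 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

case "${1:-print}" in
    probe) probe_pmtu "$2" || { echo "no reply from $2 at any size" >&2; exit 1; } ;;
    apply) [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; exit 1; }
           ruleset | iptables-restore ;;
    *)     ruleset ;;
esac
```

If probe reports a path MTU smaller than the tap0 MTU, either lower the tap0 MTU on both ends to that value or keep the TCPMSS clamp; the clamp only helps TCP, so a too-large MTU on the tap still breaks large UDP and ICMP. Two things in the poster's ruleset that are unrelated to the disconnects but that a reviewer would flag: the PREROUTING rule DNATs every port on 10.0.2.41 to the guest, and because FORWARD jumps into RH-Firewall-1-INPUT, the rule "-d 179.16.15.2 -j ACCEPT" admits any forwarded traffic to the guest; the example narrows both to the ssh port.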