ubuntu at tigershaunt.com
Wed Mar 14 21:02:33 UTC 2012
On 03/14/2012 03:58 PM, Hassnain Badami wrote:
> Dear all
> I am learning IPTables and have been given a problem on our network to diagnose and solve.
> Our network infrastructure contains an internet provider line from Colt that feeds into a bandwidth router (provided by our building management) and then an Ubuntu 10.04 box running iptables. This firewall is then connected to a switch and we run a local area network of around 20 computers (both Linux and Windows).
> Our firewall has a certain set of rules enabled. When I try to download a file on the firewall itself everything seems fine. But when I try to download the same file from a Windows box behind the firewall, it starts well, downloads up to 5 MB, but then interrupts or enormously slows down.
> To solve this problem I wrote a small script, first to clean my iptables rules and then to create a few rules that only allow basic configuration. The first script is
> Code:
> echo "Stopping firewall and allowing everyone..."
> # flush and delete all chains in the filter, nat and mangle tables
> iptables -F
> iptables -X
> iptables -t nat -F
> iptables -t nat -X
> iptables -t mangle -F
> iptables -t mangle -X
> # reset the default policies to ACCEPT
> iptables -P INPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -P OUTPUT ACCEPT
> The second script only allows for basic rules to be setup and is as follows (eth0 is lan and eth5 is WAN)
> Code:
> # forward LAN (eth0) traffic out to the WAN (eth5)
> iptables -A FORWARD -i eth0 -o eth5 -j ACCEPT
> # masquerade LAN sources behind the eth5 address
> iptables -t nat -A POSTROUTING -o eth5 -j MASQUERADE
> # only let replies to existing connections back in to the LAN
> iptables -A FORWARD -i eth5 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> Using the 2nd script I can browse fine, but any downloads on the lan box again slow down or interrupt.
An interesting puzzle indeed. Further to compdoc's questions, have you
tried downloading a file directly from your firewall box to the LAN
clients? (You might have to install an FTP server on the firewall to test.)
What protocol(s) have you tested that trigger this error with downloads?
(HTTP, HTTPS, FTP, etc.)
From reading your description, I get the feeling that the 'bandwidth'
router is itself a NAT device, and therefore your firewall has a
non-routable IP address on eth5 (usually in the 10.x.x.x or 192.168.x.x
range). Can you confirm this? It would be important in that kind of
setup that your eth0 be in a different subnet entirely.
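The reply asks two things that can be checked mechanically: whether eth5 holds a non-routable (RFC 1918) address, which would mean the bandwidth router is a second NAT, and whether eth0 shares a subnet with eth5. The following POSIX shell script is an added diagnostic helper, not code from this thread; it takes the two interface addresses in CIDR form (as printed by `ip -4 -o addr show dev eth5` and `... dev eth0`) and reports both conditions. Function names and the sample addresses are constructed.

```shell
#!/bin/sh
# Constructed NAT-layout check (not from the thread).
# Usage: sh nat_check.sh WAN_CIDR LAN_CIDR   e.g. 192.168.0.2/24 10.0.0.1/24
# Get the values with: ip -4 -o addr show dev eth5 ; ip -4 -o addr show dev eth0

# ip2int 192.168.1.10 -> prints the dotted-quad address as a 32-bit integer
ip2int() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# netmask 24 -> prints the 32-bit mask for a /24 (0xFFFFFF00)
netmask() {
    [ "$1" -eq 0 ] && { echo 0; return; }
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# is_private 10.1.2.3 -> exit 0 if the address is in 10/8, 172.16/12 or 192.168/16
is_private() {
    n=$(ip2int "$1")
    [ $(( n & $(netmask 8) ))  -eq "$(ip2int 10.0.0.0)" ]    && return 0
    [ $(( n & $(netmask 12) )) -eq "$(ip2int 172.16.0.0)" ]  && return 0
    [ $(( n & $(netmask 16) )) -eq "$(ip2int 192.168.0.0)" ] && return 0
    return 1
}

# cidr_overlap A/P B/Q -> exit 0 if the two networks share any address.
# Two prefixes overlap iff they agree under the shorter prefix's mask.
cidr_overlap() {
    a_ip=${1%/*}; a_len=${1#*/}
    b_ip=${2%/*}; b_len=${2#*/}
    if [ "$a_len" -le "$b_len" ]; then m=$(netmask "$a_len"); else m=$(netmask "$b_len"); fi
    [ $(( $(ip2int "$a_ip") & m )) -eq $(( $(ip2int "$b_ip") & m )) ]
}

# check_nat_layout WAN_CIDR LAN_CIDR -> prints findings; exit 0 unless the subnets collide
check_nat_layout() {
    rc=0
    if is_private "${1%/*}"; then
        echo "WAN $1 is RFC 1918: the upstream router is itself a NAT device (double NAT)"
    fi
    if cidr_overlap "$1" "$2"; then
        echo "LAN $2 overlaps WAN $1: move eth0 to a different subnet"; rc=1
    fi
    return $rc
}

if [ $# -eq 2 ]; then check_nat_layout "$1" "$2"; fi
```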