Ric Moore wayward4now at gmail.com
Wed Mar 14 21:10:34 UTC 2012

On 03/14/2012 05:02 PM, Rashkae wrote:
> On 03/14/2012 03:58 PM, Hassnain Badami wrote:
>> Dear all
>> I am learning IPTables and have been given a problem on our network to
>> diagnose and solve.
>> Our network infrastructure contains an internet provider line from
>> Colt that feeds into a bandwidth router (provided by our building
>> management) and then Ubuntu 10.04 box running iptables. This firewall
>> is then connected to a switch and we run a local area network of
>> around 20 computers (both Linux and windows).
>> Our firewall has a certain set of rules enabled. When I try to
>> download a file on the firewall itself everything seems fine. But when
>> I try to download the same file from a windows box behind the
>> firewall, it starts well, downloads up to 5 MB, but then interrupts or
>> enormously slows down.
>> To solve this problem I wrote a small script, first to clean my
>> iptables rules and then to create a few rules that only allow basic
>> configuration. The first script is
>> Code:
>> echo "Stopping firewall and allowing everyone..."
>> iptables -F
>> iptables -X
>> iptables -t nat -F
>> iptables -t nat -X
>> iptables -t mangle -F
>> iptables -t mangle -X
>> iptables -P INPUT ACCEPT
>> iptables -P FORWARD
>> The second script only allows for basic rules to be setup and is as
>> follows (eth0 is lan and eth5 is WAN)
>> Code:
>> iptables -A FORWARD -i eth0 -o eth5 -j ACCEPT
>> iptables -t nat -A POSTROUTING -o eth5 -j MASQUERADE
>> iptables -A FORWARD -i eth5 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
>> Using the 2nd script I can browse fine, but any downloads on the lan
>> box again slow down or interrupt.
> An interesting puzzle indeed. Further to compdoc's questions, have you
> tried downloading a file directly from your firewall box to the lan
> clients? (might have to install an ftp server on the firewall to test.)
> What protocol(s) have you tested that trigger this error with downloads?
> (http, https, ftp, etc.)
> From reading your description, I get the feeling that the 'Bandwidth'
> router is itself a NAT device, and therefore your firewall has a
> non-routable IP address for eth5 (usually in the 10.x.x.x or 192.168.x.x
> range.) Can you confirm this? It would be important in that kind of
> setup that your eth0 be in a different subnet entirely.

This may or might not be relevant, but with my HughesNet sat setup, if I 
download something already compressed, the built-in compression feature 
to the HughesNet Modem kills it. I have to decommission that feature to 
download java applets that are pre-compressed. Weird. It took a while to 
find it. Hughes techs suggest it is a feature and that my software is at 
fault. Go figure. I just want the damn thing to bring content from "out 
there" to "right here". The modem gets in the way. Your problem might 
prove to be just as weird and obscure. Ric