IPTables issue

Hassnain Badami hrb_14 at hotmail.com
Thu Mar 15 10:42:42 UTC 2012


Dear all

Thank you so much for your replies. I have done some tests and here is an update on them:

1. This behaviour is present on all Windows and Linux machines on the network.
2. Yes, there is a Windows antivirus on the Windows PC. I have tried the download in both conditions, i.e. antivirus enabled and antivirus disabled, no joy. The Linux machine I used in the test has no antivirus.
3. There is no antivirus on the Ubuntu firewall box.
4. Yes, I have tried to download a file from the firewall box to the LAN box using scp. It downloads fine.
5. I tried to download files over the internet over HTTP, HTTPS and FTP; all have the same problem.
6. The building management has explained to me that the bandwidth router is just a bandwidth modulator that is being used to give us an 8 Mbps connection. It doesn't do any NAT or anything funny. So my firewall has an external IP. Additionally, this setup was working till last week (March 7) and all of a sudden it has stopped.
7. I don't think swapping the network card and patch cord in the Ubuntu box will do much, as my firewall can download files over the internet successfully and a LAN box can in turn download the file from the firewall successfully. That tells me that the network card ports are OK. I even tried putting an Ubuntu VM on another network, via a different network card port on the firewall, and still the same behaviour.
8. I observed something I have never seen before. I don't see any packets being dropped on the firewall eth5 port in the iptables log. I did a tcpdump and observed the same phenomenon. It appears to me that all of a sudden data packets stop coming into the network and as a result the download is rarely reset and the speed goes undefined as below. Mostly I think it keeps on waiting for more data but it never comes through. This is what I see on the console:

user at ophelia:~$ wget --no-cache http://download.oracle.com/otn-pub/java/jdk/7u3-b04/jdk-7u3-linux-x64.tar.gz
--2012-03-15 10:27:08--  http://download.oracle.com/otn-pub/java/jdk/7u3-b04/jdk-7u3-linux-x64.tar.gz
Resolving download.oracle.com... 92.122.127.242, 92.122.126.241
Connecting to download.oracle.com|92.122.127.242|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 81056556 (77M) [application/x-gzip]
Saving to: `jdk-7u3-linux-x64.tar.gz'

 2% [===>                                                                                                                                                                  ] 2,426,571   --.-K/s  eta 10m 0s

On Chrome it says Interrupted.

9. I think it's an issue with the NAT or maybe the bandwidth router. NAT because it's the only difference between a download happening on the firewall box and the download on a client. Maybe the ISP is doing deep packet inspection and disallowing NAT, but then why allow 2% of the download to complete? Bandwidth router maybe because once the download starts and it tries to take the full bandwidth, the router modulates it and crops all the packets, hence I see no packets on the firewall. But I can only make assumptions at this point in time.

Please let me know your thoughts on this, and once again thanks for your reply.

Hassnain.




> Date: Wed, 14 Mar 2012 17:10:34 -0400
> From: wayward4now at gmail.com
> To: ubuntu-users at lists.ubuntu.com
> Subject: Re: IPTables issue
> 
> On 03/14/2012 05:02 PM, Rashkae wrote:
> > On 03/14/2012 03:58 PM, Hassnain Badami wrote:
> >> Dear all
> >> I am learning IPTables and have been given a problem on our network to
> >> diagnose and solve.
> >> Our network infrastructure contains an internet provider line from
> >> Colt that feeds into a bandwidth router (provided by our building
> >> management) and then Ubuntu 10.04 box running iptables. This firewall
> >> is then connected to a switch and we run a local area network of
> >> around 20 computers (both Linux and windows).
> >> Our firewall has a certain set of rules enabled. When I try to
> >> download a file on the firewall itself everything seems fine. But when
> >> I try to download the same file from a windows box behind the
> >> firewall, it starts well, downloads up to 5 MB, but then interrupts or
> >> enormously slows down.
> >> To solve this problem I wrote a small script, first to clean my
> >> iptables rules and then to create a few rules that only allow basic
> >> configuration. The first script is
> >> Code:
> >> echo "Stopping firewall and allowing everyone..."
> >> iptables -F
> >> iptables -X
> >> iptables -t nat -F
> >> iptables -t nat -X
> >> iptables -t mangle -F
> >> iptables -t mangle -X
> >> iptables -P INPUT ACCEPT
> >> iptables -P FORWARD ACCEPT
> >> iptables -P OUTPUT ACCEPT
> >> The second script only allows for basic rules to be setup and is as
> >> follows (eth0 is lan and eth5 is WAN)
> >> Code:
> >> iptables -A FORWARD -i eth0 -o eth5 -j ACCEPT
> >> iptables -t nat -A POSTROUTING -o eth5 -j MASQUERADE
> >> iptables -A FORWARD -i eth5 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> >> Using the 2nd script I can browse fine, but any downloads on the lan
> >> box again slow down or interrupt.
> >>
> >
> > An interesting puzzle indeed. Further to compdoc's questions, have you
> > tried downloading a file directly from your firewall box to the lan
> > clients? (might have to install an ftp server on the firewall to test.)
> > What protocol(s) have you tested that trigger this error with downloads?
> > (http, https, ftp, etc.)
> >
> >  From reading your description, I get the feeling that the 'Bandwidth'
> > router is itself a NAT device, and therefore your firewall has a
> > non-routable IP address for eth5 (usually in the 10.x.x.x or 192.168.x.x
> > range.) Can you confirm this? It would be important in that kind of
> > setup that your eth0 be in a different subnet entirely.
> 
> 
> This may or might not be relevant, but with my HughesNet sat setup, if I 
> download something already compressed, the built-in compression feature 
> to the HughesNet modem kills it. I have to decommission that feature to 
> download java applets that are pre-compressed. Weird. It took a while to 
> find it. Hughes techs suggest it is a feature and that my software is at 
> fault. Go figure. I just want the damn thing to bring content from "out 
> there" to "right here". The modem gets in the way. Your problem might 
> prove to be just as weird and obscure. Ric
> 
> 
> 
> -- 
> My father, Victor Moore (Vic) used to say:
> "There are two Great Sins in the world...
> ..the Sin of Ignorance, and the Sin of Stupidity.
> Only the former may be overcome." R.I.P. Dad.
> http://linuxcounter.net/user/44256.html
> 
> -- 
> ubuntu-users mailing list
> ubuntu-users at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
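The two scripts quoted in the original post (flush everything, then MASQUERADE plus a FORWARD rule pair) combined into one gateway ruleset, as an added example that is not from anyone in this thread. It keeps the thread's interface names (eth0 = LAN, eth5 = WAN) but assumes a LAN address range, uses a default-deny FORWARD policy with a rate-limited LOG rule so that "no drops in the iptables log" actually means something, and adds an MSS clamp on forwarded SYNs, a companion rule commonly used on NAT gateways that the thread itself does not mention. Run it as `sh gw.sh dry-run` to print the rules, `sh gw.sh apply` (as root) to install them.

```shell
#!/bin/sh
# Added example, not the poster's scripts. Interface names come from the
# thread; LAN_NET is an assumed address range.
LAN=eth0
WAN=eth5
LAN_NET=192.168.1.0/24
# IPT is the command to run; "echo iptables" prints rules instead of
# applying them (dry run, no root needed).
IPT="${IPT:-iptables}"

flush_all() {
  # Equivalent of the first quoted script: empty every table, open policies.
  for t in filter nat mangle; do
    $IPT -t $t -F
    $IPT -t $t -X
  done
  $IPT -P INPUT ACCEPT
  $IPT -P FORWARD ACCEPT
  $IPT -P OUTPUT ACCEPT
}

apply_rules() {
  flush_all
  # Default-deny forwarding: anything not explicitly allowed below is
  # logged and dropped instead of silently accepted.
  $IPT -P FORWARD DROP
  # Never forward packets conntrack cannot tie to a known connection.
  $IPT -A FORWARD -m state --state INVALID -j DROP
  # Replies from the Internet to connections the LAN initiated.
  $IPT -A FORWARD -i $WAN -o $LAN -m state --state RELATED,ESTABLISHED -j ACCEPT
  # Outbound traffic only from the LAN range (blocks spoofed sources).
  $IPT -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
  # Clamp TCP MSS on forwarded SYNs so hosts behind the gateway do not
  # depend on ICMP "fragmentation needed" reaching them (common NAT
  # gateway companion rule; not mentioned in the thread).
  $IPT -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  # Source NAT for everything leaving the WAN interface.
  $IPT -t nat -A POSTROUTING -o $WAN -j MASQUERADE
  # Rate-limited log of whatever falls through to the DROP policy.
  $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

case "${1:-}" in
  apply)   apply_rules ;;
  dry-run) IPT="echo iptables"; apply_rules ;;
esac
```

Dropped forwards then show up in the kernel log with the FWD-DROP prefix, which is the first thing to check before blaming the upstream router.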