<html> <head> <style></style></head> <body class='hmmessage'><div dir='ltr'> Hi all Further to this issue I can download a big file on the firewall box, no problem, and then I can download the same file from the firewall box using scp and ftp again no problem. In order to rule out the firewall hardware issue totally, i did set up another box with the same iptables code and I see the same behaviour, the client unable to download large files. The browsing works fine though. The big file download stops abruptly after downloading few MBs of data. I have also tried to use another firewall (non iptables based) on the same connection and it works fine, hence I think its not an isp or a provider issue. Can iptables or the kernel be the culprit here? May be some packets are being sent out that instruct the source site to stop packet transfer. As say this because I ran tcpdump on the firewall and saw that after a few packets there are no data packets passing between the client and the server. To test I have used 3 browsers, IE, firefox, chrome and also used wget on another linux terminal in my LAN. I am very confused about this behaviour. How should I go towards a solution, please advise. thanks Hass. <div><div id="SkyDrivePlaceholder"></div><hr id="stopSpelling">From: hrb_14@hotmail.com To: ubuntu-users@lists.ubuntu.com Subject: RE: IPTables issue Date: Thu, 15 Mar 2012 10:42:42 +0000 <meta http-equiv="Content-Type" content="text/html; charset=unicode"> <meta name="Generator" content="Microsoft SafeHTML"> <style> .ExternalClass .ecxhmmessage P {padding:0px;} .ExternalClass body.ecxhmmessage {font-size:10pt;font-family:Tahoma;} </style> <div dir="ltr"> Dear all Thank you so much for your replies. I have done some tests and here is an update on them: 1. This behaviour is present on all windows and linux machines on the network. 2. Yes there is a windows anti virus on the windows pc. I have tried the download in both conditions ie anti virus enabled and anti virus disabled, no joy. The linux machine I used in the test has no anti virus. 3. There is no antivirus on the ubuntu firewall box. 4. Yes I have tried to download a file from the firewall box to the lan box using scp. It downloads fine. 5. I tried to download files over the internet over http, https and ftp, all have the same problem. 6. The building management has explained to me that the bandwidth router is just a bandwidth modulator that is being used to give us 8 Mbps connection. It doesnt do any NAT or anything funny. So my firewall has an external IP. Additionally this setup was working till last week (March 7) and all of a sudden it has stopped. 7. I dont think swapping the network card and patch cord in the UBuntu box will do much as my firewall can download files well over the internet successfully and a lan box can in turn download the file from the firewall successfully. That tells me that network card ports are OK. I even tried putting an ubuntu VM on another network, via a different network card port on the firewall and still the same behaviour. 8. I observed something I have never seen before. I dont see any packets being dropped on the firewall eth5 port in iptables log. I did tcp dump and observed the same phenomena. It appears to me that all of a sudden data packets stop coming into the network and as a result the download is rarely reset and the speed goes undefined as below. Mostly I think it keeps on waiting for more data but it never comes through. This is what I see on the console user@ophelia:~$ wget --no-cache http://download.oracle.com/otn-pub/java/jdk/7u3-b04/jdk-7u3-linux-x64.tar.gz --2012-03-15 10:27:08-- http://download.oracle.com/otn-pub/java/jdk/7u3-b04/jdk-7u3-linux-x64.tar.gz Resolving download.oracle.com... 92.122.127.242, 92.122.126.241 Connecting to download.oracle.com|92.122.127.242|:80... connected. HTTP request sent, awaiting response... 200 OK Length: 81056556 (77M) [application/x-gzip] Saving to: `jdk-7u3-linux-x64.tar.gz' 2% [===> ] 2,426,571 --.-K/s eta 10m 0s On chrome it says Interrupted. 9. I think its an issue with the NAT or may be the bandwidth router. NAT because its the only difference between a download happening on the firewall box and the download on a client. May be the ISP is doing deep packet inspection and disallowing NAT but then why allow 2% of the download to complete. Bandwidth router may be because once the download starts and it tries to take the full bandwidth, the router modulates it and crops all the packets hence I see no packets on the firewall. But I can only make assumptions at this point in time. Please let me know your thoughts on this and once again thanks for your reply. Hassnain. <div><div id="ecxSkyDrivePlaceholder"></div>> Date: Wed, 14 Mar 2012 17:10:34 -0400 > From: wayward4now@gmail.com > To: ubuntu-users@lists.ubuntu.com > Subject: Re: IPTables issue > > On 03/14/2012 05:02 PM, Rashkae wrote: > > On 03/14/2012 03:58 PM, Hassnain Badami wrote: > >> Dear all > >> I am learning IPTables and have been given a problem on our network to > >> diagnose and solve. > >> Our network infrastructure contains an internet provider line from > >> Colt that feeds into a bandwidth router (provided by our building > >> management) and then Ubuntu 10.04 box running iptables. This firewall > >> is then connected to a switch and we run a local area network of > >> around 20 computers (both Linux and windows). > >> Our firewall has a certain set of rules enabled. When I try to > >> download a file on the firewall itself everything seems fine. But when > >> I try to download the same file from a windows box behind the > >> firewall, it starts well, downloads upto 5 MB, but then interrupts or > >> enormously slows down. > >> To solve this problem I wrote a small script, first to clean my > >> iptables rules and then to create a few rules that only allow basic > >> configuration. The first script is > >> Code:echo "Stopping firewall and allowing everyone..."iptables > >> -Fiptables -Xiptables -t nat -Fiptables -t nat -Xiptables -t mangle > >> -Fiptables -t mangle -Xiptables -P INPUT ACCEPTiptables -P FORWARD > >> ACCEPTiptables -P OUTPUT ACCEPT > >> The second script only allows for basic rules to be setup and is as > >> follows (eth0 is lan and eth5 is WAN) > >> Code:iptables -A FORWARD -i eth0 -o eth5 -j ACCEPTiptables -t nat -A > >> POSTROUTING -o eth5 -j MASQUERADEiptables -A FORWARD -i eth5 -o eth0 > >> -m state --state RELATED,ESTABLISHED -j ACCEPT > >> Using the 2nd script I can browse fine, but any downloads on the lan > >> box again slow down or interrupt. > >> > > > > An interesting puzzle indeed. Further to compdoc's questions, have you > > tried downloading a file directly from your firewall box to the lan > > clients? (might have to install an ftp server on the firewall to test. > > What protocol(s) have you tested that trigger this error with downloads? > > (http, https, ftp, etc.) > > > > From reading your description, I get the feeling that the 'Bandwidth' > > router is itself a NAT device, and therefore your firewall as a > > non-routable IP address for eth5 (usually in the 10.x.x.x or 192.168.x.x > > range.) Can you confirm this? It would be important in that kind of > > setup that your eth0 be in a different subnet entirely. > > > This may or might not be relevant, but with my HughesNet sat setup, if I > download something already compressed, the built-in compression feature > to the Hughsnet Modem kills it. I have to decommission that feature to > download java applets that are pre-compressed. Weird. It took awhile to > find it. Hughes techs suggest it is a feature and that my software is at > fault. Go figure. I just want the damn thing to bring content from "out > there" to "right here". The modem gets in the way. Your problem might > prove to be just as weird and obscure. Ric > > > > -- > My father, Victor Moore (Vic) used to say: > "There are two Great Sins in the world... > ..the Sin of Ignorance, and the Sin of Stupidity. > Only the former may be overcome." R.I.P. Dad. > http://linuxcounter.net/user/44256.html > > -- > ubuntu-users mailing list > ubuntu-users@lists.ubuntu.com > Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users </div> </div> -- ubuntu-users mailing list ubuntu-users@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users</div> </div></body> </html>