Re: 2 nics and traffic delayed/lost on LAN
I think it's probably best to open a bug in Launchpad so we can gather all the information in one place. In addition to the firewall rules (are there any NAT rules, btw?) the output of 'netstat -nr' and 'brctl show' and the network info on the internal guest you are sshing to would be helpful. (The delay when sshing to an internal host appears the most diagnosable specific thing.)

-serge

Quoting Kim Emax (kime...@gmail.com):
> Hello
>
> I've written this post to the netfilter group and have been asked to mail this list instead, as people think it might be an Ubuntu specific issue, since the rules look fine and it used to work but hasn't on 12.04, 11.10 and 11.04.
>
> Anyone got a clue on the problem or/and a suggestion to a solution?
>
> Kind regards
> Kim
>
> __
>
> Hello
>
> I have two nics and a DHCP server on my server (192.168.0.1), which iptables controlled fine for years, but when I got a new job and switched to a new server + started working through VPN I saw some problems.
>
> I'm having issues with the VPN, I can sit for like 10 minutes and try to make a proper connection with Cisco's AnyConnect against the company network, getting all kinds of responses, often not even a connect prompt. The local firewall has been disabled on this PC (192.168.0.132). If I plug this PC straight to the WAN instead of the server, VPN works fine and fast.
>
> It seems that the traffic on my internal network somehow is being delayed, for instance SSH, I can wait for 30 seconds before the keystrokes are shown on the screen. I don't recall that was an issue before the VPN issue appeared. Also there seems to be some package loss, sending 10 packages from the company PC at home to the server/gateway results in package loss from 10 to 40%.
>
> Anyone got an idea for this? I've been trying to figure out the problem for some time now and thought I had solved it some months ago, but apparently not.
2 nics and traffic delayed/lost on LAN
Hello

I've written this post to the netfilter group and have been asked to mail this list instead, as people think it might be an Ubuntu specific issue, since the rules look fine and it used to work but hasn't on 12.04, 11.10 and 11.04.

Anyone got a clue on the problem or/and a suggestion to a solution?

Kind regards
Kim

__

Hello

I have two nics and a DHCP server on my server (192.168.0.1), which iptables controlled fine for years, but when I got a new job and switched to a new server + started working through VPN I saw some problems.

I'm having issues with the VPN, I can sit for like 10 minutes and try to make a proper connection with Cisco's AnyConnect against the company network, getting all kinds of responses, often not even a connect prompt. The local firewall has been disabled on this PC (192.168.0.132). If I plug this PC straight to the WAN instead of the server, VPN works fine and fast.

It seems that the traffic on my internal network somehow is being delayed, for instance SSH, I can wait for 30 seconds before the keystrokes are shown on the screen. I don't recall that was an issue before the VPN issue appeared. Also there seems to be some package loss, sending 10 packages from the company PC at home to the server/gateway results in package loss from 10 to 40%.

Anyone got an idea for this? I've been trying to figure out the problem for some time now and thought I had solved it some months ago, but apparently not.
WAN is connected to eth0 and LAN to eth1
LAN is 192.168.0.0/24

chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in   out source          destination
    0     0 ACCEPT all  --  lo   *   0.0.0.0/0       0.0.0.0/0
    0     0 LOG    tcp  --  eth0 *   0.0.0.0/0       0.0.0.0/0       tcp dpt:22 state NEW recent: SET name: SSH side: source LOG flags 0 level 7 prefix iptables denied SSH:
    0     0 DROP   tcp  --  eth0 *   0.0.0.0/0       0.0.0.0/0       tcp dpt:22 state NEW recent: UPDATE seconds: 60 hit_count: 3 TTL-Match name: SSH side: source
    0     0 DROP   all  --  eth0 *   83.133.227.121  0.0.0.0/0
    0     0 DROP   all  --  eth0 *   82.96.90.170    0.0.0.0/0
    0     0 DROP   all  --  eth0 *   93.159.16.170   0.0.0.0/0
   22  7257 ACCEPT all  --  eth0 *   0.0.0.0/0       0.0.0.0/0       state RELATED,ESTABLISHED
    0     0 ACCEPT all  --  eth1 *   0.0.0.0/0       0.0.0.0/0       state RELATED,ESTABLISHED
    0     0 ACCEPT tcp  --  *    *   0.0.0.0/0       0.0.0.0/0       state NEW multiport dports 20,21,22
    0     0 ACCEPT tcp  --  eth0 *   0.0.0.0/0       0.0.0.0/0       multiport dports 22,80,4000,8080
    8  3134 ACCEPT all  --  eth1 *   192.168.0.0/24  0.0.0.0/0
    0     0 ACCEPT tcp  --  *    *   212.97.132.102  0.0.0.0/0       tcp dpt:3306
    0     0 ACCEPT udp  --  eth1 *   0.0.0.0/0       0.0.0.0/0       udp spt:68 dpt:67
    0     0 ACCEPT udp  --  eth0 *   0.0.0.0/0       0.0.0.0/0       udp spt:67 dpt:68
    0     0 ACCEPT tcp  --  eth1 *   0.0.0.0/0       0.0.0.0/0       tcp dpt:80
    0     0 ACCEPT tcp  --  eth1 *   0.0.0.0/0       0.0.0.0/0       tcp dpt:8080
    0     0 ACCEPT tcp  --  eth0 *   0.0.0.0/0       0.0.0.0/0       tcp dpt:443
    0     0 ACCEPT udp  --  eth0 *   0.0.0.0/0       0.0.0.0/0       udp dpt:443
    0     0 ACCEPT tcp  --  eth1 *   0.0.0.0/0       0.0.0.0/0       tcp dpt:443
    0     0 ACCEPT udp  --  eth1 *   0.0.0.0/0       0.0.0.0/0       udp dpt:443
    0     0 ACCEPT tcp  --  eth0 *   0.0.0.0/0       0.0.0.0/0       tcp dpts:6891:6901
    0     0 ACCEPT udp  --  eth0 *   0.0.0.0/0       0.0.0.0/0       udp dpts:6891:6901
    0     0 ACCEPT icmp --  *    *   0.0.0.0/0       0.0.0.0/0
    0     0 ACCEPT tcp  --  eth1 *   192.168.0.0/24  192.168.0.0/24  tcp spts:1024:65535 dpt:139
    0     0 ACCEPT tcp  --  eth1 *   192.168.0.0/24  192.168.0.0/24  tcp spts:1024:65535 dpt:445
    0     0 ACCEPT udp  --  eth1 *   192.168.0.0/24  192.168.0.0/24  udp spts:1024:65535 dpts:137:138
    0     0 ACCEPT udp  --  eth1 *   192.168.0.0/24  192.168.0.0/24  udp spts:137:138 dpts:137:138
    0     0 ACCEPT tcp  --  eth1 *   192.168.0.0/24  192.168.0.0/24  tcp spt:139 dpt:139
    0     0 ACCEPT tcp  --  eth1 *   192.168.0.0/24  192.168.0.0/24  tcp spt:445 dpt:445

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in   out source          destination
    0     0 ACCEPT all  --  *    *   0.0.0.0/0       0.0.0.0/0       state RELATED,ESTABLISHED
    0     0 ACCEPT all  --  *    *   192.168.0.0/24  0.0.0.0/0
    0     0 REJECT all  --  *    *   0.0.0.0/0       0.0.0.0/0       reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 9 packets, 630 bytes)
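
An added example, not part of either message in this thread: a small Python review of a listing in the column order shown above, reporting which rules have non-zero packet counters and which rules can never match because an earlier, broader rule already decides the packet. The sample is a subset of the posted INPUT chain with whitespace normalised; the function names are this example's own.

```python
import ipaddress
# Constructed sample: six INPUT rules taken from the listing in the post, whitespace
# normalised. Assumption of this example: no negated ("!") addresses or interfaces.
LISTING = """\
22 7257 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
8 3134 ACCEPT all -- eth1 * 192.168.0.0/24 0.0.0.0/0
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- eth1 * 192.168.0.0/24 192.168.0.0/24 tcp spts:1024:65535 dpt:139
0 0 ACCEPT udp -- eth1 * 192.168.0.0/24 192.168.0.0/24 udp spts:137:138 dpts:137:138
"""
FIELDS = ("pkts", "bytes", "target", "prot", "opt", "in", "out", "src", "dst")
TERMINAL = {"ACCEPT", "DROP", "REJECT"}  # targets that end chain traversal

def parse(listing):
    """One dict per rule line; everything after 'destination' is kept as 'extra'."""
    rules = []
    for line in listing.splitlines():
        parts = line.split(None, len(FIELDS))
        if len(parts) < len(FIELDS) or not parts[0][0].isdigit():
            continue  # chain headers, column headers, blank lines
        rule = dict(zip(FIELDS, parts))
        rule["extra"] = " ".join(parts[len(FIELDS):])
        rules.append(rule)
    return rules

def covers(a, b):
    """True if rule a matches every packet rule b matches (a has no extra matches)."""
    net = ipaddress.ip_network
    return (a["extra"] == "" and a["prot"] in ("all", b["prot"])
            and a["in"] in ("*", b["in"]) and a["out"] in ("*", b["out"])
            and net(b["src"]).subnet_of(net(a["src"]))
            and net(b["dst"]).subnet_of(net(a["dst"])))

def shadowed(rules):
    """(later_index, earlier_index) pairs where the later rule is unreachable."""
    hits = []
    for j, later in enumerate(rules):
        for i, earlier in enumerate(rules[:j]):
            if earlier["target"] in TERMINAL and covers(earlier, later):
                hits.append((j, i))
                break
    return hits

def active(rules):  # indexes of rules whose packet counter is non-zero
    return [i for i, r in enumerate(rules) if r["pkts"] != "0"]

if __name__ == "__main__":
    rules = parse(LISTING)
    print("rules with hits:", active(rules), "shadowed:", shadowed(rules))
```

The check is deliberately conservative: an earlier rule only counts as covering a later one when it has no match options of its own, so rules with `state`, `recent` or port matches are never reported as shadowing anything.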