Hello Rami,

I think I have figured my problem out.

The ipchains howto says that in order for masquerading to work you have to
issue echo "1" > /proc/sys/net/ipv4/ip_always_defrag, which I do in my
firewall script.

For every new masqed connection this parameter is incremented by 1. If
the masqed connection is closed/timed out, this value is decremented by
1.

Now the problem arises when you re-initialise this ip_always_defrag
parameter to 1 while you already have some masq connections open. (For
example if you have a script to set your ipchains rules and this script also
happens to have the initialisation part like mine had. :( ) If the open
masqed connections time out, the ip_always_defrag value will be decremented
and at a certain time will become 0 and even go negative. If there's a
packet received by ipchains while this value is 0 it will not be passed by
your ipchains rule and you get a deny message as follows:

Jan 3 16:16:21 server kernel: Packet log: output DENY eth0 PROTO=6
x.x.x.x:65535 x.x.x.x:65535 L=48 S=0xE8 I=38264 F=0x40B2 T=127 SYN (#?)

In the ipchains howto there's some talk about fragmented packets on how they
can even crash your machine.  This is exactly what I also experienced.  My
linux would just hang at random times, shortly after I start receiving those
error messages.

The solution is not to change ip_always_defrag while masqed connections are
open, or to initialise it at a high value.

Regards,

Werner
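As an added example that is not part of this thread: a small sh guard for the firewall script, written on the assumption Werner describes above (the value in ip_always_defrag rises and falls with the number of masq connections), so a re-run of the script only writes the initial value when the counter is not in use. The sysctl path and the initial value are parameters (hypothetical names chosen here) so the logic can be tried against an ordinary file.

```shell
#!/bin/sh
# Added example, not code from the thread. Guards the
# "echo 1 > /proc/sys/net/ipv4/ip_always_defrag" step of a firewall script
# so it is not repeated while the 2.2.x masq code still accounts open
# connections in that counter. Default path is the real sysctl file; pass
# another path to test the logic without touching the kernel.

DEFRAG_DEFAULT=/proc/sys/net/ipv4/ip_always_defrag

# Print the counter's current value; 0 if the file is missing or empty.
defrag_value() {
    f="${1:-$DEFRAG_DEFAULT}"
    v=$(cat "$f" 2>/dev/null)
    echo "${v:-0}"
}

# Classify the counter:
#   unset    - 0, defragmentation never enabled (safe to initialise)
#   active   - >0, enabled and/or masq connections still counted in it
#   negative - <0, the broken state Werner describes (timeouts drove it
#              below zero after a script reset it to 1)
defrag_state() {
    v=$(defrag_value "$1")
    if [ "$v" -lt 0 ]; then
        echo negative
    elif [ "$v" -eq 0 ]; then
        echo unset
    else
        echo active
    fi
}

# Initialise the counter only when it is not in use. The second argument
# is the initial value (default 1); a larger value gives the headroom
# Werner mentions. Returns 0 if written, 1 if left alone.
enable_defrag() {
    f="${1:-$DEFRAG_DEFAULT}"
    base="${2:-1}"
    case $(defrag_state "$f") in
        active) return 1 ;;
        *)      echo "$base" > "$f" ;;
    esac
}

# Typical use in a firewall script (real sysctl path, initial value 16):
#   enable_defrag "$DEFRAG_DEFAULT" 16 || echo "ip_always_defrag left as is"
```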

-----Original Message-----
From: Rami AlZaid [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 05, 2001 5:57 PM
To: Brockhoven, Werner
Subject: Re: [Masq] IPCHAINS in kernel 2.2.18 functionality


I think I'm having the same problem. I use pppoe and 2.2.18 as well and 
after a day or two I can't connect to anything from the linux machine until 
I reboot. I am able to connect from the masqueraded machines normally 
though. I've had this problem since 2.2.17 but I'm not sure if it was from 
the kernel or not since I just used pppoe with 2.2.17 and 2.2.18.

Does anyone know what's going on?

At 05:02 AM 1/5/2001, you wrote:

>Hello all,
>
>Since I upgraded to kernel 2.2.18 (no fancy stuff except firewall and
>masquerading included) I've noticed the following behaviour/bug with
>ipchains/ipmasq.
>
>After the system has been rebooted there is no problem. After having run
>for about a day and depending on how much data has been transferred from the
>inside, I get lots of denied packets where it says that both src and dst
>port are 65535.
>
>Here's what a typical message looks like (reconstructed as I do not have
>access to my exact logs)
>
>messages:Jan 3 16:16:21 server kernel: Packet log: output DENY eth0 PROTO=6
>x.x.x.x:65535 x.x.x.x:65535 L=48 S=0x00 I=38264 F=0x40B2 T=127 SYN (#?)
>
>I also get these messages on my input chain, which are also being denied.
>Depending on the direction either source or destination ip is my external ip
>which is a ppp interface, connection via pppoe (adsl). The other ip is the
>server ip which can be a webserver, ftp server ...
>
>It's normal that these packets are denied as I do not allow access on those
>ports, but I do not understand who is sending these packets. I assume they
>are masq packets from inside, but when ipmasq reaches the highest port and
>has to start using the first available ports again it does not seem to do so
>very well.
>
>Has anybody seen the same behaviour or can give me any insight on what the
>problem could be?
>
>Here is the important part of my rules (reconstructed as I do not have
>access to my exact rules)
>

Rami AlZaid  <[EMAIL PROTECTED]>  *  ICQ # 1071118
WebPages: www.alzaid.com  *  www.kuwait.nu  *  www.wooyeah.com