Help with an iptables problem (maybe SNAT?)
Dave Herrald
dave@fropa.com
Mon, 3 Dec 2001 11:49:12 -0700 (MST)
Hi all. First off, sorry for the long post, just trying to be thorough.
I recently inherited a network that uses an iptables firewall. Last week
I began experiencing a problem using SNAT to allow the internal desktops
to connect to the Internet. The symptom I have is that HTTP connections
to most web sites hang indefinitely.
Below, I've included the output from a tcpdump of one of the hanging
transactions. The client is privately addressed (10.10.21.70) and is
behind the firewall. The SNAT "to" address is xxx.yyy.zzz.80. If I'm
interpreting this right, the output shows that the connection begins
normally but after a few packets are received from the server, the server
seems to "start over" re-sending data that has already been acked.
Specifically see lines 20 and 21--the client is acking 4381 and the
server sends 1-1461 again which had been acked earlier in lines 13-14.
Then the two sides go back and forth for a while but no more data is
ever transferred.
If I put a laptop outside the firewall and give it a routable address I
can access all sites, including the Yahoo site featured in the tcpdump
below, just fine. Also, if I configure the internal browsers to use a
squid proxy that lives outside the firewall, everything works.
I tried to include all my configuration info below. This server also
runs LVS to do some load balancing so the LVS config is also included.
Please remember I inherited this network, I did not build it. I know
there are many things that can/should be done differently and they are
on my to-do list but I have to put out this fire first.
Any help is appreciated :-)
--Dave
#################################################
#
# tcpdump output of a "hung" HTTP connection
#
#################################################
1 08:24:03.424534 eth1 < 10.10.21.70.2388 > maps.vip.dcx.yahoo.com.http: S 3753411904:3753411904(0) win 5840 <mss 1460,sackOK,timestamp 38294599 0,nop,wscale 0> (DF)
2 08:24:03.424610 eth0 > xxx.yyy.zzz.80.2388 > maps.vip.dcx.yahoo.com.http: S 3753411904:3753411904(0) win 5840 <mss 1460,sackOK,timestamp 38294599 0,nop,wscale 0> (DF)
3 08:24:03.477198 eth0 < maps.vip.dcx.yahoo.com.http > xxx.yyy.zzz.80.2388: S 2180038608:2180038608(0) ack 3753411905 win 17520 <mss 1460> (DF)
4 08:24:03.477237 eth1 > maps.vip.dcx.yahoo.com.http > 10.10.21.70.2388: S 2180038608:2180038608(0) ack 3753411905 win 17520 <mss 1460> (DF)
5 08:24:03.477356 eth1 < 10.10.21.70.2388 > maps.vip.dcx.yahoo.com.http: . 1:1(0) ack 1 win 5840 (DF)
6 08:24:03.477388 eth0 > xxx.yyy.zzz.80.2388 > maps.vip.dcx.yahoo.com.http: . 1:1(0) ack 1 win 5840 (DF)
7 08:24:03.477600 eth1 < 10.10.21.70.2388 > maps.vip.dcx.yahoo.com.http: P 1:199(198) ack 1 win 5840 (DF)
8 08:24:03.477638 eth0 > xxx.yyy.zzz.80.2388 > maps.vip.dcx.yahoo.com.http: P 1:199(198) ack 1 win 5840 (DF)
9 08:24:03.533992 eth0 < maps.vip.dcx.yahoo.com.http > xxx.yyy.zzz.80.2388: . 1:1461(1460) ack 199 win 17520 (DF)
10 08:24:03.534025 eth1 > maps.vip.dcx.yahoo.com.http > 10.10.21.70.2388: . 1:1461(1460) ack 199 win 17520 (DF)
11 08:24:03.534248 eth0 < maps.vip.dcx.yahoo.com.http > xxx.yyy.zzz.80.2388: . 1461:2921(1460) ack 199 win 17520 (DF)
12 08:24:03.534284 eth1 > maps.vip.dcx.yahoo.com.http > 10.10.21.70.2388: . 1461:2921(1460) ack 199 win 17520 (DF)
13 08:24:03.534412 eth1 < 10.10.21.70.2388 > maps.vip.dcx.yahoo.com.http: . 199:199(0) ack 1461 win 8760 (DF)
14 08:24:03.534440 eth0 > xxx.yyy.zzz.80.2388 > maps.vip.dcx.yahoo.com.http: . 199:199(0) ack 1461 win 8760 (DF)
15 08:24:03.534757 eth0 < maps.vip.dcx.yahoo.com.http > xxx.yyy.zzz.80.2388: . 2921:4381(1460) ack 199 win 17520 (DF)
16 08:24:03.534792 eth1 > maps.vip.dcx.yahoo.com.http > 10.10.21.70.2388: . 2921:4381(1460) ack 199 win 17520 (DF)
17 08:24:03.534913 eth1 < 10.10.21.70.2388 > maps.vip.dcx.yahoo.com.http: . 199:199(0) ack 2921 win 11680 (DF)
18 08:24:03.534942 eth0 > xxx.yyy.zzz.80.2388 > maps.vip.dcx.yahoo.com.http: . 199:199(0) ack 2921 win 11680 (DF)
19 08:24:03.535411 eth1 < 10.10.21.70.2388 > maps.vip.dcx.yahoo.com.http: . 199:199(0) ack 4381 win 14600 (DF)
20 08:24:03.535443 eth0 > xxx.yyy.zzz.80.2388 > maps.vip.dcx.yahoo.com.http: . 199:199(0) ack 4381 win 14600 (DF)
21 08:24:04.526493 eth0 < maps.vip.dcx.yahoo.com.http > xxx.yyy.zzz.80.2388: . 1:1461(1460) ack 199 win 17520 (DF)
22 08:24:04.526525 eth1 > maps.vip.dcx.yahoo.com.http > 10.10.21.70.2388: . 1:1461(1460) ack 199 win 17520 (DF)
23 08:24:04.526906 eth1 < 10.10.21.70.2388 > maps.vip.dcx.yahoo.com.http: . 199:199(0) ack 4381 win 14600 (DF)
24 08:24:04.526942 eth0 > xxx.yyy.zzz.80.2388 > maps.vip.dcx.yahoo.com.http: . 199:199(0) ack 4381 win 14600 (DF)
25 08:24:06.526806 eth0 < maps.vip.dcx.yahoo.com.http > xxx.yyy.zzz.80.2388: . 1:1461(1460) ack 199 win 17520 (DF)
26 08:24:06.526850 eth1 > maps.vip.dcx.yahoo.com.http > 10.10.21.70.2388: . 1:1461(1460) ack 199 win 17520 (DF)
27 08:24:06.527239 eth1 < 10.10.21.70.2388 > maps.vip.dcx.yahoo.com.http: . 199:199(0) ack 4381 win 14600 (DF)
28 08:24:06.527277 eth0 > xxx.yyy.zzz.80.2388 > maps.vip.dcx.yahoo.com.http: . 199:199(0) ack 4381 win 14600 (DF)
29 08:24:06.743982 eth1 < 10.10.21.70.2388 > maps.vip.dcx.yahoo.com.http: F 199:199(0) ack 4381 win 14600 (DF)
30 08:24:06.744011 eth0 > xxx.yyy.zzz.80.2388 > maps.vip.dcx.yahoo.com.http: F 199:199(0) ack 4381 win 14600 (DF)
31 08:24:07.039906 eth1 < 10.10.21.70.2388 > maps.vip.dcx.yahoo.com.http: F 199:199(0) ack 4381 win 14600 (DF)
32 08:24:07.039941 eth0 > xxx.yyy.zzz.80.2388 > maps.vip.dcx.yahoo.com.http: F 199:199(0) ack 4381 win 14600 (DF)
33 08:24:07.639900 eth1 < 10.10.21.70.2388 > maps.vip.dcx.yahoo.com.http: F 199:199(0) ack 4381 win 14600 (DF)
34 08:24:07.639949 eth0 > xxx.yyy.zzz.80.2388 > maps.vip.dcx.yahoo.com.http: F 199:199(0) ack 4381 win 14600 (DF)
35 08:24:08.839884 eth1 < 10.10.21.70.2388 > maps.vip.dcx.yahoo.com.http: F 199:199(0) ack 4381 win 14600 (DF)
36 08:24:08.839922 eth0 > xxx.yyy.zzz.80.2388 > maps.vip.dcx.yahoo.com.http: F 199:199(0) ack 4381 win 14600 (DF)
##########################################
#
# Current iptables rules:
#
##########################################
[root@fw1 ipt-conf]# iptables -t filter -L --line -nv; iptables -t nat -L --line -nv;iptables -t mangle -L --line -nv
Chain INPUT (policy DROP 3 packets, 132 bytes)
num pkts bytes target prot opt in out source destination
1 3855 298K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
2 0 0 LOG all -f eth0 * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `IPT:FRAG '
3 0 0 DROP all -f eth0 * 0.0.0.0/0 0.0.0.0/0
4 339 251K ACCEPT all -- eth2 * 0.0.0.0/0 0.0.0.0/0
5 <sensitive rule removed>
6 0 0 ACCEPT all -- eth1 * 10.200.200.252 0.0.0.0/0
7 512 38908 ACCEPT all -- eth1 * 10.200.200.253 0.0.0.0/0
8 0 0 ACCEPT all -- eth1 * 10.200.200.254 0.0.0.0/0
9 31 2604 ACCEPT all -- eth0 * xxx.yyy.zzz.64/27 0.0.0.0/0
10 174 39235 ACCEPT all -- eth0 * 0.0.0.0/0 xxx.yyy.zzz.80
11 12 612 ACCEPT tcp -- eth1 * 10.200.200.0/24 0.0.0.0/0 tcp dpt:22
12 86 5248 ACCEPT tcp -- eth1 * 10.10.21.0/24 0.0.0.0/0 tcp dpt:22
13 106 6711 ACCEPT all -- eth1 * 10.10.21.70 0.0.0.0/0
14 0 0 ACCEPT icmp -- eth1 * 10.200.200.0/24 0.0.0.0/0
15 2 120 ACCEPT icmp -- eth1 * 10.10.21.0/24 0.0.0.0/0
16 0 0 ACCEPT udp -- eth1 * 10.200.200.0/24 0.0.0.0/0 udp dpt:694
17 4 480 ACCEPT udp -- eth1 * 10.200.200.4 0.0.0.0/0 udp dpt:161
18 0 0 ACCEPT tcp -- eth1 * 10.200.200.4 0.0.0.0/0 tcp dpt:617
19 178 10948 ACCEPT tcp -- eth1 * 10.200.200.0/24 0.0.0.0/0
20 0 0 ACCEPT tcp -- eth0 * mmm.nnn.ooo.ppp 0.0.0.0/0 tcp spt:53 state ESTABLISHED
21 0 0 ACCEPT udp -- eth0 * mmm.nnn.ooo.ppp 0.0.0.0/0 udp spt:53 state ESTABLISHED
22 0 0 ACCEPT tcp -- eth0 * mmm.nnn.ooo.ppp 0.0.0.0/0 tcp spt:53 state ESTABLISHED
23 0 0 ACCEPT udp -- eth0 * mmm.nnn.ooo.ppp 0.0.0.0/0 udp spt:53 state ESTABLISHED
24 0 0 ACCEPT tcp -- eth1 * 10.10.21.70 0.0.0.0/0 tcp spt:53 state ESTABLISHED
25 0 0 ACCEPT udp -- eth1 * 10.10.21.70 0.0.0.0/0 udp spt:53 state ESTABLISHED
26 0 0 ACCEPT tcp -- eth1 * 10.200.200.4 0.0.0.0/0 tcp spt:53 state ESTABLISHED
27 0 0 ACCEPT udp -- eth1 * 10.200.200.4 0.0.0.0/0 udp spt:53 state ESTABLISHED
28 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:25 state ESTABLISHED
29 0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp spt:25 state ESTABLISHED
30 15 969 ACCEPT tcp -- eth0 * 0.0.0.0/0 xxx.yyy.zzz.66 tcp dpt:80
31 35 3991 ACCEPT tcp -- eth0 * 0.0.0.0/0 xxx.yyy.zzz.66 tcp dpt:443
32 5 200 ACCEPT tcp -- eth0 * 0.0.0.0/0 xxx.yyy.zzz.67 tcp dpt:80
33 128 19010 ACCEPT tcp -- eth0 * 0.0.0.0/0 xxx.yyy.zzz.67 tcp dpt:443
34 0 0 ACCEPT tcp -- eth1 * 10.10.21.0/24 xxx.yyy.zzz.66 tcp dpt:80
35 0 0 ACCEPT tcp -- eth1 * 10.200.200.0/24 xxx.yyy.zzz.66 tcp dpt:80
36 0 0 ACCEPT tcp -- eth1 * 10.10.21.0/24 xxx.yyy.zzz.66 tcp dpt:443
37 0 0 ACCEPT tcp -- eth1 * 10.200.200.0/24 xxx.yyy.zzz.66 tcp dpt:443
38 0 0 ACCEPT tcp -- eth1 * 10.10.21.0/24 xxx.yyy.zzz.67 tcp dpt:80
39 0 0 ACCEPT tcp -- eth1 * 10.200.200.0/24 xxx.yyy.zzz.67 tcp dpt:80
40 0 0 ACCEPT tcp -- eth1 * 10.10.21.0/24 xxx.yyy.zzz.67 tcp dpt:443
41 0 0 ACCEPT tcp -- eth1 * 10.200.200.0/24 xxx.yyy.zzz.67 tcp dpt:443
42 1843 274K ACCEPT tcp -- eth1 * 10.10.21.0/24 10.200.200.169 tcp dpt:80
43 0 0 ACCEPT tcp -- eth1 * 10.200.200.0/24 10.200.200.169 tcp dpt:80
44 3 234 DROP udp -- eth1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:137
45 0 0 DROP udp -- eth1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:138
46 3 144 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `IPT:INPUT '
47 3 144 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 57 47996 ACCEPT tcp -- eth0 * 0.0.0.0/0 10.10.21.23 tcp dpt:25 state NEW,ESTABLISHED
2 39 2454 ACCEPT tcp -- eth1 * 10.10.21.23 0.0.0.0/0 tcp spt:25 state ESTABLISHED
3 0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 10.10.21.23 udp dpt:25 state NEW,ESTABLISHED
4 0 0 ACCEPT udp -- eth1 * 10.10.21.23 0.0.0.0/0 udp spt:25 state ESTABLISHED
5 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 10.10.21.23 tcp dpt:110 state NEW,ESTABLISHED
6 0 0 ACCEPT tcp -- eth1 * 10.10.21.23 0.0.0.0/0 tcp spt:110 state ESTABLISHED
7 0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 10.10.21.23 udp dpt:110 state NEW,ESTABLISHED
8 0 0 ACCEPT udp -- eth1 * 10.10.21.23 0.0.0.0/0 udp spt:110 state ESTABLISHED
9 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 10.10.21.24 tcp dpt:22 state NEW,ESTABLISHED
10 0 0 ACCEPT tcp -- eth1 * 10.10.21.24 0.0.0.0/0 tcp spt:22 state ESTABLISHED
11 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 10.200.200.4 tcp dpt:22 state NEW,ESTABLISHED
12 0 0 ACCEPT tcp -- eth1 * 10.200.200.4 0.0.0.0/0 tcp spt:22 state ESTABLISHED
13 322 69268 ACCEPT all -- eth1 eth0 10.200.200.0/24 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
14 60 8142 ACCEPT all -- eth0 eth1 0.0.0.0/0 10.200.200.0/24 state RELATED,ESTABLISHED
15 1362 158K ACCEPT all -- eth1 eth0 10.10.21.0/24 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
16 1369 665K ACCEPT all -- eth0 eth1 0.0.0.0/0 10.10.21.0/24 state RELATED,ESTABLISHED
17 0 0 ACCEPT all -- eth1 eth1 10.10.21.0/24 10.200.200.0/24 state NEW,RELATED,ESTABLISHED
18 3212 1813K ACCEPT all -- eth1 eth1 10.200.200.0/24 10.10.21.0/24 state NEW,RELATED,ESTABLISHED
19 0 0 ACCEPT icmp -- eth1 eth1 10.200.200.0/24 10.10.21.0/24 icmp type 3
20 0 0 ACCEPT icmp -- * * 0.0.0.0/0 10.10.21.70
21 0 0 ACCEPT icmp -- * * 10.10.21.70 0.0.0.0/0
22 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `IPT:FORWARD '
23 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 3855 298K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
2 338 250K ACCEPT all -- * eth2 0.0.0.0/0 0.0.0.0/0
3 <sensitive rule removed>
4 0 0 ACCEPT all -- * eth1 0.0.0.0/0 10.200.200.252
5 511 38840 ACCEPT all -- * eth1 0.0.0.0/0 10.200.200.253
6 0 0 ACCEPT all -- * eth1 0.0.0.0/0 10.200.200.254
7 31 2604 ACCEPT all -- * eth0 0.0.0.0/0 xxx.yyy.zzz.64/27
8 156 6240 ACCEPT all -- * eth0 xxx.yyy.zzz.80 0.0.0.0/0
9 94 24435 ACCEPT tcp -- * eth1 0.0.0.0/0 0.0.0.0/0 tcp spt:22
10 0 0 ACCEPT tcp -- * eth1 0.0.0.0/0 0.0.0.0/0 tcp spt:22
11 0 0 ACCEPT all -- * eth1 0.0.0.0/0 10.10.21.70
12 17 1938 ACCEPT icmp -- * eth1 0.0.0.0/0 10.200.200.0/24
13 2 120 ACCEPT icmp -- * eth1 0.0.0.0/0 10.10.21.0/24
14 0 0 ACCEPT udp -- * eth1 0.0.0.0/0 10.200.200.0/24 udp dpt:694
15 4 600 ACCEPT udp -- * eth1 0.0.0.0/0 10.200.200.4 udp spt:161
16 0 0 ACCEPT tcp -- * eth1 0.0.0.0/0 10.200.200.4 tcp spt:617
17 157 11690 ACCEPT tcp -- * eth1 0.0.0.0/0 10.200.200.0/24
18 0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 mmm.nnn.ooo.ppp tcp dpt:53 state NEW,ESTABLISHED
19 0 0 ACCEPT udp -- * eth0 0.0.0.0/0 mmm.nnn.ooo.ppp udp dpt:53 state NEW,ESTABLISHED
20 0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 mmm.nnn.ooo.ppp tcp dpt:53 state NEW,ESTABLISHED
21 0 0 ACCEPT udp -- * eth0 0.0.0.0/0 mmm.nnn.ooo.ppp udp dpt:53 state NEW,ESTABLISHED
22 0 0 ACCEPT tcp -- * eth1 0.0.0.0/0 10.10.21.70 tcp dpt:53 state NEW,ESTABLISHED
23 0 0 ACCEPT udp -- * eth1 0.0.0.0/0 10.10.21.70 udp dpt:53 state NEW,ESTABLISHED
24 0 0 ACCEPT tcp -- * eth1 0.0.0.0/0 10.200.200.4 tcp dpt:53 state NEW,ESTABLISHED
25 0 0 ACCEPT udp -- * eth1 0.0.0.0/0 10.200.200.4 udp dpt:53 state NEW,ESTABLISHED
26 0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 state NEW,ESTABLISHED
27 0 0 ACCEPT tcp -- * eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 state NEW,ESTABLISHED
28 0 0 ACCEPT tcp -- * eth0 xxx.yyy.zzz.66 0.0.0.0/0 tcp spt:80
29 1 40 ACCEPT tcp -- * eth0 xxx.yyy.zzz.66 0.0.0.0/0 tcp spt:443
30 0 0 ACCEPT tcp -- * eth0 xxx.yyy.zzz.67 0.0.0.0/0 tcp spt:80
31 0 0 ACCEPT tcp -- * eth0 xxx.yyy.zzz.67 0.0.0.0/0 tcp spt:443
32 0 0 ACCEPT tcp -- * eth1 xxx.yyy.zzz.66 10.10.21.0/24 tcp spt:80
33 0 0 ACCEPT tcp -- * eth1 xxx.yyy.zzz.66 10.200.200.0/24 tcp spt:80
34 0 0 ACCEPT tcp -- * eth1 xxx.yyy.zzz.66 10.10.21.0/24 tcp spt:443
35 0 0 ACCEPT tcp -- * eth1 xxx.yyy.zzz.66 10.200.200.0/24 tcp spt:443
36 0 0 ACCEPT tcp -- * eth1 xxx.yyy.zzz.67 10.10.21.0/24 tcp spt:80
37 0 0 ACCEPT tcp -- * eth1 xxx.yyy.zzz.67 10.200.200.0/24 tcp spt:80
38 0 0 ACCEPT tcp -- * eth1 xxx.yyy.zzz.67 10.10.21.0/24 tcp spt:443
39 0 0 ACCEPT tcp -- * eth1 xxx.yyy.zzz.67 10.200.200.0/24 tcp spt:443
40 0 0 ACCEPT tcp -- * eth1 10.200.200.169 10.10.21.0/24 tcp spt:80
41 0 0 ACCEPT tcp -- * eth1 10.200.200.169 10.200.200.0/24 tcp spt:80
42 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `IPT:OUTPUT '
43 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain PREROUTING (policy ACCEPT 5884 packets, 2230408 bytes)
num pkts bytes target prot opt in out source destination
1 4 1260 DNAT tcp -- eth0 * 0.0.0.0/0 xxx.yyy.zzz.69 tcp dpt:25 to:10.10.21.23:25
2 0 0 DNAT udp -- eth0 * 0.0.0.0/0 xxx.yyy.zzz.69 udp dpt:25 to:10.10.21.23:25
3 0 0 DNAT tcp -- eth0 * 0.0.0.0/0 xxx.yyy.zzz.69 tcp dpt:110 to:10.10.21.23:110
4 0 0 DNAT udp -- eth0 * 0.0.0.0/0 xxx.yyy.zzz.69 udp dpt:110 to:10.10.21.23:110
5 0 0 DNAT tcp -- eth0 * 0.0.0.0/0 xxx.yyy.zzz.86 tcp dpt:22 to:10.10.21.24:22
6 0 0 DNAT tcp -- eth0 * 0.0.0.0/0 xxx.yyy.zzz.84 tcp dpt:22 to:10.200.200.4:22
Chain POSTROUTING (policy ACCEPT 47 packets, 7198 bytes)
num pkts bytes target prot opt in out source destination
1 100 4918 SNAT all -- * eth0 10.10.21.0/24 0.0.0.0/0 to:xxx.yyy.zzz.80
2 21 1597 SNAT all -- * eth0 10.200.200.0/24 0.0.0.0/0 to:xxx.yyy.zzz.80
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain PREROUTING (policy ACCEPT 917 packets, 225511 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 465 packets, 67489 bytes)
num pkts bytes target prot opt in out source destination
################################
#
# Linux Virtual Server Config
#
################################
LVS Configuration
[root@fw1 ipt-conf]# ipvsadm -l -n
IP Virtual Server version 0.2.7 (size=65536)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP xxx.yyy.zzz.66:80 rr
-> 10.200.200.12:80 Masq 1 0 6
TCP xxx.yyy.zzz.67:80 rr
-> 10.200.200.22:80 Masq 1 0 1
TCP xxx.yyy.zzz.66:1080 rr
-> 10.200.200.12:1080 Masq 1 0 0
TCP xxx.yyy.zzz.66:1443 rr
-> 10.200.200.12:1443 Masq 1 0 0
TCP xxx.yyy.zzz.66:443 rr
-> 10.200.200.12:443 Masq 1 0 0
TCP 10.200.200.169:80 rr
-> 10.200.200.32:80 Masq 1 1 21
TCP xxx.yyy.zzz.67:443 rr
-> 10.200.200.22:443 Masq 1 0 0
##################################
#
# Network Interfaces
#
##################################
ifconfig -a
[root@fw1 ipt-conf]# ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:50:8B:8F:BB:DB
inet addr:xxx.yyy.zzz.92 Bcast:xxx.yyy.zzz.95 Mask:255.255.255.224
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:535762 errors:12 dropped:0 overruns:0 frame:12
TX packets:499986 errors:6 dropped:0 overruns:0 carrier:6
collisions:10257 txqueuelen:100
Interrupt:15 Base address:0x2c80
eth0:0 Link encap:Ethernet HWaddr 00:50:8B:8F:BB:DB
inet addr:xxx.yyy.zzz.67 Bcast:xxx.yyy.zzz.95 Mask:255.255.255.224
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:15 Base address:0x2c80
eth0:1 Link encap:Ethernet HWaddr 00:50:8B:8F:BB:DB
inet addr:xxx.yyy.zzz.80 Bcast:xxx.yyy.zzz.95 Mask:255.255.255.224
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:15 Base address:0x2c80
eth0:2 Link encap:Ethernet HWaddr 00:50:8B:8F:BB:DB
inet addr:xxx.yyy.zzz.81 Bcast:xxx.yyy.zzz.95 Mask:255.255.255.224
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:15 Base address:0x2c80
eth0:3 Link encap:Ethernet HWaddr 00:50:8B:8F:BB:DB
inet addr:xxx.yyy.zzz.66 Bcast:xxx.yyy.zzz.95 Mask:255.255.255.224
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:15 Base address:0x2c80
eth0:4 Link encap:Ethernet HWaddr 00:50:8B:8F:BB:DB
inet addr:xxx.yyy.zzz.84 Bcast:xxx.yyy.zzz.95 Mask:255.255.255.224
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:15 Base address:0x2c80
eth0:5 Link encap:Ethernet HWaddr 00:50:8B:8F:BB:DB
inet addr:xxx.yyy.zzz.94 Bcast:xxx.yyy.zzz.95 Mask:255.255.255.224
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:15 Base address:0x2c80
eth0:6 Link encap:Ethernet HWaddr 00:50:8B:8F:BB:DB
inet addr:xxx.yyy.zzz.69 Bcast:xxx.yyy.zzz.95 Mask:255.255.255.224
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:15 Base address:0x2c80
eth1 Link encap:Ethernet HWaddr 00:08:C7:CF:8D:0B
inet addr:10.200.200.252 Bcast:10.200.200.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1883587 errors:72 dropped:0 overruns:0 frame:72
TX packets:1883269 errors:31 dropped:0 overruns:0 carrier:31
collisions:23552 txqueuelen:100
Interrupt:5 Base address:0x2c90
eth1:0 Link encap:Ethernet HWaddr 00:08:C7:CF:8D:0B
inet addr:10.200.200.169 Bcast:10.200.200.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:5 Base address:0x2c90
eth1:1 Link encap:Ethernet HWaddr 00:08:C7:CF:8D:0B
inet addr:10.200.200.254 Bcast:10.200.200.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:5 Base address:0x2c90
eth2 Link encap:Ethernet HWaddr 00:04:76:B9:AD:96
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:279133 errors:0 dropped:0 overruns:0 frame:0
TX packets:277027 errors:0 dropped:0 overruns:0 carrier:252
collisions:0 txqueuelen:100
Interrupt:15 Base address:0x2c00
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:3131240 errors:0 dropped:0 overruns:0 frame:0
TX packets:3131240 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
###################################
#
# Other OS info
#
###################################
[root@fw1 ipt-conf]# uname -a
Linux fw1.abcxyz.com 2.4.3-12 #1 Fri Jun 8 13:35:30 EDT 2001 i686 unknown
[root@fw1 ipt-conf]# iptables --version
iptables v1.2.1a
[root@fw1 ipt-conf]# cat /etc/redhat-release
Red Hat Linux release 7.1 (Seawolf)
[root@fw1 ipt-conf]# lsmod
Module Size Used by
iptable_mangle 1696 0 (autoclean) (unused)
iptable_nat 11888 0 (autoclean) (unused)
ip_vs_rr 816 7 (autoclean)
ip_vs 49408 31 [ip_vs_rr]
softdog 1472 0 (unused)
3c59x 23264 1 (autoclean)
tlan 23472 2 (autoclean)
ipt_state 544 38 (autoclean)
ipt_LOG 3216 4 (autoclean)
ip_conntrack 11824 2 (autoclean) [iptable_nat ipt_state]
iptable_filter 1696 0 (autoclean) (unused)
ip_tables 10272 7 [iptable_mangle iptable_nat ipt_state ipt_LOG iptable_filter]
sym53c8xx 53248 0 (unused)
cpqarray 16208 7
sd_mod 11104 0 (unused)
scsi_mod 84416 2 [sym53c8xx sd_mod]
[root@fw1 ipv4]# cat ip_conntrack_max
16384
--
Dave Herrald
dave@fropa.com
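A small checker for this kind of trace, added here as a worked example (it is not part of the post above). It parses the tcpdump lines in the format shown, pairs each packet received by the firewall with the copy it forwarded, verifies that SNAT changed only the client address (flags, sequence range, ACK and window must survive untouched), and flags server segments whose whole range lies below an ACK the client had already sent, which is the behaviour the post points out for packets 20 and 21. The client, SNAT and server names are taken from the post; the sample dump is copied from it, and the second, two-line dump with a mangled forwarded copy is constructed to show the NAT check failing.

```python
"""Checks on a NAT'd tcpdump trace like the one in the post above.

Added example, not code from the original post. Pairs the pre-NAT (eth1)
and post-NAT (eth0) copies of each packet, confirms SNAT rewrote only the
client address, and flags server data that retransmits already-ACKed bytes.
"""
import re
from collections import namedtuple

CLIENT = "10.10.21.70"             # inside host, from the post
SNAT = "xxx.yyy.zzz.80"            # SNAT "to" address, from the post
SERVER = "maps.vip.dcx.yahoo.com"  # remote host, from the post

# tcpdump 3.x line: "<n> <time> <iface> <dir> <src> > <dst>: <flags> seq:end(len) [ack N] win W ..."
LINE_RE = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<ts>[\d:.]+)\s+(?P<iface>\w+)\s+(?P<dir>[<>])\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<flags>[SFRP.]+)"
    r"(?:\s+(?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?:\s+ack\s+(?P<ack>\d+))?\s+win\s+(?P<win>\d+)")

# direction: '<' = received by the firewall, '>' = sent by it.
# src/dst hold the host only; tcpdump's trailing ".port" is stripped.
Pkt = namedtuple("Pkt", "idx iface direction src dst flags seq end ack win")

def parse(text):
    """Turn tcpdump lines into Pkt records; lines that do not match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pkts.append(Pkt(int(m["idx"]), m["iface"], m["dir"],
                            m["src"].rsplit(".", 1)[0], m["dst"].rsplit(".", 1)[0],
                            m["flags"], int(m["seq"] or 0), int(m["end"] or 0),
                            int(m["ack"] or 0), int(m["win"])))
    return pkts

def check_nat(pkts, inside, snat):
    """A packet received on one side should reappear on the other with only
    inside<->snat rewritten. Returns indices of forwarded copies that differ
    in anything else (flags, seq range, ack or window)."""
    bad = []
    for rx, tx in zip(pkts, pkts[1:]):
        if rx.direction != "<" or tx.direction != ">":
            continue
        exp_src = snat if rx.src == inside else rx.src
        exp_dst = inside if rx.dst == snat else rx.dst
        expected = (exp_src, exp_dst, rx.flags, rx.seq, rx.end, rx.ack, rx.win)
        if (tx.src, tx.dst, tx.flags, tx.seq, tx.end, tx.ack, tx.win) != expected:
            bad.append(tx.idx)
    return bad

def acked_retransmits(pkts, client, server):
    """Indices of server data segments whose whole range lies below the
    highest ACK the client had already sent through the firewall. Only
    packets received by the firewall ('<') are used so each is counted once."""
    highest_ack, flagged = 0, []
    for p in pkts:
        if p.direction != "<":
            continue
        if p.src == client:
            highest_ack = max(highest_ack, p.ack)
        elif p.src == server and p.end > p.seq and p.end <= highest_ack:
            flagged.append(p.idx)
    return flagged

# Packets 7-26 copied from the tcpdump in the post.
DUMP = """\
7 08:24:03.477600 eth1 < 10.10.21.70.2388 > maps.vip.dcx.yahoo.com.http: P 1:199(198) ack 1 win 5840 (DF)
8 08:24:03.477638 eth0 > xxx.yyy.zzz.80.2388 > maps.vip.dcx.yahoo.com.http: P 1:199(198) ack 1 win 5840 (DF)
9 08:24:03.533992 eth0 < maps.vip.dcx.yahoo.com.http > xxx.yyy.zzz.80.2388: . 1:1461(1460) ack 199 win 17520 (DF)
10 08:24:03.534025 eth1 > maps.vip.dcx.yahoo.com.http > 10.10.21.70.2388: . 1:1461(1460) ack 199 win 17520 (DF)
11 08:24:03.534248 eth0 < maps.vip.dcx.yahoo.com.http > xxx.yyy.zzz.80.2388: . 1461:2921(1460) ack 199 win 17520 (DF)
12 08:24:03.534284 eth1 > maps.vip.dcx.yahoo.com.http > 10.10.21.70.2388: . 1461:2921(1460) ack 199 win 17520 (DF)
13 08:24:03.534412 eth1 < 10.10.21.70.2388 > maps.vip.dcx.yahoo.com.http: . 199:199(0) ack 1461 win 8760 (DF)
14 08:24:03.534440 eth0 > xxx.yyy.zzz.80.2388 > maps.vip.dcx.yahoo.com.http: . 199:199(0) ack 1461 win 8760 (DF)
15 08:24:03.534757 eth0 < maps.vip.dcx.yahoo.com.http > xxx.yyy.zzz.80.2388: . 2921:4381(1460) ack 199 win 17520 (DF)
16 08:24:03.534792 eth1 > maps.vip.dcx.yahoo.com.http > 10.10.21.70.2388: . 2921:4381(1460) ack 199 win 17520 (DF)
17 08:24:03.534913 eth1 < 10.10.21.70.2388 > maps.vip.dcx.yahoo.com.http: . 199:199(0) ack 2921 win 11680 (DF)
18 08:24:03.534942 eth0 > xxx.yyy.zzz.80.2388 > maps.vip.dcx.yahoo.com.http: . 199:199(0) ack 2921 win 11680 (DF)
19 08:24:03.535411 eth1 < 10.10.21.70.2388 > maps.vip.dcx.yahoo.com.http: . 199:199(0) ack 4381 win 14600 (DF)
20 08:24:03.535443 eth0 > xxx.yyy.zzz.80.2388 > maps.vip.dcx.yahoo.com.http: . 199:199(0) ack 4381 win 14600 (DF)
21 08:24:04.526493 eth0 < maps.vip.dcx.yahoo.com.http > xxx.yyy.zzz.80.2388: . 1:1461(1460) ack 199 win 17520 (DF)
22 08:24:04.526525 eth1 > maps.vip.dcx.yahoo.com.http > 10.10.21.70.2388: . 1:1461(1460) ack 199 win 17520 (DF)
23 08:24:04.526906 eth1 < 10.10.21.70.2388 > maps.vip.dcx.yahoo.com.http: . 199:199(0) ack 4381 win 14600 (DF)
24 08:24:04.526942 eth0 > xxx.yyy.zzz.80.2388 > maps.vip.dcx.yahoo.com.http: . 199:199(0) ack 4381 win 14600 (DF)
25 08:24:06.526806 eth0 < maps.vip.dcx.yahoo.com.http > xxx.yyy.zzz.80.2388: . 1:1461(1460) ack 199 win 17520 (DF)
26 08:24:06.526850 eth1 > maps.vip.dcx.yahoo.com.http > 10.10.21.70.2388: . 1:1461(1460) ack 199 win 17520 (DF)
"""

# Constructed, not from the post: a forwarded copy whose ACK was mangled.
BAD_PAIR = """\
101 08:30:00.000001 eth1 < 10.10.21.70.2388 > maps.vip.dcx.yahoo.com.http: . 199:199(0) ack 4381 win 14600 (DF)
102 08:30:00.000002 eth0 > xxx.yyy.zzz.80.2388 > maps.vip.dcx.yahoo.com.http: . 199:199(0) ack 2921 win 14600 (DF)
"""

if __name__ == "__main__":
    pkts = parse(DUMP)
    print("NAT mismatches:", check_nat(pkts, CLIENT, SNAT))
    print("server segments retransmitting acked data:", acked_retransmits(pkts, CLIENT, SERVER))
    print("NAT mismatches in constructed bad pair:", check_nat(parse(BAD_PAIR), CLIENT, SNAT))
```

On the trace from the post the NAT check comes back clean and packets 21 and 25 are flagged: every client ACK, including the one for 4381, left eth0 correctly translated, yet the server keeps resending from 1 as though it never saw them. What this output cannot tell you is whether those ACKs reached the server intact; this tcpdump format carries no checksum information, so the next capture to take is one on the outside that verifies TCP checksums, or one on a host beyond the firewall, to see whether the translated ACKs are arriving and being accepted.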