[K12OSN] server not forwarding packets for Windows clients
Petre Scheie
petre at maltzen.net
Wed Feb 1 14:18:15 UTC 2006
Les Mikesell wrote:
> On Tue, 2006-01-31 at 18:55, Petre Scheie wrote:
>
>>It appears to be a NAT problem: while chkconfig shows that the
>>/etc/init.d/nat script will be run for runlevels 2,3,4 & 5, it seems to
>>quit working after a while. It's one of the few scripts that does not
>>have a 'status' parameter, although I could probably check
>>/proc/sys/net/ipv4/ip_forward.
>
>
> Most of the init scripts start some associated process. This one
> just makes an iptables setting.
>
>
>> Since it wasn't working, I had the
>>workstations plugged into the main network switch so that they bypassed
>>the ltsp server. This afternoon, I re-ran the /etc/init.d/nat script
>>and presto! it started working. So, I moved a couple of the Windows
>>boxes back to the ltsp switch, and they were working fine. Then about
>>three hours later I got a call from the users saying those machines
>>couldn't connect to the internet. I ssh'd in, restarted NAT, and
>>presto! it started working again. What would make it die like that?
>>For now, I just made a crontab entry that restarts /etc/init.d/nat once
>>per hour. I'd like to see its state under /proc when it stops working,
>>but I don't want to put the users through the pain of it stopping again.
>
>
> This is just a guess, but could you have viruses on the client
> windows boxes that are trying to connect to random addresses
> as fast as they can cycle through them? The nat module has to track
> the addresses with a table entry that will take a while to time out
> even if the connection does not succeed. You can see it with
> 'cat /proc/net/ip_conntrack'. If you see a lot of sequentially
> increasing addresses - or notice that when watching with tcpdump or
> ethereal - you can be pretty sure it is a virus trying to spread.
>
Considering that the client machines are all donated, I'd say yes, a virus is quite
possible. The machines were already present when I arrived on the scene, so I have no
idea about their heritage. I looked at /proc/net/ip_conntrack, but there were only a few
entries; it was late in the evening, though, and I'm not sure if the machines were still
turned on. I set up a cron job to log the output from /proc/net/ip_conntrack. I also
turned off the NAT-restarting script: when I checked /proc/sys/net/ipv4/ip_forward this
morning, it was still set to 1, but of course the office is empty overnight. I'm
logging ip_forward's state every ten minutes to see if anything changes.
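The check Les suggests above (one source host leaving a pile of unanswered entries to sequentially increasing destination addresses) can be automated rather than eyeballed from the raw table. The script below is an added example for this thread, not code posted by either participant or shipped with LTSP/K12OSN. It assumes the 2.6-era /proc/net/ip_conntrack line format (it also accepts the newer /proc/net/nf_conntrack, which prefixes each line with "ipv4 2"); the thresholds min_targets and min_run, the hostnames and all sample table lines are constructed for illustration.

```python
"""Added example (not from the K12OSN thread): summarise a conntrack table
per source host so a worm-style scanner stands out.

Reads /proc/net/ip_conntrack (2.6-era kernels, as in the thread) or the
newer /proc/net/nf_conntrack; both carry the same src=/dst=/dport=
tuple and the [UNREPLIED] marker this script keys on.
"""
import ipaddress
import os
import re
from collections import defaultdict

# One regex covers both files: nf_conntrack prefixes each line with
# "ipv4 2", and UDP entries carry no state word before the first tuple.
ENTRY_RE = re.compile(
    r"^(?:ipv4\s+2\s+)?(?P<proto>tcp|udp)\s+\d+\s+(?P<timeout>\d+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
)


def parse_conntrack(text):
    """Return one dict per TCP/UDP entry; ICMP and unknown lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["dport"] = int(e["dport"])
        e["unreplied"] = "[UNREPLIED]" in line  # no reply packet seen yet
        entries.append(e)
    return entries


def longest_sequential_run(addresses):
    """Length of the longest run of consecutive IPv4 addresses in the set."""
    ints = sorted({int(ipaddress.IPv4Address(a)) for a in addresses})
    best = run = 1 if ints else 0
    for prev, cur in zip(ints, ints[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def scan_report(entries, min_targets=10, min_run=5):
    """Per-source statistics; 'suspect' flags hosts that touched many distinct
    destinations forming a long consecutive run (thresholds are assumptions)."""
    per_src = defaultdict(lambda: {"targets": set(), "unreplied": 0, "ports": set()})
    for e in entries:
        s = per_src[e["src"]]
        s["targets"].add(e["dst"])
        s["ports"].add(e["dport"])
        s["unreplied"] += e["unreplied"]
    report = {}
    for src, s in per_src.items():
        run = longest_sequential_run(s["targets"])
        report[src] = {
            "distinct_dst": len(s["targets"]),
            "unreplied": s["unreplied"],
            "ports": sorted(s["ports"]),
            "longest_run": run,
            "suspect": len(s["targets"]) >= min_targets and run >= min_run,
        }
    return report


# Constructed sample, not a capture from the poster's server. 192.168.0.20
# is a normal client; 192.168.0.10 is spraying unanswered SYNs on port 445
# at 10.1.2.1 .. 10.1.2.40 in order, the pattern described in the thread.
WORM_LINE = ("tcp      6 117 SYN_SENT src=192.168.0.10 dst=10.1.2.{i} sport={sp} dport=445 "
             "[UNREPLIED] src=10.1.2.{i} dst=192.168.0.10 sport=445 dport={sp} use=1")
SAMPLE_CONNTRACK = "\n".join(
    ["tcp      6 431999 ESTABLISHED src=192.168.0.20 dst=64.233.161.99 sport=3120 dport=80 "
     "src=64.233.161.99 dst=192.168.0.20 sport=80 dport=3120 [ASSURED] use=1",
     "udp      17 28 src=192.168.0.20 dst=192.168.0.1 sport=1025 dport=53 "
     "src=192.168.0.1 dst=192.168.0.20 sport=53 dport=1025 use=1",
     "icmp     1 29 src=192.168.0.20 dst=192.168.0.1 type=8 code=0 id=512 "
     "src=192.168.0.1 dst=192.168.0.20 type=0 code=0 id=512 use=1"]
    + [WORM_LINE.format(i=i, sp=1034 + i) for i in range(1, 41)]
)


def load_live_table():
    """Read the live table if running on a Linux NAT box, else None."""
    for path in ("/proc/net/nf_conntrack", "/proc/net/ip_conntrack"):
        if os.path.exists(path):
            with open(path) as f:
                return f.read()
    return None


if __name__ == "__main__":
    text = load_live_table() or SAMPLE_CONNTRACK
    for src, stats in sorted(scan_report(parse_conntrack(text)).items()):
        flag = "SUSPECT" if stats["suspect"] else "ok"
        print(f"{src:16} dst={stats['distinct_dst']:4} unreplied={stats['unreplied']:4} "
              f"run={stats['longest_run']:4} ports={stats['ports'][:5]} {flag}")
```

Run it as root on the NAT box (the conntrack files are not world-readable on every distribution); off the box it falls back to the constructed sample. A host with a long run of consecutive targets, many [UNREPLIED] entries and a single destination port (445 or 139 on the sample) is the signature Les describes. If the table really is filling up, the 2.6 kernel also logs "ip_conntrack: table full, dropping packet" in dmesg and the ceiling is in /proc/sys/net/ipv4/ip_conntrack_max, which is worth logging alongside ip_forward to tell a full table apart from the forwarding flag being cleared.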