[K12OSN] server not forwarding packets for Windows clients

Petre Scheie petre at maltzen.net
Wed Feb 1 14:18:15 UTC 2006



Les Mikesell wrote:
> On Tue, 2006-01-31 at 18:55, Petre Scheie wrote:
> 
>>It appears to be a NAT problem: while chkconfig shows that the 
>>/etc/init.d/nat script will be run for runlevels 2,3,4 & 5, it seems to 
>>quit working after a while.  It's one of the few scripts that does not 
>>have a 'status' parameter, although I could probably check 
>>/proc/sys/net/ipv4/ip_forward. 
> 
> 
> Most of the init scripts start some associated process.  This one
> just makes an iptables setting.
> 
> 
>> Since it wasn't working, I had the 
>>workstations plugged into the main network switch so that they bypassed 
>>the ltsp server.  This afternoon, I re-ran the /etc/init.d/nat script 
>>and presto! it started working.  So, I moved a couple of the Windows 
>>boxes back to the ltsp switch, and they were working fine.  Then about 
>>three hours later I got a call from the users saying those machines 
>>couldn't connect to the internet.  I ssh'd in, restarted NAT, and 
>>presto! it started working again.  What would make it die like that? 
>>For now, I just made a crontab entry that restarts /etc/init.d/nat once 
>>per hour.  I'd like to see its state under /proc when it stops working, 
>>but I don't want to put the users through the pain of it stopping again.
> 
> 
> This is just a guess, but could you have viruses on the client
> windows boxes that are trying to connect to random addresses
> as fast as they can cycle through them?  The nat module has to track
> the addresses with a table entry that will take a while to time out
> even if the connection does not succeed.  You can see it with
> 'cat /proc/net/ip_conntrack'.  If you see a lot of sequentially
> increasing addresses - or notice that when watching with tcpdump or
> ethereal you can be pretty sure it is a virus trying to spread.
> 
Considering that the client machines are all donated, I'd say yes, a virus is quite 
possible.  The machines were already present when I arrived on the scene, so I have no 
idea about their heritage.  I looked at /proc/net/ip_conntrack but there were only a few 
entries, but it was late in the evening and I'm not sure if the machines were still 
turned on.  I set up a cron job to log the output from /proc/net/ip_conntrack.  I also 
turned off the nat restarting script: when I checked /proc/sys/net/ipv4/ip_forward this 
morning, it was still set to 1, but of course the office is empty overnight.  I'm 
logging ip_forward's state every ten minutes to see if anything changes.
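
The check suggested in the quoted reply, as an added example that is not part of the original thread: a Python script that reads a snapshot of /proc/net/ip_conntrack (such as the cron-logged output) and reports clients with many unanswered destinations and runs of sequentially increasing addresses. The sample lines, addresses, function names and the threshold are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# The first src=/dst=/dport= on a line is the original (client-side) direction.
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+)(?: sport=\d+ dport=(\d+))?")

def parse_conntrack(text):
    """Yield (src, dst, dport, unreplied) for each conntrack line."""
    for line in text.splitlines():
        m = TUPLE_RE.search(line)
        if m:
            src, dst, dport = m.groups()
            yield src, dst, dport, "[UNREPLIED]" in line

def longest_sequential_run(addrs):
    """Length of the longest run of consecutive IPv4 addresses."""
    nums = sorted({int(ipaddress.IPv4Address(a)) for a in addrs})
    best = run = 1 if nums else 0
    for prev, cur in zip(nums, nums[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def suspect_sources(text, min_unreplied=10):
    """Map each client with >= min_unreplied unanswered destinations to stats."""
    unreplied, ports = defaultdict(set), defaultdict(set)
    for src, dst, dport, flag in parse_conntrack(text):
        if flag:
            unreplied[src].add(dst)
            ports[src].add(dport)
    return {
        src: {"unreplied_dsts": len(dsts),
              "sequential_run": longest_sequential_run(dsts),
              "dports": sorted(p for p in ports[src] if p)}
        for src, dsts in unreplied.items() if len(dsts) >= min_unreplied
    }

# Constructed sample: one client sweeping 198.51.100.1-20, one browsing normally.
# 192.0.2.10 stands in for the server's outside (NAT) address in the reply tuple.
SAMPLE = "\n".join(
    [f"tcp      6 110 SYN_SENT src=192.168.0.101 dst=198.51.100.{i} sport={1030 + i} "
     f"dport=445 [UNREPLIED] src=198.51.100.{i} dst=192.0.2.10 sport=445 "
     f"dport={1030 + i} use=1" for i in range(1, 21)]
    + ["tcp      6 431990 ESTABLISHED src=192.168.0.102 dst=203.0.113.80 sport=1190 "
       "dport=80 src=203.0.113.80 dst=192.0.2.10 sport=80 dport=1190 [ASSURED] use=1",
       "udp      17 25 src=192.168.0.102 dst=192.168.0.254 sport=1027 dport=53 "
       "src=192.168.0.254 dst=192.168.0.102 sport=53 dport=1027 use=1"])

if __name__ == "__main__":
    for src, stats in suspect_sources(SAMPLE).items():
        print(src, stats)
```

To run it against a logged snapshot, pass the file's contents to suspect_sources() in place of SAMPLE.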
