[rhelv6-list] Weird issue with iptables

Thomas Cameron thomas.cameron at camerontech.com
Thu Nov 8 19:29:29 UTC 2012


I have set up a RHEL 6 firewall. There are two basically identical
machines behind the firewall. One can get to the Internet just fine, the
other can only get to some sites. Other sites are very slow - like
several minutes to load a page. It's very weird. If the affected box
tries to go to e.g. www.yahoo.com, it gets the first part of the page,
then hangs for several minutes while it loads super slowly. The weird
thing is, if the affected machine goes to any google.com address, it
works fine.

Now, the working machine resolves e.g. www.yahoo.com to a different
address from the broken machine because of content delivery network
addressing.

The network is connected via Time Warner business class service, and I
have 5 usable IP addresses, in the range 24.99.99.0/255.255.255.248.

It has two physical interfaces, 24.99.99.5 (eth1, external, public) and
10.0.2.1 (eth0, internal, private).

I have several virtual interfaces, 24.99.99.2, 24.99.99.3, 24.99.99.4,
and 24.99.99.6 (eth1:0 through eth1:3).

I've poked holes through the firewall with DNAT so I can remote desktop
to a couple of Windows boxes, allow web traffic in, ssh to a Linux box,
allow e-mail to the spam filtering box, etc.

My firewall rules look like this:

[root at office ~]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target   prot opt source     destination

Chain FORWARD (policy ACCEPT)
num  target   prot opt source     destination

Chain OUTPUT (policy ACCEPT)
num  target   prot opt source     destination

Table: nat
Chain PREROUTING (policy ACCEPT)
num  target   prot opt source     destination
1  DNAT   tcp  --  0.0.0.0/0    24.99.99.2   tcp dpt:80 to:10.0.2.2
2  DNAT   tcp  --  0.0.0.0/0    24.99.99.2   tcp dpt:443 to:10.0.2.2
3  DNAT   tcp  --  0.0.0.0/0    24.99.99.2   tcp dpt:3389 to:10.0.2.2
4  DNAT   tcp  --  0.0.0.0/0    24.99.99.2   tcp dpt:53 to:10.0.2.20
5  DNAT   udp  --  0.0.0.0/0    24.99.99.2   udp dpt:53 to:10.0.2.20
6  DNAT   tcp  --  0.0.0.0/0    24.99.99.2   tcp dpt:22 to:10.0.2.201
7  DNAT   tcp  --  0.0.0.0/0    24.99.99.2   tcp dpt:25 to:10.0.2.201
8  DNAT   tcp  --  0.0.0.0/0    24.99.99.3   tcp dpt:3389 to:10.0.2.3
9  DNAT   tcp  --  0.0.0.0/0    24.99.99.3   tcp dpt:80 to:10.0.2.140
10 DNAT   tcp  --  0.0.0.0/0    24.99.99.3   tcp dpt:6036 to:10.0.2.140
11 DNAT   tcp  --  0.0.0.0/0    24.99.99.4   tcp dpt:53 to:10.0.2.20
12 DNAT   udp  --  0.0.0.0/0    24.99.99.4   udp dpt:53 to:10.0.2.20
13 DNAT   tcp  --  0.0.0.0/0    24.99.99.5   tcp dpt:80 to:10.0.2.13
14 DNAT   tcp  --  0.0.0.0/0    24.99.99.5   tcp dpt:443 to:10.0.2.13
15 DNAT   tcp  --  0.0.0.0/0    24.99.99.6   tcp dpt:3389 to:10.0.2.6

Chain POSTROUTING (policy ACCEPT)
num  target   prot opt source     destination
1  SNAT   all  --  10.0.2.0/24   !10.0.2.0/24   to:24.99.99.5

Chain OUTPUT (policy ACCEPT)
num  target   prot opt source     destination

The two systems I am looking at are at 10.0.2.3 (broken internet access)
and 10.0.2.6 (internet works fine). Both are Windows machines.

I'm at a loss as to what I've done wrong. Why would some machines get
incredibly slow responses but others are snappy?

Thomas Cameron
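As an added check (example code, not from the post or from RHEL), the following parses the `service iptables status` NAT listing quoted above and compares how two internal hosts are treated, so a difference in symptoms can be ruled in or out as a NAT-rule problem. It assumes Python 3 and the column layout shown in the post; the sample table is a constructed, trimmed copy of the rules above.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the nat table from the post, trimmed to a few DNAT rules
# plus the single SNAT rule, in the column layout `service iptables status` prints.
NAT_STATUS = """\
Table: nat
Chain PREROUTING (policy ACCEPT)
num  target   prot opt source     destination
1  DNAT   tcp  --  0.0.0.0/0    24.99.99.2   tcp dpt:80 to:10.0.2.2
8  DNAT   tcp  --  0.0.0.0/0    24.99.99.3   tcp dpt:3389 to:10.0.2.3
13 DNAT   tcp  --  0.0.0.0/0    24.99.99.5   tcp dpt:80 to:10.0.2.13
15 DNAT   tcp  --  0.0.0.0/0    24.99.99.6   tcp dpt:3389 to:10.0.2.6

Chain POSTROUTING (policy ACCEPT)
num  target   prot opt source     destination
1  SNAT   all  --  10.0.2.0/24   !10.0.2.0/24   to:24.99.99.5
"""

DNAT_RE = re.compile(r"^\d+\s+DNAT\s+(\w+)\s+--\s+\S+\s+(\S+)\s+\w+\s+dpt:(\d+)\s+to:(\S+)$")
SNAT_RE = re.compile(r"^\d+\s+SNAT\s+\w+\s+--\s+(\S+)\s+(\S+)\s+to:(\S+)$")

def parse_nat(text):
    """Return (dnat, snat): dnat maps internal host -> {(proto, port, public_ip)}."""
    dnat, snat = defaultdict(set), []
    for line in text.splitlines():
        m = DNAT_RE.match(line.strip())
        if m:
            proto, public_ip, port, target = m.groups()
            dnat[target.split(":")[0]].add((proto, int(port), public_ip))  # drop any :port in to:
            continue
        m = SNAT_RE.match(line.strip())
        if m:  # (source, destination, to)
            snat.append(m.groups())
    return dict(dnat), snat

def nat_treatment(text, host):
    """Inbound exposures and outbound SNAT addresses that apply to one internal host."""
    dnat, snat = parse_nat(text)
    addr = ipaddress.ip_address(host)
    inbound = sorted(dnat.get(host, set()))
    outbound = [to for src, _dst, to in snat if addr in ipaddress.ip_network(src, strict=False)]
    return inbound, outbound

def same_nat_treatment(text, host_a, host_b):
    """True when both hosts share the SNAT path and the same exposed (proto, port) set."""
    (in_a, out_a), (in_b, out_b) = nat_treatment(text, host_a), nat_treatment(text, host_b)
    return out_a == out_b and {r[:2] for r in in_a} == {r[:2] for r in in_b}
```

For the two hosts in the post, 10.0.2.3 and 10.0.2.6 come out identical (one inbound RDP DNAT each, both SNATed to 24.99.99.5), which points the investigation away from the nat table and towards the path or the hosts themselves.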
