[rhelv6-list] Weird issue with iptables
Thomas Cameron
thomas.cameron at camerontech.com
Thu Nov 8 19:29:29 UTC 2012
I have set up a RHEL 6 firewall. There are two basically identical
machines behind the firewall. One can get to the Internet just fine, the
other can only get to some sites. Other sites are very slow - like
several minutes to load a page. It's very weird. If the affected box
tries to go to e.g. www.yahoo.com, it gets the first part of the page,
then hangs for several minutes while it loads super slowly. The weird
thing is, if the affected machine goes to any google.com address, it
works fine.
Now, the working machine resolves e.g. www.yahoo.com to a different
address from the broken machine because of content delivery network
addressing.
The network is connected via Time Warner business class service, and I
have 5 usable IP addresses, in the range 24.99.99.0/255.255.255.248.
It has two physical interfaces, 24.99.99.5 (eth1, external, public) and
10.0.2.1 (eth0, internal, private).
I have several virtual interfaces, 24.99.99.2, 24.99.99.3, 24.99.99.4,
and 24.99.99.6 (eth1:0 through eth1:3).
I've poked holes through the firewall with DNAT so I can remote desktop
to a couple of Windows boxes, allow web traffic in, ssh to a Linux box,
allow e-mail to the spam filtering box, etc.
My firewall rules look like this:
[root at office ~]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Table: nat
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 DNAT tcp -- 0.0.0.0/0 24.99.99.2 tcp dpt:80 to:10.0.2.2
2 DNAT tcp -- 0.0.0.0/0 24.99.99.2 tcp dpt:443 to:10.0.2.2
3 DNAT tcp -- 0.0.0.0/0 24.99.99.2 tcp dpt:3389 to:10.0.2.2
4 DNAT tcp -- 0.0.0.0/0 24.99.99.2 tcp dpt:53 to:10.0.2.20
5 DNAT udp -- 0.0.0.0/0 24.99.99.2 udp dpt:53 to:10.0.2.20
6 DNAT tcp -- 0.0.0.0/0 24.99.99.2 tcp dpt:22 to:10.0.2.201
7 DNAT tcp -- 0.0.0.0/0 24.99.99.2 tcp dpt:25 to:10.0.2.201
8 DNAT tcp -- 0.0.0.0/0 24.99.99.3 tcp dpt:3389 to:10.0.2.3
9 DNAT tcp -- 0.0.0.0/0 24.99.99.3 tcp dpt:80 to:10.0.2.140
10 DNAT tcp -- 0.0.0.0/0 24.99.99.3 tcp dpt:6036 to:10.0.2.140
11 DNAT tcp -- 0.0.0.0/0 24.99.99.4 tcp dpt:53 to:10.0.2.20
12 DNAT udp -- 0.0.0.0/0 24.99.99.4 udp dpt:53 to:10.0.2.20
13 DNAT tcp -- 0.0.0.0/0 24.99.99.5 tcp dpt:80 to:10.0.2.13
14 DNAT tcp -- 0.0.0.0/0 24.99.99.5 tcp dpt:443 to:10.0.2.13
15 DNAT tcp -- 0.0.0.0/0 24.99.99.6 tcp dpt:3389 to:10.0.2.6
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 SNAT all -- 10.0.2.0/24 !10.0.2.0/24 to:24.99.99.5
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
The two systems I am looking at are at 10.0.2.3 (broken internet access)
and 10.0.2.6 (internet works fine). Both are Windows machines.
I'm at a loss as to what I've done wrong. Why would some machines get
incredibly slow responses but others are snappy?
Thomas Cameron
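As an added example (not part of the post), a small Python parser for the `service iptables status` listing above: it maps each public IP to the proto/port pairs DNAT'd behind it and records the two things a firewall reviewer would note from the output, namely that the filter table's FORWARD chain is policy ACCEPT with no rules, so forwarded traffic is not filtered at all, and that RDP (3389) is DNAT'd from any source. The sample is a trimmed copy of the listing in the post.

```python
import re
from collections import defaultdict
# Constructed sample: a subset of the `service iptables status` listing from the post.
SAMPLE = """\
Table: filter
Chain INPUT (policy ACCEPT)
Chain FORWARD (policy ACCEPT)
Table: nat
Chain PREROUTING (policy ACCEPT)
1 DNAT tcp -- 0.0.0.0/0 24.99.99.2 tcp dpt:80 to:10.0.2.2
2 DNAT tcp -- 0.0.0.0/0 24.99.99.2 tcp dpt:3389 to:10.0.2.2
3 DNAT udp -- 0.0.0.0/0 24.99.99.2 udp dpt:53 to:10.0.2.20
4 DNAT tcp -- 0.0.0.0/0 24.99.99.3 tcp dpt:3389 to:10.0.2.3
Chain POSTROUTING (policy ACCEPT)
1 SNAT all -- 10.0.2.0/24 !10.0.2.0/24 to:24.99.99.5
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)\)")
DNAT_RE = re.compile(r"^\d+ DNAT (\S+) -- (\S+) (\S+) \S+ dpt:(\d+) to:(\S+)")

def parse_status(text):
    # chains: "table/CHAIN" -> [policy, rule count]; dnat: (proto, src, public, port, internal)
    chains, dnat, table, chain = {}, [], None, None
    for line in text.splitlines():
        if line.startswith("Table: "):
            table = line.split(": ", 1)[1]
        elif (m := CHAIN_RE.match(line)):
            chain = f"{table}/{m.group(1)}"
            chains[chain] = [m.group(2), 0]
        elif line[:1].isdigit() and chain:        # a numbered rule line
            chains[chain][1] += 1
            if (m := DNAT_RE.match(line)):
                proto, src, pub, port, internal = m.groups()
                dnat.append((proto, src, pub, int(port), internal))
    return chains, dnat

def exposure_report(text):
    # Per public IP: which proto/port is forwarded where, plus findings a reviewer would raise.
    chains, dnat = parse_status(text)
    exposed = defaultdict(list)
    findings = []
    for proto, src, pub, port, internal in dnat:
        exposed[pub].append((proto, port, internal))
        if src == "0.0.0.0/0" and port == 3389:
            findings.append(f"RDP on {pub} is open to any source -> {internal}")
    policy, count = chains.get("filter/FORWARD", ("?", 0))
    if policy == "ACCEPT" and count == 0:
        findings.append("filter/FORWARD is ACCEPT with no rules: forwarded traffic is unfiltered")
    return dict(exposed), findings
```

Run it against the full listing in the post to get the complete per-IP exposure map; a FORWARD chain with a DROP policy and explicit allows for the DNAT'd ports would clear the first finding.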