| 1 |
Do you take car of the MTU? |
| 2 |
Maybe you should clamp it as with ADSL. Do a Google search on TCPMMS. |
| 3 |
|
| 4 |
Regards, |
| 5 |
Dw. |
| 6 |
-- |
| 7 |
dr Tóth Attila, Radiológus Szakorvos jelölt, 06-20-825-8057, 06-30-5962-962 |
| 8 |
Attila Toth MD, Radiologist in Training, +36-20-825-8057, +36-30-5962-962 |
| 9 |
|
| 10 |
On Pén, Február 1, 2008 10:05, Brian Modra wrote: |
| 11 |
> Hi, |
| 12 |
> I'm having trouble with sockets apparently timing out too quickly when |
| 13 |
> they |
| 14 |
> are logically over ethernet, but physically forwarded over a slow ppp |
| 15 |
> link. |
| 16 |
> |
| 17 |
> The fastest network available to me is GPRS/EDGE. So I have one PC |
| 18 |
> connecting to my ISP using EDGE, and 4 other PCs connected to it using |
| 19 |
> Ethernet. |
| 20 |
> |
| 21 |
> The "network server PC" (the one with the GPRS/EDGE modem) is using |
| 22 |
> iptables |
| 23 |
> to forward the packets arriving over its eth0 to ppp0, and vis-versa. |
| 24 |
> This all works nicely. |
| 25 |
> |
| 26 |
> However, I think that because the other PCs are using ethernet, their |
| 27 |
> socket |
| 28 |
> timeouts default to something fairly small... so when the socket |
| 29 |
> connection |
| 30 |
> is actually going via GPRS/EDGE (which is much slower than 100 ethernet) |
| 31 |
> then it times out. |
| 32 |
> |
| 33 |
> I'm seeing this problem with ssh connections (because thats the only type |
| 34 |
> of |
| 35 |
> socket connection that goes outside the LAN over ppp). |
| 36 |
> |
| 37 |
> Note that this is not an idle-time timeout problem: I've got control over |
| 38 |
> the remote sshd, so I have set up |
| 39 |
> ClientAliveInterval 60 |
| 40 |
> ClientAliveCountMax 0 |
| 41 |
> and on the clients: |
| 42 |
> ServerAliveInterval 20 |
| 43 |
> |
| 44 |
> If I connect from my "Network server PC" (i.e. not using forwarding) - |
| 45 |
> then |
| 46 |
> the ssh works fine. |
| 47 |
> If I use ssh from one of the other PCs (i.e. using forwarding) - then ssh |
| 48 |
> sometimes works fine, but sometimes gets a "connection reset by remote |
| 49 |
> peer" |
| 50 |
> right in the middle of some busy data transfer. |
| 51 |
> |
| 52 |
> I'm a novice with iptables... here's my setup: |
| 53 |
> |
| 54 |
> # iptables-save |
| 55 |
> # Generated by iptables-save v1.3.8 on Fri Feb 1 10:52:12 2008 |
| 56 |
> *mangle |
| 57 |
> :PREROUTING ACCEPT [7117:1725751] |
| 58 |
> :INPUT ACCEPT [4684:1358683] |
| 59 |
> :FORWARD ACCEPT [2431:365684] |
| 60 |
> :OUTPUT ACCEPT [4927:964199] |
| 61 |
> :POSTROUTING ACCEPT [7364:1331293] |
| 62 |
> COMMIT |
| 63 |
> # Completed on Fri Feb 1 10:52:12 2008 |
| 64 |
> # Generated by iptables-save v1.3.8 on Fri Feb 1 10:52:12 2008 |
| 65 |
> *nat |
| 66 |
> :PREROUTING ACCEPT [41:2460] |
| 67 |
> :POSTROUTING ACCEPT [60:4125] |
| 68 |
> :OUTPUT ACCEPT [141:8990] |
| 69 |
> -A POSTROUTING -o ppp0 -j MASQUERADE |
| 70 |
> -A POSTROUTING -o ppp1 -j MASQUERADE |
| 71 |
> COMMIT |
| 72 |
> # Completed on Fri Feb 1 10:52:12 2008 |
| 73 |
> # Generated by iptables-save v1.3.8 on Fri Feb 1 10:52:12 2008 |
| 74 |
> *filter |
| 75 |
> :INPUT ACCEPT [2158:643734] |
| 76 |
> :FORWARD DROP [0:0] |
| 77 |
> :OUTPUT ACCEPT [4927:964199] |
| 78 |
> -A INPUT -i lo -j ACCEPT |
| 79 |
> -A INPUT -i eth0 -j ACCEPT |
| 80 |
> -A INPUT -i ! eth0 -p udp -m udp --dport 67 -j REJECT --reject-with |
| 81 |
> icmp-port-unreachable |
| 82 |
> -A INPUT -i ! eth0 -p udp -m udp --dport 53 -j REJECT --reject-with |
| 83 |
> icmp-port-unreachable |
| 84 |
> -A INPUT -i ppp0 -p tcp -m tcp --dport 22 -j DROP |
| 85 |
> -A INPUT -i ppp1 -p tcp -m tcp --dport 22 -j DROP |
| 86 |
> -A INPUT -i ! eth0 -p tcp -m tcp --dport 0:110 -j DROP |
| 87 |
> -A INPUT -i ! eth0 -p udp -m udp --dport 0:110 -j DROP |
| 88 |
> -A INPUT -i ! eth0 -p tcp -m tcp --dport 112:1023 -j DROP |
| 89 |
> -A INPUT -i ! eth0 -p udp -m udp --dport 112:1023 -j DROP |
| 90 |
> -A FORWARD -d 192.168.0.0/255.255.0.0 -i eth0 -j DROP |
| 91 |
> -A FORWARD -s 192.168.0.0/255.255.0.0 -i eth0 -j ACCEPT |
| 92 |
> -A FORWARD -d 192.168.0.0/255.255.0.0 -i ppp0 -j ACCEPT |
| 93 |
> -A FORWARD -d 192.168.0.0/255.255.0.0 -i ppp1 -j ACCEPT |
| 94 |
> -A OUTPUT -p tcp -m tcp --dport 8085 -j REJECT --reject-with |
| 95 |
> icmp-port-unreachable |
| 96 |
> COMMIT |
| 97 |
> # Completed on Fri Feb 1 10:52:12 2008 |
| 98 |
> |
| 99 |
> Note that I sometimes connect using a different ISP, hence ppp0 and ppp1. |
| 100 |
> Removing all mention of ppp1 does not help, and the problem existed before |
| 101 |
> I |
| 102 |
> added the second ppp. |
| 103 |
> |
| 104 |
> I've been googling for anything to do with forwarding timeouts in |
| 105 |
> iptables, |
| 106 |
> but no success. I've also been looking for ways to set the default socket |
| 107 |
> read/write timeout from a shell, (I know how to do it in C, but that does |
| 108 |
> not help because I don't want to patch openssh.) Maybe there is an ssh |
| 109 |
> config parameter for this, but all I can find is information about |
| 110 |
> keepalive, which is nothing to do with this problem. |
| 111 |
> |
| 112 |
> I'll appreciate your help. Thanks |
| 113 |
> Brian |
| 114 |
> -- |
| 115 |
> Brian Modra Land line: +27 23 5411 462 |
| 116 |
> Mobile: +27 79 183 8059 |
| 117 |
> 6 Jan Louw Str, Prince Albert, 6930 |
| 118 |
> Postal: P.O. Box 2, Prince Albert 6930 |
| 119 |
> South Africa |
| 120 |
> |
| 121 |
|
| 122 |
|
| 123 |
-- |
| 124 |
gentoo-hardened@l.g.o mailing list |
Archives