[SOLVED] erratic behavior nat slackware server

slac-in-the-box · 09-18-2010, 07:24 PM

Hi LQ:

I am trying to turn an old desktop that has slackware 12.2 installed on it into a dhcp server that performs nat on a certain range of the subnet... the server's hostname is nutshell.

Once I have it set up, I am testing it with a slackware64-13.1 laptop whose hostname is firebolt.

Nutshell has a static ip. Before messing with the DHCP side of things, I thought I would start with getting NAT working. The steps I have taken are as follows:

I modified the /etc/rc.d/rc.inet1.conf script so that the interfaces would be setup on boot. Eth0 has ISP's static ip assigned to it, and I assigned 172.0.0.1 to eth1.
I opened the box as wide as possible, so that former firewalls and security settings would not interfere. The contents of /etc/hosts.allow is All:All, and /etc/hosts.deny is an empty file. The firewall is set to allow everything, i.e., iptables -L has "ACCEPT" as default policy on all chains.
Next I used iptables to start nat with the command:
Code:
```
iptables -t nat -A POSTROUTING -s 172.0.0.0/11 -o eth0 -j SNAT --to ##.##.##.##
```
(the static ip I am not typing for security reasons, since the box is open wide at the moment)...

Then I connect firebolt to nutshell with a category 5 ethernet cable and test it out. I can ping nutshell:

Code:

firebolt% ping 172.0.0.1
PING 172.0.0.1 (172.0.0.1) 56(84) bytes of data.
64 bytes from 172.0.0.1: icmp_req=1 ttl=64 time=1.24 ms
64 bytes from 172.0.0.1: icmp_req=2 ttl=64 time=0.105 ms
64 bytes from 172.0.0.1: icmp_req=3 ttl=64 time=1.28 ms
64 bytes from 172.0.0.1: icmp_req=4 ttl=64 time=0.103 ms
64 bytes from 172.0.0.1: icmp_req=5 ttl=64 time=1.29 ms
64 bytes from 172.0.0.1: icmp_req=6 ttl=64 time=0.100 ms
64 bytes from 172.0.0.1: icmp_req=7 ttl=64 time=1.28 ms
64 bytes from 172.0.0.1: icmp_req=8 ttl=64 time=0.102 ms
64 bytes from 172.0.0.1: icmp_req=9 ttl=64 time=1.28 ms
64 bytes from 172.0.0.1: icmp_req=10 ttl=64 time=0.103 ms
64 bytes from 172.0.0.1: icmp_req=11 ttl=64 time=1.28 ms
64 bytes from 172.0.0.1: icmp_req=12 ttl=64 time=0.105 ms
64 bytes from 172.0.0.1: icmp_req=13 ttl=64 time=0.167 ms
64 bytes from 172.0.0.1: icmp_req=14 ttl=64 time=0.100 ms
64 bytes from 172.0.0.1: icmp_req=15 ttl=64 time=1.28 ms
64 bytes from 172.0.0.1: icmp_req=16 ttl=64 time=0.101 ms
64 bytes from 172.0.0.1: icmp_req=17 ttl=64 time=1.28 ms
64 bytes from 172.0.0.1: icmp_req=18 ttl=64 time=0.102 ms
64 bytes from 172.0.0.1: icmp_req=19 ttl=64 time=1.28 ms

The ping seems very erratic. Notice it fluxuating between a tenth of a millisecond and a whole millisecond, almost alternating? Is this normal?

The same result occurs if I ping firebolt from nutshell.

Next I try to ping the public static ips of my ISP's nameserver:

Code:

firebolt% ping ##.##.##.##
PING ##.##.##.## (##.##.##.##) 56(84) bytes of data.
64 bytes from ##.##.##.##: icmp_req=1 ttl=61 time=7.54 ms
64 bytes from ##.##.##.##: icmp_req=2 ttl=61 time=8.74 ms
64 bytes from ##.##.##.##: icmp_req=3 ttl=61 time=7.53 ms
64 bytes from ##.##.##.##: icmp_req=4 ttl=61 time=8.58 ms

It too alternates by a millisecond.

OK, yeah, I can ping external ips from firebolt, so the NAT appears to be working properly. I fire up x-windows and surf a little. While I am surfing it freezes. Checking the pings again, suddenly firebolt cannot ping isp's dns anymore. Checking on nutshell, it can no longer ping external ips either. However, after running /etc/rc.d/rc.inet1 restart on nutshell, all is well, and it is pinging out again. I go back to firebolt and resume my surfing.

Everything seems ok, for a while, but then it freezes again, and I have to go back to nutshell and run rc.inet1 restart again.

In the time it has taken to type this blog, I have had to restart nutshell three times.

Could anyone shed any light on this erratic behavior?

slac-in-the-box · 09-18-2010, 07:41 PM

Still wondering why nutshell drops it's external connection and has to be manually reset, I thought I would check what the log has to say.

Code:

root@nutshell:/var/log# tail -n 33 /var/log/messages
Sep 18 17:28:38 nutshell logger: /etc/rc.d/rc.inet1:  /sbin/ifconfig eth1 down
Sep 18 17:28:38 nutshell logger: /etc/rc.d/rc.inet1:  /sbin/ifconfig lo down
Sep 18 17:28:38 nutshell logger: /etc/rc.d/rc.inet1:  /sbin/ifconfig lo 127.0.0.1
Sep 18 17:28:38 nutshell logger: /etc/rc.d/rc.inet1:  /sbin/route add -net 127.0.0.0 netmask 255.0.0.0 lo
Sep 18 17:28:38 nutshell logger: /etc/rc.d/rc.inet1:  /sbin/ifconfig eth0 69.59.212.11 broadcast 69.59.215.255 netmask 255.255.252.0
Sep 18 17:28:38 nutshell kernel: ADDRCONF(NETDEV_UP): eth0: link is not ready
Sep 18 17:28:38 nutshell logger: /etc/rc.d/rc.inet1:  /sbin/ifconfig eth1 172.0.0.1 broadcast 172.0.0.255 netmask 255.255.255.0
Sep 18 17:28:38 nutshell kernel: ADDRCONF(NETDEV_UP): eth1: link is not ready
Sep 18 17:28:38 nutshell kernel: e100: eth1: e100_watchdog: link up, 100Mbps, full-duplex
Sep 18 17:28:38 nutshell kernel: ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready
Sep 18 17:28:39 nutshell logger: /etc/rc.d/rc.inet1:  /sbin/route add default gw 69.59.212.1 metric 1
Sep 18 17:28:40 nutshell kernel: tg3: eth0: Link is up at 100 Mbps, full duplex.
Sep 18 17:28:40 nutshell kernel: tg3: eth0: Flow control is on for TX and on for RX.
Sep 18 17:28:40 nutshell kernel: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
Sep 18 17:29:28 nutshell logger: /etc/rc.d/rc.inet1:  /sbin/route del default
Sep 18 17:29:28 nutshell logger: /etc/rc.d/rc.inet1:  /sbin/ifconfig eth0 down
Sep 18 17:29:28 nutshell logger: /etc/rc.d/rc.inet1:  /sbin/ifconfig eth1 down
Sep 18 17:29:29 nutshell logger: /etc/rc.d/rc.inet1:  /sbin/ifconfig lo down
Sep 18 17:29:29 nutshell logger: /etc/rc.d/rc.inet1:  /sbin/ifconfig lo 127.0.0.1
Sep 18 17:29:29 nutshell logger: /etc/rc.d/rc.inet1:  /sbin/route add -net 127.0.0.0 netmask 255.0.0.0 lo
Sep 18 17:29:29 nutshell logger: /etc/rc.d/rc.inet1:  /sbin/ifconfig eth0 69.59.212.11 broadcast 69.59.215.255 netmask 255.255.252.0
Sep 18 17:29:29 nutshell kernel: ADDRCONF(NETDEV_UP): eth0: link is not ready
Sep 18 17:29:29 nutshell logger: /etc/rc.d/rc.inet1:  /sbin/ifconfig eth1 172.0.0.1 broadcast 172.0.0.255 netmask 255.255.255.0
Sep 18 17:29:29 nutshell kernel: ADDRCONF(NETDEV_UP): eth1: link is not ready
Sep 18 17:29:29 nutshell kernel: e100: eth1: e100_watchdog: link up, 100Mbps, full-duplex
Sep 18 17:29:29 nutshell kernel: ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready
Sep 18 17:29:29 nutshell logger: /etc/rc.d/rc.inet1:  /sbin/route add default gw 69.59.212.1 metric 1
Sep 18 17:29:30 nutshell kernel: tg3: eth0: Link is up at 100 Mbps, full duplex.
Sep 18 17:29:30 nutshell kernel: tg3: eth0: Flow control is on for TX and on for RX.
Sep 18 17:29:30 nutshell kernel: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
Sep 18 17:34:45 nutshell sshd[3587]: Accepted password for root from 172.0.0.2 port 43237 ssh2
root@nutshell:/var/log

#

My question about this log is: could the flow control for tx and rx have anything to do with its dropping external connection?

What could be causing this line:

Code:

Sep 18 17:29:28 nutshell logger: /etc/rc.d/rc.inet1:  /sbin/ifconfig eth0 down

Obviously, this would take eth0, the external connection down. Why is it doing this? Argh.... Argh... ARGH!!!

slac-in-the-box · 09-18-2010, 07:59 PM

My isp thinks that my dsl modem might be failing (have used the same one for about 8 years)...

So, maybe my hardware is failing, and there is nothing anyone here at LQ can do about that.

It takes 4 hours to drive to my ISP and back... I'll post whether or not this solved my issue once I return.

slac-in-the-box · 09-21-2010, 12:16 AM

OK...

Once I got back from my four hour drive, I discovered that my ISP had forgotten to include the power adapter for the new dsl modem, and so I couldn't test it right away.

But after new modem, had same problem, so it was not hardware.

They sent out phone company guy to check lines, which checked out ok.

Then they discovered that they had assigned me someone else's static... oops.

So... linux networking was just fine. Slackware was just fine. And there is only one ISP to choose from where I live, and I'm stuck with them.

Sorry to trouble LQ with my ISP's problem

Until next time,

--slac-in-the-box