IP Masquerading w/ iptables unreliable on Red Hat 9 server

qwertyman19 · 10-29-2004, 06:06 PM

I am setting up a server for file sharing and masquerading using Red Hat 9. File sharing with SAMBA always works well. Masquerading starts up ok and works well for some period of time, but then it stops functioning. The server drops all types of masqueraded connections: HTTP, ftp, ping and email. After a few minutes, masquerading starts working normally again.

I have followed the "Linux IP Masquerade HOWTO" and have used the suggested iptables script in the HOWTO. I have also used the more simplified iptables method suggested by Mathieu on his post at: threadid=178329, postid=424274

I have masqueraded with ipchains on my RH 6.2 server for years without a problem, so this problem really has me pulling out my hair.

Any help would be greatly appreciated!

maxut · 10-30-2004, 05:41 AM

i have redhat 8-9, fedora 1-2. i dont have any trouble with them

what happens in that period? is there some daemons start or stop at that time? or do u have cron jobs that starts at that time? or someone turns on or off clients ?

if u think the trouble is your iptables script, try followings (it works on my redhat 9 without trouble):

Code:

#flushing chains
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING
iptables -F OUTPUT
iptables -F FORWARD
iptables -F INPUT

#setting default policies
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P PREROUTING ACCEPT

# rules to allow connections
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $eth_local -s $local_net -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $eth_local -s $local_net -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# if u have public dynamic ip use rule 1
# if u have static public ip use rule 2
1- iptables -A POSTROUTING -o $eth_ex -s $local_net -j MAQUERADE
2- iptables -A POSTROUTING -o $eth_ex -s $local_net -j SNAT --to $static_public_ip

good luck.

qwertyman19 · 11-01-2004, 10:37 AM

Thanks for the suggestion - I'll try your script.

I don't have any daemons starting/stopping or cron jobs scheduled afaik, so I don't think that is the problem. There are two clients on the network, a W2K machine and a WinXP machine. Masquerading starts to get flaky when the WinXP client is on the network. I've been researching WinXP to see if it could be the culprit. One thing that is unique to the WinXP client is that it sends out WebDAV packets. I've got no idea if WebDAV has anything to do with my problem or not.

maxut · 11-01-2004, 11:23 AM

maybe a virus cause this. did u do virus checking on windows boxes?