LinuxQuestions.org
Old 04-08-2011, 09:22 AM   #1
hoggan
LQ Newbie
 
Registered: Sep 2010
Posts: 12

Rep: Reputation: 0
Problem with gigabit network cards in Slackware 13.1 x64


Hello friends !
Recently bought a new system: motherboard Asus M4N68T-M LE V2 with a built-in gigabit card, and one Intel 82574L gigabit card. The problem is that it just won't work on my LAN for web surfing download from ftp is at full speed 100mbit. I use this computer as a gateway to distribute Internet to my local LAN. Worked perfectly on my old computer with 2 100mbit network cards and I'm using the same iptables config for the new computer. Maybe that's the problem?? I'm no iptables expert so I got it from a script. Help is very appreciated.
Code:
IPT="/usr/sbin/iptables"
SPAMLIST="blockedip"
SPAMDROPMSG="BLOCKED IP DROP"
 
echo "Starting IPv4 Wall..."

echo " applying general security settings to /proc filesystem"
echo ""
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then echo 1 > /proc/sys/net/ipv4/tcp_syncookies; fi
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter; fi
if [ -e /proc/sys/net/ipv4/ip_forward ]; then echo 1 > /proc/sys/net/ipv4/ip_forward; fi
 
# load some modules
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_nat_irc.o ]; then modprobe ip_nat_irc; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack_irc.o ]; then modprobe ip_conntrack_irc; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o ]; then modprobe ip_conntrack_ftp; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_nat_ftp.o ]; then modprobe ip_nat_ftp; fi


$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
modprobe ip_conntrack
 
[ -f /root/blocked.ip.txt ] && BADIPS=$(egrep -v -e "^#|^$" /root/blocked.ip.txt)
 
PUB_IF="eth0"
 
#unlimited
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
 
# DROP all incoming traffic
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP

echo " applying nat rules"
echo ""
$IPT -F FORWARD
$IPT -F -t nat
$IPT -P FORWARD DROP
$IPT -A FORWARD -i eth1 -j ACCEPT
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A OUTPUT -o eth1 -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE

 
if [ -f /root/blocked.ip.txt ];
then
# create a new iptables list
$IPT -N $SPAMLIST
 
for ipblock in $BADIPS
do
   $IPT -A $SPAMLIST -s $ipblock -j LOG --log-prefix "$SPAMDROPMSG"
   $IPT -A $SPAMLIST -s $ipblock -j DROP
done
 
$IPT -I INPUT -j $SPAMLIST
$IPT -I OUTPUT -j $SPAMLIST
$IPT -I FORWARD -j $SPAMLIST
fi
 
# Block sync
$IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW  -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Drop Sync"
$IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -j DROP
 
# Block Fragments
$IPT -A INPUT -i ${PUB_IF} -f  -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fragments Packets"
$IPT -A INPUT -i ${PUB_IF} -f -j DROP
 
# Block bad stuff
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL ALL -j DROP
 
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "NULL Packets"
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -j DROP # NULL packets
 
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
 
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "XMAS Packets"
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS
 
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fin Packets Scan"
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans
 
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
 
# Allow full outgoing connection but no incoming stuff
$IPT -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
 
# Allow ssh
$IPT -A INPUT -p tcp --destination-port 22 -j ACCEPT
 
# allow incoming ICMP ping pong stuff
$IPT -A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT
 
# Allow port 53 tcp/udp (DNS Server)
#$IPT -A INPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPT -A OUTPUT -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
 
#$IPT -A INPUT -p tcp --destination-port 53 -m state --state NEW,ESTABLISHED,RELATED  -j ACCEPT
#$IPT -A OUTPUT -p tcp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
 
# Open port 80
$IPT -A INPUT -p tcp --destination-port 80 -j ACCEPT
#$iptables -A INPUT -p tcp --dport 8112 -j ACCEPT
$IPT -A INPUT -p tcp --dport 80 -j ACCEPT
$IPT -A INPUT -p tcp --dport 8080 -j ACCEPT
$IPT -A INPUT -p tcp --dport 10000 -j ACCEPT
$IPT -A INPUT -p tcp --dport 10001 -j ACCEPT
$IPT -A INPUT -p tcp --dport 10002 -j ACCEPT
$IPT -A INPUT -p tcp --dport 20 -j ACCEPT
$IPT -A INPUT -p tcp --dport 21 -j ACCEPT
$IPT -A INPUT -p tcp --dport 22 -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp --dport 50773 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i eth0 -p udp --dport 50773 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp --dport 12899 -j ACCEPT
$IPT -A INPUT -p tcp --dport 11001 -j ACCEPT
$IPT -A INPUT -p tcp --dport 11002 -j ACCEPT
$IPT -A INPUT -p tcp --dport 3128 -j ACCEPT

##### Add your rules below ######
 
##### END your rules ############
 
# Do not log smb/windows sharing packets - too much logging
$IPT -A INPUT -p tcp -i eth0 --dport 137:139 -j REJECT
$IPT -A INPUT -p udp -i eth0 --dport 137:139 -j REJECT
 
# log everything else and drop
$IPT -A INPUT -j LOG
$IPT -A FORWARD -j LOG
$IPT -A INPUT -j DROP

echo "  Firewall up and running!"
echo ""

exit 0
 
Old 04-08-2011, 06:09 PM   #2
mRgOBLIN
Slackware Contributor
 
Registered: Jun 2002
Location: New Zealand
Distribution: Slackware
Posts: 999

Rep: Reputation: 231
The wording on your post is a little confusing. What do you mean by "just won't work"?

Do your interface names still match those rules?
Like is PUB_IF really eth0 still?

Check the output of ifconfig and perhaps use ethtool to check that these interfaces are all found and connected up the way you expect.
 
Old 04-08-2011, 06:35 PM   #3
Woodsman
Senior Member
 
Registered: Oct 2005
Distribution: Slackware 14.1
Posts: 3,482

Rep: Reputation: 546
You wrote "download from ftp is at full speed 100mbit." If the upstream connection is limited at any point to 100mbit then your new 1 gigabit card cannot increase the speed. For example, I connect to a 1 Gbps server to sync my local Slackware tree, but the ISP has me throttled to about 2.5 to 3 Mbps. My 1 Gbps NIC or even my 100 Mbps router can't improve upon that. You can achieve 1 Gbps only with another card supporting 1 Gbps.

I have mixed 10/100 Mbps and 1 Gbps machines in my small LAN. Only the 1 Gbps machines talking together exceed 100 Mbps speeds. I use a D-Link DGS-2205 Gigabit switch and my Linksys WRT54GL router to connect my machines. The 1 Gbps machines are connected to the switch and the 10/100 machines are connected to the built-in switch on the Linksys router.

A quick check of the cards will help:

Code:
/usr/sbin/ethtool eth0
Settings for eth0:
        Supported ports: [ MII ]
        Supported link modes:   10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Supports auto-negotiation: Yes
        Advertised link modes:  10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Advertised auto-negotiation: Yes
        Speed: 1000Mb/s
        Duplex: Full
        Port: MII
        PHYAD: 1
        Transceiver: external
        Auto-negotiation: on
        Supports Wake-on: g
        Wake-on: d
        Link detected: yes
Take a look at iperf as a quick method of testing connections between machines on your LAN.

By the way, achieving close to 1 Gbps speed is possible with testing such as with iperf, but in the real world with actual file transfers I see speeds ranging anywhere from about 200 to 600 Mbps.

Last edited by Woodsman; 04-08-2011 at 06:39 PM.
 
Old 04-08-2011, 07:40 PM   #4
Gerard Lally
Senior Member
 
Registered: Sep 2009
Location: Leinster, IE
Distribution: Slackware, NetBSD
Posts: 2,184

Rep: Reputation: 1765
Quote:
Originally Posted by hoggan
Hello friends !
Recently bought a new system: motherboard Asus M4N68T-M LE V2 with a built-in gigabit card, and one Intel 82574L gigabit card. The problem is that it just won't work on my LAN for web surfing download from ftp is at full speed 100mbit. I use this computer as a gateway to distribute Internet to my local LAN. Worked perfectly on my old computer with 2 100mbit network cards and I'm using the same iptables config for the new computer. Maybe that's the problem?? I'm no iptables expert so I got it from a script. Help is very appreciated.
Code:
 
# Open port 80
$IPT -A INPUT -p tcp --destination-port 80 -j ACCEPT
#$iptables -A INPUT -p tcp --dport 8112 -j ACCEPT
$IPT -A INPUT -p tcp --dport 80 -j ACCEPT
$IPT -A INPUT -p tcp --dport 8080 -j ACCEPT
$IPT -A INPUT -p tcp --dport 10000 -j ACCEPT
$IPT -A INPUT -p tcp --dport 10001 -j ACCEPT
$IPT -A INPUT -p tcp --dport 10002 -j ACCEPT
$IPT -A INPUT -p tcp --dport 20 -j ACCEPT
$IPT -A INPUT -p tcp --dport 21 -j ACCEPT
$IPT -A INPUT -p tcp --dport 22 -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp --dport 50773 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i eth0 -p udp --dport 50773 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp --dport 12899 -j ACCEPT
$IPT -A INPUT -p tcp --dport 11001 -j ACCEPT
$IPT -A INPUT -p tcp --dport 11002 -j ACCEPT
$IPT -A INPUT -p tcp --dport 3128 -j ACCEPT
I'm no netfilter expert either but it looks to me as though you are allowing unrestricted access from the outside world to a web server running on your machine, a Squid proxy running on your machine, an FTP server running on your machine and other servers as well. Are you really running these services on your machine and allowing the outside world to use them? The web and FTP server I can understand but a publicly-accessible Squid proxy? If not then my advice is to use Alien Bob's firewall generator to tidy up your iptables first and then we can diagnose other issues. If this is just a gateway then you don't need any services listening on your external network interface. All you need is a default block policy on the external interface, and packet forwarding as well to allow packets to travel from the LAN NIC to the external NIC and from there to your next-hop gateway.

As I say, I am no iptables expert so perhaps I have this all ends up.
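
Added example, not part of any poster's reply and not from the original script: a small shell audit that lists which INPUT ACCEPT rules open a port without an -i restriction (reachable on every interface, the public one included), the condition questioned in the post above. The function names and the embedded sample, a subset of the rules quoted in this thread, are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: a subset of the INPUT rules quoted in the thread.
sample_rules() {
cat <<'EOF'
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#$iptables -A INPUT -p tcp --dport 8112 -j ACCEPT
$IPT -A INPUT -p tcp --destination-port 80 -j ACCEPT
$IPT -A INPUT -p tcp --dport 21 -j ACCEPT
$IPT -A INPUT -p tcp --dport 22 -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp --dport 50773 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp --dport 3128 -j ACCEPT
$IPT -A INPUT -p tcp -i eth0 --dport 137:139 -j REJECT
EOF
}

# audit_input_accepts WAN_IF
# Reads an iptables shell script on stdin and prints "proto port scope" for
# every INPUT rule that ACCEPTs a destination port and is reachable from the
# public side:
#   any-interface  no -i given, so the rule matches on the WAN NIC as well
#   wan-only       -i names the WAN interface explicitly
# Rules bound to other interfaces (lo, the LAN NIC) are not reported.
audit_input_accepts() {
  awk -v wan="${1:-eth0}" '
    /^[ \t]*#/ { next }                      # skip commented-out rules
    {
      chain = ""; iface = ""; proto = ""; port = ""; target = ""
      for (i = 1; i < NF; i++) {
        if ($i == "-A" || $i == "-I")  chain  = $(i + 1)
        else if ($i == "-i")           iface  = $(i + 1)
        else if ($i == "-p")           proto  = $(i + 1)
        else if ($i == "--dport" || $i == "--destination-port") port = $(i + 1)
        else if ($i == "-j")           target = $(i + 1)
      }
      if (chain != "INPUT" || target != "ACCEPT" || port == "") next
      if (iface == "")        print proto, port, "any-interface"
      else if (iface == wan)  print proto, port, "wan-only"
    }
  '
}

# Stand-alone run over the constructed sample.
sample_rules | audit_input_accepts eth0
```

To check a real script, pipe the file into audit_input_accepts with the public interface name as the argument.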
 
Old 04-08-2011, 09:06 PM   #5
hoggan
LQ Newbie
 
Registered: Sep 2010
Posts: 12

Original Poster
Rep: Reputation: 0
eth0 is still my public iface. Bad English, sorry for that. But I mean that it goes really really slow to surf on web while downloading from ftp is at full speed. I have a 100/100mbit connection. And I can ssh to both interfaces. eth0 interface is limited to 100mbit from the broadband supplier router. LAN is connected at 1gbit and fast ftp transfer speeds local. It's when I'm trying to surf on web pages it goes abnormally sloooow
 
Old 04-08-2011, 09:11 PM   #6
mRgOBLIN
Slackware Contributor
 
Registered: Jun 2002
Location: New Zealand
Distribution: Slackware
Posts: 999

Rep: Reputation: 231
So is it slow to download a file over http? or does it just take a long time for each page to appear?

Is your DNS set up correctly?

Try putting just this line in /etc/resolv.conf

Code:
nameserver 8.8.8.8
 
Old 04-08-2011, 09:14 PM   #7
hoggan
LQ Newbie
 
Registered: Sep 2010
Posts: 12

Original Poster
Rep: Reputation: 0
It takes forever to load a www page. File transfers are downloading at acceptable speeds.
I haven't tried Google's DNS but I have the same DNS that was on the old computer and it worked flawlessly there, no problem at all with speed issues. I get DNS from the internet supplier via DHCP.

Last edited by hoggan; 04-08-2011 at 09:17 PM.
 
Old 04-08-2011, 09:29 PM   #8
Woodsman
Senior Member
 
Registered: Oct 2005
Distribution: Slackware 14.1
Posts: 3,482

Rep: Reputation: 546
Are the /etc/resolv.conf files the same? Have you tried disabling ipv6 --- in the browser or system-wide?
 
Old 04-08-2011, 09:32 PM   #9
hoggan
LQ Newbie
 
Registered: Sep 2010
Posts: 12

Original Poster
Rep: Reputation: 0
The same from my old system? If that was your question, it's no. I haven't tried disabling ipv6 and I really don't know how to either
 
Old 04-08-2011, 11:18 PM   #10
hoggan
LQ Newbie
 
Registered: Sep 2010
Posts: 12

Original Poster
Rep: Reputation: 0
Tested adding 8.8.8.8 into /etc/resolv.conf but it didn't make any difference. Is there anything else I can try or should I just sell the new computer and go back to the old one that works, although a little slow :/

When I type dmesg I get a lot of these messages:
IN=eth0 OUT= MAC=bc:ae:c5:d8:91:95:9c:4e:20:7b:a3:c4:08:00 SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=129 TOS=0x00 PREC=0x00 TTL=113 ID=7466 PROTO=UDP SPT=16005 DPT=38159 LEN=109

What does it mean ??

Last edited by hoggan; 04-08-2011 at 11:27 PM.
 
Old 04-09-2011, 12:07 AM   #11
Woodsman
Senior Member
 
Registered: Oct 2005
Distribution: Slackware 14.1
Posts: 3,482

Rep: Reputation: 546
Quote:
Do your interface names still match those rules?
Like is PUB_IF really eth0 still?
You haven't yet answered mRgOBLIN's questions.

When you moved the hard drive to a new computer there is a chance the old udev rules for the NIC assignments are incorrect. udev will not delete those rules but instead will create a new rule set.

In your firewall rules you assign the variable PUB_IF to eth0. Is eth0 still the NIC for the public interface? Additionally, which NIC is assigned to eth0 by udev?

Check /etc/udev/rules.d/70-persistent-net.rules for the NIC assignments. The rules will contain the MAC address and assignment for each NIC.
 
Old 04-09-2011, 05:35 AM   #12
hoggan
LQ Newbie
 
Registered: Sep 2010
Posts: 12

Original Poster
Rep: Reputation: 0
Quote:
eth0 is still my public iface. Bad English, sorry for that. But I mean that it goes really really slow to surf on web while downloading from ftp is at full speed. I have a 100/100mbit connection. And I can ssh to both interfaces. eth0 interface is limited to 100mbit from the broadband supplier router. LAN is connected at 1gbit and fast ftp transfer speeds local. It's when I'm trying to surf on web pages it goes abnormally sloooow
It's a brand new hard drive; everything on the computer is brand new, never used before. I'm only copying some config files that I need on this new computer also.

Checked /etc/udev/rules.d/70-persistent-net.rules and it is correct.
I am still very curious about this message I get from dmesg: IN=eth0 OUT= MAC=bc:ae:c5:d8:91:95:9c:4e:20:7b:a3:c4:08:00 SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=129 TOS=0x00 PREC=0x00 TTL=113 ID=7466 PROTO=UDP SPT=16005 DPT=38159 LEN=109

It's hundreds of the same type of messages. What does it mean?
 
Old 04-09-2011, 06:06 AM   #13
heinblöd
Member
 
Registered: May 2004
Location: France
Distribution: Slackware Gentoo
Posts: 186

Rep: Reputation: 31
Which config files did you copy from the old system?
And maybe you can post more from dmesg or syslog or /var/log/messages
Did you try to simply switch off iptables for testing ?
Sounds like a very wrong network (routing/dns) config and a bit screwed up iptables config to me, too

Last edited by heinblöd; 04-09-2011 at 06:13 AM.
 
Old 04-09-2011, 06:33 AM   #14
hoggan
LQ Newbie
 
Registered: Sep 2010
Posts: 12

Original Poster
Rep: Reputation: 0
Maybe iptables config is wrong but it worked perfectly on the old computer. I haven't tried turning iptables off for testing yet. The network is set up from internet provider DHCP and static on the local NIC. I have only copied the iptables ruleset and apache config files yet

root@hejsan:/tmp# tail /var/log/syslog
Apr 10 13:20:24 hejsan kernel: IN=eth0 OUT= MAC=bc:ae:c5:d8:91:95:9c:4e:20:7b:a3:c4:08:00 SRC=142.167.8.90 DST=xxx.xxx.xxx.xxx LEN=131 TOS=0x00 PREC=0x00 TTL=111 ID=24435 PROTO=UDP SPT=10523 DPT=38159 LEN=111
Apr 10 13:20:26 hejsan kernel: IN=eth0 OUT= MAC=bc:ae:c5:d8:91:95:9c:4e:20:7b:a3:c4:08:00 SRC=91.192.20.7 DST=xxx.xxx.xxx.xxx LEN=131 TOS=0x00 PREC=0x00 TTL=111 ID=13967 PROTO=UDP SPT=11920 DPT=35340 LEN=111
Apr 10 13:20:28 hejsan kernel: IN=eth0 OUT= MAC=bc:ae:c5:d8:91:95:9c:4e:20:7b:a3:c4:08:00 SRC=83.86.50.131 DST=xxx.xxx.xxx.xxx LEN=134 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=51413 DPT=35340 LEN=114
Apr 10 13:20:28 hejsan kernel: IN=eth0 OUT= MAC=bc:ae:c5:d8:91:95:9c:4e:20:7b:a3:c4:08:00 SRC=94.144.63.20 DST=xxx.xxx.xxx.xxx LEN=134 TOS=0x00 PREC=0x00 TTL=111 ID=452 PROTO=UDP SPT=14462 DPT=38159 LEN=114
Apr 10 13:20:30 hejsan kernel: IN=eth0 OUT= MAC=bc:ae:c5:d8:91:95:9c:4e:20:7b:a3:c4:08:00 SRC=80.54.56.41 DST=xxx.xxx.xxx.xxx LEN=131 TOS=0x00 PREC=0x00 TTL=112 ID=35924 PROTO=UDP SPT=25315 DPT=38159 LEN=111
Apr 10 13:20:36 hejsan kernel: IN=eth0 OUT= MAC=bc:ae:c5:d8:91:95:9c:4e:20:7b:a3:c4:08:00 SRC=67.246.36.177 DST=xxx.xxx.xxx.xxx LEN=134 TOS=0x00 PREC=0x00 TTL=109 ID=49096 PROTO=UDP SPT=12761 DPT=38159 LEN=114
Apr 10 13:20:39 hejsan kernel: IN=eth0 OUT= MAC=bc:ae:c5:d8:91:95:9c:4e:20:7b:a3:c4:08:00 SRC=84.23.49.122 DST=xxx.xxx.xxx.xxx LEN=131 TOS=0x00 PREC=0x00 TTL=108 ID=14847 PROTO=UDP SPT=45944 DPT=35340 LEN=111
Apr 10 13:20:39 hejsan kernel: IN=eth0 OUT= MAC=bc:ae:c5:d8:91:95:9c:4e:20:7b:a3:c4:08:00 SRC=138.37.218.28 DST=xxx.xxx.xxx.xxx LEN=125 TOS=0x00 PREC=0x00 TTL=49 ID=32826 PROTO=UDP SPT=51413 DPT=38159 LEN=105
Apr 10 13:20:41 hejsan kernel: IN=eth0 OUT= MAC=bc:ae:c5:d8:91:95:9c:4e:20:7b:a3:c4:08:00 SRC=93.144.198.225 xxx.xxx.xxx.xxx LEN=131 TOS=0x00 PREC=0x00 TTL=103 ID=4162 PROTO=UDP SPT=24515 DPT=35340 LEN=111
Apr 10 13:20:41 hejsan kernel: IN=eth0 OUT= MAC=bc:ae:c5:d8:91:95:9c:4e:20:7b:a3:c4:08:00 SRC=78.157.167.158 DST=xxx.xxx.xxx.xxx LEN=131 TOS=0x00 PREC=0x00 TTL=110 ID=28172 PROTO=UDP SPT=50288 DPT=35340 LEN=111


Apr 10 12:57:10 hejsan dhcpcd: version 5.2.2 starting
Apr 10 12:57:10 hejsan dhcpcd: eth0: broadcasting for a lease
Apr 10 12:57:14 hejsan dhcpcd: eth0: offered xxx.xxx.xxx.xxx from xxx.xxx.xxx.xxx
Apr 10 12:57:20 hejsan dhcpcd: eth0: probing for an IPv4LL address
Apr 10 12:57:20 hejsan dhcpcd: eth0: checking for xxx.xxx.xxx.xxx
Apr 10 12:57:25 hejsan dhcpcd: eth0: using IPv4LL address xxx.xxx.xxx.xxx
Apr 10 12:57:25 hejsan dhcpcd: forking to background
Apr 10 12:57:25 hejsan logger: /etc/rc.d/rc.inet1: /sbin/ifconfig eth1 192.168.1.2 broadcast 192.168.1.255 netmask 255.255.$
Apr 10 12:57:25 hejsan kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
Apr 10 12:57:25 hejsan kernel: nf_conntrack version 0.5.0 (16384 buckets, 65536 max)
Apr 10 12:57:26 hejsan kernel: NET: Registered protocol family 10
Apr 10 12:57:26 hejsan kernel: ADDRCONF(NETDEV_UP): eth1: link is not ready
Apr 10 12:57:26 hejsan sshd[1831]: Server listening on 0.0.0.0 port 22.
Apr 10 12:57:26 hejsan sshd[1831]: Server listening on :: port 22.
Apr 10 12:57:26 hejsan acpid: starting up with proc fs
Apr 10 12:57:26 hejsan acpid: skipping conf file /etc/acpi/events/..
Apr 10 12:57:26 hejsan acpid: skipping conf file /etc/acpi/events/.
Apr 10 12:57:26 hejsan acpid: 1 rule loaded
Apr 10 12:57:26 hejsan acpid: waiting for events: event logging is off
Apr 10 12:57:28 hejsan acpid: client connected from 1886[82:82]
Apr 10 12:57:28 hejsan acpid: 1 client rule loaded
Apr 10 12:57:28 hejsan kernel: e1000e: eth1 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: Rx/Tx
Apr 10 12:57:28 hejsan kernel: ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready
Apr 10 12:58:33 hejsan dhcpcd: eth0: broadcasting for a lease
Apr 10 12:58:48 hejsan sshd[1938]: Accepted password for root from 192.168.1.16 port 4676 ssh2
Apr 10 12:59:13 hejsan logger: /etc/rc.d/rc.inet1: /sbin/dhcpcd -k -d eth0
Apr 10 12:59:13 hejsan dhcpcd: sending signal 1 to pid 1662
Apr 10 12:59:13 hejsan dhcpcd: waiting for pid 1662 to exit
Apr 10 12:59:13 hejsan dhcpcd: received SIGHUP, releasing lease
Apr 10 12:59:13 hejsan dhcpcd: eth0: removing interface
Apr 10 12:59:14 hejsan logger: /etc/rc.d/rc.inet1: /sbin/ifconfig eth1 down
Apr 10 12:59:14 hejsan kernel: e1000e: eth1 NIC Link is Down
Apr 10 12:59:14 hejsan logger: /etc/rc.d/rc.inet1: /sbin/ifconfig lo down
Apr 10 12:59:14 hejsan logger: /etc/rc.d/rc.inet1: /sbin/ifconfig lo 127.0.0.1
Apr 10 12:59:14 hejsan logger: /etc/rc.d/rc.inet1: /sbin/route add -net 127.0.0.0 netmask 255.0.0.0 lo
Apr 10 12:59:14 hejsan logger: /etc/rc.d/rc.inet1: /sbin/dhcpcd -t 10 eth0
Apr 10 12:59:14 hejsan dhcpcd: version 5.2.2 starting
Apr 10 12:59:14 hejsan dhcpcd: eth0: broadcasting for a lease
Apr 10 12:59:14 hejsan dhcpcd: eth0: offered xxx.xxx.xxx.xxx from xxx.xxx.xxx.xxx
Apr 10 12:59:14 hejsan dhcpcd: eth0: checking for xxx.xxx.xxx.xxx
Apr 10 12:59:20 hejsan dhcpcd: eth0: leased xxx.xxx.xxx.xxx for 21600 seconds
Apr 10 12:59:26 hejsan dhcpcd: forking to background
Apr 10 12:59:26 hejsan logger: /etc/rc.d/rc.inet1: /sbin/ifconfig eth1 192.168.1.2 broadcast 192.168.1.255 netmask 255.255.$
Apr 10 12:59:26 hejsan kernel: ADDRCONF(NETDEV_UP): eth1: link is not ready
Apr 10 12:59:29 hejsan kernel: e1000e: eth1 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: Rx/Tx
Apr 10 12:59:29 hejsan kernel: ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready
 
Old 04-09-2011, 07:29 AM   #15
heinblöd
Member
 
Registered: May 2004
Location: France
Distribution: Slackware Gentoo
Posts: 186

Rep: Reputation: 31
Looks to me as if you get tons of incoming connections from the internet from your dmesg.

You need to exclude possibilities, reusing config files from other computers is never a good idea.
It says nothing if they worked good before.

Maybe the modules you try to load don't exist.
Quote:
lsmod
Maybe the chains you try to use in Iptables don't exist;
Quote:
iptables -L
Maybe the files ( eg /root/blocked.ip.txt) your config file tries to include don't exist (owner, rights ?)
etc etc .

I would start only with ETH0 as browsing should be fine on the linux box in the first place;
So leave ETH1 deactivated.

If this doesn't help, go on and switch iptables off.

Try to remove all those input-rules except for port 22 - you don't want to allow everybody to use your box as an open relay for almost everything.

You could delete udev-persistent rules, as they should get recreated ( but try everything else before)
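
Added example, not part of any poster's reply: the kernel lines posted earlier in the thread carry IN=eth0, an empty OUT= and no log prefix, which is what the script's catch-all "$IPT -A INPUT -j LOG" rule writes just before the final DROP. The sketch below groups such lines by destination port and counts packets and distinct sources; the function names and the sample lines (documentation addresses, the two UDP ports seen in the thread) are constructed.

```shell
#!/bin/sh
# Constructed sample in the format of the thread's syslog excerpt.
# Addresses are documentation ranges; 38159 and 35340 are the thread's ports.
sample_log() {
cat <<'EOF'
Apr 10 13:20:24 gw kernel: IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=198.51.100.10 DST=192.0.2.1 LEN=131 TOS=0x00 PREC=0x00 TTL=111 ID=24435 PROTO=UDP SPT=10523 DPT=38159 LEN=111
Apr 10 13:20:26 gw kernel: IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=198.51.100.11 DST=192.0.2.1 LEN=131 TOS=0x00 PREC=0x00 TTL=111 ID=13967 PROTO=UDP SPT=11920 DPT=35340 LEN=111
Apr 10 13:20:28 gw kernel: IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=203.0.113.5 DST=192.0.2.1 LEN=134 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=51413 DPT=38159 LEN=114
Apr 10 13:20:29 gw kernel: IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=198.51.100.10 DST=192.0.2.1 LEN=131 TOS=0x00 PREC=0x00 TTL=111 ID=24436 PROTO=UDP SPT=10523 DPT=38159 LEN=111
Apr 10 13:20:30 gw kernel: IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=203.0.113.9 DST=192.0.2.1 LEN=131 TOS=0x00 PREC=0x00 TTL=112 ID=35924 PROTO=UDP SPT=25315 DPT=35340 LEN=111
Apr 10 13:20:31 gw dhcpcd: eth0: broadcasting for a lease
Apr 10 13:20:33 gw kernel: IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=203.0.113.77 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4162 DF PROTO=TCP SPT=40112 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
EOF
}

# summarize_fw_log
# Reads syslog/dmesg text on stdin and prints one line per
# (input interface, protocol, destination port):
#   IN PROTO DPT PACKETS DISTINCT_SOURCES
# sorted by packet count, highest first. Non-firewall lines are ignored;
# protocols without ports (e.g. ICMP) are reported with DPT "-".
summarize_fw_log() {
  awk '
    /(^| )IN=[^ ]* OUT=/ && / PROTO=/ {
      inif = ""; src = ""; proto = ""; dpt = "-"
      for (i = 1; i <= NF; i++) {
        n = index($i, "=")
        if (n == 0) continue                 # flag tokens such as DF or SYN
        k = substr($i, 1, n - 1); v = substr($i, n + 1)
        if (k == "IN")          inif  = v
        else if (k == "SRC")    src   = v
        else if (k == "PROTO")  proto = v
        else if (k == "DPT")    dpt   = v
      }
      key = inif " " proto " " dpt
      pkts[key]++
      if (!((key, src) in seen)) { seen[key, src] = 1; srcs[key]++ }
    }
    END { for (key in pkts) print key, pkts[key], srcs[key] }
  ' | sort -k4,4nr -k3,3n
}

# Stand-alone run over the constructed sample.
sample_log | summarize_fw_log
```

Many distinct sources converging on the same one or two destination ports is unsolicited inbound traffic being logged and dropped, so these entries record the firewall working rather than a fault.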
 
  

