Strange problem with SNAT
Bill Guelker <wguelker <at> gmail.com>
2006-08-31 19:40:39 GMT
Hi,
I have a problem which I do not believe is directly related to
Shorewall, but which Shorewall may be able to help me circumvent. I
administer a small office network which makes abundant use of an
online application. Recently, the servers which host that application
have converted to linux. And it is after this conversion that I have
begun to experience problems.
My network has around 30 workstations behind a linux box running
CentOS4 and Shorewall 3.2.2. Most of the workstations are running
Fedora Core 5, but there are also several WinXP boxes. The firewall
is doing SNAT for the network, using a single external ip address (the
address of the firewall's external interface).
If there are open connections to the web server (ports 80 and 443) at
207.41.18.59 (ecf.moeb.uscourts.gov) through the firewall, some of the
linux clients can no longer connect to the site -- the firewall shows
these connections in a "SYN_SENT" state. But some of the clients may
connect -- it is not possible to predict who can and who can't. If
there are no connections currently, any client machine can connect to
the site. But as soon as a connection is established, other linux
clients start getting stuck (court site is unresponsive, firewall
shows SYN_SENT, even while the court site is responding to other
connections).
Here's the strange part: the local WinXP clients can always connect
without any problems!
The problem only occurs with this site; client machines can
simultaneously connect to other sites without any issues.
It's as though the remote server, or some router in between, is
dropping SYN packets from my network's external ip which are not part
of an established connection -- unless those SYN packets came from a
Windows host!
I am guessing that there may be some TCP option enabled on my linux
client machines which is triggering the problem, but I'm not sure what
to try.
If I add ip addresses and aliases, so that Shorewall uses a pool of
external ip addresses for SNAT, the problem is alleviated, until the
ip addresses are exhausted and outgoing connections start doubling up.
I have replicated this problem on a separate network, using a Cisco
PIX firewall, and connecting to the same application on a different
server -- linux clients have trouble, Windows clients connect every
time.
I have tried setting CLAMPMSS=Yes with no change.
The office administering the application says there is no connection
limiting going on on their end.
Any ideas? I am attaching a "shorewall dump" with some clients
connected, and others stuck at SYN_SENT (this is with three external
ip addresses for SNAT). Thanks for any suggestions you can offer --
I've been scratchin' my head over this one for a while....
Bill
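The hypothesis above, that some TCP option set by the Linux clients but not by the Windows clients makes their SYNs behave differently at the far end, can be checked by decoding the option area of a SYN from each kind of client as seen leaving the firewall. The Python below is an added example, not part of Bill's post or of Shorewall; the two SYN headers are constructed samples modelled on typical Linux and Windows XP option layouts, not captured traffic.

```python
import struct
# Option kinds from RFC 793 (EOL, NOP, MSS), RFC 2018 (SACK), RFC 1323 (WScale, Timestamps)
OPTION_NAMES = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WScale", 4: "SACK-OK", 5: "SACK", 8: "Timestamps"}

def parse_tcp_options(opts: bytes) -> dict:
    """Walk the TCP options area and return {option name: decoded value}."""
    result, i = {}, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # EOL: nothing follows
            break
        if kind == 1:                      # NOP: one byte of padding
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option at offset %d" % i)
        length = opts[i + 1]
        data = opts[i + 2:i + length]
        name = OPTION_NAMES.get(kind, "kind-%d" % kind)
        if kind == 2 and len(data) == 2:
            result[name] = struct.unpack("!H", data)[0]   # MSS in bytes
        elif kind == 3 and len(data) == 1:
            result[name] = data[0]                        # window shift count
        elif kind == 8 and len(data) == 8:
            result[name] = struct.unpack("!II", data)     # (TSval, TSecr)
        else:
            result[name] = data                           # raw payload; SACK-OK is empty
        i += length
    return result

def tcp_header_options(tcp_header: bytes) -> bytes:
    """Slice the option bytes out of a raw TCP header using its Data Offset field."""
    data_offset = (tcp_header[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("invalid data offset")
    return tcp_header[20:data_offset]

def build_syn_header(sport: int, dport: int, opts: bytes) -> bytes:
    """Constructed SYN header (seq/ack/checksum zero) so the example runs offline."""
    offset_flags = (((20 + len(opts)) // 4) << 12) | 0x002    # Data Offset in words, SYN flag
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, offset_flags, 5840, 0, 0) + opts

def options_missing_from(hdr_a: bytes, hdr_b: bytes) -> list:
    """Names of options carried by SYN hdr_a that SYN hdr_b does not carry."""
    a = parse_tcp_options(tcp_header_options(hdr_a))
    b = parse_tcp_options(tcp_header_options(hdr_b))
    return sorted(set(a) - set(b))
# Constructed samples, not captures: typical Linux SYN (MSS, SACK-OK, Timestamps, NOP, WScale) and XP SYN (MSS, NOP, NOP, SACK-OK)
LINUX_SYN = build_syn_header(40000, 443, bytes.fromhex("020405b4 0402 080a0000abcd00000000 01 030306"))
WINXP_SYN = build_syn_header(1025, 443, bytes.fromhex("020405b4 0101 0402"))
```

Run against real SYNs taken from a capture on the firewall's external interface, the same comparison shows which options only the stuck clients are sending, which is the first thing to vary when testing the TCP-option theory.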
-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642