iptables forwarding question
James Pifer
jep at obrien-pifer.com
Fri Mar 17 16:15:15 UTC 2006
> Define 'performance is terrible'. That isn't a very useful description of the problem.
>
> What do traceroute and ping look like from each end? Are you seeing lots
> of packet loss or RTTs or is something else entirely happening? What
> _other_ iptable rules are in your system? What does your route table look
> like? Are you seeing anything in /var/log/messages?
>
> You haven't given anywhere near enough information to guess at causes.
> --
> Benjamin Franz
>
> If you can't handle reality, it *will* handle you.
>
No, I sure didn't give much info.
I don't have access to server2.
By terrible performance I mean the audio I hear on my end is really
choppy, or is full of interference. It's actually difficult to explain
the noise.
I'm doing an ethereal capture and I see the packets going between the
phone and server2. The only negative thing I see in the trace is my ppp0
address replying to server2 that:
Protocol: ICMP; Info: Destination unreachable (Port unreachable)
In messages I see a lot of this when I try to use the phone:
Mar 17 10:50:18 laptop pptp[31007]: anon log[decaps_gre:pptp_gre.c:407]:
buffering packet 1363 (expecting 1362, lost or reordered)
Mar 17 10:50:18 laptop pptp[31007]: anon log[decaps_gre:pptp_gre.c:407]:
buffering packet 1364 (expecting 1362, lost or reordered)
Mar 17 10:50:20 laptop pptp[31007]: anon log[decaps_gre:pptp_gre.c:407]:
buffering packet 1410 (expecting 1408, lost or reordered)
Here are the other rules:
# iptables -L;iptables -t nat -L
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 10.0.0.0/8 anywhere
ACCEPT all -- 10.0.0.0/8 anywhere
ACCEPT all -- anywhere 10.0.0.0/8
TCPMSS tcp -- anywhere anywhere tcp
flags:SYN,RST/SYN TCPMSS clamp to PMTU
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 10.0.0.0/8 anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 10.0.0.0/8
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT all -- 10.96.26.42 10.96.7.149
to:192.168.0.9
route table is:
# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use
Iface
vpn1 192.168.1.1 255.255.255.255 UGH 0 0 0 wlan0
10.96.7.6 * 255.255.255.255 UH 0 0 0
ppp0
192.168.1.0 * 255.255.255.0 U 0 0 0
wlan0
192.168.0.0 * 255.255.255.0 U 0 0 0
eth0
169.254.0.0 * 255.255.0.0 U 0 0 0
wlan0
10.0.0.0 * 255.0.0.0 U 0 0 0
ppp0
default 192.168.1.1 0.0.0.0 UG 0 0 0
wlan0
I have these interfaces and the machine is acting as a router:
wlan0 192.168.1.0 network
eth0 192.168.0.0 network
ppp0 10.96.7.0 network
Let me try to explain why I have both a 192.168.1.0 and a 192.168.0.0.
There is another route to the remote network through a branch office
VPN. I did not want any confusion while trying to make this work, so I
wanted the phone to be on a different subnet (logically). So the only
things on 192.168.0.0 are the phone and eth0 in my laptop. I don't
believe this is causing any issues.
Thanks,
James
More information about the fedora-list
mailing list