stiwi Apprentice
Joined: 20 Mar 2003 Posts: 266 Location: hamburg - germany
Posted: Mon Jul 24, 2006 10:41 am Post subject: Shorewall local redirect (DNAT with routeback Option) |
I have a strange problem. In my company there is a Shorewall router with a local redirect configured for POP3 and SMTP, so users who connect from outside to the company's POP3 server via the public IP can use the same IP locally.
The problem is that the connection is sometimes reset by the mail server when I poll POP3 internally using the external IP. Sometimes it works. When I use the internal IP internally, it works.
External IP of the POP3 server: 111.111.111.111 (example)
Internal IP of the POP3 server: 192.168.111.111
Router internal IP: 192.168.111.1
Shorewall config
interfaces:
net eth1 111.111.111.255
loc eth0 192.168.255.255 routeback
masq:
eth0:192.168.111.1 eth0 192.168.111.111 tcp pop3
eth0:192.168.111.1 eth0 192.168.111.111 udp pop3
eth0:192.168.111.1 eth0 192.168.111.111 tcp smtp
eth0:192.168.111.1 eth0 192.168.111.111 udp smtp
rules:
DNAT loc loc:192.168.111.1 tcp pop-3 - 111.111.111.111
DNAT loc loc:192.168.111.1 udp pop-3 - 111.111.111.111
DNAT loc loc:192.168.111.1 tcp smtp - 111.111.111.111
DNAT loc loc:192.168.111.1 udp smtp - 111.111.111.111
The example config is here: http://www.shorewall.net/FAQ.htm#id2452274
What can I do to find out the cause of the problem?
thunder Retired Dev
Joined: 01 Sep 2003 Posts: 164 Location: Wroclaw, PL
Posted: Mon Jul 24, 2006 2:30 pm Post subject: |
You should get more info from `tcpdump` or `tcpflow`, and setting up
Quote: | all all reject info |
at the end of policy would be a great source of information in the logs.
_________________
Damian Florczyk
Gentoo/NetBSD development lead
stiwi Apprentice
Joined: 20 Mar 2003 Posts: 266 Location: hamburg - germany
Posted: Wed Jul 26, 2006 11:02 pm Post subject: |
OK, here is my tcpdump. At line no. 149, mysterious duplicate ACK packets start. What can it be? On a local POP3 poll, there are no duplicate ACKs in the log files. I canceled the transfer after line 182, because it stalls.
111.111.111.111: External IP of the mail server
10.30.3.21: My PC
10.30.2.3: Router with local DNAT
10.30.2.1: Local IP of the mail server
tcpdump from the router:
Code: |
No. Time Source Destination Protocol Info
115 25.325973 10.30.3.21 111.111.111.111 POP Request: RETR 2
116 25.326062 10.30.2.3 10.30.2.1 POP Request: RETR 2
117 25.326235 10.30.2.1 10.30.2.3 TCP pop3 > 42151 [ACK] Seq=103 Ack=34 Win=10524 Len=0
118 25.326261 111.111.111.111 10.30.3.21 TCP pop3 > 42151 [ACK] Seq=103 Ack=34 Win=10524 Len=0
119 25.338641 10.30.2.1 10.30.2.3 POP Response: +OK Here it comes...
120 25.338659 111.111.111.111 10.30.3.21 POP Response: +OK Here it comes...
121 25.339485 10.30.2.1 10.30.2.3 POP Continuation
122 25.339511 111.111.111.111 10.30.3.21 POP Continuation
123 25.339909 10.30.2.1 10.30.2.3 POP Continuation
124 25.339933 111.111.111.111 10.30.3.21 POP Continuation
125 25.339913 10.30.3.21 111.111.111.111 TCP 42151 > pop3 [ACK] Seq=34 Ack=125 Win=5888 Len=0
126 25.339953 10.30.2.3 10.30.2.1 TCP 42151 > pop3 [ACK] Seq=34 Ack=125 Win=5888 Len=0
127 25.340326 10.30.3.21 111.111.111.111 TCP 42151 > pop3 [ACK] Seq=34 Ack=1585 Win=8832 Len=0
128 25.340343 10.30.2.3 10.30.2.1 TCP 42151 > pop3 [ACK] Seq=34 Ack=1585 Win=8832 Len=0
129 25.340578 10.30.2.1 10.30.2.3 POP Continuation
130 25.340598 111.111.111.111 10.30.3.21 POP Continuation
131 25.340885 10.30.2.1 10.30.2.3 POP Continuation
132 25.340910 111.111.111.111 10.30.3.21 POP Continuation
133 25.340889 10.30.3.21 111.111.111.111 TCP 42151 > pop3 [ACK] Seq=34 Ack=3045 Win=11776 Len=0
134 25.340929 10.30.2.3 10.30.2.1 TCP 42151 > pop3 [ACK] Seq=34 Ack=3045 Win=11776 Len=0
135 25.341315 10.30.2.1 10.30.2.3 POP Continuation
136 25.341338 111.111.111.111 10.30.3.21 POP Continuation
137 25.341318 10.30.3.21 111.111.111.111 TCP 42151 > pop3 [ACK] Seq=34 Ack=4505 Win=14720 Len=0
138 25.341356 10.30.2.3 10.30.2.1 TCP 42151 > pop3 [ACK] Seq=34 Ack=4505 Win=14720 Len=0
139 25.341761 10.30.2.1 10.30.2.3 POP Continuation
140 25.341781 111.111.111.111 10.30.3.21 POP Continuation
141 25.341941 10.30.3.21 111.111.111.111 TCP 42151 > pop3 [ACK] Seq=34 Ack=5965 Win=17536 Len=0
142 25.341958 10.30.2.3 10.30.2.1 TCP 42151 > pop3 [ACK] Seq=34 Ack=5965 Win=17536 Len=0
143 25.342201 10.30.2.1 10.30.2.3 POP Continuation
144 25.342221 111.111.111.111 10.30.3.21 POP Continuation
145 25.342381 10.30.3.21 111.111.111.111 TCP 42151 > pop3 [ACK] Seq=34 Ack=7425 Win=20480 Len=0
146 25.342398 10.30.2.3 10.30.2.1 TCP 42151 > pop3 [ACK] Seq=34 Ack=7425 Win=20480 Len=0
147 25.342647 10.30.2.1 10.30.2.3 POP Continuation
148 25.342667 111.111.111.111 10.30.3.21 POP Continuation
149 25.342827 10.30.3.21 111.111.111.111 TCP [TCP Dup ACK 145#1] 42151 > pop3 [ACK] Seq=34 Ack=7425 Win=20480 Len=0 SLE=8885 SRE=10345
150 25.342844 10.30.2.3 10.30.2.1 TCP [TCP Dup ACK 146#1] 42151 > pop3 [ACK] Seq=34 Ack=7425 Win=20480 Len=0 SLE=8885 SRE=10345
151 25.343100 10.30.2.1 10.30.2.3 POP Continuation
152 25.343120 111.111.111.111 10.30.3.21 POP Continuation
153 25.343314 10.30.3.21 111.111.111.111 TCP [TCP Dup ACK 145#2] 42151 > pop3 [ACK] Seq=34 Ack=7425 Win=20480 Len=0 SLE=8885 SRE=11805
154 25.343331 10.30.2.3 10.30.2.1 TCP [TCP Dup ACK 146#2] 42151 > pop3 [ACK] Seq=34 Ack=7425 Win=20480 Len=0 SLE=8885 SRE=11805
155 25.343815 10.30.3.21 111.111.111.111 TCP [TCP Dup ACK 145#3] 42151 > pop3 [ACK] Seq=34 Ack=7425 Win=20480 Len=0 SLE=8885 SRE=13265
156 25.343839 10.30.2.3 10.30.2.1 TCP [TCP Dup ACK 146#3] 42151 > pop3 [ACK] Seq=34 Ack=7425 Win=20480 Len=0 SLE=8885 SRE=13265
157 25.344066 10.30.2.1 10.30.2.3 POP [TCP Fast Retransmission] Continuation
158 25.344086 111.111.111.111 10.30.3.21 POP [TCP Fast Retransmission] Continuation
159 25.344812 10.30.3.21 111.111.111.111 TCP 42151 > pop3 [ACK] Seq=34 Ack=13265 Win=23424 Len=0
160 25.344828 10.30.2.3 10.30.2.1 TCP 42151 > pop3 [ACK] Seq=34 Ack=13265 Win=23424 Len=0
161 25.345052 10.30.2.1 10.30.2.3 POP Continuation
162 25.345073 111.111.111.111 10.30.3.21 POP Continuation
163 25.553856 10.30.2.1 10.30.2.3 POP [TCP Retransmission] Continuation
164 25.553926 111.111.111.111 10.30.3.21 POP [TCP Retransmission] Continuation
165 25.554713 10.30.3.21 111.111.111.111 TCP 42151 > pop3 [ACK] Seq=34 Ack=14725 Win=26368 Len=0
166 25.554732 10.30.2.3 10.30.2.1 TCP 42151 > pop3 [ACK] Seq=34 Ack=14725 Win=26368 Len=0
167 25.554989 10.30.2.1 10.30.2.3 POP Continuation
168 25.555010 111.111.111.111 10.30.3.21 POP Continuation
169 26.212888 10.30.2.1 10.30.2.3 POP [TCP Retransmission] Continuation
170 26.212938 111.111.111.111 10.30.3.21 POP [TCP Retransmission] Continuation
171 26.213814 10.30.3.21 111.111.111.111 TCP 42151 > pop3 [ACK] Seq=34 Ack=16185 Win=29312 Len=0
172 26.213837 10.30.2.3 10.30.2.1 TCP 42151 > pop3 [ACK] Seq=34 Ack=16185 Win=29312 Len=0
173 26.214081 10.30.2.1 10.30.2.3 POP Continuation
174 26.214101 111.111.111.111 10.30.3.21 POP Continuation
175 26.648683 10.30.1.3 10.30.2.3 TIME TIME Request
176 27.158719 10.30.1.2 10.30.2.3 TIME TIME Request
177 27.531029 10.30.2.1 10.30.2.3 POP [TCP Retransmission] Continuation
178 27.531125 111.111.111.111 10.30.3.21 POP [TCP Retransmission] Continuation
179 27.532019 10.30.3.21 111.111.111.111 TCP 42151 > pop3 [ACK] Seq=34 Ack=17645 Win=32128 Len=0
180 27.532045 10.30.2.3 10.30.2.1 TCP 42151 > pop3 [ACK] Seq=34 Ack=17645 Win=32128 Len=0
181 27.532303 10.30.2.1 10.30.2.3 POP Continuation
182 27.532326 111.111.111.111 10.30.3.21 POP Continuation
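
Added example, not part of the thread or of any poster's code: a small Python parser for the Wireshark-style text export above that extracts the byte range each duplicate ACK reports as missing (from its SACK block) and the time the server waited before each timeout retransmission. The function names are this example's own; the embedded trace lines are copied from the capture in the post.

```python
import re

# Excerpt of the router capture posted above (client ACKs and server-leg data packets).
TRACE = """\
145 25.342381 10.30.3.21 111.111.111.111 TCP 42151 > pop3 [ACK] Seq=34 Ack=7425 Win=20480 Len=0
149 25.342827 10.30.3.21 111.111.111.111 TCP [TCP Dup ACK 145#1] 42151 > pop3 [ACK] Seq=34 Ack=7425 Win=20480 Len=0 SLE=8885 SRE=10345
155 25.343815 10.30.3.21 111.111.111.111 TCP [TCP Dup ACK 145#3] 42151 > pop3 [ACK] Seq=34 Ack=7425 Win=20480 Len=0 SLE=8885 SRE=13265
157 25.344066 10.30.2.1 10.30.2.3 POP [TCP Fast Retransmission] Continuation
161 25.345052 10.30.2.1 10.30.2.3 POP Continuation
163 25.553856 10.30.2.1 10.30.2.3 POP [TCP Retransmission] Continuation
167 25.554989 10.30.2.1 10.30.2.3 POP Continuation
169 26.212888 10.30.2.1 10.30.2.3 POP [TCP Retransmission] Continuation
173 26.214081 10.30.2.1 10.30.2.3 POP Continuation
177 27.531029 10.30.2.1 10.30.2.3 POP [TCP Retransmission] Continuation
"""

ROW = re.compile(r"^\s*(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")

def parse(text):
    """Turn a Wireshark text export into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            no, t, src, dst, _proto, info = m.groups()
            rows.append({"no": int(no), "t": float(t), "src": src, "dst": dst, "info": info})
    return rows

def sack_holes(rows):
    """For each duplicate ACK with a SACK block, return (packet no, Ack, SLE, hole size).
    Ack is the next byte the receiver still needs; SLE is where the data it holds begins."""
    holes = []
    for r in rows:
        m = re.search(r"Dup ACK.*Ack=(\d+).*SLE=(\d+) SRE=(\d+)", r["info"])
        if m:
            ack, sle, _sre = map(int, m.groups())
            holes.append((r["no"], ack, sle, sle - ack))
    return holes

def rto_delays(rows, sender):
    """Seconds the sender waited before each timeout retransmission (fast retransmits excluded)."""
    delays, last = [], None
    for r in rows:
        if r["src"] != sender:
            continue
        if "[TCP Retransmission]" in r["info"] and last is not None:
            delays.append(round(r["t"] - last, 3))
        last = r["t"]
    return delays
```

Calling `sack_holes(parse(TRACE))` and `rto_delays(parse(TRACE), "10.30.2.1")` on the excerpt shows every duplicate ACK reporting the same 1460-byte gap starting at byte 7425, and the wait before each timeout retransmission growing from one retransmission to the next.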