
Iptables forwarding flapping

http://forums.fedoraforum.org – I hope I can articulate my problem in as few words as needed.

I have two networks, each with their own firewalls and an IPsec connection between them. 192.168.100.1 is one firewall (F8). It is also a virtual machine host for the web server: 192.168.100.5 (F10). 192.168.700.1 (F6) is my other firewall. 192.168.700.2 (F6) is an application server behind it. I have an OpenSwan 2.4.9 IPsec connection between these networks.

I have iptables forwarding rules that redirect any port 80 or 443 traffic directed at 192.168.100.1 towards 192.168.100.5 and source masquerading in the other direction:

Code:
    IPT=/sbin/iptables
    # $IF / $INIF: interface variables set elsewhere in the script (not shown)

    # HTTP: accept on the firewall, forward to the web server VM, DNAT inbound traffic
    $IPT -A INPUT -s 0/0 -p tcp --dport 80 -j ACCEPT
    $IPT -A FORWARD -p tcp -i $IF --dport 80 -o $INIF -d 192.168.100.5 -j ACCEPT
    $IPT -t nat -A PREROUTING -p tcp --dport 80 -d 110.150.200.3 -j DNAT --to-destination 192.168.100.5:80

    # HTTPS: same three rules for port 443
    $IPT -A INPUT -s 0/0 -p tcp --dport 443 -j ACCEPT
    $IPT -A FORWARD -p tcp -i $IF --dport 443 -o $INIF -d 192.168.100.5 -j ACCEPT
    $IPT -t nat -A PREROUTING -p tcp --dport 443 -d 110.150.200.3 -j DNAT --to-destination 192.168.100.5:443

    # Rewrite the source of anything going to the web server so replies come back via the firewall
    $IPT -t nat -A POSTROUTING -d 192.168.100.5 -o $INIF -j SNAT --to-source 192.168.100.1

Sporadically, a warning from my app server will say that 192.168.100.1 is down. I'll ping 192.168.100.1 from my firewall (192.168.700.1) and all will be well. If I ping from the app server (192.168.700.2), no response happens. When I do a:

Code:
    traceroute 192.168.100.1

from 192.168.700.2 I get:

Code:
    traceroute to 192.168.100.1 (192.168.100.1), 30 hops max, 60 byte packets
     1  wall.mysystem.com (192.168.700.1)  0.134 ms  0.061 ms  0.072 ms
     2  192.168.100.5 (192.168.100.5)  25.826 ms  26.041 ms  26.025 ms

The funny (strange) thing is if I perform a

Code:
    service ipsec restart

this fixes things, but only for a while. Ditto with

Code:
    service firestarter restart

Yet if I ignore the warning messages my server spews, the problem - whatever it is - fixes itself. Any thoughts?
Specific additional info can be provided upon request. Cheers
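The traceroute in the post shows the tell-tale symptom: probes addressed to 192.168.100.1 are answered by 192.168.100.5, so the last responding hop is not the target. The script below is an added example, not code from the original post or from any of the projects mentioned; it parses traceroute output and reports whether the target itself answered, which lets the check run from cron on the application server and be timestamped against the ipsec/firestarter restarts. The sample trace embedded in it is constructed from the output quoted above; the function names (`last_hop_ip`, `trace_target`, `check_trace`) are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): flag a traceroute whose last
# responding hop is not the target, i.e. the symptom in the post where a
# probe aimed at 192.168.100.1 is answered by 192.168.100.5.

# Constructed sample, copied from the traceroute quoted in the post.
SAMPLE_TRACE='traceroute to 192.168.100.1 (192.168.100.1), 30 hops max, 60 byte packets
 1  wall.mysystem.com (192.168.700.1)  0.134 ms  0.061 ms  0.072 ms
 2  192.168.100.5 (192.168.100.5)  25.826 ms  26.041 ms  26.025 ms'

# last_hop_ip: read traceroute output on stdin and print the parenthesised
# address of the last hop line that had a responder ("* * *" lines are
# skipped). Prints an empty line if no hop responded at all.
last_hop_ip() {
    awk '/^ *[0-9]+ / {
             if (match($0, /\([0-9.]+\)/))
                 last = substr($0, RSTART + 1, RLENGTH - 2)
         }
         END { print last }'
}

# trace_target: print the target address from the traceroute header line.
trace_target() {
    awk 'NR == 1 && match($0, /\([0-9.]+\)/) {
             print substr($0, RSTART + 1, RLENGTH - 2)
         }'
}

# check_trace TRACE_TEXT: exit 0 when the target answered as the last hop,
# 1 when some other host answered in its place (path diverted, NAT or
# tunnel in the way), 2 when the output could not be parsed.
check_trace() {
    target=$(printf '%s\n' "$1" | trace_target)
    last=$(printf '%s\n' "$1" | last_hop_ip)
    [ -n "$target" ] && [ -n "$last" ] || return 2
    if [ "$last" = "$target" ]; then
        echo "$(date '+%F %T') OK: $target answered directly"
        return 0
    fi
    echo "$(date '+%F %T') DIVERTED: probes for $target were answered by $last"
    return 1
}

# Against a live host (traceroute must be installed):
#   check_trace "$(traceroute -n 192.168.100.1)"
# Demo on the constructed sample; reports DIVERTED and exit status 1.
check_trace "$SAMPLE_TRACE" || echo "exit status $?: check NAT and IPsec state on the path"
```

Running it from the application server every few minutes and appending the output to a log gives a timeline of when 192.168.100.1 stops answering for itself, which can then be lined up against the IPsec SA lifetimes and the firewall restarts.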