
#1 2012-04-22 03:07:19

walterjwhite
Member
Registered: 2011-05-01
Posts: 207

fragmentation needed - problem with iptables / iproute2 setup?

Hi all,

I am looking at my traffic and noticing that when my "Internet" appears to be non-functional, I am in fact getting some errors.  The only thing I changed recently was that I attempted to 'prioritize' traffic, but I wouldn't expect that to be the culprit:

icmp 590 fragmentation needed

I see that on my laptop when running wireshark from the command line.  It appears, then, that the router is properly reporting that ICMP message back to the machine for consumption.

laptop firewall:

#!/bin/bash

# Incoming Traffic
# SSH / 22

SSH_PORT=22
DLNA_TCP_PORT=8895
DLNA_UDP_PORT=1900

iptables -F -t filter
iptables -F -t nat
iptables -F -t mangle

iptables -A INPUT -i lo -j ACCEPT
#	allow me to talk to myself
iptables -A INPUT -p all -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

# ESTABLISHED only: ICMP errors (fragmentation needed, TTL exceeded) are
# RELATED, not ESTABLISHED, so they are not admitted by this rule and depend
# entirely on the icmp rule further down.
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp -m tcp --dport $SSH_PORT -j ACCEPT

# Support DLNA
iptables -A INPUT -p tcp -m tcp --dport $DLNA_TCP_PORT -j ACCEPT
iptables -A INPUT -p udp -m udp --dport $DLNA_UDP_PORT -j ACCEPT

# accept icmp traffic and limit it to 1/second
# (a single limit rule: an unconditional "-p icmp -j ACCEPT" placed in front
# of it would match everything and make the limit dead). Any ICMP above the
# limit, "fragmentation needed" included, falls through to the DROP policy.
iptables -A INPUT -p icmp -m limit --limit 1/sec -j ACCEPT

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

exit 0

router:

#!/bin/bash

LAN_INTERFACE=eth0
WLAN_INTERFACE=wlan0

WIRED_WAN_INTERFACE=eth1

#BRIDGE_INTERFACE=br0
#BRIDGE_INTERFACE=eth0

LAN_NET=255.255.255.0

INTERNAL_LAN_NETWORK=192.168.5.0/$LAN_NET
INTERNAL_WLAN_NETWORK=192.168.6.0/$LAN_NET

INTERNAL_LAN_IP=192.168.5.1
INTERNAL_WLAN_IP=192.168.6.1

# NAT
# redirect HTTP traffic to polip and finally tor

SSH_PORT=22
SIP_PORT=5060

DLNA_PORT=8200
UPNP_PORT=1900
CUPS_PORT=631
SQUID_PORT=3128
TOR_PORT=9050
POLIPO_PORT=8123
PRIVOXY_PORT=8118

DNS_PORT=53
BOOTPS_PORT=67
BOOTPC_PORT=68
NTP_PORT=123

# MythTV Web
HTTP_PORT=80

MYTHTV_A_PORT=6543
MYTHTV_STATUS_PORT=6544

# MySQL (used by mythtv)
MYSQL_PORT=3306

# Forward all Internet traffic (HTTP) through privoxy and then squid
# privoxy removes the ads first
# squid caches and removes ads with adzapper
PROXY_PORT=$SQUID_PORT

#SOURCE_NETWORK=192.168.5.0/24


# flush current rules
iptables -F -t filter
iptables -F -t nat
iptables -F -t mangle

# flush all rules
iptables -F

# delete all chains
iptables -X

#################################################
# Input
#################################################
# Drop all packets with a bad state
iptables -A INPUT -m state --state INVALID -j DROP

# Allow connections from localhost
iptables -A INPUT -i lo -j ACCEPT

#	allow me to talk to myself
iptables -A INPUT -p all -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

# Allow established connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#################################################
# Internal traffic
#################################################
# DHCP (before a client has an address, this has to be less restrictive so clients can get an address ...)
iptables -A INPUT -p udp -m udp -i $LAN_INTERFACE --dport $BOOTPS_PORT -j ACCEPT
iptables -A INPUT -p udp -m udp -i $LAN_INTERFACE --dport $BOOTPC_PORT -j ACCEPT

iptables -A INPUT -p udp -m udp -i $WLAN_INTERFACE --dport $BOOTPS_PORT -j ACCEPT
iptables -A INPUT -p udp -m udp -i $WLAN_INTERFACE --dport $BOOTPC_PORT -j ACCEPT

# DNS
iptables -A INPUT -p tcp -m tcp -i $LAN_INTERFACE --dport $DNS_PORT -j ACCEPT
iptables -A INPUT -p udp -m udp -i $LAN_INTERFACE --dport $DNS_PORT -j ACCEPT

iptables -A INPUT -p tcp -m tcp -i $WLAN_INTERFACE --dport $DNS_PORT -j ACCEPT
iptables -A INPUT -p udp -m udp -i $WLAN_INTERFACE --dport $DNS_PORT -j ACCEPT

# NTP (after a client has already been assigned an IP address)
iptables -A INPUT -p udp -m udp -i $LAN_INTERFACE --dport $NTP_PORT -j ACCEPT
iptables -A INPUT -p udp -m udp -i $WLAN_INTERFACE --dport $NTP_PORT -j ACCEPT

# SIP
iptables -A INPUT -p tcp -m tcp -i $LAN_INTERFACE --dport $SIP_PORT -j ACCEPT
iptables -A INPUT -p udp -m udp -i $LAN_INTERFACE --dport $SIP_PORT -j ACCEPT

iptables -A INPUT -p tcp -m tcp -i $WLAN_INTERFACE --dport $SIP_PORT -j ACCEPT
iptables -A INPUT -p udp -m udp -i $WLAN_INTERFACE --dport $SIP_PORT -j ACCEPT

# DLNA
iptables -A INPUT -p tcp -m tcp -i $LAN_INTERFACE --dport $DLNA_PORT -j ACCEPT
iptables -A INPUT -p tcp -m tcp -i $WLAN_INTERFACE --dport $DLNA_PORT -j ACCEPT
iptables -A INPUT -p udp -m udp -i $LAN_INTERFACE --dport $UPNP_PORT -j ACCEPT
iptables -A INPUT -p udp -m udp -i $WLAN_INTERFACE --dport $UPNP_PORT -j ACCEPT

# CUPS
iptables -A INPUT -p tcp -m tcp -i $LAN_INTERFACE --dport $CUPS_PORT -j ACCEPT
iptables -A INPUT -p tcp -m tcp -i $WLAN_INTERFACE --dport $CUPS_PORT -j ACCEPT

# Privoxy
iptables -A INPUT -p tcp -m tcp -i $LAN_INTERFACE --dport $PRIVOXY_PORT -j ACCEPT
iptables -A INPUT -p tcp -m tcp -i $WLAN_INTERFACE --dport $PRIVOXY_PORT -j ACCEPT

# Squid
iptables -A INPUT -p tcp -m tcp -i $LAN_INTERFACE --dport $SQUID_PORT -j ACCEPT
iptables -A INPUT -p tcp -m tcp -i $WLAN_INTERFACE --dport $SQUID_PORT -j ACCEPT

# TOR
iptables -A INPUT -p tcp -m tcp -i $LAN_INTERFACE --dport $TOR_PORT -j ACCEPT
iptables -A INPUT -p tcp -m tcp -i $WLAN_INTERFACE --dport $TOR_PORT -j ACCEPT

# Polipo
iptables -A INPUT -p tcp -m tcp -i $LAN_INTERFACE --dport $POLIPO_PORT -j ACCEPT
iptables -A INPUT -p tcp -m tcp -i $WLAN_INTERFACE --dport $POLIPO_PORT -j ACCEPT

# HTTP (for MythTV)
iptables -A INPUT -p tcp -m tcp -i $LAN_INTERFACE --dport $HTTP_PORT -j ACCEPT
iptables -A INPUT -p tcp -m tcp -i $WLAN_INTERFACE --dport $HTTP_PORT -j ACCEPT

# MySQL (for MythTV)
iptables -A INPUT -p tcp -m tcp -i $LAN_INTERFACE --dport $MYSQL_PORT -j ACCEPT
iptables -A INPUT -p tcp -m tcp -i $WLAN_INTERFACE --dport $MYSQL_PORT -j ACCEPT

# MythTV A (for MythTV)
iptables -A INPUT -p tcp -m tcp -i $LAN_INTERFACE --dport $MYTHTV_A_PORT -j ACCEPT
iptables -A INPUT -p tcp -m tcp -i $WLAN_INTERFACE --dport $MYTHTV_A_PORT -j ACCEPT
# MythTV B (for MythTV)
iptables -A INPUT -p tcp -m tcp -i $LAN_INTERFACE --dport $MYTHTV_STATUS_PORT -j ACCEPT
iptables -A INPUT -p tcp -m tcp -i $WLAN_INTERFACE --dport $MYTHTV_STATUS_PORT -j ACCEPT

# Accept ICMP traffic (after all, this is a router ...)
# Unconditional: a rate-limit rule appended after this line would never match.
# ICMP errors such as "fragmentation needed" have to get in for path MTU
# discovery on the router's own connections to work.
iptables -A INPUT -p icmp -j ACCEPT

#################################################
# External traffic
#################################################

# SSH (accept SSH connections from the Internet)
iptables -A INPUT -p tcp -m tcp --dport $SSH_PORT -j ACCEPT

#################################################
# nat - prerouting
#################################################

# Proxy Web Traffic with Squid
# HTTP between two hosts on the same local network is not redirected.
# -s/-d take a network (192.168.x.0/mask); the bare netmask in $LAN_NET is not
# a valid match and would silently never hit.
iptables -t nat -A PREROUTING -i $LAN_INTERFACE -s $INTERNAL_LAN_NETWORK -d $INTERNAL_LAN_NETWORK -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i $WLAN_INTERFACE -s $INTERNAL_WLAN_NETWORK -d $INTERNAL_WLAN_NETWORK -p tcp --dport 80 -j ACCEPT

# HTTP: all other port 80 traffic is redirected to the proxy on the router
iptables -t nat -A PREROUTING -i $LAN_INTERFACE -p tcp --dport 80 -j DNAT --to $INTERNAL_LAN_IP:$PROXY_PORT
iptables -t nat -A PREROUTING -i $WLAN_INTERFACE -p tcp --dport 80 -j DNAT --to $INTERNAL_WLAN_IP:$PROXY_PORT

# FTP
# Caveat: Squid's intercept mode only speaks HTTP; an FTP control connection
# redirected to the HTTP port is not proxied, the client just gets an error.
iptables -t nat -A PREROUTING -i $LAN_INTERFACE -p tcp --dport 21 -j DNAT --to $INTERNAL_LAN_IP:$PROXY_PORT
iptables -t nat -A PREROUTING -i $WLAN_INTERFACE -p tcp --dport 21 -j DNAT --to $INTERNAL_WLAN_IP:$PROXY_PORT


#################################################
# QoS
#iptables -t mangle -A PREROUTING -m tos --tos Minimize-Delay -j MARK --set-mark 0x1
#iptables -t mangle -A PREROUTING -m tos --tos Minimize-Delay -j RETURN
#iptables -t mangle -A PREROUTING -m tos --tos Minimize-Cost -j MARK --set-mark 0x5
#iptables -t mangle -A PREROUTING -m tos --tos Minimize-Cost -j RETURN
#iptables -t mangle -A PREROUTING -m tos --tos Maximize-Throughput -j MARK --set-mark 0x6
#iptables -t mangle -A PREROUTING -m tos --tos Maximize-Throughput -j RETURN

# prioritize UDP traffic
# SIP (UDP 19305 as used here is not $SIP_PORT=5060 defined above)
# outbound
iptables -t mangle -A PREROUTING -p udp -m udp --dport 19305 -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -p udp -m udp --dport 19305 -j RETURN

# inbound
iptables -t mangle -A PREROUTING -p udp -m udp --sport 19305 -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -p udp -m udp --sport 19305 -j RETURN

# XMPP
# outbound
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 5222 -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 5222 -j RETURN

# inbound
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 5222 -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 5222 -j RETURN

# STUN
# outbound
iptables -t mangle -A PREROUTING -p udp -m udp --dport 3478 -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -p udp -m udp --dport 3478 -j RETURN

# inbound
iptables -t mangle -A PREROUTING -p udp -m udp --sport 3478 -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -p udp -m udp --sport 3478 -j RETURN

# prioritize packets that begin tcp connections
# -I inserts at the head of the chain, so the MARK rule has to be inserted
# *after* the RETURN rule to end up above it; in the other order a SYN hits
# RETURN first and is never marked.
iptables -t mangle -I PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN
iptables -t mangle -I PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j MARK --set-mark 0x1

# general UDP traffic
iptables -t mangle -A PREROUTING -p udp -m udp -j MARK --set-mark 0x2
iptables -t mangle -A PREROUTING -p udp -m udp -j RETURN

# unmarked traffic
iptables -t mangle -A PREROUTING -j MARK --set-mark 0x6

#################################################
# nat - postrouting
#################################################

# Hairpin SNAT for traffic redirected to the proxy. A packet DNATed to one of
# the router's own addresses is delivered locally (INPUT) and never traverses
# POSTROUTING or FORWARD, so these two rules only matter if the proxy is moved
# to another host on the LAN. -s takes the network, not the bare netmask.
iptables -t nat -I POSTROUTING -o $LAN_INTERFACE -s $INTERNAL_LAN_NETWORK -d $INTERNAL_LAN_IP -p tcp -j SNAT --to $INTERNAL_LAN_IP
iptables -t nat -I POSTROUTING -o $WLAN_INTERFACE -s $INTERNAL_WLAN_NETWORK -d $INTERNAL_WLAN_IP -p tcp -j SNAT --to $INTERNAL_WLAN_IP

# NAT - Postrouting
iptables -t nat -A POSTROUTING -o ${WIRED_WAN_INTERFACE} -j MASQUERADE


#################################################
# forward
#################################################
# (only reached when the proxy lives on another LAN host; see nat - postrouting)
iptables -I FORWARD -i $LAN_INTERFACE -o $LAN_INTERFACE -s $INTERNAL_LAN_NETWORK -d $INTERNAL_LAN_IP -p tcp --dport $PROXY_PORT -j ACCEPT
iptables -I FORWARD -i $WLAN_INTERFACE -o $WLAN_INTERFACE -s $INTERNAL_WLAN_NETWORK -d $INTERNAL_WLAN_IP -p tcp --dport $PROXY_PORT -j ACCEPT

# NAT
iptables -A FORWARD -i $LAN_INTERFACE -s $INTERNAL_LAN_NETWORK -j ACCEPT
iptables -A FORWARD -i $WLAN_INTERFACE -s $INTERNAL_WLAN_NETWORK -j ACCEPT

# NAT - Forward
# Only replies and related packets come in from the WAN. RELATED covers ICMP
# errors for NATed connections, which conntrack maps back to the internal host
# before FORWARD is evaluated. Without the state match, anything the upstream
# happened to route to a private destination would be forwarded.
iptables -A FORWARD -i ${WIRED_WAN_INTERFACE} -d $INTERNAL_LAN_NETWORK -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ${WIRED_WAN_INTERFACE} -d $INTERNAL_WLAN_NETWORK -m state --state RELATED,ESTABLISHED -j ACCEPT

# clamp down TCPMSS when routing
# (forwarded TCP only: the router's own connections and all UDP still depend
# on ICMP "fragmentation needed" being delivered)
iptables -t mangle -A FORWARD -p tcp --syn -j TCPMSS --clamp-mss-to-pmtu

#################################################
# output
#################################################
# block IRC connections
iptables -I OUTPUT -p tcp --dport 6666:6669 -j REJECT

#################################################
# policies
#################################################

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

#iptables -A OUTPUT -p icmp -j ACCEPT

exit 0

Finally, output from iproute2.

qdisc htb 1: root refcnt 2 r2q 10 default 103 direct_packets_stat 0
 Sent 229809532 bytes 1056452 pkt (dropped 0, overlimits 51729 requeues 1) 
 backlog 0b 0p requeues 1 
qdisc sfq 101: parent 1:101 limit 127p quantum 590b divisor 1024 
 Sent 332563 bytes 2765 pkt (dropped 0, overlimits 0 requeues 0) 
 backlog 0b 0p requeues 0 
qdisc sfq 102: parent 1:102 limit 127p quantum 590b divisor 1024 
 Sent 172276542 bytes 511836 pkt (dropped 0, overlimits 0 requeues 0) 
 backlog 0b 0p requeues 0 
qdisc sfq 103: parent 1:103 limit 127p quantum 590b divisor 1024 
 Sent 57200427 bytes 541851 pkt (dropped 0, overlimits 0 requeues 0) 
 backlog 0b 0p requeues 0 
qdisc sfq 104: parent 1:104 limit 127p quantum 590b divisor 1024 
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) 
 backlog 0b 0p requeues 0 

Any ideas on what to try next?  I do see that priority 1 traffic has a bunch of traffic over limits.  I can post my iproute2 configuration if needed.


Thanks,

Walter

Last edited by walterjwhite (2012-04-22 03:09:30)


#2 2012-04-22 04:14:04

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: fragmentation needed - problem with iptables / iproute2 setup?

1/sec is very stingy:

Beware: dropping ICMP responses may slow down or cut off legitimate users (for example when ICMP "Fragmentation Needed" packets are dropped).

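The point made in the reply above, that an ICMP rate limit which also throttles "fragmentation needed" breaks path MTU discovery, as an added example that is not part of the thread and not either poster's code: a laptop ruleset in iptables-restore format that admits RELATED packets and the two ICMP error types PMTUD depends on before any rate limit applies, a small lint that flags the two problems in the posted laptop rules (an unconditional ICMP ACCEPT shadowing the limit rule, and a limit that covers the error types with no RELATED rule in front of it), and a probe helper. The SSH rule, the 5/sec limit and burst figure, and the conntrack match are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): an iptables-restore ruleset for the
# laptop that keeps path MTU discovery working, plus a lint for the two
# ICMP mistakes in the posted rules. Ports and limits are assumptions.

# Ruleset in iptables-save format, applied atomically with:
#   laptop_ruleset | iptables-restore
laptop_ruleset() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# RELATED admits ICMP errors generated for our own connections
# (fragmentation needed, TTL exceeded, port unreachable); ESTABLISHED alone does not.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# The error types PMTUD and traceroute depend on: never rate-limited.
-A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
# Only echo-request is rate-limited; pings above the limit fall to the DROP policy.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/sec --limit-burst 20 -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Lint an iptables-save style INPUT chain read from stdin. Reports:
#   shadowed:      an "-m limit" ICMP rule placed after an unconditional ICMP ACCEPT
#                  (the limit never matches; the shape of the posted laptop rules)
#   pmtud-at-risk: a rate limit that covers "fragmentation needed" with no earlier
#                  RELATED or explicit fragmentation-needed ACCEPT
# Exit status is 1 if anything was reported.
lint_icmp_rules() {
    awk '
    /^-A INPUT/ {
        if ($0 ~ /RELATED/ && $0 ~ /-j ACCEPT/) related = 1
        if ($0 ~ /-p icmp/) {
            generic = ($0 !~ /--icmp-type/)
            limited = ($0 ~ /-m limit/)
            if ($0 ~ /fragmentation-needed/ && !limited && $0 ~ /-j ACCEPT/) frag_ok = 1
            if (generic && !limited && $0 ~ /-j ACCEPT/) accept_all = 1
            if (limited && accept_all) { print "shadowed: " $0; bad = 1 }
            if (limited && (generic || $0 ~ /fragmentation-needed/) && !related && !frag_ok) {
                print "pmtud-at-risk: " $0; bad = 1
            }
        }
    }
    END { if (bad) exit 1 }'
}

# Probe a path at a given MTU (needs network and iputils ping): DF is set and
# the payload is the MTU minus 28 bytes of IP and ICMP headers. A "Frag needed"
# line in the output means the ICMP error does arrive; silent loss means it does not.
pmtu_probe() {
    ping -c 3 -M do -s $(($1 - 28)) "$2"
}
```

Usage: `laptop_ruleset | lint_icmp_rules && laptop_ruleset | sudo iptables-restore`, then `pmtu_probe 1500 <host>` and `tracepath <host>` (which prints the discovered path MTU) to confirm that oversized probes now produce a visible "fragmentation needed" instead of a hang. The lint can also be pointed at a live box with `iptables-save | lint_icmp_rules`.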

#3 2012-04-22 14:41:34

walterjwhite
Member
Registered: 2011-05-01
Posts: 207

Re: fragmentation needed - problem with iptables / iproute2 setup?

Hi,

Thanks for that link; I made a few changes to my firewall.  I'll have to test over the next few days to see if that is a good change or not.  I removed the rate limit on ICMP and traffic appears to be operating much better now.  Actually, the rate limit I had on the client appeared to be the culprit.

So, generally speaking, if I have:

Destination Unreachable (Fragmentation needed)
TCP Retransmission
Time-to-live exceeded
TCP Previous segment lost

- that is indicative of networking problems?

Walter

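An added example, not from the thread, that turns the question above into a check rather than a rule of thumb: none of those messages is a fault on its own, but a host that keeps retransmitting segments larger than the MTU advertised in a "fragmentation needed" it was sent is in a path MTU black hole, usually because a firewall on the way (or on the host) dropped the ICMP. The script reads tshark field output and gives a verdict per host. The capture in `sample_capture` is constructed for this example, with addresses chosen to mirror the LANs in the posted router script and 203.0.113.10 as a documentation-range server; the 40-byte header allowance assumes IPv4 and TCP without options.

```shell
#!/bin/sh
# Added example (not from the thread): decide from a capture whether a host
# honoured an ICMP "fragmentation needed" (type 3, code 4) or is stuck in a
# path MTU black hole. Input is tab-separated tshark field output from:
#   tshark -r trace.pcap -T fields -E occurrence=f \
#     -e frame.time_relative -e ip.src -e ip.dst -e ip.proto \
#     -e icmp.type -e icmp.code -e icmp.mtu \
#     -e tcp.srcport -e tcp.dstport -e tcp.seq -e tcp.len
# Columns: 1 time 2 src 3 dst 4 proto 5 icmp.type 6 icmp.code 7 next-hop MTU
#          8 sport 9 dport 10 seq 11 payload length

# Constructed sample: 192.168.5.20 keeps resending 1460-byte segments after
# being told the next-hop MTU is 1400; 192.168.6.30 drops to 1360-byte segments.
sample_capture() {
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        0.000 192.168.5.20 203.0.113.10 6 '' '' '' 50000 443 1 1460 \
        0.004 192.168.5.1 192.168.5.20 1 3 4 1400 '' '' '' '' \
        0.210 192.168.5.20 203.0.113.10 6 '' '' '' 50000 443 1 1460 \
        0.620 192.168.5.20 203.0.113.10 6 '' '' '' 50000 443 1 1460 \
        1.000 192.168.6.30 203.0.113.10 6 '' '' '' 50001 443 1 1460 \
        1.004 192.168.6.1 192.168.6.30 1 3 4 1400 '' '' '' '' \
        1.010 192.168.6.30 203.0.113.10 6 '' '' '' 50001 443 1 1360 \
        1.012 192.168.6.30 203.0.113.10 6 '' '' '' 50001 443 1361 1360
}

# Read field lines on stdin, print one verdict per host that received a
# fragmentation-needed message. Exit 1 if any host is black-holed.
pmtu_verdict() {
    awk -F '\t' '
    $4 == 1 && $5 == 3 && $6 == 4 {
        # ICMP fragmentation needed addressed to $3: remember the advertised MTU
        mtu[$3] = $7 + 0; told[$3] = $1 + 0
        next
    }
    $4 == 6 {
        host = $2
        # same flow, seq and length seen before: a retransmission
        key = $2 ":" $8 ">" $3 ":" $9 "/" $10 "/" $11
        if (seen[key]++) retrans[host]++
        # 40 = IPv4 + TCP header without options (assumption for this sample)
        if ((host in mtu) && ($1 + 0) > told[host] && ($11 + 40) > mtu[host]) oversized[host]++
    }
    END {
        bad = 0
        for (h in mtu) {
            if (oversized[h] > 0) {
                printf "%s BLACKHOLE: %d segments over advertised MTU %d after notice, %d retransmissions; check that ICMP type 3/code 4 reaches the host\n", h, oversized[h], mtu[h], retrans[h] + 0
                bad = 1
            } else {
                printf "%s OK: adapted to MTU %d\n", h, mtu[h]
            }
        }
        exit bad
    }'
}
```

Usage: `sample_capture | pmtu_verdict` for the built-in sample, or pipe the tshark command from the header comment into `pmtu_verdict` for a real trace taken on the router's LAN side. A BLACKHOLE verdict for a host whose own firewall rate-limits or drops ICMP is the signature of the situation in this thread; an OK verdict with retransmissions present points at ordinary loss instead.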
