Re: delay

On Fri, 2003-10-31 at 17:15, Ramin Dousti wrote:
> On Fri, Oct 31, 2003 at 04:56:33PM -0200, Paulo Ricardo Bruck wrote:
> 
> > Hi guys
> > 
> > Just a question. I have a firewall w/ 3 NIC as below:
> > 
> > 			Internet ADSL
> > 			|
> > 			|eth1 200.200.200.44/26
> > 		_________________________	
> > 		|	Firewall	|	DMZ
> > 		| iptables 1.2.8	|_eth2 192.168.1.1/24______EMail
> > 		|_______________________|			192.168.1.3	
> > 			|
> > 			| eth0 10.0.0.1/24
> > 			LAN
> > 
> > 
> > Firewall : Debian 2.4.22 + iptables 1.2.8
> > 
> > 
> > route:
> > 200.200.200.0/26 dev eth1  proto kernel  scope link  src 200.200.200.44
> > 10.0.0.0/24 dev eth0  proto kernel  scope link  src 10.0.0.1
> > 192.168.1.0/24 dev eth2  proto kernel  scope link  src 192.168.1.1
> > default via 200.200.200.1 dev eth1
> > 
> > rules:
> > 
> > a) iptables -A PREROUTING -d 200.200.200.1 -p tcp -m multiport --dports
> > smtp,pop3,imap2,webcache -j DNAT --to-destination 192.168.1.3
> > 
> > b) iptables -A POSTROUTING -o eth1 -j SNAT --to-source 200.200.200.1
> > 
> > c) iptables -A POSTROUTING -o eth2 -j SNAT --to-source 192.168.1.1
> > 
> > 
> > What happens:
> > 
> > - all desktops ( M$windows) access webmail and email w/ no problems, but
> > if I insert rule c) above it causes a delay when any desktop hits
> > get/post e-mail in Outlook and it takes +- 40 seconds to "connect".
> 
> Let me not ask you why you have rule (c). 
c) I inserted it because we have an IIS in the DMZ and, as far as I know, I could
protect it by putting PREROUTING rules.... who knows??? If someone invades
IIS, at least I'll be protecting the LAN by changing their IP ....80)


> But in general a long delay
> is most of the time related to a faulty or non-existent reverse DNS.
> But in case of SMTP it also might have something to do with ident
> being dropped...
Maybe this can help:
iptables -N AUTH
iptables -A FORWARD -d $LAN -p tcp --dport 113 -j AUTH
iptables -A FORWARD -d $REDEDMZ -p tcp --dport 113 -j AUTH
iptables -A AUTH -j REJECT -p tcp --reject-with tcp-reset

As you can see, I'm rejecting ident.... Is that the problem??



> 
> Ramin
> 
> > 
> > I know that must be a silly misconfiguration of something but after 1
> > week searching the problem I can't imagine what's wrong.
> > 
> > Can anybody help me please
> > 
> > Thanks in advance
> > 
> > 
> > 
> > 
> > 
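As an added example, not part of this mailing-list exchange or of anyone's posted configuration: a small Python probe that distinguishes a port answering with a TCP reset (what `REJECT --reject-with tcp-reset` produces, and what a closed port produces) from one that silently drops the SYN. That is the check to run when a mail client or server stalls for tens of seconds, because ident (tcp/113) lookups only hurt when the SYN gets no answer at all. One caveat worth checking with it: once rule (c) SNATs traffic on eth2, the DMZ mail server sees 192.168.1.1 as every client, so its ident lookups go to the firewall itself and are handled by the INPUT chain, not by the FORWARD rules quoted above. The addresses in the script are constructed placeholders taken from the thread's diagram.

```python
import socket
import time
from typing import Dict

# CONSTRUCTED placeholders standing in for the thread's firewall DMZ address
# and mail server; replace with your own when running this for real.
FIREWALL_DMZ_IP = "192.168.1.1"
MAIL_SERVER_IP = "192.168.1.3"
IDENT_PORT = 113


def probe_tcp(host: str, port: int, timeout: float = 5.0) -> Dict[str, object]:
    """One TCP connect attempt, classified by how the peer (or firewall) answered.

    refused : a RST came back at once (closed port, or REJECT --reject-with tcp-reset)
    timeout : nothing came back within `timeout` seconds (DROP, or no route back)
    open    : the handshake completed, so a service is listening
    error   : some other socket error (unroutable network, local policy, ...)
    """
    start = time.monotonic()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        outcome = "open"
    except ConnectionRefusedError:
        outcome = "refused"
    except socket.timeout:
        outcome = "timeout"
    except OSError:
        outcome = "error"
    finally:
        sock.close()
    return {"outcome": outcome, "elapsed": round(time.monotonic() - start, 3)}


def diagnose(result: Dict[str, object]) -> str:
    """Turn a probe result into the operational reading a firewall admin wants."""
    outcome = result["outcome"]
    elapsed = result["elapsed"]
    if outcome == "refused":
        return f"reset after {elapsed}s: clients fail fast, ident will not delay mail"
    if outcome == "timeout":
        return (f"no answer after {elapsed}s: packets are silently dropped, "
                "expect mail sessions to stall until the ident timeout expires")
    if outcome == "open":
        return f"open after {elapsed}s: an ident daemon is answering"
    return f"socket error after {elapsed}s: no route, or local policy blocked the probe"


def free_local_port() -> int:
    """Find a TCP port nothing is listening on (used for a local self-check)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Run this from the DMZ mail server: after SNAT on eth2 the server sees the
    # firewall as every client, so its ident lookups go to the firewall itself.
    for host in (FIREWALL_DMZ_IP, MAIL_SERVER_IP):
        print(host, "->", diagnose(probe_tcp(host, IDENT_PORT)))
```

Run it from the DMZ host against both the firewall's eth2 address and the mail server itself. A "refused" result means the reject-with-reset behaviour is reaching that path; a "timeout" result on the firewall's own address points at the INPUT chain dropping ident, and the mitigation is the same fast reject the AUTH chain above applies to forwarded traffic, attached to INPUT as well.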