Weblog entry #1 for sawdust
Etch randomly blocking external traffic
Posted by sawdust on Fri 25 Jul 2008 at 14:33
I have two machines that I recently installed etch onto fresh, not upgraded.
Immediately after install I started noticing both machines randomly blocking all incoming traffic/ports on the external nic. The block only seems to remain in place for about a minute or two. While the block is in place, I can ssh into the machine indirectly by first ssh'ing into another Debian (sarge) machine that is on the same local area network, and from there I can get into the etch machines, so I know the internal nic is unaffected and it's not a system hang. I'm running the same vanilla kernel on both: linux-image-2.6-686. This does not happen on any of my Debian sarge machines. Flushing iptables has no effect; iptables shows no blocking in place at all. Any ideas as to what could be causing this?
Comments on this Entry
Posted by dkg (216.254.xx.xx) on Fri 25 Jul 2008 at 16:18
How do you know that the traffic is being blocked? Have you tried attaching tcpdump to your external interface to see if any packets are being received? Does anything unusual show up in your logs or in dmesg?
[ Parent | Reply to this comment ]
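One way to act on the tcpdump suggestion above. This is an added example, not code from anyone in the thread: it takes `tcpdump -n` output for port 22 and, per client address, counts how many SYNs arrived on the external interface and how many SYN-ACKs the server sent back. The server address (198.51.100.5), the client addresses and the sample capture lines are all constructed for the example; the line layout assumes the `Flags [S]` format that current tcpdump versions print.

```sh
#!/bin/sh
# Summarise a port-22 capture: for every client, how many SYNs reached the
# NIC and how many SYN-ACKs went back. Three outcomes matter while a client
# reports being "blocked":
#   - client absent from the output: its packets never reached this NIC,
#     so look upstream (routing, the client's own gateway/NAT, the router);
#   - syn>0, synack=0: packets arrive but the host does not answer, so look
#     locally (iptables/conntrack, hosts.allow, sshd, reverse DNS delays);
#   - syn>0, synack>0: the handshake completes; the problem is after connect.
# Usage on the etch box:  tcpdump -n -i eth0 'tcp port 22' | summarise_syns 198.51.100.5
# The argument is the address of the interface being captured on.
summarise_syns() {
    server="$1"
    awk -v server="$server" '
        # Field layout of a "tcpdump -n" line:
        # <time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ...
        $2 == "IP" {
            src = $3; dst = $5; sub(/:$/, "", dst)
            flags = $7; gsub(/[][,]/, "", flags)       # "[S]," -> "S", "[S.]," -> "S."
            # split "a.b.c.d.port" into host and port at the last dot
            n = split(src, s, "."); sport = s[n]
            shost = substr(src, 1, length(src) - length(sport) - 1)
            n = split(dst, d, "."); dport = d[n]
            dhost = substr(dst, 1, length(dst) - length(dport) - 1)
            if (flags == "S" && dhost == server && dport == "22") syn[shost]++
            else if (flags == "S." && shost == server && sport == "22") synack[dhost]++
        }
        END {
            for (c in syn) {
                verdict = (synack[c] > 0) ? "answered" : "arrived-but-unanswered"
                printf "%s syn=%d synack=%d %s\n", c, syn[c], synack[c] + 0, verdict
            }
        }' | sort
}

# Constructed sample capture (not a real trace): 203.0.113.10 completes the
# handshake; 203.0.113.20 retransmits its SYN three times and never gets a reply.
SAMPLE_CAPTURE='12:01:01.000001 IP 203.0.113.10.40001 > 198.51.100.5.22: Flags [S], seq 1, win 5840, length 0
12:01:01.000201 IP 198.51.100.5.22 > 203.0.113.10.40001: Flags [S.], seq 2, ack 2, win 5792, length 0
12:01:04.000001 IP 203.0.113.20.40002 > 198.51.100.5.22: Flags [S], seq 3, win 5840, length 0
12:01:07.000001 IP 203.0.113.20.40002 > 198.51.100.5.22: Flags [S], seq 3, win 5840, length 0
12:01:13.000001 IP 203.0.113.20.40002 > 198.51.100.5.22: Flags [S], seq 3, win 5840, length 0'

# Run the summary over the constructed sample.
demo() {
    printf '%s\n' "$SAMPLE_CAPTURE" | summarise_syns 198.51.100.5
}
```

Run the capture on the etch machine itself, from a session that came in via the sarge box, while the remote client is retrying; compare the client's address against the output and note which of the three outcomes applies.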
I don't know that the traffic is being blocked or by what. dmesg shows nothing unusual, nothing shows up in any of the relevant logs.
To better describe the scenario I work in a small office with 3 people (all windows xp workstations) on a private lan all going out through a single linux box acting as our gateway/nat to the dmz. My machine is also running a secondary public network to the dmz.
On the server side I have about 6 Debian servers behind a single router at a data center, two of which have fresh Debian etch installs on them; the rest are all sarge installs.
Seemingly randomly, these two etch servers become unreachable directly and the only way I've found I can get in is by first ssh'ing into one of the sarge machines and then into the etch through the LAN. The problem will go away by itself, but the time it takes to go away varies from 1-15 minutes. The really weird thing about it is when this happens I can grab one of my co-workers and have them hit the machine from their computer and they get in no problems. That says to me there are two possibilities 1) my machine is blocking me or 2) the etch machine is temporarily blocking a specific ip. All of the sarge machines remain accessible.
I turned on windows firewall logging and see nothing related to this. I even turned the windows firewall off, same problem. I have had other remote clients report this issue also, so I know it is not just affecting my machine.
It is almost like the etch machines are making an incorrect determination that my requests are malicious and it's temporarily blocking me, but there's nothing to back this up in the logs. Could running dual nics in my windows xp machine (one for the private lan and one for a public interface) be affecting how outbound traffic is routed from my machine and in turn create a scenario that might be looked at suspiciously by the server? or any other possible explanations? This never happens when accessing any of the sarge installs.
[ Parent | Reply to this comment ]
Install tcpspy on one of the Etch systems you wish to troubleshoot connection issues on and see what tcpspy says -- by default it will "log" all connection attempts. Also, is the Windows Domain providing DHCP or DNS services? On my network here I have a Win2k Domain controller and it provides DNS for all our systems, which includes three Debian Etch, one Lenny and one Ubuntu Hardy server edition system. All work great.
The *only* time I've seen any connection "weirdness" on the Linux boxes is with the crappy DNS services from my old Win2k server.
So, all I am saying is the issue *might* not be the Etch systems.
http://youve-reached-the.endoftheinternet.org/
[ Parent | Reply to this comment ]
Sounds like a name resolution, or routing issue.
Alongside the comment to monitor what is happening on the Etch side, I'd suggest you check the Windows side, and the ARP layer on Windows, when a problem occurs.
Are you using reverse DNS (i.e. hosts.allow)?
What connections precisely are blocked, I'm guessing from description the Windows machines, so if something claiming to be the Etch box?
[ Parent | Reply to this comment ]