-
routing problem?
Hi all,
I have a firewall with 3 NICs: 1 to the local network, 1 to the local DMZ, 1 to the public.
eth0 1.1.1.1 (public ip 1)
eth0:1 1.1.1.2 (public ip 2)
eth0:2 1.1.1.3 (public ip 3)
eth1 192.168.0.100
eth1:1 192.168.0.106
eth2 172.16.0.1
[root@fw root]# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
1.1.1.0 * 255.255.255.248 U 0 0 0 eth0
192.168.0.0 * 255.255.255.0 U 0 0 0 eth1
172.16.0.0 * 255.255.0.0 U 0 0 0 eth2
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default 1.1.1.1 0.0.0.0 UG 0 0 0 eth0
default 1.1.1.1 0.0.0.0 UG 1 0 0 eth0
default 1.1.1.1 0.0.0.0 UG 1 0 0 eth0
Now: I tried to sftp something from the firewall to a host in the DMZ (say 172.16.0.3), and the speed is somehow limited by the speed of my ADSL, i.e. the speed is something like 50KB/s instead of 100Mbps like it "should" be.
Any idea please?
Thanks
-
This sounds in a sense kind of strange.
What speed do you reach if you try to "sftp" from the DMZ host into the firewall?
Your firewall, did you just use "simple" iptables settings or have you used some pre-compiled firewall? Because some "free" firewalls have implemented some simple traffic-shaping/bandwidth controlling. You should check that out. And, do an extra check that both your FW and your DMZ host are set up with the same speed and duplex.
-
Hi swemic,
First of all, thanks for your reply. I did a little experiment like you said and here is what I got (this is done from the machine in the DMZ):
Uploading nullfile to /tmp/nullfile
100% 17MB 421.0KB/s 00:42
Fetching /tmp/nullfile to nullfile
1% 224KB 50.9KB/s 05:42 ETA
This doesn't look like two machines linked with a 100Mbps switch, because an sftp between 172.16.0.x gives:
sftp> put nf
Uploading nf to /tmp/nf
nf 100% 7680KB 3.8MB/s 00:02
sftp>
BTW, the problem occurs between the firewall (192.168.0.100 / 172.16.0.1) and 172.16.0.x. And the firewall script, ya, here it is:
Code:
#!/bin/sh
IPT=/sbin/iptables
$IPT -t nat -F POSTROUTING
ISP_NIC=eth0
PRIV_NIC=eth1
DMZ_NIC=eth2
DMZ="172.16.0.2 172.16.0.3"
# Some local machines are allowed to go through the firewall
PRIV="192.168.0.102 192.168.0.106 192.168.0.131 192.168.0.230"
# Outbound NAT for the DMZ hosts and the allowed private hosts
for NET in $DMZ; do
    $IPT -t nat -A POSTROUTING -s $NET -o $ISP_NIC -j MASQUERADE
done
for NET in $PRIV; do
    $IPT -t nat -A POSTROUTING -s $NET -o $ISP_NIC -j MASQUERADE
done
echo "1" > /proc/sys/net/ipv4/ip_forward
# Inbound port forwards from the public interface into the DMZ
$IPT -t nat -F PREROUTING
$IPT -t nat -A PREROUTING -j DNAT -i $ISP_NIC -d 1.1.1.2 -p tcp --dport 12673 --to 172.16.0.1:22
$IPT -t nat -A PREROUTING -j DNAT -i $ISP_NIC -d 1.1.1.2 -p tcp --dport 81 --to 172.16.0.2:81
$IPT -t nat -A PREROUTING -j DNAT -i $ISP_NIC -p tcp -d 1.1.1.2 --dport 80 --to 172.16.0.3:80
$IPT -t nat -A PREROUTING -j DNAT -i $ISP_NIC -p tcp --dport 80 --to 172.16.0.2:80
$IPT -t nat -A PREROUTING -j DNAT -i $ISP_NIC -p tcp --dport 22 --to 172.16.0.2:22
$IPT -t nat -A PREROUTING -j DNAT -i $ISP_NIC -p tcp --dport 21 --to 172.16.0.2:21
$IPT -t nat -A PREROUTING -j DNAT -i $ISP_NIC -p udp --dport 21 --to 172.16.0.2:21
$IPT -t nat -A PREROUTING -j DNAT -i $ISP_NIC -p udp --dport 20 --to 172.16.0.2:20
$IPT -t nat -A PREROUTING -j DNAT -i $ISP_NIC -p tcp --dport 7200 --to 172.16.0.2:7200
$IPT -t nat -A PREROUTING -j DNAT -i $ISP_NIC -p tcp --dport 7210 --to 172.16.0.2:7210
$IPT -t nat -A PREROUTING -j DNAT -i $ISP_NIC -p tcp --dport 7777 --to 172.16.0.2:7777
# 172.16.0.3 used to be 192.168.0.106, so make the firewall listen on .106 and route the traffic to it
$IPT -t nat -A PREROUTING -j DNAT -i $PRIV_NIC -d 192.168.0.106 --to 172.16.0.3
And it is started through /etc/rc.d/rc.local.
Thanks again for the help ;)
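A small audit helper for the NAT script above, added here as an example and not part of the thread: it lists each DNAT port-forward with the public address it is bound to and counts the rules that carry no "-d" match, since a PREROUTING DNAT rule without "-d" applies to every address on eth0 (1.1.1.1, 1.1.1.2 and 1.1.1.3), not only the one the forward was written for. The function names are mine; the sample rule set is the poster's PREROUTING rules with the variables expanded.

```sh
#!/bin/sh
# Added audit helper, not from the thread: list the DNAT port-forwards in an
# iptables NAT script and count the rules with no "-d" match. A PREROUTING
# DNAT rule without "-d" matches every address on its interface (here
# 1.1.1.1, 1.1.1.2 and 1.1.1.3 on eth0), not only the one it was written for.
IPT=/sbin/iptables; ISP_NIC=eth0; PRIV_NIC=eth1

# Constructed sample: the PREROUTING rules from the post, one per line.
SAMPLE_RULES="$IPT -t nat -A PREROUTING -j DNAT -i $ISP_NIC -d 1.1.1.2 -p tcp --dport 12673 --to 172.16.0.1:22
$IPT -t nat -A PREROUTING -j DNAT -i $ISP_NIC -d 1.1.1.2 -p tcp --dport 81 --to 172.16.0.2:81
$IPT -t nat -A PREROUTING -j DNAT -i $ISP_NIC -p tcp -d 1.1.1.2 --dport 80 --to 172.16.0.3:80
$IPT -t nat -A PREROUTING -j DNAT -i $ISP_NIC -p tcp --dport 80 --to 172.16.0.2:80
$IPT -t nat -A PREROUTING -j DNAT -i $ISP_NIC -p tcp --dport 22 --to 172.16.0.2:22
$IPT -t nat -A PREROUTING -j DNAT -i $ISP_NIC -p tcp --dport 21 --to 172.16.0.2:21
$IPT -t nat -A PREROUTING -j DNAT -i $ISP_NIC -p udp --dport 21 --to 172.16.0.2:21
$IPT -t nat -A PREROUTING -j DNAT -i $ISP_NIC -p udp --dport 20 --to 172.16.0.2:20
$IPT -t nat -A PREROUTING -j DNAT -i $ISP_NIC -p tcp --dport 7200 --to 172.16.0.2:7200
$IPT -t nat -A PREROUTING -j DNAT -i $ISP_NIC -p tcp --dport 7210 --to 172.16.0.2:7210
$IPT -t nat -A PREROUTING -j DNAT -i $ISP_NIC -p tcp --dport 7777 --to 172.16.0.2:7777
$IPT -t nat -A PREROUTING -j DNAT -i $PRIV_NIC -d 192.168.0.106 --to 172.16.0.3"

# One line per DNAT rule: "<iface> <dst> <proto>/<dport> -> <target>";
# a missing -d is reported as ANY, a missing -p or --dport as all.
dnat_summary() {
    printf '%s\n' "$1" | awk '/-j DNAT/ {
        iface = "?"; dst = "ANY"; proto = "all"; dport = "all"; to = "?"
        for (i = 1; i <= NF; i++) {
            if ($i == "-i") iface = $(i + 1)
            else if ($i == "-d") dst = $(i + 1)
            else if ($i == "-p") proto = $(i + 1)
            else if ($i == "--dport") dport = $(i + 1)
            else if ($i == "--to" || $i == "--to-destination") to = $(i + 1)
        }
        print iface, dst, proto "/" dport, "->", to
    }'
}

# Number of DNAT rules not pinned to a single destination address.
count_unbound_dnat() {
    dnat_summary "$1" | awk '$2 == "ANY" { n++ } END { print n + 0 }'
}

dnat_summary "$SAMPLE_RULES"
echo "rules matching every address on their interface: $(count_unbound_dnat "$SAMPLE_RULES")"
```

Feed it the real script (with the variables set) to see which forwards apply to all three public addresses, and note that for port 80 the first matching rule wins, so 1.1.1.2:80 goes to 172.16.0.3 while the other two addresses go to 172.16.0.2.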
-
Not sure what the problem could be... I'm about to implement something very similar to this as I run game servers, and need to put them on a DMZ away from my network (this way I don't royally screw things up...)
Will let ya know if this works for me or not.
-
Hi, thanks for the reply. For your information, the server has been giving me problems recently; in the middle of usage it simply reboots the machine without any notice... ha, guess that's a hardware problem...
But later I upgraded it to CentOS 4.1 (minimum version, no X, no compiler, no nothing) with the same network configuration & firewall script, and it works the way it should!!!!
Thanks again