Re: Update time for beacon


> >Hi, Jehan -- I suspect the problem you're dealing with now is firewall
> >related.  
> >
> >The TCP bug appears to cause the Central Server to fall over periodically
> >(perhaps once in three or four days), but other than the ip_conntrack table
> >on the Central Server overflowing and locking up further connections (to
> >the central server), everything else appears to run fine.  The "regular"
> >clients don't appear to be affected, as you can see from their uptime
> >entries.
> >
> >Hope this helps!
> >  
> >
> Yes, I can now surely concentrate on firewall rules .. but what would 
> really help me would be a sample of your centralserver iptables rules 
> that allow beacon traffic to pass through.
> If you can send them to me, I would really appreciate and hopefully get 
> my beacon server run correctly finally ...
> 
> thanks.

Hi, Jehan -- Here's the information you wanted.  First is the output of
"pfilter chains", and the second is the output of "iptables --list".

Hope this helps!

Mitch

------------------------------
pfilter chains
------------------------------


table filter:

Chain INPUT (policy ACCEPT 1 packets, 223 bytes)
 pkts bytes target     prot opt in     out     source               destination
 132K   26M ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
2902K  224M pfilter    all  --  any    any     anywhere             anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 pfilter    all  --  any    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 187K packets, 167M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain pfilter (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  eth0   any     anywhere             loopback-net.ncsa.uiuc.edu/8 reject-with icmp-port-unreachable
    2   144 ACCEPT     all  --  lo     any     anywhere             anywhere
    2    96 ACCEPT     tcp  --  any    any     anywhere             morollan.ncsa.uiuc.edu state NEW tcp dpt:ssh
 1035 55652 ACCEPT     tcp  --  any    any     anywhere             morollan.ncsa.uiuc.edu state NEW tcp dpt:http
 2789  170K ACCEPT     tcp  --  eth0   any     anywhere             morollan.ncsa.uiuc.edu state NEW tcp dpts:1024:65535
    0     0 ACCEPT     icmp --  eth0   any     141.142.000.000-net.ncsa.uiuc.edu/16  morollan.ncsa.uiuc.edu state NEW icmp echo-request
    0     0 ACCEPT     tcp  --  any    any     anywhere             morollan.ncsa.uiuc.edu state NEW tcp dpt:tproxy
    0     0 ACCEPT     udp  --  any    any     anywhere             morollan.ncsa.uiuc.edu state NEW udp dpt:10002
    0     0 ACCEPT     udp  --  any    any     anywhere             morollan.ncsa.uiuc.edu state NEW udp dpt:10003
    0     0 ACCEPT     tcp  --  any    any     anywhere             morollan.ncsa.uiuc.edu state NEW tcp dpt:10004
2891K  223M ACCEPT     all  --  eth0   any     anywhere             BASE-ADDRESS.MCAST.NET/4 state NEW
    0     0 DROP       all  --  eth0   any     anywhere             ALL-SYSTEMS.MCAST.NET
 7246  890K REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-port-unreachable

table mangle:

Chain PREROUTING (policy ACCEPT 3048K packets, 252M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 3034K packets, 250M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 187K packets, 167M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 194K packets, 169M bytes)
 pkts bytes target     prot opt in     out     source               destination

table nat:

Chain PREROUTING (policy ACCEPT 22603 packets, 1730K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 71 packets, 6732 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 71 packets, 6732 bytes)
 pkts bytes target     prot opt in     out     source               destination






------------------------------
iptables --list
------------------------------



Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
pfilter    all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
pfilter    all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain pfilter (2 references)
target     prot opt source               destination
REJECT     all  --  anywhere             loopback-net.ncsa.uiuc.edu/8 reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             morollan.ncsa.uiuc.edu state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             morollan.ncsa.uiuc.edu state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             morollan.ncsa.uiuc.edu state NEW tcp dpts:1024:65535
ACCEPT     icmp --  141.142.000.000-net.ncsa.uiuc.edu/16  morollan.ncsa.uiuc.edu state NEW icmp echo-request
ACCEPT     tcp  --  anywhere             morollan.ncsa.uiuc.edu state NEW tcp dpt:tproxy
ACCEPT     udp  --  anywhere             morollan.ncsa.uiuc.edu state NEW udp dpt:10002
ACCEPT     udp  --  anywhere             morollan.ncsa.uiuc.edu state NEW udp dpt:10003
ACCEPT     tcp  --  anywhere             morollan.ncsa.uiuc.edu state NEW tcp dpt:10004
ACCEPT     all  --  anywhere             BASE-ADDRESS.MCAST.NET/4 state NEW
DROP       all  --  anywhere             ALL-SYSTEMS.MCAST.NET
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable


--
Mitch Kutzko | mitch@dast.nlanr.net | mitch@ncsa.uiuc.edu | 217-333-1199
Project: http://dast.nlanr.net/  |  Personal: http://hobbes.ncsa.uiuc.edu/
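
An added example, not part of the original message: a small Python parser for the verbose "pfilter chains" listing that rejoins rule lines split by mail wrapping and reports ACCEPT rules whose packet counter is zero. The function and constant names are this example's own; the sample is an excerpt of the pfilter chain as posted.

```python
import re

# Excerpt of the pfilter chain from the message, with mail line-wrapping
# kept (each rule is split across two lines).
LISTING = """\
 2789  170K ACCEPT     tcp  --  eth0   any     anywhere
morollan.ncsa.uiuc.edu state NEW tcp dpts:1024:65535
    0     0 ACCEPT     udp  --  any    any     anywhere
morollan.ncsa.uiuc.edu state NEW udp dpt:10002
    0     0 ACCEPT     udp  --  any    any     anywhere
morollan.ncsa.uiuc.edu state NEW udp dpt:10003
    0     0 ACCEPT     tcp  --  any    any     anywhere
morollan.ncsa.uiuc.edu state NEW tcp dpt:10004
2891K  223M ACCEPT     all  --  eth0   any     anywhere
BASE-ADDRESS.MCAST.NET/4 state NEW
"""

RULE_START = re.compile(r"^\s*\d+[KMG]?\s+\d+[KMG]?\s+\S+\s+\S+\s+\S+\s")
UNITS = {"K": 1000, "M": 1000**2, "G": 1000**3}
FIELDS = ("pkts", "bytes", "target", "prot", "opt", "in", "out", "source", "destination")
SKIP = ("Chain", "table", "pkts")   # header lines that never continue a rule

def to_int(counter):
    """Expand an abbreviated counter such as 170K or 223M (rounded by iptables)."""
    scale = UNITS.get(counter[-1], 1)
    return int(counter.rstrip("KMG")) * scale

def parse_rules(text):
    """Rejoin wrapped rule lines and return one dict per rule."""
    token_lists, current = [], None
    for line in text.splitlines():
        if RULE_START.match(line):
            current = line.split()
            token_lists.append(current)
        elif current and line.strip() and not line.lstrip().startswith(SKIP):
            current.extend(line.split())      # continuation of a wrapped rule
        else:
            current = None                    # blank line or chain/table header
    rules = [dict(zip(FIELDS, t[:9]), match=" ".join(t[9:])) for t in token_lists]
    for r in rules:
        r["pkts"], r["bytes"] = to_int(r["pkts"]), to_int(r["bytes"])
    return rules

def unused_accepts(rules):
    """ACCEPT rules that have never matched a packet: candidates for review."""
    return [r for r in rules if r["target"] == "ACCEPT" and r["pkts"] == 0]

if __name__ == "__main__":
    print([r["match"] for r in unused_accepts(parse_rules(LISTING))])
```

On the posted counters, the rules for ports 10002 to 10004 have matched no packets, while the rule for BASE-ADDRESS.MCAST.NET/4 carries nearly all of the chain's traffic.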


