Networking Forums

iptables and masquerading - slow to initiate connection

Rob
08-15-2004, 08:44 PM
Howdy, all!

I am using iptables on a dual-NIC Mandrake 10 box as a home network
masquerading firewall and DNS server.

In general, everything works (internet name resolution and web
browsing), except that initial response times are very slow: browsing
to sites from the Linux box always fails immediately on the first
attempt and I need to click on the reload button, and pages are slow
to respond from my Windows XP workstation behind the firewall.

If I ping a host on the internet from either the firewall or from my
workstation behind the firewall, name resolution is very fast but the
first two ping replies are always lost:

>ping mail.yahoo.com

Pinging login.yahoo.akadns.net [216.109.127.60] with 32 bytes of data:

Request timed out.
Request timed out.
Reply from 216.109.127.60: bytes=32 time=55ms TTL=241
Reply from 216.109.127.60: bytes=32 time=44ms TTL=241

Ping statistics for 216.109.127.60:
Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),
Approximate round trip times in milli-seconds:
Minimum = 44ms, Maximum = 55ms, Average = 49ms

Any ideas? This is driving me crazy!

Thanks,

Rob

jack
08-16-2004, 11:29 AM
Rob wrote:
> Any ideas? This is driving me crazy!


Depending on how You connect to the internet, You might want to
read about the dynIP patch.

The thing is that on a dial-up connection, the very first packet that
You send out and that initiates the connection does not yet have the
dynamic IP address that Your ISP assigns to You in its sender field.
Therefore, You have to alter that very packet after You got Your IP
and re-send.


Cheers, Jack.

--
----------------------------------------------------------------------
My personal reading of the string "MicroSoft" expands to "NanoWeak"...

Rob
08-16-2004, 06:19 PM
jack <(E-Mail Removed)> wrote in message news:<cfq5to$2fl$00$(E-Mail Removed)>...
> Rob wrote:
> > Any ideas? This is driving me crazy!

>
> Depending on how You connect to the internet, You might want to
> read about the dynIP patch.
>
> The thing is that on a dial-up connection, the very first packet that
> You send out and that initiates the connection does not yet have the
> dynamic IP address that Your ISP assigns to You in its sender field.
> Therefore, You have to alter that very packet after You got Your IP
> and re-send.
>
>
> Cheers, Jack.


Jack,

Thanks for the response! But I'm connecting via a cable modem (Roadrunner).

Thanks,

Rob

Rob
08-19-2004, 01:54 PM
Howdy again, all! The problem has been resolved!

I found a post describing the same problem with slightly different
symptoms where stopping the ipsec service fixed the connection
performance problem. It worked for me. Just posting this for anyone
else who has threatened his/her linux box recently.

I don't know why the ipsec service is causing a problem, but that's an
issue for another day.

Woo hoo!

Rob

jack
08-19-2004, 09:16 PM
Rob wrote:
> Howdy again, all! The problem has been resolved!
>
> I found a post describing the same problem with slightly different
> symptoms where stopping the ipsec service fixed the connection
> performance problem. It worked for me. Just posting this for anyone
> else who has threatened his/her linux box recently.
>
> I don't know why the ipsec service is causing a problem, but that's an
> issue for another day
>
> Woo hoo!


Congratulations...!

Anyways, please send more info. Others may benefit from Your experience
and later find Your solution via a web-search. So please post the
information.

BTW, does that cable go with a static IP, or a dynamic one?


Cheers, Jack.

Rob
08-21-2004, 01:44 PM
jack <(E-Mail Removed)> wrote in message news:<cg35ed$4m7$02$(E-Mail Removed)>...

> Anyways, please send more info. Others may benefit from Your experience
> and later find Your solution via a web-search. So please post the
> information.
>
> BTW, does that cable go with a static IP, or a dynamic one?
>
>
> Cheers, Jack.


Good call, Jack. My linux server is directly connected to my cable
modem, and I am assigned a dynamic IP. My internal network interface
has a static private IP address. The server is acting as a DHCP/DNS
server and as my network gateway. I found (after my initial post)
that even with "allow everything" iptables rules, any communication
from my server or from any workstation behind it would be very slow to
respond. When I pinged a host (www.yahoo.com) from my linux server, I
would get an error "connect: resource unavailable" or something
similar, but if I retried five seconds later the ping would work. The
same occurred with web browsing - using the Konqueror web browser, I
would immediately get page not found errors, but if I waited five
seconds and refreshed the page would reload. Pages including lots of
references to images, ads, etc. on other URLs would never successfully
load.

From my WinXP PC behind the firewall, pages would just take about
10-15 seconds before they even started to load, and if I pinged
www.yahoo.com name resolution would be very fast (probably because the
DNS server on my linux server had previously initiated a connection
with my ISP's DNS server) but the first two or three pings would time
out.

I don't know why (possibly because I'm using DHCP for my WAN NIC), but
if I stop ipsec (the FreeS/WAN IPsec VPN server included with Mandrake 10),
all delays vanish. I have not researched this further, since it is
a toy and I haven't found a good, free IPsec client for 2k/XP anyway
(I have a very low opinion of 2k/XP's existing IPsec tunnel support).
If anyone knows what the problem is, please post it! I'm curious.

Thanks,

Rob
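Editor's note: the thread never shows the ruleset or the checks, so the script below is an added example, not Rob's configuration or anything shipped with Mandrake. It covers the setup Rob describes in his last post (dual-NIC gateway, WAN address from DHCP, static private LAN address, DHCP and DNS served to the LAN) with a stateful MASQUERADE ruleset instead of the "allow everything" rules he mentions, emits the `net.ipv4.ip_dynaddr` sysctl that is the in-kernel descendant of the dynIP patch Jack refers to (it rewrites the source of sockets opened before the interface got its address), and adds the check a practitioner would run first when stopping the ipsec service "fixes" slow first connections: whether an outbound IPsec policy exists that could divert traffic before NAT sees it. The interface names, LAN subnet, function names and the assumption that the kernel's native IPsec stack is in use are all mine; the `ip xfrm policy` sample in the usage test is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): a stateful MASQUERADE ruleset for a
# dual-NIC gateway whose WAN address is assigned by DHCP, plus two checks.
# Interface names, the LAN subnet and all function names are assumptions.
# The script only prints the iptables commands; run it with APPLY=1 to execute them.

WAN_IF="${WAN_IF:-eth0}"               # assumption: cable-modem side, DHCP address
LAN_IF="${LAN_IF:-eth1}"               # assumption: internal side, static private address
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumption: internal subnet

# Print one iptables command per line for a gateway that also runs DHCP and DNS
# for the LAN. MASQUERADE, not SNAT, is used because the WAN address can change:
# MASQUERADE always takes the interface's current address and forgets its
# connections when the interface goes down, so no stale address is pinned.
gateway_rules() {
    wan="$1"; lan="$2"; net="$3"
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $lan -s $net -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $lan -s $net -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i $lan -p udp --dport 67 -j ACCEPT
iptables -A INPUT -i $lan -p icmp -j ACCEPT
iptables -A FORWARD -i $lan -o $wan -s $net -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $wan -s $net -j MASQUERADE
EOF
}

# Kernel knob for the "first packet leaves before the address is known" case
# Jack describes for dial-on-demand links: net.ipv4.ip_dynaddr lets the kernel
# rewrite the source address of sockets opened before the interface got its
# address, which is what the dynIP patch did before it was merged.
dynaddr_sysctl() {
    echo "sysctl -w net.ipv4.ip_dynaddr=1"
}

# Count outbound IPsec policies in 'ip xfrm policy' output read from stdin.
# Assumption: the native kernel IPsec stack is in use, so any policy that
# matches the gateway's traffic shows up here. A non-zero count means packets
# may be handed to IPsec processing before MASQUERADE sees them, which is the
# first thing to verify when stopping the ipsec service changes behaviour.
count_out_policies() {
    grep -c 'dir out' || true
}

if [ "$APPLY" = "1" ]; then
    { gateway_rules "$WAN_IF" "$LAN_IF" "$LAN_NET"; dynaddr_sysctl; } | sh
else
    gateway_rules "$WAN_IF" "$LAN_IF" "$LAN_NET"
    dynaddr_sysctl
    printf 'outbound IPsec policies: %s\n' "$(ip xfrm policy 2>/dev/null | count_out_policies)"
fi
```

Without `APPLY=1` the script is a dry run: it prints the rules and the sysctl line and reports how many outbound IPsec policies the running kernel has, so it can be reviewed on any host before being applied to the gateway. The DHCP client on the WAN side is not covered by an INPUT rule on purpose: dhclient and its relatives read the wire through a packet socket, so the filter table does not see their traffic.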