[CentOS] CentOS based router dropping connections

Jesse Cantara jesse_cantara at esupport.com
Fri Jul 20 16:29:20 UTC 2007

Hi Bob,

When I was on the router testing from there, the IP I was using was the 
private IP.

That's not a big concern of mine though, I'm aware that 
locally-generated traffic won't be "forwarded" correctly.

The issue I'm having is that external traffic is being forwarded 
properly, BUT that it drops the connection occasionally. It's not 
consistent (maybe 2 out of 5 downloads from the internet through the 
router to the webserver will drop), and the connections are being made, 
so it's not a fundamental configuration issue. It's something more 
sneaky. I'm thinking that there's something in the kernel or network 
driver that isn't functioning properly, or maybe a buffer that is 
becoming full and abandoning the connection?

The part I added about connecting to the webserver from the router was 
just to prove that I had tested that the connection at least physically 
works like that, when taking the router out of the equation.


Bob Chiodini wrote:
> Jesse Cantara wrote:
>> Hello,
>> I am trying to figure out a problem I'm having using CentOS on a 
>> machine as a router. The short story is: any traffic routed through 
>> the router seems to get disconnected at random occasionally.
>> The hardware setup is:
>> I have two switches, the router sits between them, the webserver on 
>> the LAN switch.
>> The machine I'm using for the router is a Dell 860 1U rackmount with 
>> two NICs, one NIC on the internet, one NIC on the LAN.
>> The routing setup is:
>> I'm using IPTABLES for routing, with the following command:
>> iptables -t nat -A PREROUTING -p tcp -m tcp -i eth1 --dport 6680 -j 
>> DNAT --to
>> Basically, I'm forwarding port 6680 on to the webserver (.10) on the LAN.
>> What I have tested so far:
>> If I'm at the router, I can download files from the webserver just 
>> fine, so the webserver setup and physical connection is OK.
>> If I'm at the router, I can download files from the internet just 
>> fine, so the physical connection to the outside is OK as well.
>> If I'm on the outside of the router (on the internet) I can download 
>> files directly from the router just fine.
>> The issue is when I try to download a file from the webserver via the 
>> router (port 6680). It will work sometimes, but other times it will 
>> randomly disconnect me, at random points during the download.
>> Watching the traffic on a packet-sniffer shows that right before the 
>> download fails, my client computer trying to download the file keeps 
>> resending "ACK" messages, the router keeps sending the next sequence 
>> of packets, and eventually the router sends a bunch of "RST" packets.
>> There aren't any strange messages in /var/log/messages or dmesg in 
>> either the router or the webserver
>> I need some help diagnosing this problem. Here's some info about the 
>> router:
>> CentOS 5
>> latest kernel 2.6.18-8.1.8.el5
>> iptables v1.3.5
>> I've tried testing as much as I can before asking for help, but I'm at 
>> the end of what I know to try. Any leads as to where to look to 
>> diagnose, or what might cause this would help.
>> Thanks in advance,
>> -Jesse
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> http://lists.centos.org/mailman/listinfo/centos
> Jesse,
> What IP address are you using when you try to access the webserver (via 
> port 6680) from the router, the public or the private?
> If I read the iptables man page correctly, I would not expect the router 
> to mangle the packets generated locally for the PREROUTING table since 
> the packets are not "really" arriving at the eth1 interface.  Maybe the 
> problem is that some packets are getting through at all.  What happens 
> if you try to access the webserver from a machine on the LAN, but using 
> the public IP address and port 6680?
> Why not use port 80 and the private IP when accessing the webserver from 
> the router, and anywhere else in the LAN, and address the webserver via 
> 6680 when coming in from the internet.  If I read your test scenarios 
> correctly, both of those conditions work correctly and I assume that is 
> your intent.
> Bob...
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

More information about the CentOS mailing list