The problem: everything is fine on the network, except every once in a while, all https times out for all the hosts on the network. After a few minutes it goes back to being near-instant for several hours.
The details:
I'm running an Ubuntu Server 12.04 with 2 NICS:
- NIC 1 is WAN, dhcp from cable modem
- NIC 2 is LAN, 192.168.0.1 connected to a router's WAN port 192.168.0.2
- All iptables chains have accept policies until I get things working
- All traffic from 192.168.0.0/16 is masqueraded from to the WAN port
- All forwarding from 192.168.0.0/16 is accepted
- All forwarding to 192.168.0.0/16 is accepted if established or related
- Same three rules above for 10.0.0.0/16 because I've been testing out other configurations
The router: Asus rt-n56u
- Everything on the LAN is DHCP within 10.0.0.0/24 (2.4ghz,5ghz and LAN ports)
- NAT from the 10.0.0.1 Gateway out to 192.168.0.1 through the WAN port
- No static routing configured)
- The built-in firewall is disabled for now
Below you'll find my /etc/network/interfaces,iptables settings and ifconfig. Please let me know if any other information would be helpful.
###############################################################
/etc/network/interfaces:
#connects to the cable modem
auto WAN
iface WAN inet dhcp
#connects to the LAN router
auto LAN
iface LAN inet static
address 192.168.0.1
network 192.168.0.0
netmask 255.255.255.0
broadcast 192.168.0.255
#loopback interface
auto lo
iface lo inet loopback
###############################################################
iptables rules:
#I've set all the chains to accept. Once I get everything working, I'll implement a whitelist.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
#turn on NAT for /16 subnet by mangling with the MASQUERADE module
iptables --table nat -A POSTROUTING -s 192.168.0.0/16 -o WAN -j MASQUERADE
iptables --table nat -A POSTROUTING -s 10.0.0.0/16 -o WAN -j MASQUERADE
#allow all traffic from the /16 subnet to WAN
iptables -A FORWARD -s 192.168.0.0/16 -o WAN -j ACCEPT
iptables -A FORWARD -s 10.0.0.0/16 -i LAN -o WAN -j ACCEPT
#allow traffic from the WAN to the /16 subnet if a connection was established b$
iptables -A FORWARD -d 192.168.0.0/16 -m state --state ESTABLISHED,RELATED -i WAN -j ACCEPT
iptables -A FORWARD -d 10.0.0.0/16 -m state --state ESTABLISHED,RELATED -i WAN -j ACCEPT
#drop packets that attempt to spoof source LAN IPs
iptables -A INPUT -i WAN -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i WAN -s 10.0.0.0/8 -j DROP
###############################################################
ifconfig:
LAN Link encap:Ethernet HWaddr 00:22:4d:a1:5d:42
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::222:4dff:fea1:5d42/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:53737 errors:0 dropped:0 overruns:0 frame:0
TX packets:136493 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:8626679 (8.6 MB) TX bytes:178113059 (178.1 MB)
Interrupt:17 Memory:d0020000-d0040000
WAN Link encap:Ethernet HWaddr 00:22:4d:a1:5d:3e
inet addr:XXX.XXX.XXX.XXX Bcast:255.255.255.255 Mask:255.255.255.224
(external IP sensored)
UP BROADCAST RUNNING MULTICAST MTU:576 Metric:1
RX packets:142317 errors:0 dropped:0 overruns:0 frame:0
TX packets:54748 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:178555294 (178.5 MB) TX bytes:8369828 (8.3 MB)
Interrupt:16 Memory:d0120000-d0140000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:18 errors:0 dropped:0 overruns:0 frame:0
TX packets:18 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1474 (1.4 KB) TX bytes:1474 (1.4 KB)
Any suggestions would be very much appreciated. Thank you in advance.
