# Connection through iptables NAT keeps disconnecting after

## kamracik

Hello,

I have a problem with iptables NAT; with it, the host gives internet access to a guest (virtual server).

Got rules like:

```
*nat
-A PREROUTING -d 10.0.2.41 -j DNAT --to-destination 179.16.15.2
-A POSTROUTING -s 179.16.15.0/24 -j SNAT --to-source 10.0.2.41

*filter
-A INPUT -i tap0 -s 179.16.15.0/24 -d 10.0.0.0/8 -j DROP
-A INPUT -i tap0 -s 179.16.15.0/24 -d 179.16.15.1 -j DROP
-A INPUT -i tap0 -s 179.16.15.0/24 -j ACCEPT
-A INPUT -d 179.16.15.2 -j ACCEPT
```

NAT is between the virtual interface eth1:1 and tap0; don't ask why, but it's working that way. I have also tried with physical interfaces, with the same results.

Everything is working except that I'm disconnected from the guest console (ssh) after long output like links, ls -lha or even mc.

Randomly I can use long output, but rarely.

syslog and dmesg are clean; similarly, tcpdump shows nothing.

I found same problem here:

http://serverfault.com/questions/255183/iptables-forwarding-frequently-disconnecting/338093#338093

But without a solution.

----------

## chiefbag

Try the following setting on the client machine.

```
vi /etc/ssh/sshd_config
```

```
 ClientAliveInterval 60
```

----------

## Hu

Please post the output of `iptables-save -c ; /sbin/ip a; /sbin/ip r` from the host and guest.

----------

## kamracik

Traffic flow looks like:

Host dedicated virtual interface 10.0.2.41/24

Host tap interface 179.16.15.1/24

Guest interface 179.16.15.2/24

->10.0.2.41->179.16.15.2

Iptables rules are from the host; the guest, for the purpose of this problem, doesn't have any kind of rule set.

Below I changed ports to 1234 for security reasons and masked IPs not related to the problem, with descriptions in comments.

```
# Generated by iptables-save v1.3.5 on Wed Dec  7 10:11:34 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4203:328045]
:RH-Firewall-1-INPUT - [0:0]
[5544:973592] -A INPUT -j RH-Firewall-1-INPUT
[95135:76772406] -A FORWARD -j RH-Firewall-1-INPUT
[1675:96632] -A RH-Firewall-1-INPUT -i lo -j ACCEPT
[0:0] -A RH-Firewall-1-INPUT -s 179.16.15.0/255.255.255.0 -d some.local.network.0/255.0.0.0 -i tap0 -j DROP
[0:0] -A RH-Firewall-1-INPUT -s 179.16.15.0/255.255.255.0 -d some.another.local.network/255.255.255.0 -i tap0 -j DROP
[6:360] -A RH-Firewall-1-INPUT -s 179.16.15.0/255.255.255.0 -d 179.16.15.1 -i tap0 -j DROP
[0:0] -A RH-Firewall-1-INPUT -s 179.16.15.0/255.255.255.0 -d ext.ernal.public.ip -i tap0 -j ACCEPT
[0:0] -A RH-Firewall-1-INPUT -s 179.16.15.0/255.255.255.0 -d external.restricted.public.network/255.255.255.some -i tap0 -j DROP  #same network as allowed IP above
[36012:2831929] -A RH-Firewall-1-INPUT -s 179.16.15.0/255.255.255.0 -i tap0 -j ACCEPT
[59123:73940477] -A RH-Firewall-1-INPUT -d 179.16.15.2 -j ACCEPT
[0:0] -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
[0:0] -A RH-Firewall-1-INPUT -p esp -j ACCEPT
[0:0] -A RH-Firewall-1-INPUT -p ah -j ACCEPT
[0:0] -A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 1234 -j ACCEPT
[0:0] -A RH-Firewall-1-INPUT -p udp -m udp --dport 1234 -j ACCEPT
[0:0] -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1234 -j ACCEPT
[2619:836676] -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[4:244] -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
[0:0] -A RH-Firewall-1-INPUT -s some.lo.cal.ip -p tcp -m state --state NEW -m tcp --dport 1234 -j ACCEPT  #Few exactly like this rules
[1240:39680] -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Dec  7 10:11:34 2011
# Generated by iptables-save v1.3.5 on Wed Dec  7 10:11:34 2011
*nat
:PREROUTING ACCEPT [503664:120975436]
:POSTROUTING ACCEPT [2568:135733]
:OUTPUT ACCEPT [2068:107075]
[505:28910] -A PREROUTING -d 10.0.2.41 -j DNAT --to-destination 179.16.15.2
[1440:111042] -A POSTROUTING -s 179.16.15.0/255.255.255.0 -j SNAT --to-source 10.0.2.41
COMMIT
# Completed on Wed Dec  7 10:11:34 2011
```

----------
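An added diagnostic for the `iptables-save -c` output requested in this thread (example code, not from any poster): it parses the `[pkts:bytes]` counters and lists every DROP/REJECT rule that has actually matched packets, highest hit count first, so a terminating rule that is silently discarding forwarded or returning traffic stands out. The sample lines below are constructed from the ruleset posted above; `hit_blocks` and `sample_hits` are names chosen here.

```shell
#!/bin/sh
# Constructed sample in iptables-save -c format, modelled on the filter table posted above.
SAMPLE='# Generated by iptables-save v1.3.5 (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
[5544:973592] -A INPUT -j RH-Firewall-1-INPUT
[0:0] -A RH-Firewall-1-INPUT -s 179.16.15.0/24 -d 10.0.0.0/8 -i tap0 -j DROP
[6:360] -A RH-Firewall-1-INPUT -s 179.16.15.0/24 -d 179.16.15.1 -i tap0 -j DROP
[36012:2831929] -A RH-Firewall-1-INPUT -s 179.16.15.0/24 -i tap0 -j ACCEPT
[2619:836676] -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[1240:39680] -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# hit_blocks: read iptables-save -c text on stdin and print
#   "<pkts> <bytes> <table> <rule>"
# for every DROP/REJECT rule whose packet counter is non-zero, most hits first.
hit_blocks() {
  awk '
    /^\*/ { table = substr($0, 2); next }            # "*filter", "*nat" ...
    /^\[[0-9]+:[0-9]+\] -A / {
      split(substr($1, 2, length($1) - 2), c, ":")   # c[1]=pkts, c[2]=bytes
      target = ""
      for (i = 2; i <= NF; i++) if ($i == "-j") target = $(i + 1)
      if (c[1] > 0 && (target == "DROP" || target == "REJECT")) {
        rule = ""
        for (i = 2; i <= NF; i++) rule = rule (i > 2 ? " " : "") $i
        print c[1], c[2], table, rule
      }
    }' | sort -rn -k1,1
}

# sample_hits: run the parser over the constructed sample.
sample_hits() {
  printf '%s\n' "$SAMPLE" | hit_blocks
}

sample_hits
```

On the host, run `iptables-save -c | hit_blocks` instead of the sample; a REJECT rule at the end of a shared INPUT/FORWARD chain with a climbing counter is worth correlating with the moment a session drops.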

