Re: Lots of "No route to host" in Nginx error log

March 25, 2010 03:05PM
pacudes Wrote:
-------------------------------------------------------
> Hi,
>
> We have had that problem for a while at our site.
> During the last two days, I investigated it and I'm
> pretty sure that it is caused by the netfilter
> firewall. Our backend servers are running RHEL5
> and the 'iptables' rule that accepts new
> connections from the proxy looks like:
>
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp
> -p tcp -s iii.jjj.kkk.lll --dport 9005 -j ACCEPT
>
> iii.jjj.kkk.lll is the IP address of the proxy
> server.
>
> And the last rule of the chain
> 'RH-Firewall-1-INPUT' is:
>
> -A RH-Firewall-1-INPUT -j REJECT --reject-with
> icmp-host-prohibited
>
> Yesterday I inserted a new rule in between in
> order to log incoming packets from the proxy that
> are going to be rejected. The rule looks like:
>
> -A RH-Firewall-1-INPUT -s iii.jjj.kkk.lll -j LOG
>
> The result was that for each 'No route to host'
> error logged in the error_log file on the proxy
> server, there is a corresponding rejected packet
> logged on one of the backend servers. That means
> that our 'iptables' rules need a little bit of
> tuning.
>
> I thought of two solutions:
>
> 1) Remove the 'state match' test in the ACCEPT
> rule so the new rule looks like:
>
> -A RH-Firewall-1-INPUT -m tcp -p tcp -s
> iii.jjj.kkk.lll --dport 9005 -j ACCEPT
>
> 2) Add a new rule to 'iptables' which issues a
> REJECT with the option 'tcp-reset' for the
> problematic packets. I hope that the proxy will
> reissue the request when it receives the RST flag
> from the backend. The rule should be inserted
> just before the last one and it should look like:
>
> -m tcp -p tcp -s iii.jjj.kkk.lll --dport 9005 -j
> REJECT --reject-with tcp-reset
>
> Tonight I will try solution number 2. If the
> proxy reacts as I think it will, that will be a
> better solution than number 1, which I will try
> eventually if solution number 2 doesn't work.
>
> Hope that this message will help you.
>
> Sorry for the poor English.
>
> Paul


Hi again,

Finally, solution #2 solved the problem. I just made a last-minute modification (I restricted the rule to SYN packets) to the rule in 'iptables'. The right rule looks like this:

-A RH-Firewall-1-INPUT -m tcp -p tcp -s iii.jjj.kkk.lll --dport 9005 --syn -j REJECT --reject-with tcp-reset

Don't forget to adjust the source IP and destination port (--dport) according to your installation.

Regards

Paul
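The diagnosis step in the post (a LOG rule in front of the final REJECT, then matching each "No route to host" on the proxy against a rejected packet on a backend) can be scripted. The following is an added example, not code from the post or from nginx: it parses nginx error_log lines and kernel LOG lines, pairs the errno 113 (EHOSTUNREACH) connect() failures with the backend LOG entries for the same upstream address within a two-second window, and flags which of those packets the final `--syn ... --reject-with tcp-reset` rule would catch. The log lines, the proxy address 10.0.0.1, the backend 10.0.0.5, port 9005 and the year 2010 are all constructed assumptions.

```python
"""Correlate nginx 'No route to host' upstream errors with netfilter LOG lines.

Added example, not part of the forum post. All sample data below is constructed.
"""
import re
from datetime import datetime, timedelta

PROXY_IP = "10.0.0.1"        # assumption: address of the nginx proxy
BACKEND_PORT = 9005          # assumption: upstream port from the post's rule
EHOSTUNREACH = 113           # errno nginx prints for "No route to host"

# Constructed sample: proxy-side nginx error_log.
NGINX_ERROR_LOG = """\
2010/03/24 19:21:03 [error] 4321#0: *17 connect() failed (113: No route to host) while connecting to upstream, client: 192.0.2.10, server: www.example.com, request: "GET /index.html HTTP/1.1", upstream: "http://10.0.0.5:9005/index.html", host: "www.example.com"
2010/03/24 19:21:07 [error] 4321#0: *19 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 192.0.2.11, server: www.example.com, request: "GET /slow HTTP/1.1", upstream: "http://10.0.0.6:9005/slow", host: "www.example.com"
2010/03/24 19:25:40 [error] 4321#0: *42 connect() failed (113: No route to host) while connecting to upstream, client: 192.0.2.12, server: www.example.com, request: "POST /api HTTP/1.1", upstream: "http://10.0.0.5:9005/api", host: "www.example.com"
"""

# Constructed sample: backend-side /var/log/messages lines written by
# "-A RH-Firewall-1-INPUT -s <proxy> -j LOG" placed just before the REJECT.
KERNEL_LOG = """\
Mar 24 19:21:03 backend1 kernel: IN=eth0 OUT= MAC=00:16:3e:00:00:05:00:16:3e:00:00:01:08:00 SRC=10.0.0.1 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31337 DF PROTO=TCP SPT=48112 DPT=9005 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 24 19:22:31 backend1 kernel: IN=eth0 OUT= MAC=00:16:3e:00:00:05:00:16:3e:00:00:01:08:00 SRC=10.0.0.1 DST=10.0.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=31340 DF PROTO=TCP SPT=48090 DPT=9005 WINDOW=92 RES=0x00 ACK URGP=0
Mar 24 19:25:40 backend1 kernel: IN=eth0 OUT= MAC=00:16:3e:00:00:05:00:16:3e:00:00:01:08:00 SRC=10.0.0.1 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31502 DF PROTO=TCP SPT=48333 DPT=9005 WINDOW=5840 RES=0x00 SYN URGP=0
"""

NGINX_RE = re.compile(
    r'^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[error\] .*?'
    r'\((?P<errno>\d+): (?P<msg>[^)]*)\).*?'
    r'upstream: "(?P<scheme>\w+)://(?P<ip>[\d.]+):(?P<port>\d+)'
)
KERNEL_RE = re.compile(r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<rest>.*)$')


def parse_nginx_errors(text):
    """One dict per error_log line that reports an errno and names an upstream."""
    out = []
    for line in text.splitlines():
        m = NGINX_RE.match(line)
        if m:
            out.append({
                "ts": datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"),
                "errno": int(m.group("errno")),
                "msg": m.group("msg"),
                "upstream_ip": m.group("ip"),
                "upstream_port": int(m.group("port")),
            })
    return out


def parse_kernel_log(text, year):
    """One dict per netfilter LOG line: KEY=value fields plus bare flags (DF, SYN, ACK, ...).
    syslog timestamps carry no year, so the caller supplies it (assumed constant)."""
    out = []
    for line in text.splitlines():
        m = KERNEL_RE.match(line)
        if not m:
            continue
        fields, flags = {}, set()
        for tok in m.group("rest").split():
            if "=" in tok:
                k, v = tok.split("=", 1)
                fields[k] = v
            else:
                flags.add(tok)
        stamp = "%d %s" % (year, " ".join(m.group("ts").split()))
        out.append({"ts": datetime.strptime(stamp, "%Y %b %d %H:%M:%S"),
                    "fields": fields, "flags": flags})
    return out


def matches_syn_reset_rule(entry, proxy_ip, port):
    """Would this packet hit
    -A RH-Firewall-1-INPUT -m tcp -p tcp -s PROXY --dport PORT --syn -j REJECT --reject-with tcp-reset ?
    iptables' --syn means SYN set with ACK, RST and FIN clear, i.e. a new connection attempt only."""
    f, flags = entry["fields"], entry["flags"]
    return (f.get("SRC") == proxy_ip and f.get("PROTO") == "TCP"
            and f.get("DPT") == str(port)
            and "SYN" in flags and not flags & {"ACK", "RST", "FIN"})


def correlate(errors, kernel_entries, window=timedelta(seconds=2)):
    """Pair each EHOSTUNREACH connect() failure on the proxy with the backend
    LOG entries for the same upstream ip:port seen within +/- window."""
    pairs = []
    for err in errors:
        if err["errno"] != EHOSTUNREACH:
            continue
        hits = [k for k in kernel_entries
                if k["fields"].get("DST") == err["upstream_ip"]
                and k["fields"].get("DPT") == str(err["upstream_port"])
                and abs(k["ts"] - err["ts"]) <= window]
        pairs.append((err, hits))
    return pairs


if __name__ == "__main__":
    errors = parse_nginx_errors(NGINX_ERROR_LOG)
    kernel = parse_kernel_log(KERNEL_LOG, year=2010)
    for err, hits in correlate(errors, kernel):
        for h in hits:
            print(err["ts"], "%s:%d" % (err["upstream_ip"], err["upstream_port"]),
                  "rejected SPT=%s flags=%s caught_by_syn_rule=%s"
                  % (h["fields"]["SPT"], sorted(h["flags"]),
                     matches_syn_reset_rule(h, PROXY_IP, BACKEND_PORT)))
```

Two things worth checking with it on real logs: every errno 113 entry should pair with exactly one LOG line, as in the post, and the paired packets should all be plain SYNs. A SYN answered with RST is reported to the proxy as errno 111 (Connection refused) instead of 113, which is why the tcp-reset rule changes the symptom. The constructed ACK line above shows the deliberate limit of the `--syn` restriction: a non-SYN packet that conntrack no longer recognises still falls through to the final icmp-host-prohibited REJECT.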