Welcome! Log In Create A New Profile

Re: Lots of "No route to host" in Nginx error log

Forum List Message List New Topic Print View

pacudes

March 25, 2010 03:05PM

Registered: 14 years ago
Posts: 2

pacudes Wrote:
-------------------------------------------------------
> Hi,
>
> We have that problem for awhile at our site.
> During the last two days, I investigated it and I
> pretty sure that it is cause by the netfilter
> firewall. Our backend servers are running RHEL5
> and the 'iptables, rule that accept new
> connections from the proxy looks like:
>
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp
> -p tcp -s iii.jjj.kkk.lll --dport 9005 -j ACCEPT
>
> iii.jjj.kkk.lll is the IP address of the proxy
> server.
>
> And the last rule of the chain
> 'RH-Firewall-1-INPUT' is:
>
> -A RH-Firewall-1-INPUT -j REJECT --reject-with
> icmp-host-prohibited
>
> Yesterday I inserted a new rule in between in
> order to log incoming packets from the proxy that
> are going to be rejected. The rule looks like:
>
> -A RH-Firewall-1-INPUT -s iii.jjj.kkk.lll -j LOG
>
> The result was that for each 'No route to host'
> error logged in the error_log file on the proxy
> server, there is a corresponding rejected packet
> logged on one of the backend servers. That means
> that our 'iptables' rules need a little bit of
> tuning.
>
> I thought of two solutions:
>
> 1) Remove the 'state match' test in the ACCEPT
> rule so the new rule looks like:
>
> -A RH-Firewall-1-INPUT -m tcp -p tcp -s
> iii.jjj.kkk.lll --dport 9005 -j ACCEPT
>
> 2) Add a new rule to 'iptables' which issues a
> REJECT with options 'tcp-reset' for the
> problematics packets. I hope that the proxy will
> reissue the request while receiving the RST flag
> from the backend. The rule should be inserted
> just before the last one and it should look like:
>
> -m tcp -p tcp -s iii.jjj.kkk.lll --dport 9005 -j
> REJECT --reject-with tcp-reset
>
> Tonight I will try the solution number 2. If the
> proxy react as I think it will, That will be a
> better solution than the number 1 which I will try
> eventually if the solution number 2 won't work.
>
> Hope that this message will help you.
>
> Sorry for the poor english.
>
> Paul

Hi again,

Finally the solution #2 solves the problem. I just made a last minute modification ( I restrict the rule to the -SYN packet) to the rule in 'iptables'. The right rule looks like this:

-A RH-Firewall-1-INPUT -m tcp -p tcp -s iii.jjj.kkk.lll --dport 9005 --syn -j REJECT --reject-with tcp-reset

Don't forget to adjust the source IP and destination port (-dport) according to your installation.

Regards

Paul

Reply Quote

RSS

Subject	Author	Posted
Lots of "No route to host" in Nginx error log	xufengnju	January 05, 2010 09:08PM
Re: Lots of "No route to host" in Nginx error log	Weibin Yao	January 05, 2010 09:40PM
Re: Lots of "No route to host" in Nginx error log	任晓磊	January 07, 2010 05:16AM
Re: Lots of "No route to host" in Nginx error log	崔玉松	February 01, 2010 03:50PM
Re: Lots of "No route to host" in Nginx error log	zhangyun112112	March 23, 2010 08:26AM
Re: Lots of "No route to host" in Nginx error log	Cliff Wells	March 23, 2010 11:56AM
Re: Lots of "No route to host" in Nginx error log	pacudes	March 24, 2010 07:21PM
Re: Lots of "No route to host" in Nginx error log	pacudes	March 25, 2010 03:05PM

Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 125

Record Number of Users: 8 on April 13, 2023

Record Number of Guests: 421 on December 02, 2018