ictdude
21-02-2011, 22:35
Originally Posted by Myatu
Good to use as extra protection...
Problems with server network time outs
Originally Posted by Myatu
Good to use as extra protection...
Myatu
20-02-2011, 13:16
You can limit how often a remote is allowed to connect in a certain timespan. For example:
This will limit connections per IP to 6 per minute to SSH (port 22). If this limit is exceeded, the connection is silently dropped (or rejected if that's your default iptables action).
That's why I asked if you were using this, because you could also do this for ICMP (ping) packets, in which case a ping may appear to never reach your server if it has exceeded this limit. This can make things look as if they're not working properly, while in fact they are ("it's not a bug, it's a feature" )
Code:
-A INPUT -p tcp -m tcp --dport 22 -m limit --limit 6/min -j ACCEPT
That's why I asked if you were using this, because you could also do this for ICMP (ping) packets, in which case a ping may appear to never reach your server if it has exceeded this limit. This can make things look as if they're not working properly, while in fact they are ("it's not a bug, it's a feature" )
ictdude
20-02-2011, 12:44
Originally Posted by Myatu
Then need to check diagnose it... If so i will check this with your suggestion:
use tcpdump -i [INTERFACE] icmp where [INTERFACE] is the actual vethx.x device on the host node (or ethX within the VM); use ifconfig to see them.
Thnx for the fast reply
Myatu
19-02-2011, 13:33
Are you using a firewall, such as Shorewall or plain-vanilla iptables? Check if you have rate limiting enabled then (in Shorewall, you should NOT have this in the policy but in the rules).
As for diagnosing, you can use tcpdump -i [INTERFACE] icmp where [INTERFACE] is the actual vethx.x device on the host node (or ethX within the VM); use ifconfig to see them.
Then a ping should come up as "echo request" (from the origin) and a corresponding "echo reply" (from the receiver). From this you can figure out the origin of the problem (is it not sending or receiving?); sometimes an error message will be given (ie., "host unreachable") which is often a network configuration/routing error, or when there's only a request but no response it'll likely be a rate-limitation (a DROP statement after X amount of requests per X seconds/minutes/hours/etc).
As for diagnosing, you can use tcpdump -i [INTERFACE] icmp where [INTERFACE] is the actual vethx.x device on the host node (or ethX within the VM); use ifconfig to see them.
Then a ping should come up as "echo request" (from the origin) and a corresponding "echo reply" (from the receiver). From this you can figure out the origin of the problem (is it not sending or receiving?); sometimes an error message will be given (ie., "host unreachable") which is often a network configuration/routing error, or when there's only a request but no response it'll likely be a rate-limitation (a DROP statement after X amount of requests per X seconds/minutes/hours/etc).
ictdude
19-02-2011, 00:35
My Proxmox with some hosts looks to have some network problems.
Its not the cpu or disk or ram. Have this lately. Maybe NIC related.
Or network routing. When i ping the Proxmox host and the vm's
OpenVz and KVM. Ping response give reply sometimes time outs.
What is the best way to trouble shoot this ? First reboot and do diagnostics
on hardware ? Is there a command to find out hardware status ?
Who has a answer ?
Its not the cpu or disk or ram. Have this lately. Maybe NIC related.
Or network routing. When i ping the Proxmox host and the vm's
OpenVz and KVM. Ping response give reply sometimes time outs.
What is the best way to trouble shoot this ? First reboot and do diagnostics
on hardware ? Is there a command to find out hardware status ?
Who has a answer ?