Discussion:
[Shorewall-users] How do I configure my firewall to run netperf? I use Shorewall (iptables firewall) on Debian
Klein Stéphane
2010-08-14 19:58:58 UTC
Hi,

I have two computers:
* A: a server with a firewall
* B: a computer on the internet

I've installed netserver on host A.
I use netperf on host B.

On host B, I launch :

$ netperf -H host_A_address_IP

If I stop the firewall on host A, everything works.
It doesn't work when the firewall is enabled.

In the firewall rules, I've opened the default netserver port: 12865

/etc/shorewall/rules
ACCEPT net $FW tcp 12865

Host A has full access to the internet.

/etc/shorewall/policy
$FW net ACCEPT

Where is the problem? Can you help me?

It's exactly the same issue as
http://www.archivum.info/netfilter/2003-03/00360/iptables-config-for-netperf.html

There is no answer to that question.

Other information: host A runs Debian and the firewall is configured with
Shorewall.

I've also posted this question on the netperf mailing list:
http://www.netperf.org/pipermail/netperf-talk/2010-August/000757.html

Thanks for your help.
Regards,
Stephane
--
Stéphane Klein<***@harobed.org>
blog: http://stephane-klein.info
Twitter: http://twitter.com/klein_stephane
pro: http://www.is-webdesign.com
Tom Eastep
2010-08-14 20:41:55 UTC
Post by Klein Stéphane
Hi,
* A: a server with a firewall
* B: a computer on the internet
I've installed netserver on host A.
I use netperf on host B.
$ netperf -H host_A_address_IP
If I stop the firewall on host A, everything works.
It doesn't work when the firewall is enabled.
In the firewall rules, I've opened the default netserver port: 12865
/etc/shorewall/rules
ACCEPT net $FW tcp 12865
Host A has full access to the internet.
/etc/shorewall/policy
$FW net ACCEPT
Where is the problem? Can you help me?
Look at your log.

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
Klein Stéphane
2010-08-14 21:01:53 UTC
Post by Tom Eastep
Post by Klein Stéphane
Hi,
* A: a server with a firewall
* B: a computer on the internet
I've installed netserver on host A.
I use netperf on host B.
$ netperf -H host_A_address_IP
If I stop the firewall on host A, everything works.
It doesn't work when the firewall is enabled.
In the firewall rules, I've opened the default netserver port: 12865
/etc/shorewall/rules
ACCEPT net $FW tcp 12865
Host A has full access to the internet.
/etc/shorewall/policy
$FW net ACCEPT
Where is the problem? Can you help me?
Look at your log.
-Tom
This is my log:

Aug 14 22:57:55 gw kernel: [18066.388731] Shorewall:net2fw:DROP:IN=eth0
OUT= MAC=00:13:d3:9e:3b:c2:00:24:23:00:7a:2d:08:00 SRC=192.168.1.10
DST=192.168.1.14 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=642 DF PROTO=TCP
SPT=56536 DPT=58042 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 14 22:57:58 gw kernel: [18069.394144] Shorewall:net2fw:DROP:IN=eth0
OUT= MAC=00:13:d3:9e:3b:c2:00:24:23:00:7a:2d:08:00 SRC=192.168.1.10
DST=192.168.1.14 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=643 DF PROTO=TCP
SPT=56536 DPT=58042 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 14 22:58:04 gw kernel: [18075.818119] Shorewall:net2fw:DROP:IN=eth0
OUT= MAC=00:13:d3:9e:3b:c2:00:24:23:00:7a:2d:08:00 SRC=192.168.1.10
DST=192.168.1.14 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=644 DF PROTO=TCP
SPT=56536 DPT=58042 WINDOW=5840 RES=0x00 SYN URGP=0

I don't understand: all connections from FW to net are allowed. Here
these connections are dropped!
Any idea?

Regards,
Stephane
--
Stéphane Klein<***@harobed.org>
blog: http://stephane-klein.info
Twitter: http://twitter.com/klein_stephane
pro: http://www.is-webdesign.com
Tom Eastep
2010-08-14 21:27:41 UTC
Post by Klein Stéphane
Post by Tom Eastep
Post by Klein Stéphane
Hi,
* A: a server with a firewall
* B: a computer on the internet
I've installed netserver on host A.
I use netperf on host B.
$ netperf -H host_A_address_IP
If I stop the firewall on host A, everything works.
It doesn't work when the firewall is enabled.
In the firewall rules, I've opened the default netserver port: 12865
/etc/shorewall/rules
ACCEPT net $FW tcp 12865
Host A has full access to the internet.
/etc/shorewall/policy
$FW net ACCEPT
Where is the problem? Can you help me?
Look at your log.
-Tom
Aug 14 22:57:55 gw kernel: [18066.388731] Shorewall:net2fw:DROP:IN=eth0
OUT= MAC=00:13:d3:9e:3b:c2:00:24:23:00:7a:2d:08:00 SRC=192.168.1.10
DST=192.168.1.14 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=642 DF PROTO=TCP
SPT=56536 DPT=58042 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 14 22:57:58 gw kernel: [18069.394144] Shorewall:net2fw:DROP:IN=eth0
OUT= MAC=00:13:d3:9e:3b:c2:00:24:23:00:7a:2d:08:00 SRC=192.168.1.10
DST=192.168.1.14 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=643 DF PROTO=TCP
SPT=56536 DPT=58042 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 14 22:58:04 gw kernel: [18075.818119] Shorewall:net2fw:DROP:IN=eth0
OUT= MAC=00:13:d3:9e:3b:c2:00:24:23:00:7a:2d:08:00 SRC=192.168.1.10
DST=192.168.1.14 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=644 DF PROTO=TCP
SPT=56536 DPT=58042 WINDOW=5840 RES=0x00 SYN URGP=0
I don't understand: all connections from FW to net are allowed. Here
these connections are dropped!
Any idea?
You need to consult Shorewall FAQ 17. Those are INCOMING packets
(IN=eth0 OUT=) for TCP port 58042 which your firewall is obviously blocking.

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
Keith Edmunds
2010-08-14 21:15:24 UTC
Post by Klein Stéphane
Aug 14 22:58:04 gw kernel: [18075.818119] Shorewall:net2fw:DROP:IN=eth0
OUT= MAC=00:13:d3:9e:3b:c2:00:24:23:00:7a:2d:08:00 SRC=192.168.1.10
DST=192.168.1.14 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=644 DF PROTO=TCP
SPT=56536 DPT=58042 WINDOW=5840 RES=0x00 SYN URGP=0
I don't understand: all connections from FW to net are allowed. Here
these connections are dropped!
The connection being dropped is from the net to the firewall, not FW to
net.

In your earlier posting, you allowed access to port 12865. The destination
port above is 58042.

You might want to check over your configuration.
Stéphane Klein
2010-08-18 19:53:50 UTC
Post by Klein Stéphane
Hi,
* A: a server with a firewall
* B: a computer on the internet
I've installed netserver on host A.
I use netperf on host B.
$ netperf -H host_A_address_IP
If I stop the firewall on host A, everything works.
It doesn't work when the firewall is enabled.
In the firewall rules, I've opened the default netserver port: 12865
Host A has full access to the internet.
Where is the problem? Can you help me?
It's exactly the same issue as
http://www.archivum.info/netfilter/2003-03/00360/iptables-config-for-netperf.html
There is no answer to that question.
Other information: host A runs Debian and the firewall is configured
with Shorewall.
Thanks for your help.
Regards,
Stephane
The normal flow of a netperf test is that netperf establishes a
control connection to port 12865 on the system running netserver, then
passes setup information to the netserver via the control connection.
The netserver then does some setup and passes further information back
to netperf over the control connection - in particular the port number
for the "data" connection - and then netperf connects to netserver at
that port number. Netperf is always the side initiating connections.
Now, there is a way to get netperf to use fixed port numbers for the
data connection - there should be something about that in either the
http://www.netperf.org/svn/netperf2/tags/netperf-2.4.5/doc/netperf.html
where the test-specific -H and -L options are discussed.
happy benchmarking,
Thanks; with your answer I found the solution.

On my firewall (Shorewall), I defined these rules (/etc/shorewall/rules):

ACCEPT net $FW tcp 12865
ACCEPT net $FW tcp 12866

Next, on my external host (net), I run:

$ netperf -H 192.168.1.14 -p 12865 -t TCP_STREAM -- -P 12866

This works great!

Regards,
Stephane
--
Stéphane Klein<***@harobed.org>
blog: http://stephane-klein.info
Twitter: http://twitter.com/klein_stephane
pro: http://www.is-webdesign.com
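An added example (my own code, not from the thread or from the Shorewall project) that automates the diagnosis Tom and Keith did by eye: it parses Shorewall DROP log lines in the format shown above, turns the chain name (net2fw) into a zone pair, and lists dropped connections that none of the ACCEPT lines in a /etc/shorewall/rules fragment would have admitted. The sample log and rules are constructed from the thread; the parser assumes the default Shorewall log prefix format and reads only the first five rule columns.

```python
import re

# Constructed sample: two of the DROP entries from the thread, each re-joined onto
# one line (the mail client had wrapped them). DPT=58042 is the negotiated data port.
SAMPLE_LOG = """\
Aug 14 22:57:55 gw kernel: [18066.388731] Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:13:d3:9e:3b:c2:00:24:23:00:7a:2d:08:00 SRC=192.168.1.10 DST=192.168.1.14 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=642 DF PROTO=TCP SPT=56536 DPT=58042 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 14 22:58:04 gw kernel: [18075.818119] Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:13:d3:9e:3b:c2:00:24:23:00:7a:2d:08:00 SRC=192.168.1.10 DST=192.168.1.14 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=644 DF PROTO=TCP SPT=56536 DPT=58042 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# The rules from the final post, in /etc/shorewall/rules column order:
# ACTION SOURCE DEST PROTO DPORT
FIXED_PORT_RULES = """\
ACCEPT net $FW tcp 12865
ACCEPT net $FW tcp 12866
"""

# Default Shorewall prefix: "Shorewall:<srczone>2<dstzone>:<disposition>:" then key=value pairs.
LOG_RE = re.compile(r"Shorewall:(?P<src>\w+?)2(?P<dst>\w+):(?P<disp>\w+):(?P<kv>.*)")

def parse_drop(line):
    """Return (src_zone, dst_zone, proto, dport) for a logged DROP, else None."""
    m = LOG_RE.search(line)
    if not m or m["disp"] != "DROP":
        return None
    f = dict(t.split("=", 1) for t in m["kv"].split() if "=" in t)
    if "DPT" not in f:  # ICMP and the like carry no ports
        return None
    return m["src"], m["dst"], f["PROTO"].lower(), int(f["DPT"])

def parse_rules(text):
    """Parse ACCEPT lines into (src_zone, dst_zone, proto, {ports}); $FW becomes 'fw'."""
    rules = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "ACCEPT":
            continue
        _, src, dst, proto, dport = cols[:5]
        ports = set()
        for item in dport.split(","):  # "12865,12866" or a "lo:hi" range
            lo, _, hi = item.partition(":")
            ports.update(range(int(lo), int(hi or lo) + 1))
        rules.append((src.lower(), dst.replace("$FW", "fw").lower(), proto.lower(), ports))
    return rules

def unexplained_drops(log_text, rules_text):
    """Dropped (zones, proto, port) tuples that no ACCEPT rule covers, i.e. rules still missing."""
    rules = parse_rules(rules_text)
    missing = set()
    for line in log_text.splitlines():
        pkt = parse_drop(line)
        if pkt and not any(pkt[0] == r[0] and pkt[1] == r[1] and pkt[2] == r[2]
                           and pkt[3] in r[3] for r in rules):
            missing.add(pkt)
    return sorted(missing)
```

Run against the thread's log, the only unexplained drop is net to fw, tcp 58042, which is exactly the random data port the fixed-port `-- -P 12866` option makes predictable.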