Linode.com Forum

[dswartz]

Since verizon blocks port 80 inbound on their broadband connections, I thought I'd use port 80 on my linode and forward it through the openvpn tunnel to my home system. The iptables config was fairly simple (possibly too much so). I used DNAT to push packets arriving on eth0 into tun0, rewriting the destination to the private IP of the webserver at home. I also used SNAT to rewrite the source IP to the linode's tun0 IP so the return packets know where to go. Works fine (at first.) I use a webmail application which periodically refreshes the screen, and I noticed that after awhile (10 minutes or so?) there would be an error page the browser put up "Connection timed out". An attempt to connect to port 80 from an external shell account would hang. After awhile longer, it would just start working again. I don't think it's a conntrack issue, since this also happens for new connection attempts. Any ideas where to look? I can post my iptables rules if needed...

[dswartz]

This is a real bummer. I caught it doing it just now, so I did a grep for dport=80 on the linode and saw:

tcp 6 114 SYN_SENT src=A.B.C.D dst=P.Q.R.S sport=32899 dport=80 packets=2 bytes=96 [UNREPLIED] src=10.8.0.2 dst=10.8.0.1 sport=80 dport=32899 packets=0 bytes=0 mark=0 secmark=0 use=1

I don't have it in my cut&paste buffer, but on the real server (at the other end of the openvpn tunnel), the matching entry showed up as FIN_WAIT.

Update: I was running a script that connects on port 80 and then disconnects. I tried running two at the same time, and when the freeze happened, both processes were stuck, and doing cat on the conntrack pseudofile, showed two entries in SYN_SENT state. I'm mystified as to why one entry can get stuck, but even more mystified as to why this would prevent any new connections on that port.