IPtables
  • IPtables

    I seem to have random issues with IPtables.

    There is an allow rule for port 53 TCP / UDP DNS

    Randomly, like once a month, DNS lookups keep failing and the only way to resolve it is to restart iptables, and then it works fine again.

    Anyone else had this issue?

  • #2
    Originally posted by uk26 View Post
    I seem to have random issues with IPtables.

    There is an allow rule for port 53 TCP / UDP DNS

    Randomly, like once a month, DNS lookups keep failing and the only way to resolve it is to restart iptables, and then it works fine again.

    Anyone else had this issue?
    Nope, not had anything like that.

    Have you done any troubleshooting to see whereabouts in the rules the packets are being dropped when you run into the problem?

    Is there any kind of pattern for when this occurs?
    GoDaddy are abusing WHC with shill advertising



    • #3
      A simple tcp/udp allow shouldn't cause any issues.

      Which OS are you running?
      Anything of interest in the logs around the time DNS fails?
      Can you provide a copy of the rules?



      • #4
        Dear Sir / Madam,

        We have investigated your issue and we believe that the problem most likely lies in the connection tracking feature of iptables.

        By default each new flow passing through iptables creates a connection tracking entry. Unfortunately, due to the nature of UDP DNS, this can create an excessively large number of flows very quickly and fill the connection tracking table. This can usually be confirmed by looking in the kernel log while the issue is occurring and observing "connection tracking table full" errors.

        The solution to this, and something that we would recommend in every iptables installation is to disable the connection tracking feature for UDP DNS packets, with rules such as the following:

        Code:
        iptables -t raw -A PREROUTING -p udp -m udp --dport 53 -j NOTRACK
        iptables -t raw -A OUTPUT -p udp -m udp --sport 53 -j NOTRACK

        This configuration will prevent tracking entries from being created for UDP DNS packets. Since these will presumably always be allowed in both directions, the connection tracking serves no purpose.

        We hope this will resolve the problem, but if not, please do let us know, and we will shrug our shoulders and stare back blankly.

        Charlie
        Charlie Smurthwaite
        aTech Media - UK Ruby on Rails development specialists
        Sirportly - Powerful customer helpdesk platform

        Company Registration Number: 5523199 VAT Registration Number: GB 868 861 560
        All views expressed in my posts are my own and not those of aTech Media Limited.


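As an added example (not from the thread, and not aTech Media's own tooling), the checks a practitioner would run before and after applying the NOTRACK rules in post #4: counting "table full" drops in the kernel log, reading the table's fill level from the nf_conntrack sysctls, and printing the NOTRACK rules together with the explicit ACCEPT rules they require, because an untracked packet never matches an ESTABLISHED state rule and a rule set that relies on that state to let replies through would drop DNS the moment NOTRACK is added. The log lines and sysctl values are constructed, and the rules assume, as the post does, a host that serves DNS on port 53.

```shell
#!/bin/sh
# Added example (not from the thread): triage helpers for the conntrack
# exhaustion scenario described in post #4. Every function only prints;
# nothing here changes the running firewall.

# Constructed kernel log lines, standing in for `dmesg` output on a host
# whose conntrack table is overflowing. The text is the message the
# nf_conntrack module logs; older kernels said "ip_conntrack" instead.
SAMPLE_KLOG='[12001.551] nf_conntrack: table full, dropping packet
[12001.552] nf_conntrack: table full, dropping packet
[12003.004] eth0: link up
[12005.118] nf_conntrack: table full, dropping packet'

# Count "table full" drops in the log text given on stdin.
# Real use:  dmesg | count_table_full
count_table_full() {
    grep -c 'conntrack: table full, dropping packet' || true
}

# Percentage of the conntrack table in use, given current count and max.
# Real use:  conntrack_usage_pct "$(sysctl -n net.netfilter.nf_conntrack_count)" \
#                                "$(sysctl -n net.netfilter.nf_conntrack_max)"
conntrack_usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# Succeed (exit 0) when the table is at or above 90% of its maximum,
# the point at which the "table full" drops above are imminent.
conntrack_near_full() {
    [ "$(conntrack_usage_pct "$1" "$2")" -ge 90 ]
}

# Print the raw-table NOTRACK rules from the thread plus the filter-table
# ACCEPTs they need. Untracked packets never match "--ctstate ESTABLISHED",
# so they are allowed explicitly by their UNTRACKED state; -I puts those
# rules ahead of any existing DROP. The commands are printed, not executed:
# review them, then `dns_notrack_rules | sh` as root when satisfied.
dns_notrack_rules() {
    cat <<'EOF'
iptables -t raw -A PREROUTING -p udp -m udp --dport 53 -j NOTRACK
iptables -t raw -A OUTPUT -p udp -m udp --sport 53 -j NOTRACK
iptables -I INPUT -p udp -m udp --dport 53 -m conntrack --ctstate UNTRACKED -j ACCEPT
iptables -I OUTPUT -p udp -m udp --sport 53 -m conntrack --ctstate UNTRACKED -j ACCEPT
EOF
}

# Demo on the constructed data (61234 of 65536 entries in use).
drops=$(printf '%s\n' "$SAMPLE_KLOG" | count_table_full)
echo "table-full drops in sample log: $drops"
if conntrack_near_full 61234 65536; then
    echo "conntrack table near capacity; candidate rules:"
    dns_notrack_rules
fi
```

The two sysctls read here, net.netfilter.nf_conntrack_count and net.netfilter.nf_conntrack_max, are the quickest confirmation of the diagnosis in post #4: if the count sits near the maximum while DNS is failing, the table is the bottleneck. Note that once the NOTRACK rules are in place the UDP DNS flows disappear from `conntrack -L` and from the count, so the usage figure will drop sharply after the change even though traffic is unchanged.
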
        • #5
          Got It. I also want to know about it in details.
          https://www.vivaindia.com.mx
          https://www.vivaindia.com.co



          • #6
            A) Random means "equal probability of hitting any backend". If you have idle pods it suggests you either don't have a statistically significant number of connections or you're doing client affinity or something to defeat the randomizer.

            B) Round-robin becomes a distributed decision - each node chooses independently of each other node. So to your backend service, it's basically random anyway.

            Anyway, ipvs mode is going GA in 1.11, so please feel free to try it out
            Hope this helps!
            Regards.
            Lewis



            • #7
              Originally posted by Lewis-H View Post
              A) Random means "equal probability of hitting any backend". If you have idle pods it suggests you either don't have a statistically significant number of connections or you're doing client affinity or something to defeat the randomizer.

              B) Round-robin becomes a distributed decision - each node chooses independently of each other node. So to your backend service, it's basically random anyway.

              Anyway, ipvs mode is going GA in 1.11, so please feel free to try it out
              Hope this helps!
              Regards.
              Lewis
              Good work digging up a thread that's over a year old and then adding nothing relevant to the matter at hand whatsoever...

              It looks like your post has been copied and pasted from https://github.com/kubernetes/kubern...ment-395244580 for some inexplicable reason.
              GoDaddy are abusing WHC with shill advertising
