bit151's questions -server

bit151

Asked: 2021-02-06 13:09:14 +0800 CST

Apache keeps TCP Connection in CLOSE-WAIT state for 600 Seconds

My setup consists of two apache servers like in this diagram:

|Apache | >==Reverse Proxy Connection====> |Apache |
|Server1| <==Response through conntrack==< |Server2|

After a successful HTTP connection from Server 1 to Server 2, the latter sends a TCP [FIN,ACK] packet.

This packet is properly acknowledged by Server 1 with a TCP [ACK] packet. The connection is now in the CLOSE-WAIT state.

Then, almost 600 Seconds later, Server 1 sends TCP [FIN,ACK] to Server 2, which responds with TCP [RST].

This packet is marked by conntack as 'invalid' and never makes it to Server 1 (due to an iptables rule), resulting in Server 1 retransmitting the TCP [FIN,ACK] packet more than 20 times. This is because nf_conntrack has a timeout of 60 seconds for a TCP connection in the CLOSE-WAIT state.

Packet Capture

Why does Apache keep the TCP connection in the close-wait state for that long and why does the counterpart respond with RST?

bit151

Asked: 2018-10-17 06:40:59 +0800 CST

VPN Router does not reply to ARP Requests

So i have these three network interfaces setup on a linux box:

eth0 is facing the external network (192.168.1.0/24)
tun0 is the vpn interface (10.8.8.0/24)
eth1 is the local network interface (192.168.0.0/24)

The goal is to create a VPN Router, which routes only the packets from eth1 interface.

In order to do that I have a script that is run after the VPN connection has been established:

Allow rest of system to use default network connection
/sbin/ip route delete 0.0.0.0/1 via 10.8.8.1 dev tun0
/sbin/ip route delete 128.0.0.0/1 via 10.8.8.1 dev tun0

Route all traffic from 192.168.0.0/24 through VPN
/sbin/ip route add default via 10.8.8.1 dev tun0 table 200
/sbin/ip rule add from 192.168.0.0/24 table 200

VPN Forwarding (NAT)
/sbin/iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
/sbin/iptables -A FORWARD -i tun0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i eth1 -o tun0 -j ACCEPT

The problem is that, when the VPN tunnel is established, the linux box does not reply to ARP requests on eth1 interface.
If i configure the ARP cache manually on a client PC, then the setup works fine.

Any ideas?

EDIT : ARP works only when router makes a request to client PC but not the other way around (in that case router receives ARP but does not reply)
EDIT 2 : Both eth0 and eth1 share the same MAC-Address

Apache keeps TCP Connection in CLOSE-WAIT state for 600 Seconds

VPN Router does not reply to ARP Requests

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?