
For the past month I can't solve this. I have made different iptables rules and enabled and disabled modules in the kernel, but I get the same results, and even more packets have been dropped by iptables. This makes users have a 3/5 second delay when trying to access different shared folders from 192.168.1.0/24 to 192.168.3.0/28 on the virtual machine.

I see this in the logs:

    Feb 14 13:53:02 ns129115 kernel: [12426815.202643] IPTables-OUTPUT-Dropped: IN= OUT=br0 SRC=192.168.1.115 DST=192.168.1.231 LEN=104 TOS=0x10 PREC=0x00 TTL=64 ID=61932 DF PROTO=TCP SPT=22115 DPT=49225 WINDOW=384 RES=0x00 ACK PSH URGP=0
    Feb 14 13:53:02 ns129115 kernel: [12426815.393379] IPTables-OUTPUT-Dropped: IN= OUT=br0 SRC=192.168.1.115 DST=192.168.1.231 LEN=40 TOS=0x10 PREC=0x00 TTL=64 ID=61933 DF PROTO=TCP SPT=22115 DPT=49225 WINDOW=384 RES=0x00 ACK URGP=0
    Feb 14 13:53:02 ns129115 kernel: [12426815.834944] IPTables-OUTPUT-Dropped: IN= OUT=br0 SRC=192.168.1.115 DST=192.168.1.231 LEN=40 TOS=0x10 PREC=0x00 TTL=64 ID=61934 DF PROTO=TCP SPT=22115 DPT=49225 WINDOW=384 RES=0x00 ACK URGP=0
    Feb 14 13:53:02 ns129115 kernel: [12426815.835219] IPTables-OUTPUT-Dropped: IN= OUT=br0 SRC=192.168.1.115 DST=192.168.1.231 LEN=136 TOS=0x10 PREC=0x00 TTL=64 ID=61935 DF PROTO=TCP SPT=22115 DPT=49225 WINDOW=384 RES=0x00 ACK PSH URGP=0
    Feb 14 13:53:19 ns129115 kernel: [12426832.829664] IPTables-FWD-Dropped: IN=br0 OUT=br0 PHYSIN=vnet0 PHYSOUT=eth2 MAC=70:85:c2:4f:14:c1:00:16:3e:ea:18:01:08:00 SRC=192.168.1.156 DST=192.168.1.125 LEN=319 TOS=0x00 PREC=0x00 TTL=128 ID=16660 DF PROTO=TCP SPT=49169 DPT=54820 WINDOW=256 RES=0x00 ACK PSH URGP=0
    Feb 14 13:53:39 ns129115 kernel: [12426852.496117] IPTables-OUTPUT-Dropped: IN= OUT=br0 SRC=192.168.1.115 DST=192.168.1.231 LEN=104 TOS=0x10 PREC=0x00 TTL=64 ID=29023 DF PROTO=TCP SPT=22115 DPT=52214 WINDOW=263 RES=0x00 ACK PSH URGP=0
    Feb 14 13:53:49 ns129115 kernel: [12426862.856776] IPTables-FWD-Dropped: IN=br0 OUT=br0 PHYSIN=eth2 PHYSOUT=vnet0 MAC=00:16:3e:ea:18:01:90:2b:34:b0:20:a4:08:00 SRC=192.168.1.237 DST=192.168.1.156 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=1644 DF PROTO=TCP SPT=49244 DPT=49169 WINDOW=1879 RES=0x00 ACK URGP=0
    Feb 14 13:53:50 ns129115 kernel: [12426863.288983] IPTables-OUTPUT-Dropped: IN= OUT=br0 SRC=192.168.1.115 DST=192.168.1.231 LEN=104 TOS=0x10 PREC=0x00 TTL=64 ID=29069 DF PROTO=TCP SPT=22115 DPT=52214 WINDOW=263 RES=0x00 ACK PSH URGP=0
    Feb 14 13:54:19 ns129115 kernel: [12426892.906806] IPTables-FWD-Dropped: IN=br0 OUT=br0 PHYSIN=eth2 PHYSOUT=vnet0 MAC=00:16:3e:ea:18:01:74:d4:35:6a:18:7a:08:00 SRC=192.168.1.199 DST=192.168.1.156 LEN=248 TOS=0x00 PREC=0x00 TTL=128 ID=13244 DF PROTO=TCP SPT=49678 DPT=49169 WINDOW=256 RES=0x00 ACK PSH URGP=0
    Feb 14 13:54:42 ns129115 kernel: [12426915.939242] IPTables-OUTPUT-Dropped: IN= OUT=br0 SRC=192.168.1.115 DST=192.168.1.231 LEN=136 TOS=0x10 PREC=0x00 TTL=64 ID=61969 DF PROTO=TCP SPT=22115 DPT=49225 WINDOW=384 RES=0x00 ACK PSH URGP=0

The Debian server has iptables and 2 bridges:

  • BR0 is the bridge with Internet access to the gateway 192.168.1.1, and all users are on this network
  • VIRBR10 is the 2nd bridge; vm1 is connected to this bridge with IP 192.168.3.12 (192.168.3.0/28) and has NAT with iptables to the outside, passing through br0

(Image: the network graph with gateway and hypervisor; not reproduced here)

Here is my route table

~ route list

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    default         192.168.1.1     0.0.0.0         UG    0      0        0 br0
    192.168.1.0     *               255.255.255.0   U     0      0        0 br0
    192.168.3.0     *               255.255.255.240 U     0      0        0 virbr10

~ brctl show

    bridge name     bridge id               STP enabled     interfaces
    br0             8000.0cc47ac18d3c       yes             eth2
    virbr10         8000.525400c4b847       yes             virbr10-dummy
                                                            vnet2

~ iptables rules

    #!/bin/sh
    #Flushing all rules
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -t nat -F
    iptables -t mangle -F
    iptables -F
    iptables -X

    # Allow basic INPUT traffic.
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
    iptables -A INPUT -p icmp -m conntrack --ctstate NEW -j ACCEPT
    #
    #MTU
    iptables -t mangle -A FORWARD -o virbr1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1460
    iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

    #SMB
    #Port: netbios - 445/tcp
    #Port: netbios-ns - 137/udp -- NETBIOS Name Service
    #Port: netbios-dgm - 138/udp -- NETBIOS Datagram Service
    #Port: netbios-ssn - 139/tcp -- NETBIOS session service
    iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
    iptables -A INPUT -p udp -m udp --dport 445 -j ACCEPT
    iptables -A INPUT -p udp -m udp --dport 137:138 -j ACCEPT
    iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
    #iptables -A INPUT -p tcp -m tcp -m conntrack --ctstate NEW --sport 137 -j ACCEPT
    #iptables -A INPUT -p tcp -m tcp -m conntrack --ctstate NEW --sport 138 -j ACCEPT
    #iptables -A INPUT -p tcp -m tcp -m conntrack --ctstate NEW --sport 139 -j ACCEPT

    #RDP
    #Port: 3389
    # connections from outside
    iptables -I FORWARD -o virbr10 -d 192.168.3.12 -j ACCEPT
    iptables -t nat -I PREROUTING -p tcp --dport 3589 -j DNAT --to 192.168.3.12:3389

    # Masquerade local subnet
    iptables -I FORWARD -o virbr10 -d 192.168.3.0/28 -j ACCEPT
    iptables -t nat -A POSTROUTING -s 192.168.3.0/28 -j MASQUERADE
    iptables -A FORWARD -o virbr10 -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Allow outbound connections from virbr10 to the 192.168.1.0/24 network
    iptables -A FORWARD -i virbr10 -o br0 -j ACCEPT
    iptables -A FORWARD -o virbr10 -i br0 -j ACCEPT
    iptables -A FORWARD -i virbr10 -o lo -j ACCEPT
    ###
    #KVM routed guest
    # DHCP packets sent to VMs have no checksum (due to a longstanding bug).
    iptables -t mangle -A POSTROUTING -o virbr10 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
    # Do not masquerade to these reserved address blocks.
    iptables -t nat -A POSTROUTING -s 192.168.3.0/28 -d 224.0.0.0/24 -j RETURN
    iptables -t nat -A POSTROUTING -s 192.168.3.0/28 -d 255.255.255.255/32 -j RETURN
    # Masquerade all packets going from VMs to the LAN/Internet.
    iptables -t nat -A POSTROUTING -s 192.168.3.0/28 ! -d 192.168.3.0/28 -p tcp -j MASQUERADE --to-ports 1024-65535
    iptables -t nat -A POSTROUTING -s 192.168.3.0/28 ! -d 192.168.3.0/28 -p udp -j MASQUERADE --to-ports 1024-65535
    iptables -t nat -A POSTROUTING -s 192.168.3.0/28 ! -d 192.168.3.0/28 -j MASQUERADE
    # Accept SSH connections.
    iptables -A INPUT -p tcp -m tcp --syn -m conntrack --ctstate NEW --dport 22 -j ACCEPT
    # Accept Radmin
    iptables -A INPUT -p tcp -m tcp --syn -m conntrack --ctstate NEW --dport 4899 -j ACCEPT
    # Allow inbound traffic to the private subnet.
    iptables -A FORWARD -d 192.168.3.0/28 -o virbr10 -m state --state ESTABLISHED,RELATED -j ACCEPT
    #7218-12_07 Slow desk access
    iptables -A FORWARD -d 192.168.1.0/24 -o br0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    #7218-12_07 Slow desk access
    iptables -A FORWARD -d 192.168.3.0/28 -o br0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Allow outbound traffic from the private subnet.
    iptables -A FORWARD -s 192.168.3.0/28 -i virbr10 -m state --state ESTABLISHED,RELATED -j ACCEPT
    #7218-12_07 Slow desk access
    iptables -A FORWARD -s 192.168.1.0/24 -i br0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    #7218-12_07 Slow desk access
    iptables -A FORWARD -s 192.168.3.0/28 -i br0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Allow traffic between virtual machines.
    iptables -A FORWARD -i virbr10 -o virbr10 -j ACCEPT
    # Reject everything else.
    iptables -A FORWARD -i virbr10 -j REJECT --reject-with icmp-port-unreachable
    # Accept DNS (port 53) and DHCP (port 67) packets from VMs.
    iptables -A INPUT -i virbr10 -p udp -m udp -m multiport --dports 53,67 -j ACCEPT
    iptables -A INPUT -i virbr10 -p tcp -m tcp -m multiport --dports 53,67 -j ACCEPT
    #ICMP
    iptables -A OUTPUT -p icmp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Reject everything else.
    iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
    iptables -A INPUT -p tcp -m tcp -j REJECT --reject-with tcp-reset
    iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
    #Log packets dropped
    iptables -A INPUT -m limit --limit 2/min -j LOG --log-prefix "IPTables-INPUT-Dropped: " --log-level 4
    iptables -A FORWARD -m limit --limit 2/min -j LOG --log-prefix "IPTables-FWD-Dropped: " --log-level 4
    iptables -A OUTPUT -m limit --limit 2/min -j LOG --log-prefix "IPTables-OUTPUT-Dropped: " --log-level 4

Updates

  1. Moved the log rules to the end of the script and pasted the new log entries
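As an added example (not part of the question or answer), a small Python parser for the kernel LOG lines shown above: it splits each entry into its prefix and key=value fields, separates locally generated packets (empty IN, i.e. the OUTPUT chain) from bridged ones (PHYSIN/PHYSOUT present, i.e. br0-to-br0 traffic seen by the FORWARD chain through bridge netfilter) and routed ones, and counts entries per flow. The sample lines are constructed by copying three entries from the question; field names are those of the kernel LOG target.

```python
import re
from collections import Counter

# Constructed sample: three LOG entries copied from the question, in the kernel's format.
SAMPLE_LOG = """\
Feb 14 13:53:02 ns129115 kernel: [12426815.202643] IPTables-OUTPUT-Dropped: IN= OUT=br0 SRC=192.168.1.115 DST=192.168.1.231 LEN=104 TOS=0x10 PREC=0x00 TTL=64 ID=61932 DF PROTO=TCP SPT=22115 DPT=49225 WINDOW=384 RES=0x00 ACK PSH URGP=0
Feb 14 13:53:19 ns129115 kernel: [12426832.829664] IPTables-FWD-Dropped: IN=br0 OUT=br0 PHYSIN=vnet0 PHYSOUT=eth2 MAC=70:85:c2:4f:14:c1:00:16:3e:ea:18:01:08:00 SRC=192.168.1.156 DST=192.168.1.125 LEN=319 TOS=0x00 PREC=0x00 TTL=128 ID=16660 DF PROTO=TCP SPT=49169 DPT=54820 WINDOW=256 RES=0x00 ACK PSH URGP=0
Feb 14 13:53:49 ns129115 kernel: [12426862.856776] IPTables-FWD-Dropped: IN=br0 OUT=br0 PHYSIN=eth2 PHYSOUT=vnet0 MAC=00:16:3e:ea:18:01:90:2b:34:b0:20:a4:08:00 SRC=192.168.1.237 DST=192.168.1.156 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=1644 DF PROTO=TCP SPT=49244 DPT=49169 WINDOW=1879 RES=0x00 ACK URGP=0
"""

# "kernel: [uptime] <--log-prefix>: <fields>"; the prefix is what the LOG rule set.
LINE_RE = re.compile(r"kernel: \[[\d.]+\] (?P<prefix>\S+): (?P<body>.*)$")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_line(line):
    """Return {'prefix', 'flags', 'bridged', <KEY>: value...} for a LOG line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix"), "flags": set()}
    for tok in m.group("body").split():
        if "=" in tok:
            key, val = tok.split("=", 1)   # "IN=" yields an empty string for IN
            rec[key] = val
        elif tok in TCP_FLAGS:
            rec["flags"].add(tok)          # bare TCP flag names
        else:
            rec[tok] = True                # bare markers such as DF
    rec["bridged"] = "PHYSIN" in rec or "PHYSOUT" in rec
    return rec

def classify(rec):
    """Where in the stack the packet was seen: local output, bridged, or routed."""
    if rec.get("IN", "") == "":
        return "local-output"
    return "bridged" if rec["bridged"] else "routed"

def summarize(text):
    """Aggregate an excerpt: packets per flow, plus how many were bridged and mid-stream."""
    out = {"by_flow": Counter(), "bridged": 0, "midstream": 0}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["prefix"], classify(rec), rec.get("SRC"), rec.get("DST"), rec.get("DPT"))
        out["by_flow"][key] += 1
        out["bridged"] += rec["bridged"]
        # ACK without SYN: a segment of an already-established connection
        out["midstream"] += ("ACK" in rec["flags"] and "SYN" not in rec["flags"])
    return out
```

Because LOG is a non-terminating target, an entry with one of these prefixes only proves the packet reached the LOG rule, not that it was dropped; in the question's script the OUTPUT chain has policy ACCEPT and no drop rule, so the "OUTPUT-Dropped" packets were in fact delivered.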
  • That firewall is going to give me nightmares. Doesn't Debian have a proper firewall building tool (like ufw for Ubuntu, or firewalld for Red Hat)? Commented Feb 14, 2018 at 16:10
  • I'm using a bash script to flush all rules if I make an update. For me it is better to use iptables; I know ufw has a simple usage, but maybe it is not the best when you need to go deeper with the mangle and nat tables. Commented Feb 14, 2018 at 16:28
  • The LOG target isn't well placed, considering it's near the top in all three chains Commented Feb 14, 2018 at 16:46
  • @TorinCarey I updated the first post, moving the iptables log rules to the end, and added the new log entries with the new changes to iptables. Commented Feb 14, 2018 at 16:59

1 Answer


After searching on Google I could solve this.

  1. The slow access to shared files with SMB on the domain controller in Windows Server 2012 R2 is because the folder redirection GPO makes changes to permissions in the user profile folder during the redirection process when the folder does not exist in the destination. Based on iamrafic from Microsoft Technet (link), we need to change the folder permissions to this:

  • Create the folder in the required location.
  • Disable inheritance of permissions from the parent and remove all inherited permissions by clicking the appropriate button. One entry will already be in the DACL: Local Administrators.
  • Alter Local Administrators: Full Control: This folder, subfolders and files.
  • Add SYSTEM: Full Control: This folder, subfolders and files.
  • Add CREATOR OWNER: Full Control: This folder, subfolders and files.
  • Add Authenticated Users: List folder / read data, Create folders / append data: This folder only.
  • Add Domain Admins: Full Control: This folder, subfolders and files.
  • Click OK.

  2. The other problem was my iptables rules. I needed to build completely new chains and fix the order of every FORWARD rule, because this affects performance when the packet is analyzed. Here are the new ones.

    #!/bin/sh
    #Flushing all rules
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -t nat -F
    iptables -t mangle -F
    iptables -F
    iptables -X
    iptables -t raw -F

    # Basic tables
    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    #
    iptables -A FORWARD -o virbr32 -s 192.168.1.0/24 -d 192.168.100.0/28 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i virbr32 -s 192.168.100.0/28 -d 192.168.1.0/24 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -o virbr32 -i br0 -j ACCEPT
    iptables -A FORWARD -i virbr32 -s 192.168.100.0/28 -j ACCEPT
    iptables -A FORWARD -i virbr32 -o virbr32 -j ACCEPT
    iptables -A FORWARD -i virbr32 -j LOG --log-prefix "iptables-FORWARD-REJECT: "
    iptables -A FORWARD -i virbr32 -j REJECT --reject-with icmp-port-unreachable

    # Masquerade local subnet
    iptables -t nat -A POSTROUTING -s 192.168.100.0/28 -j MASQUERADE
    # Do not masquerade to these reserved address blocks.
    iptables -t nat -A POSTROUTING -s 192.168.100.0/28 -d 224.0.0.0/24 -j RETURN
    iptables -t nat -A POSTROUTING -s 192.168.100.0/28 -d 255.255.255.255/32 -j RETURN

    # SMB
    # RPC EPM               TCP 135
    # RPC over HTTPS        TCP 593
    # SMB (for named pipes) TCP 445
    # Ephemeral Range, Dynamic *
    iptables -I FORWARD 6 -o virbr32 -i br0 -m conntrack --ctstate NEW -p tcp -d 192.168.100.12 --dport 445 -j ACCEPT
    iptables -I FORWARD 7 -o virbr32 -i br0 -m conntrack --ctstate NEW -p tcp -d 192.168.100.12 --dport 139 -j ACCEPT
    # Accept DNS (port 53) and DHCP (port 67) packets from VMs.
    iptables -I FORWARD 8 -o virbr32 -i br0 -m conntrack --ctstate NEW -p tcp -m tcp -m multiport --dports 53,67 -j ACCEPT
    iptables -I FORWARD 9 -i virbr32 -o br0 -m conntrack --ctstate NEW -p udp -m udp -m multiport --dports 53,67 -j ACCEPT
    #
    #
    # The two rules below assure that only TCP packets get examined. All others
    # continue into the *filter table.
    iptables -t raw -N TCPFLAGS
    iptables -t raw -A PREROUTING -p tcp -j TCPFLAGS
    iptables -t raw -A PREROUTING -j ACCEPT
    # Quickly accept standard handshakes
    # ALLOW ACK or ACK/SYN
    #-A TCPFLAGS -j ACCEPT
    iptables -t raw -A TCPFLAGS -p tcp --tcp-flags FIN,ACK,URG,PSH,RST ACK -j ACCEPT
    # Allow ACK/FIN with either URG or PSH, or both, or neither
    # but SYN and RST can't be set
    iptables -t raw -A TCPFLAGS -p tcp --tcp-flags FIN,SYN,ACK,RST ACK,FIN -j ACCEPT
    # Allow SYN or ACK/SYN
    iptables -t raw -A TCPFLAGS -p tcp --tcp-flags FIN,SYN,URG,PSH,RST SYN -j ACCEPT
    # Allow RST or ACK/RST
    iptables -t raw -A TCPFLAGS -p tcp --tcp-flags FIN,SYN,URG,PSH,RST RST -j ACCEPT
    # This rule catches xmas-tree and fin attacks
    iptables -t raw -A TCPFLAGS -p tcp --tcp-flags FIN FIN -j DROP
    # This rule catches xmas-tree and syn/rst attacks
    iptables -t raw -A TCPFLAGS -p tcp --tcp-flags SYN SYN -j DROP
    # This rule catches null attacks
    iptables -t raw -A TCPFLAGS -p tcp --tcp-flags ALL NONE -j DROP
    #-A TCPFLAGS -p tcp -ecn-tcp-cwr -j DROP
    # these rules catch bad ack combinations
    #-A TCPFLAGS -p tcp --tcp-flags ACK ACK -j ACC
    #iptables -t raw -A TCPFLAGS -j ACCEPT
    # So, what do we accept for tcp?
    # handshakes (ACK/FIN), (ACK/SYN), (SYN), (ACK), (RST), (ACK/RST),
    # and data packets with PSH or URG or FIN or ACK
    #
    #Log packets dropped
    iptables -A INPUT -m limit --limit 2/min -j LOG --log-prefix "IPTables-INPUT-Dropped: " --log-level 4
    iptables -A FORWARD -m limit --limit 2/min -j LOG --log-prefix "IPTables-FWD-Dropped: " --log-level 4
    iptables -A OUTPUT -m limit --limit 2/min -j LOG --log-prefix "IPTables-OUTPUT-Dropped: " --log-level 4
  • As you can see, I used iptables -I FORWARD instead of iptables -A FORWARD, because with this I can keep the rules in my filter table ordered, putting the more important rules first and then going deeper, after DROP or denying the rest. All FORWARD rules go before this line:

    iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT

Edit: I only need to make some changes to get a higher transfer rate when copying files from the VM to the outside LAN 192.168.1.0/24; I can't get more than 4Mb/s. Any advice will be appreciated!!
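To make the rule-ordering point in the answer checkable, here is an added example (not part of the answer): a Python replay of the `-A`/`-I` commands for one chain of the default filter table, following the iptables rule that `-I CHAIN N` inserts before the current rule N (1-based, default 1). The script excerpt is constructed from the FORWARD rules of the answer's second script, so the output shows where the SMB and DNS/DHCP inserts land relative to the LOG and REJECT rules.

```python
import shlex

# Constructed excerpt: the FORWARD rules of the answer's script, in script order.
SCRIPT = """
iptables -A FORWARD -o virbr32 -s 192.168.1.0/24 -d 192.168.100.0/28 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i virbr32 -s 192.168.100.0/28 -d 192.168.1.0/24 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o virbr32 -i br0 -j ACCEPT
iptables -A FORWARD -i virbr32 -s 192.168.100.0/28 -j ACCEPT
iptables -A FORWARD -i virbr32 -o virbr32 -j ACCEPT
iptables -A FORWARD -i virbr32 -j LOG --log-prefix "iptables-FORWARD-REJECT: "
iptables -A FORWARD -i virbr32 -j REJECT --reject-with icmp-port-unreachable
iptables -I FORWARD 6 -o virbr32 -i br0 -m conntrack --ctstate NEW -p tcp -d 192.168.100.12 --dport 445 -j ACCEPT
iptables -I FORWARD 7 -o virbr32 -i br0 -m conntrack --ctstate NEW -p tcp -d 192.168.100.12 --dport 139 -j ACCEPT
iptables -I FORWARD 8 -o virbr32 -i br0 -m conntrack --ctstate NEW -p tcp -m tcp -m multiport --dports 53,67 -j ACCEPT
iptables -I FORWARD 9 -i virbr32 -o br0 -m conntrack --ctstate NEW -p udp -m udp -m multiport --dports 53,67 -j ACCEPT
iptables -A FORWARD -m limit --limit 2/min -j LOG --log-prefix "IPTables-FWD-Dropped: " --log-level 4
"""

def replay(script, chain="FORWARD"):
    """Replay -A/-I commands for one filter-table chain; return the final rule list."""
    rules = []
    for line in script.splitlines():
        argv = shlex.split(line)
        # Only "iptables -A CHAIN ..." / "iptables -I CHAIN [N] ..." on the default table.
        if len(argv) < 3 or argv[0] != "iptables" or argv[2] != chain:
            continue
        op, rest = argv[1], argv[3:]
        if op == "-A":
            rules.append(" ".join(rest))
        elif op == "-I":
            pos = 1                                   # -I without a number inserts at the head
            if rest and rest[0].isdigit():
                pos, rest = int(rest[0]), rest[1:]
            if not 1 <= pos <= len(rules) + 1:        # iptables rejects an out-of-range index
                raise ValueError(f"-I {chain} {pos}: index out of range")
            rules.insert(pos - 1, " ".join(rest))
    return rules

def target_of(rule):
    """The -j target of a rule string."""
    toks = rule.split()
    return toks[toks.index("-j") + 1]

if __name__ == "__main__":
    for n, rule in enumerate(replay(SCRIPT), start=1):
        print(f"{n:2d}  {target_of(rule):7s} {rule}")
```

Each `-I FORWARD N` in the excerpt is numbered so that it lands just before the LOG rule, which shifts down by one each time; the final LOG appended at the end sits after REJECT, where only packets not already rejected or accepted reach it.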
