Re: weird iptables behaviour



On Fri, 24 Nov 2006 13:13:16 +1100, Grant wrote:

On 24 Nov 2006 00:48:55 GMT, Fabio <nsafve_DELETE_ME_@xxxxxx> wrote:

I've got a strange problem with IP Masquerade:
PC1 is connected to internet and PC2 uses PC1
as the gateway.
From PC2 I can ping and even traceroute any URL
(for example ping and traceroute www.wikipedia.org
work great), but I can open very few web pages.
I can only see these 3 sites:
www.mozilla.org www.beppegrillo.it www.google.com
but I can't open, for example, www.yahoo.com and many more.
More than that, I can use Skype from PC2, so I absolutely
don't have a clue about what to do.

Would it be you're not clamping MTU? I have ('egress' is called from
FORWARD chain, MAX_MSS="1380" here):

# clamp MTU for new TCP connections to world
if [ -n "$MAX_MSS" ]
then
iptables -A egress -p tcp --tcp-flags SYN,RST SYN \
-j TCPMSS --set-mss $MAX_MSS
else
iptables -A egress -p tcp --tcp-flags SYN,RST SYN \
-j TCPMSS --clamp-mss-to-pmtu
fi

Grant.
Thank you for your help Grant,
I've created a new chain called "egress" with iptables -N egress, then
I've added the clamp part to my script and added
the option -v to iptables, and now I get:

root@darkstar:~# sh condivis
MASQUERADE all opt -- in * out ppp0 0.0.0.0/0 -> 0.0.0.0/0
ACCEPT all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all opt -- in * out * 192.168.1.0/24 -> 0.0.0.0/0
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
TCPMSS tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS set 1380
root@darkstar:~#

Anyway I get the same problem:
ping everything, see few pages.
I've tried setting the MTU values of the eth devices to 1380
and the value of ppp0 (in /etc/ppp/options) to 1412
(1412 is suggested by pppoe-setup), but I didn't resolve
the problem; I really don't know what to do.
Thank you for your help,
Fabio

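The symptom in this thread (small ICMP and traceroute packets get through, but only a few web sites load) is the classic path-MTU black hole behind a PPPoE link: the remote server sends full 1460-byte segments that do not fit in the 1492-byte (or, here, 1412-byte) PPP MTU, and the ICMP "fragmentation needed" messages that would tell it to shrink them are filtered somewhere. Grant's TCPMSS rule works around that by rewriting the MSS option in every SYN and SYN/ACK that crosses the gateway, so both ends agree on segments that fit. Two things are worth checking on Fabio's side: the `-v` output above shows the TCPMSS rule being added, but no rule jumping from FORWARD into `egress` (Grant notes that his `egress` chain is called from FORWARD); without that jump the clamp is never hit, which `iptables -L egress -v -n` would show as a rule with zero packet counters. The following Python is an added illustration of what the TCPMSS target does to a packet, written for this page and not taken from netfilter or from either poster; the SYN it operates on is constructed inline, and the addresses 192.168.1.10 and 203.0.113.5 and the ports are made up for the example.

```python
import struct
from typing import Optional, Tuple

# Constructed sample endpoints: PC2 on the LAN and a documentation-range "web server".
SRC_IP = bytes([192, 168, 1, 10])
DST_IP = bytes([203, 0, 113, 5])

def clamped_mss(link_mtu: int, ipv6: bool = False) -> int:
    """MSS that makes one TCP segment fit the link MTU: MTU minus the IP and TCP
    headers (20+20 for IPv4, 40+20 for IPv6). This is what --clamp-mss-to-pmtu derives."""
    return link_mtu - (60 if ipv6 else 40)

def _checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tcp_checksum(packet: bytes) -> int:
    """Checksum of the TCP segment in an IPv4 packet, pseudo-header included.
    Returns 0 when the checksum field already in the packet is correct."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    pseudo = packet[12:16] + packet[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return _checksum(pseudo + tcp)

def build_syn(mss: int, flags: int = 0x02) -> bytes:
    """Constructed IPv4/TCP packet with a single MSS option (kind 2, length 4)."""
    opts = struct.pack("!BBH", 2, 4, mss)
    data_offset = (5 + len(opts) // 4) << 4          # header length in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, data_offset, flags, 5840, 0, 0) + opts
    pseudo = SRC_IP + DST_IP + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", _checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, SRC_IP, DST_IP)
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    return ip + tcp

def _mss_offset(pkt: bytes) -> Optional[int]:
    """Byte offset of the 16-bit MSS value in the TCP options, or None if absent."""
    ihl = (pkt[0] & 0x0F) * 4
    end = ihl + (pkt[ihl + 12] >> 4) * 4
    i = ihl + 20
    while i < end:
        kind = pkt[i]
        if kind == 0:                 # end of option list
            break
        if kind == 1:                 # NOP padding
            i += 1
            continue
        if i + 1 >= end or pkt[i + 1] < 2:
            break                     # truncated or malformed option: stop, never loop
        if kind == 2 and pkt[i + 1] == 4:
            return i + 2
        i += pkt[i + 1]
    return None

def read_mss(pkt: bytes) -> Optional[int]:
    off = _mss_offset(pkt)
    return None if off is None else struct.unpack("!H", pkt[off:off + 2])[0]

def clamp_syn_mss(packet: bytes, max_mss: int) -> Tuple[bytes, bool]:
    """Emulate `-p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss MAX_MSS`.
    Returns (possibly rewritten packet, whether it was changed)."""
    if packet[9] != 6:                                # not TCP
        return packet, False
    ihl = (packet[0] & 0x0F) * 4
    flags = packet[ihl + 13]
    if flags & 0x06 != 0x02:                          # the flags:0x06/0x02 match: SYN set, RST clear
        return packet, False
    off = _mss_offset(packet)
    if off is None:
        return packet, False                          # the kernel target inserts an option here; omitted
    if struct.unpack("!H", packet[off:off + 2])[0] <= max_mss:
        return packet, False                          # already small enough
    pkt = bytearray(packet)
    pkt[off:off + 2] = struct.pack("!H", max_mss)
    pkt[ihl + 16:ihl + 18] = b"\x00\x00"               # zero the TCP checksum, then recompute it
    pkt[ihl + 16:ihl + 18] = struct.pack("!H", tcp_checksum(bytes(pkt)))
    return bytes(pkt), True

if __name__ == "__main__":
    for mtu in (1500, 1492, 1412):
        print(f"link MTU {mtu}: clamp MSS to {clamped_mss(mtu)}")
    syn = build_syn(1460)                             # what an Ethernet host advertises
    out, changed = clamp_syn_mss(syn, 1380)
    print(f"MSS {read_mss(syn)} -> {read_mss(out)} (changed={changed}, checksum ok={tcp_checksum(out) == 0})")
```

The SYN/ACK from the remote server is clamped by the same rule (it has SYN set and RST clear), which is why one rule in a chain traversed in both directions covers both ends of the connection; a pure RST or RST/SYN is left alone. With Fabio's ppp0 MTU of 1412 the derived MSS would be 1372, lower than Grant's hard-coded 1380, so `--clamp-mss-to-pmtu` is the safer choice when the link MTU is not the usual 1492.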

