Re: weird iptables behaviour
- From: Clifford Kite <kite@xxxxxxxxxxxxxxxx>
- Date: Sat, 25 Nov 2006 17:38:23 -0600
Fabio <nsafve_DELETE_ME_@xxxxxx> wrote:
> Hello,
> I've got a strange problem with IP Masquerade:
> PC1 is connected to the internet and PC2 uses PC1
> as the gateway.
> From PC2 I can ping and even traceroute any URL
> (for example ping and traceroute www.wikipedia.org
> work great) but I can open very few web pages.
> I can only see these 3 sites:
> www.mozilla.org www.beppegrillo.it www.google.com
> but I can't open for example www.yahoo.com and many more.
> More than that, I can use Skype from PC2, so I absolutely
> don't have a clue about what to do.
> This is my network's diagram:
> [INTERNET]<-->(eth0)[PC1](eth1)<--->(eth0)[PC2]
> On PC1:
> eth0: 192.168.0.1 (with a cable to the modem)
> eth1: 192.168.1.1 (with a crossed cable to PC2)
> On PC2:
> eth0: 192.168.1.2 (with a crossed cable to PC1)
Try doing "ifconfig eth0 mtu 1492" on PC2.
> iptables is configured via the following script:
> -------- START SCRIPT -----------
An unusual script. I'd suggest instead,
---
#!/bin/bash
# Load the netfilter modules the rules below need (harmless if they are
# built into the kernel or already loaded).
modprobe ip_tables
modprobe ipt_state
modprobe ip_conntrack
# modprobe loads one module per invocation; a second word on the line is
# passed to the module as a parameter, not loaded as another module.
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe iptable_nat
modprobe ipt_MASQUERADE
modprobe ipt_limit
modprobe ipt_LOG
#modprobe iptable_mangle

# ppp0 is the Internet-facing interface here; use the real uplink name if it
# differs (eth0 in the diagram above).
iptables -N no-conns-from-ppp0
# Traffic belonging to a connection conntrack already knows is always fine.
iptables -A no-conns-from-ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# New connections are accepted only when they do NOT arrive from the uplink
# ("! -i" is the current spelling of the older "-i !" negation).
iptables -A no-conns-from-ppp0 -m state --state NEW ! -i ppp0 -j ACCEPT
# ICMP a working network depends on: echo-reply (0), destination-unreachable
# (3, which carries "fragmentation needed" for path-MTU discovery),
# echo-request (8) and time-exceeded (11, used by traceroute).
iptables -A no-conns-from-ppp0 -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT
iptables -A no-conns-from-ppp0 -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT
iptables -A no-conns-from-ppp0 -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A no-conns-from-ppp0 -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
# Optional MSS clamping for forwarded TCP SYNs (needs iptable_mangle);
# left commented out, as in the original.
#iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
#-j TCPMSS --clamp-mss-to-pmtu
# Log everything else (rate-limited by -m limit) and then drop it.
iptables -A no-conns-from-ppp0 -i ppp0 -m limit -j LOG --log-prefix \
"Bad packet from ppp0:"
iptables -A no-conns-from-ppp0 ! -i ppp0 -m limit -j LOG --log-prefix \
"Bad packet not from ppp0:"
iptables -A no-conns-from-ppp0 -j DROP
# Run the chain for packets addressed to this host and for forwarded packets.
iptables -A INPUT -j no-conns-from-ppp0
iptables -A FORWARD -j no-conns-from-ppp0
# Masquerade everything leaving via the uplink behind its (possibly dynamic) address.
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
---
I've used the script but without mangle table PMTU clamping (commented
out) - so no guarantee on that. Most sites should be accessible with the
PC2 MTU set to 1492 and no clamping. And if you don't need/want pings
and ping-replies then the lines with icmp-types 0 and 8 can be dropped.
The lines with the other icmp-types should remain as they are. If LOGging
becomes annoying then just truncate the lines with -m limit in them,
starting at -j LOG.
Just for the record, the core of this script was taken from one written
by Rusty Russell.
http://help.phys.unsw.edu.au/doc/HOW-TO/packet-filtering-HOWTO.txt
--
Clifford Kite
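The symptom in this thread (ping and traceroute work, most web pages stall, a few small sites load) is the classic path-MTU black hole. The model below is an added example, not code from the thread or from either poster: it assumes PC2 at MTU 1500, a PPPoE-style uplink at MTU 1492, and a sender doing path-MTU discovery with DF set. It shows why the rule accepting ICMP type 3 must stay (the "fragmentation needed" message is how the sender learns the smaller MTU), and why either setting PC2's MTU to 1492 or clamping the MSS on PC1 removes the dependency on that ICMP. In the real thread the stalled sender is the remote web server and the clamp rewrites the MSS option in PC2's SYN; the model treats the sender generically. All sizes and hop MTUs are constructed.

```python
"""Model of a path-MTU black hole (constructed example, not from the thread)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

IP_HDR = 20    # IPv4 header without options
TCP_HDR = 20   # TCP header without options
ICMP_HDR = 8   # ICMP echo header


@dataclass
class Path:
    hop_mtus: List[int]              # MTU of every link the packet crosses
    icmp_frag_needed_passes: bool    # does the firewall let ICMP type 3 through?

    @property
    def pmtu(self) -> int:
        return min(self.hop_mtus)


def ping(path: Path, payload: int = 56) -> bool:
    """An ICMP echo with the default 56-byte payload fits any sane path MTU,
    which is why ping (and traceroute) keep working during a black hole."""
    return payload + ICMP_HDR + IP_HDR <= path.pmtu


def tcp_transfer(path: Path, payload: int, local_mtu: int = 1500,
                 clamped_mss: Optional[int] = None,
                 max_retransmits: int = 5) -> Dict[str, object]:
    """Send `payload` bytes with DF set, as a TCP stack doing PMTU discovery does.

    local_mtu   - MTU of the sender's own interface (1492 models "ifconfig eth0 mtu 1492")
    clamped_mss - models TCPMSS --clamp-mss-to-pmtu on the gateway: the MSS option
                  in the SYN is rewritten, so no larger segment is ever sent
    Returns a summary; 'delivered' is False when the transfer stalls.
    """
    mss = local_mtu - IP_HDR - TCP_HDR
    if clamped_mss is not None:
        mss = min(mss, clamped_mss)
    remaining, segments, icmp_seen, retransmits = payload, 0, 0, 0
    while remaining > 0:
        seg = min(mss, remaining)
        if seg + IP_HDR + TCP_HDR <= path.pmtu:
            remaining -= seg
            segments += 1
            retransmits = 0
            continue
        # Segment too big for some hop: the router drops it. Whether the sender
        # finds out depends on the ICMP "fragmentation needed" reaching it.
        if path.icmp_frag_needed_passes:
            icmp_seen += 1
            mss = path.pmtu - IP_HDR - TCP_HDR     # PMTU discovery succeeds
        else:
            retransmits += 1                        # same size resent, same fate
            if retransmits > max_retransmits:
                return {"delivered": False, "segments": segments,
                        "icmp_seen": icmp_seen, "final_mss": mss}
    return {"delivered": True, "segments": segments,
            "icmp_seen": icmp_seen, "final_mss": mss}


if __name__ == "__main__":
    # Constructed topology: PC2 LAN (1500) -> PPPoE uplink (1492) -> server LAN (1500)
    blocked = Path([1500, 1492, 1500], icmp_frag_needed_passes=False)
    open_ = Path([1500, 1492, 1500], icmp_frag_needed_passes=True)
    print("ping works even when ICMP type 3 is blocked:", ping(blocked))
    print("20 kB page, ICMP 3 allowed:   ", tcp_transfer(open_, 20000))
    print("20 kB page, ICMP 3 blocked:   ", tcp_transfer(blocked, 20000))
    print("same, PC2 MTU set to 1492:    ", tcp_transfer(blocked, 20000, local_mtu=1492))
    print("same, MSS clamped to 1452:    ", tcp_transfer(blocked, 20000, clamped_mss=1452))
    print("small 1 kB page, ICMP blocked:", tcp_transfer(blocked, 1000))
```

The last case is why a handful of sites still load: a response that fits in segments of under 1452 bytes of payload never hits the 1492-byte link limit, so it gets through regardless of the firewall. Everything larger needs either the ICMP message, the lower MTU on PC2, or the MSS clamp.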