> On Sun, 18.09.2005 at 23:32, Murray, WJ (Bill) wrote:
> >
> > Hello list,
> > I have a small problem with my home network - maybe someone
> > could help?
> > I have a firewall/router doing NAT, which works for machines behind
> > it 99% of the time, but some websites are inaccessible.
> >
> > e.g. Linuxtoday.com
> >
> > If I look at the ethereal logs for all interfaces on the router box,
> > and run firefox on the firewall machine itself I see an [ACK] packet
> > from port 33439 followed by a [SYN] from 33440. And then the rest
> > happens. Doing the same thing on a machine inside I see
> > the TCP packet [ACK] first going in, as from [my-local-address] to
> > [linuxtoday.com] and then out as [my-global-address] to
> > [linuxtoday.com], both from port 35598, but no [SYN] packet is sent.
> > It just hangs at that point.
> >
> > It wouldn't be too bad, but many financial WWW sites hang here.
> > konqueror hangs too, so it seems to be NAT related. My rules are simple:
> >
> > iptables -F; iptables -t nat -F; iptables -t mangle -F
> > iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT
> > iptables -P INPUT DROP #only if the first two are successful
> > iptables -A FORWARD -i ppp0 -o ppp0 -j REJECT
> >
> > Plus one or two specific ports accepted.
> >
> > Can anyone see an obvious problem?
> > Thank you,
> > Bill
>
> Analyzing your iptables rules above, you are quite certainly shooting
> yourself in the foot. Why? Because you block ICMP. Then remote sites that
> block ICMP on their own side - like linuxtoday.com - can be unreachable, as
> the two systems cannot communicate about the correct MTU, for instance
> (PMTU broken). So allow ICMP traffic on your ppp0 device - and I bet
> your problem is gone.
>
> Alexander

Thank you Alexander,
I like your answer, because I also have MTU problems with a tunnel... but it doesn't seem to work.

I reduced the rules to:

iptables -F; iptables -t nat -F; iptables -t mangle -F
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

and it didn't help. I realised my previous ack, syn etc. were to do with using the wrong sitename first. If I enter http://linuxtoday.com/ then almost nothing happens inside the NAT domain. I am not sure what packets to look for. The router itself does the DNS lookup of the site first; maybe I really have a DNS problem, because I don't see that from inside? Or maybe it is just cached by NetworkManager... I don't really know where to look.

Bill
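The ruleset below is an added example and not code posted by either participant in the thread. It takes Alexander's point (keep ICMP flowing on ppp0 so Path MTU discovery works) and adds the fallback a practitioner would want when the remote site drops ICMP anyway: clamping the TCP MSS on forwarded SYNs so the payload always fits the path MTU. Two caveats on Bill's original rules: conntrack already classifies ICMP errors for a tracked flow as RELATED, so the ESTABLISHED,RELATED rule lets most fragmentation-needed messages in, and the FORWARD chain had a default ACCEPT policy; the version here closes that to least privilege. It assumes the uplink is ppp0 (override with WAN=...) and an iptables that accepts the newer `! -i` negation form rather than the `-i !` form in the post. Run it without arguments for a dry run that prints the rules; `--apply` as root installs them.

```shell
#!/bin/sh
# Added example, not code from the thread: a MASQUERADE ruleset for a ppp0
# uplink that (a) lets the ICMP "fragmentation needed" messages Path MTU
# discovery depends on reach the router, and (b) clamps TCP MSS on forwarded
# SYNs so that a remote site which drops ICMP still cannot blackhole the
# connection. Assumes the uplink is ppp0 (override with WAN=...) and an
# iptables that accepts the "! -i" negation form.
WAN="${WAN:-ppp0}"

# Emit the ruleset, one iptables command per line, without applying it.
nat_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
# Replies and ICMP errors belonging to tracked connections (conntrack marks
# an ICMP error for a known flow as RELATED).
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT ! -i $WAN -m state --state NEW -j ACCEPT
# PMTU discovery: the remote's "fragmentation needed" (type 3, code 4) must
# get in even when conntrack cannot tie it to a flow; rate-limit echo requests.
iptables -A INPUT -i $WAN -p icmp --icmp-type fragmentation-needed -j ACCEPT
iptables -A INPUT -i $WAN -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
iptables -P INPUT DROP
# Forwarding: the LAN may initiate outwards; only return traffic comes back in.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD ! -i $WAN -o $WAN -j ACCEPT
iptables -P FORWARD DROP
# MSS clamping: rewrite the MSS option on every forwarded SYN to fit the
# path MTU, so a blackholed PMTU discovery no longer stalls the connection.
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
EOF
}

# Check whether a given payload size passes to a host without fragmentation:
# one ping with DF set (Linux iputils "-M do"); returns 0 if it got through.
# Needs network access, so it is not exercised by the self-test.
pmtu_ok() {
    ping -c 1 -W 2 -M do -s "$2" "$1" >/dev/null 2>&1
}

case "${1:-}" in
    --apply) nat_rules | sh -e ;;   # install the rules (run as root)
    *)       nat_rules ;;           # dry run: print what would be applied
esac
```

To confirm the diagnosis from inside the NAT, probe the path with `pmtu_ok linuxtoday.com 1472` (a full 1500-byte frame) and then with smaller sizes such as 1452 (the 1492-byte MTU of a typical PPPoE uplink, given as an assumed value); if large probes fail silently while small ones pass and no fragmentation-needed reply is ever seen in ethereal on ppp0, the path is blackholing PMTU and the MSS clamp is what makes the site load.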