NAT help?

William John Murray W.J.Murray at rl.ac.uk
Mon Sep 19 09:15:41 UTC 2005


> Am So, den 18.09.2005 schrieb Murray, WJ (Bill) um 23:32:
> 
> >   Hello list,
> >             I have a small problem with my home network - maybe someone
> > could help?
> >    I have a firewall/router doing NAT, which works for machines behind
> > it 99% of the time, but some websites are inaccessible.
> > 
> >   e.g. Linuxtoday.com
> > 
> >  If I look at the ethereal logs for all interfaces on the router box,
> > and run firefox on the firewall machine itself I see an [ACK] packet
> > from port 33439 followed by a [SYN] from 33440. And then the rest
> > happens. Doing the same thing on a machine inside I see that the
> > TCP packet [ACK] first going in, as from [my-local-address] to
> > [linuxtoday.com] and then out as [my-global-address] to
> > [linuxtoday.com], both from port 35598 but no [SYN] packet is sent.  
> > It just hangs at that point.
> > 
> >    It wouldn't be too bad, but many financial WWW sites hang here.
> > konqueror hangs too, so it seems to be NAT related. My rules are simple:
> > 
> > iptables -F; iptables -t nat -F; iptables -t mangle -F
> > iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT
> > iptables -P INPUT DROP   #only if the first two are successful
> > iptables -A FORWARD -i ppp0 -o ppp0 -j REJECT
> > 
> > Plus 1 or two specific ports accepted.
> > 
> >   Can anyone see an obvious problem?
> >       Thank you,
> >               Bill
> 
> Analyzing from your above iptables rules you are very certainly shooting
> yourself in the foot. Why? Because you block ICMP. Then remote sites that
> block ICMP themselves - like linuxtoday.com - can be unreachable as
> both systems cannot communicate about the correct MTU, for instance
> (PMTU broken). So allow ICMP traffic on your ppp0 device - and I bet
> your problem is gone.
> 
> Alexander
> 
> 
 Thank you Alexander, 
              I like your answer, because I also have MTU problems with a
tunnel...but it doesn't seem to work. I reduced the rules to:

iptables -F; iptables -t nat -F; iptables -t mangle -F
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

and it didn't help.

  I realised my previous ack, syn etc were to do with using the wrong
sitename first. If I enter http://linuxtoday.com/ then almost nothing
happens inside the NAT domain. I am not sure what packets to look for.
The router itself does DNS lookup of the site first; maybe I really have
a DNS problem, because I don't see that from inside? Or maybe it is just
cached by NetworkManager ... I don't really know where to look.
           Bill
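
Added example, not part of the thread or of either poster's configuration: a minimal NAT gateway ruleset for the setup discussed above (PPP uplink with MASQUERADE) that admits the ICMP messages Path MTU Discovery depends on and, as a fallback for remote sites that filter ICMP themselves, clamps the MSS of forwarded TCP SYNs to the uplink PMTU. The uplink name ppp0 comes from the thread; the LAN interface eth0 is an assumption. The script prints the iptables commands it would run unless invoked with `apply`.

```shell
#!/bin/sh
# Added example (not from the original thread): a NAT gateway ruleset for a
# PPP uplink that keeps Path MTU Discovery working. WAN=ppp0 is from the
# thread; LAN=eth0 is an assumption. Override with environment variables.
#
#   sh nat-pmtu.sh          -> dry run, prints the iptables commands
#   sh nat-pmtu.sh apply    -> executes them (needs root)

WAN=${WAN:-ppp0}
LAN=${LAN:-eth0}

# In dry-run mode every rule is echoed instead of executed.
IPT="echo iptables"
[ "$1" = "apply" ] && IPT="iptables"

nat_rules() {
    $IPT -F
    $IPT -t nat -F
    $IPT -t mangle -F

    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE

    # Replies to our own connections, and new connections from the LAN side.
    # Current iptables puts the '!' before the option: '! -i ppp0'
    # (the 2005 syntax quoted in the thread was '-i ! ppp0').
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state NEW ! -i "$WAN" -j ACCEPT

    # ICMP messages PMTU discovery relies on. With a DROP policy and no such
    # rule, "fragmentation needed" from the path never reaches the TCP stack
    # and large segments silently vanish: the connection hangs after the
    # handshake, exactly the symptom of a PMTU black hole.
    $IPT -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

    $IPT -P INPUT DROP

    # Forwarding: LAN out to WAN, established traffic back in, and the ICMP
    # errors the hosts behind the NAT need; never hairpin WAN to WAN.
    $IPT -A FORWARD -i "$WAN" -o "$WAN" -j REJECT
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$WAN" -p icmp --icmp-type fragmentation-needed -j ACCEPT
    $IPT -P FORWARD DROP

    # Fallback for remote sites that filter ICMP: clamp the MSS of forwarded
    # SYNs to the uplink PMTU so LAN hosts never emit segments larger than
    # ppp0 can carry, and no ICMP round trip is needed at all.
    $IPT -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -o "$WAN" \
         -j TCPMSS --clamp-mss-to-pmtu
}

# Diagnostic: a don't-fragment ping with a chosen payload. If 1472 bytes
# (a 1500-byte MTU) fails while a smaller size works, the path MTU is lower
# than the host believes and "fragmentation needed" is not getting through.
# Needs network access; not exercised by the self-test.
pmtu_probe() {
    ping -c 1 -M do -s "${2:-1472}" "$1"
}

nat_rules
```

The dry run is useful on its own: diff its output against `iptables-save` on the gateway to see which of the ICMP or MSS-clamping rules are missing. The `TCPMSS --clamp-mss-to-pmtu` target reads the PMTU from the outgoing interface's route, so it needs no fixed MSS value and adapts if the PPP link's MTU changes.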
