NAT help?

Alexander Dalloz ad+lists at uni-x.org
Mon Sep 19 12:47:02 UTC 2005


On Mon, 19.09.2005 at 11:15, William John Murray wrote:

>  Thank you Alexander, 
>               I like your answer, because I also have MTU problems with a
> tunnel...but it doesn't seem to work. I reduced the rules to:
> 
> iptables -F; iptables -t nat -F; iptables -t mangle -F
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> 
> and it didn't help.
> 
>   I realised my previous ack, syn etc were to do with using the wrong
> sitename first. If I enter http://linuxtoday.com/ then almost nothing
> happens inside the NAT domain. I am not sure what packets to look for.
> The router itself does DNS lookup of the site first; maybe I really have
> a DNS problem, because I don't see that from inside? Or maybe it is just
> cached by NetworkManager ... I don't really know where to look.
>            Bill

If you think the problem is at least partly DNS related, then test
following:

$ host linuxtoday.com
linuxtoday.com has address 63.236.73.20

Does the "host" command work both on the NAT gateway as well on NATed
clients? If yes, then DNS is working properly. If not (gateway works,
client not), then check the network settings on the client side. The
client has to know about DNS servers. That may be either those of your
ISP or, if you run your own on your NAT gateway (caching-nameserver for
example) it can be that one. Do a cross check by entering

http://63.236.73.20/

in your browser. You should see the linuxtoday.com page. If not,
then the problem is somewhere else. You said you have MTU problems? If
you are aDSL connected that is a more or less common problem. If unsure
about the correct MTU size please ask your ISP. And running a NAT
gateway makes it necessary to lower the MSS. iptables has commands
for that: keyword is "mss clamping":

http://iptables-tutorial.frozentux.net/chunkyhtml/x4700.html

On the other hand you can alternatively instruct the rp-pppoe to do
that.

CLAMPMSS=1452

in ifcfg-ppp0 will cause rp-pppoe to set the MSS to 1452. This is 40
bytes less than the MTU (max. PPPoE MTU size is 1492 - some ISPs run a
setup which requires a smaller value of MTU and MSS). If the other side
(i.e. target websites) have a nasty setup which prevents full PMTU
detection, then a wrong setup on your side can cause what you face. Many
pages are accessible, others not. Hope that helps a bit.

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.35_FC2smp 
Serendipity 14:33:00 up 19:43, 18 users, 0.04, 0.73, 1.46 
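The checks Alexander walks through above (resolve the name with host on the gateway and on a NATed client, fetch the page by IP to take DNS out of the picture, then clamp the MSS on the PPPoE link) as one small diagnostic script. This is an added example, not code from the thread or from rp-pppoe; it assumes the PPPoE interface is ppp0, that host(1) and curl(1) are installed wherever the live checks run, and the host(1) output line used for the offline parsing check is constructed in the shape quoted in the message.

```shell
#!/bin/sh
# Added example (not part of the original thread): each step of the
# DNS-vs-MTU diagnosis as a function, so the result of every step is visible.
# Assumptions: PPPoE link is ppp0; host(1)/curl(1) exist where live checks run.

# Constructed sample of host(1) output, in the shape quoted in the thread,
# used for the offline parsing check.
SAMPLE_HOST_OUTPUT="linuxtoday.com has address 63.236.73.20"

# Extract the first IPv4 address from host(1) output ("NAME has address A.B.C.D").
parse_host_address() {
    printf '%s\n' "$1" | awk '$2 == "has" && $3 == "address" { print $4; exit }'
}

# MSS = MTU minus 40 bytes (20-byte IPv4 header + 20-byte TCP header).
# For the 1492-byte PPPoE MTU this gives the CLAMPMSS=1452 value from the thread.
mss_for_mtu() {
    [ "$1" -gt 40 ] 2>/dev/null || return 1
    echo $(($1 - 40))
}

# iptables rule that rewrites the MSS option of forwarded TCP SYNs leaving the
# PPPoE link to the discovered path MTU (the usual "mss clamping" rule).
clamp_rule_pmtu() {
    echo "iptables -t mangle -A FORWARD -o ${1:-ppp0} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"
}

# Same rule with a fixed MSS derived from the link MTU, the iptables
# equivalent of rp-pppoe's CLAMPMSS setting.
clamp_rule_fixed() {
    mss=$(mss_for_mtu "$1") || return 1
    echo "iptables -t mangle -A FORWARD -o ${2:-ppp0} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss"
}

# Live check 1: does this box resolve the name? Run it on the gateway AND on a
# NATed client; if only the gateway succeeds, the client's resolver config is wrong.
dns_check() {
    out=$(host "$1" 2>/dev/null) || return 1
    parse_host_address "$out"
}

# Live check 2: fetch the page by IP, bypassing DNS. A 2xx/3xx here while the
# name-based request hangs points at DNS; a hang here as well points at MTU/MSS.
ip_check() {
    curl -sS --max-time 10 -o /dev/null -w '%{http_code}' "http://$1/"
}

diagnose() {
    name="$1"
    if addr=$(dns_check "$name"); then
        echo "DNS ok: $name -> $addr"
        code=$(ip_check "$addr") || code="none"
        echo "HTTP by IP: $code"
    else
        echo "DNS FAILED for $name on $(hostname): check the resolver settings on this host"
    fi
    echo "MSS clamping rules to try on the gateway:"
    clamp_rule_pmtu ppp0
    clamp_rule_fixed 1492 ppp0
}

# Live checks run only when a hostname is given, e.g.: sh nat-diag.sh linuxtoday.com
if [ "$#" -gt 0 ]; then
    diagnose "$1"
fi
```

Run it once on the gateway and once on a client behind the NAT; the pair of results tells you which of the two problems in the message (client resolver settings or a too-large MSS on the PPPoE link) you are actually looking at. The --clamp-mss-to-pmtu form is preferable when the link MTU is not known for certain, since it follows whatever path MTU the kernel discovers.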