* Re: Strange problem with iptables IP Masq
2002-09-16 21:02 Strange problem with iptables IP Masq Lior Hammer
@ 2002-09-16 11:23 ` Cedric Blancher
2002-09-16 23:38 ` Lior Hammer
2002-09-16 23:38 ` Lior Hammer
2002-09-16 11:25 ` dizma
1 sibling, 2 replies; 5+ messages in thread
From: Cedric Blancher @ 2002-09-16 11:23 UTC (permalink / raw)
To: Lior Hammer; +Cc: netfilter
On Mon 16/09/2002 at 23:02, Lior Hammer wrote:
> I'm using the IP Masq script from the IP masq howto from TLDP.
> The connection sharing is fine except for one thing:
> in some of the sites (for example: http://httpd.apache.org or DynDNS.org
> members area) my browser keeps searching and searching without any result
> (or other response) or it just prints a few lines and that's it.
> I thought it's a problem with my browser, so I tried to get the page
> directly with telnet.
> I got the HTTP headers, and the first lines, and that's it, it didn't
> disconnect or something, just waited.
> Everything is OK when I'm trying to get this page directly with lynx from
> the computer that shares the connection.

Are you connected via an ADSL line using PPPoE?

If so, you have to lower TCP MSS for forwarded packets down to 1452 (MTU
1492) to avoid problems when PMTU discovery is broken. This can be done
directly on pppoed using the -m switch:

    pppoe -I eth0 -T 80 -m 1452

Or this can be done using the Netfilter mangle table:

    iptables -t mangle -A FORWARD -o ppp0 -p tcp --syn \
        -j TCPMSS --clamp-mss-to-pmtu

If not, forwarded hosts will export a 1460 TCP MSS (MTU 1500). Big
replies will be too big and lost.

--
Cédric Blancher
Systems and network security consultant - Cartel Sécurité
Tel: +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
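
What the MSS clamp described in the reply above does to a forwarded SYN, as an added example that is not part of the original thread and is not Netfilter's code: it lowers the MSS option to path MTU minus 40 and patches the TCP checksum incrementally (RFC 1624). The helper names, ports and addresses are constructed for illustration.

```python
import struct

IP_TCP_OVERHEAD = 40  # 20-byte IPv4 header + 20-byte TCP header, no options

def fold(total):  # fold carries back into a 16-bit one's-complement sum
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src, dst, seg):
    """Full TCP checksum over the IPv4 pseudo-header plus the segment."""
    data = src + dst + struct.pack("!BBH", 0, 6, len(seg)) + bytes(seg)
    data += b"\x00" * (len(data) % 2)
    return ~fold(sum(struct.unpack("!%dH" % (len(data) // 2), data))) & 0xFFFF

def build_syn(src, dst, mss):
    """Constructed sample: bare TCP SYN (port 40000 -> 80) with one MSS option."""
    seg = bytearray(struct.pack("!HHIIHHHH", 40000, 80, 1, 0,
                                (6 << 12) | 0x002, 65535, 0, 0))
    seg += struct.pack("!BBH", 2, 4, mss)  # kind 2, length 4, value
    struct.pack_into("!H", seg, 16, tcp_checksum(src, dst, seg))
    return seg

def clamp_mss(seg, path_mtu):
    """Lower (never raise) a SYN's MSS to path_mtu - 40; (old, new) or None."""
    off_flags = struct.unpack_from("!H", seg, 12)[0]
    if not off_flags & 0x002:
        return None  # only SYN and SYN-ACK segments carry the MSS option
    i, end = 20, min((off_flags >> 12) * 4, len(seg))
    while i < end and seg[i] != 0:  # kind 0 ends the option list
        if seg[i] == 1:  # kind 1 is a one-byte NOP
            i += 1
            continue
        if i + 1 >= end or seg[i + 1] < 2 or i + seg[i + 1] > end:
            return None  # malformed option: leave the segment untouched
        if seg[i] == 2 and seg[i + 1] == 4:
            old = struct.unpack_from("!H", seg, i + 2)[0]
            new = min(old, path_mtu - IP_TCP_OVERHEAD)
            struct.pack_into("!H", seg, i + 2, new)
            m, m2 = old, new
            if (i + 2) % 2:  # odd offset: the value straddles two checksum words
                m, m2 = (m >> 8 | m << 8) & 0xFFFF, (m2 >> 8 | m2 << 8) & 0xFFFF
            # RFC 1624 incremental update: HC' = ~(~HC + ~m + m')
            hc = struct.unpack_from("!H", seg, 16)[0]
            hc = ~fold((~hc & 0xFFFF) + (~m & 0xFFFF) + m2) & 0xFFFF
            struct.pack_into("!H", seg, 16, hc)
            return old, new
        i += seg[i + 1]
    return None
```

With a path MTU of 1492, a SYN advertising 1460 leaves the gateway advertising 1452, so the remote server never sends a segment that needs fragmenting on the tunnelled link.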
* Re: Strange problem with iptables IP Masq
2002-09-16 21:02 Strange problem with iptables IP Masq Lior Hammer
2002-09-16 11:23 ` Cedric Blancher
@ 2002-09-16 11:25 ` dizma
1 sibling, 0 replies; 5+ messages in thread
From: dizma @ 2002-09-16 11:25 UTC (permalink / raw)
To: netfilter
I think that the problem should be in the DNS resolving not in the iptables
rules.
NN
----- Original Message -----
From: "Lior Hammer" <lior@typo.co.il>
To: <netfilter@lists.netfilter.org>
Sent: Tuesday, September 17, 2002 12:02 AM
Subject: Strange problem with iptables IP Masq
> Hello,
> I'm using the IP Masq script from the IP masq howto from TLDP.
> The connection sharing is fine except for one thing:
> in some of the sites (for example: http://httpd.apache.org or DynDNS.org
> members area) my browser keeps searching and searching without any result
> (or other response) or it just prints a few lines and that's it.
> I thought it's a problem with my browser, so I tried to get the page
> directly with telnet.
> I got the HTTP headers, and the first lines, and that's it, it didn't
> disconnect or something, just waited.
> Everything is OK when I'm trying to get this page directly with lynx from
> the computer that shares the connection.
>
> Thank you very much for your help,
> Lior.
>
>
* Strange problem with iptables IP Masq
@ 2002-09-16 21:02 Lior Hammer
2002-09-16 11:23 ` Cedric Blancher
2002-09-16 11:25 ` dizma
0 siblings, 2 replies; 5+ messages in thread
From: Lior Hammer @ 2002-09-16 21:02 UTC (permalink / raw)
To: netfilter
Hello,
I'm using the IP Masq script from the IP masq howto from TLDP.
The connection sharing is fine except for one thing:
in some of the sites (for example: http://httpd.apache.org or DynDNS.org
members area) my browser keeps searching and searching without any result
(or other response) or it just prints a few lines and that's it.
I thought it's a problem with my browser, so I tried to get the page
directly with telnet.
I got the HTTP headers, and the first lines, and that's it, it didn't
disconnect or something, just waited.
Everything is OK when I'm trying to get this page directly with lynx from
the computer that shares the connection.
Thank you very much for your help,
Lior.
* Re: Strange problem with iptables IP Masq
2002-09-16 11:23 ` Cedric Blancher
@ 2002-09-16 23:38 ` Lior Hammer
2002-09-16 23:38 ` Lior Hammer
1 sibling, 0 replies; 5+ messages in thread
From: Lior Hammer @ 2002-09-16 23:38 UTC (permalink / raw)
To: Cedric Blancher; +Cc: netfilter
Thank you very much, it's working!
I have a PPTP ADSL connection, but it's working now!
Thank you,
Lior.
----- Original Message -----
From: "Cedric Blancher" <blancher@cartel-securite.fr>
To: "Lior Hammer" <lior@typo.co.il>
Cc: <netfilter@lists.netfilter.org>
Sent: Monday, September 16, 2002 4:23 AM
Subject: Re: Strange problem with iptables IP Masq
> On Mon 16/09/2002 at 23:02, Lior Hammer wrote:
> > I'm using the IP Masq script from the IP masq howto from TLDP.
> > The connection sharing is fine except for one thing:
> > in some of the sites (for example: http://httpd.apache.org or DynDNS.org
> > members area) my browser keeps searching and searching without any result
> > (or other response) or it just prints a few lines and that's it.
> > I thought it's a problem with my browser, so I tried to get the page
> > directly with telnet.
> > I got the HTTP headers, and the first lines, and that's it, it didn't
> > disconnect or something, just waited.
> > Everything is OK when I'm trying to get this page directly with lynx from
> > the computer that shares the connection.
>
> Are you connected via an ADSL line using PPPoE?
>
> If so, you have to lower TCP MSS for forwarded packets down to 1452 (MTU
> 1492) to avoid problems when PMTU discovery is broken. This can be done
> directly on pppoed using the -m switch:
>
>     pppoe -I eth0 -T 80 -m 1452
>
> Or this can be done using the Netfilter mangle table:
>
>     iptables -t mangle -A FORWARD -o ppp0 -p tcp --syn \
>         -j TCPMSS --clamp-mss-to-pmtu
>
> If not, forwarded hosts will export a 1460 TCP MSS (MTU 1500). Big
> replies will be too big and lost.
>
> --
> Cédric Blancher
> Systems and network security consultant - Cartel Sécurité
> Tel: +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
> PGP KeyID:157E98EE FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
>