* Masquerading problems (fix)
@ 2002-07-03  6:13 David Gaston Rodriguez
  2002-07-03  9:23 ` Antony Stone
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: David Gaston Rodriguez @ 2002-07-03  6:13 UTC
  To: netfilter

Sorry! I wrote it badly. Here is the correction:
Hi! I am new to the list. I am from Argentina, and this is my problem:
I have a small LAN with a server doing masquerading. I used kernel 2.2.20 and
did not have any problem. Now I decided to use kernel 2.4.18 and set up iptables
to do the masquerading, but now there are web pages which I can NOT enter from
workstations, for example www.mixmail.com or www.yahoo.com, while from the server
I can enter these pages. I am using 2 interfaces, eth0: external, eth1: internal; the
external interface is connected to an ADSL modem (PPPoE).
Any idea what my problem could be?
Thanks!!




* Re: Masquerading problems (fix)
From: Antony Stone @ 2002-07-03  9:23 UTC
  To: netfilter

On Wednesday 03 July 2002 7:13 am, David Gaston Rodriguez wrote:

> Sorry! I wrote it badly. Here is the correction:
> Hi! I am new to the list. I am from Argentina, and this is my problem:
> I have a small LAN with a server doing masquerading. I used kernel
> 2.2.20 and did not have any problem. Now I decided to use kernel
> 2.4.18 and set up iptables to do the masquerading, but now there are web
> pages which I can NOT enter from workstations, for example
> www.mixmail.com or www.yahoo.com, while from the server I can enter these
> pages. I am using 2 interfaces, eth0: external, eth1: internal; the external
> interface is connected to an ADSL modem (PPPoE).
> Any idea what my problem could be?
> Thanks!!

I have two suggestions for this problem:

1. Do you have a rule allowing ESTABLISHED and RELATED packets from the
remote server back to the workstations (possibly some ICMP stuff such as
fragmentation)?

2. Check the MTU on your PPPoE and eth1 - I've heard about people using PPPoE
having a problem with different MTUs on either side of the firewall - I think
the solution was to clamp the larger one down to be the same value as the
smaller one?  Maybe someone else who uses PPPoE or knows more about
this problem can be more specific?

Hope this helps,

 

Antony.



* Re: Masquerading problems (fix)
From: Jörgen Danielsson @ 2002-07-03 16:02 UTC
  To: davidgr, netfilter

This is how I have it

### Allow masquerading for internal boxes ###
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

### Make sure mtu is never changed 
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu


Had the same problem as you earlier, that fixed the
prob.

/Jörgen

--- David Gaston Rodriguez <davidgr@interlap.com.ar>
wrote:
> Sorry! I wrote it badly. Here is the correction:
> Hi! I am new to the list. I am from Argentina, and this
> is my problem:
> I have a small LAN with a server doing masquerading.
> I used kernel 2.2.20 and
> did not have any problem. Now I decided to use
> kernel 2.4.18 and set up iptables
> to do the masquerading, but now there are web
> pages which I can NOT enter from
> workstations, for example www.mixmail.com or
> www.yahoo.com, while from the server
> I can enter these pages. I am using 2 interfaces,
> eth0: external, eth1: internal; the
> external interface is connected to an ADSL modem (PPPoE).
> Any idea what my problem could be?
> Thanks!!
> 
> 



* Re: Masquerading problems (fix)
From: David Gaston Rodriguez @ 2002-07-03 22:51 UTC
  To: netfilter

Thanks to all!! I was already able to solve the problem using the line:
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu


-- 

---------------------------------
DAVID GASTÓN RODRIGUEZ
Linux Tucumán
Nick: [[D4V|D]]
---------------------------------
Email:  davidgr@interlap.com.ar
        david_80gr@hotmail.com
ICQ: 81492566
MSN Messenger: david_80gr
---------------------------------
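
What the TCPMSS rule in this thread does to a forwarded SYN, as an added example that is not part of the original messages: it parses the TCP options and lowers the advertised MSS to path MTU minus 40 bytes (IPv4 + TCP headers). The 1492-byte PPPoE MTU, the helper names and the sample segment are assumptions constructed for illustration; the checksum update the kernel performs is omitted.

```python
import struct

IPV4_HDR, TCP_HDR = 20, 20            # header sizes without IP/TCP options
OPT_EOL, OPT_NOP, OPT_MSS = 0, 1, 2   # TCP option kinds
PPPOE_MTU = 1492                      # assumed: 1500 minus 8 bytes PPPoE/PPP overhead

def build_syn(mss):
    """Constructed sample SYN: NOP, window-scale and MSS options (28-byte header)."""
    hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 7 << 4, 0x02, 64240, 0, 0)
    opts = bytes([OPT_NOP, 3, 3, 7]) + struct.pack("!BBH", OPT_MSS, 4, mss)
    return hdr + opts

def clamp_mss(segment, path_mtu):
    """Return (segment, advertised_mss, clamped_mss); non-SYN segments pass unchanged."""
    if len(segment) < TCP_HDR:
        raise ValueError("short TCP header")
    if not segment[13] & 0x02:                    # MSS is only negotiated on SYN
        return segment, None, None
    data_offset = (segment[12] >> 4) * 4
    if data_offset < TCP_HDR or data_offset > len(segment):
        raise ValueError("bad TCP data offset")
    limit = path_mtu - IPV4_HDR - TCP_HDR
    seg = bytearray(segment)
    i = TCP_HDR
    while i < data_offset:
        kind = seg[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:                       # single-byte padding option
            i += 1
            continue
        if i + 1 >= data_offset:
            raise ValueError("truncated option")
        length = seg[i + 1]
        if length < 2 or i + length > data_offset:
            raise ValueError("bad option length")
        if kind == OPT_MSS and length == 4:
            (mss,) = struct.unpack_from("!H", seg, i + 2)
            new = min(mss, limit)                 # never raise the MSS, only lower it
            struct.pack_into("!H", seg, i + 2, new)
            return bytes(seg), mss, new
        i += length
    return segment, None, None

if __name__ == "__main__":
    # Workstation behind eth1 (MTU 1500) advertises 1460; the gateway's own
    # SYNs leave via the PPPoE link and already advertise 1452.
    for mss in (1460, 1452):
        _, old, new = clamp_mss(build_syn(mss), PPPOE_MTU)
        print(f"advertised MSS {old} -> forwarded MSS {new}")
```

A SYN that already advertises 1452 passes through unchanged, which matches the symptom in the thread: connections from the server itself worked, while connections from the workstations advertising 1460 stalled until the clamp rule was added.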


