* Weird routing problem?
From: Terry Hancock @ 2004-12-01 10:18 UTC
To: netfilter
Hi,
I have set up a Debian Woody system as a dialup gateway
system using iptables. This mostly works, but for a fairly
large number of internet sites, I get hang-ups when trying
to access them from the client machines on my LAN. (Not sure
about the statistics, but it's enough that it could be, for
example, any site running IIS or some other lesser-used HTTP server).
For example, if I use a simple console web-browser like
w3m, I can access:
w3m http://www.poalo.com
from the console of my router, BUT the same command from
the console of a client machine on the LAN results in no
reply! Further investigation by telnetting to port 80 on
that server shows me that I can send an HTTP "GET" command,
and get a response from the router console, but no response
comes on the client machine.
I first noticed this with just the one site above, so I
spoke to their support, and after much run-around, got the
answer that their logs didn't show anything unusual when I
accessed their site. So I'm assuming that a response was
sent, but my router dropped it for some reason.
Unfortunately, I have no idea why it would do that, and I
don't know what to do to troubleshoot.
Now, I have extremely simple iptables rules on the router:
% iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID,NEW
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID,NEW
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
%
and even when the firewall rules are "wide-open" I still
see this problem. The masquerading is set up via the following
script:
# Bring networks down and up to make sure connections are working
# correctly (the ethernet card doesn't register on startup for
# unknown reasons).
ifdown -a
modprobe iptable_nat
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
iptables -F INPUT
iptables -F FORWARD
iptables -A INPUT -i ppp0 -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i ppp0 -m state --state NEW,INVALID -j DROP
ifup -a
echo 1 > /proc/sys/net/ipv4/ip_forward
# Dial-in to my local ISP
wvdial --chat Cleburne
#
which is virtually verbatim from the NAT HOWTO, IIRC.
Why would this system be dropping packets?
Maybe the packets are malformed somehow?
"Fragments"?
Why only from certain web servers?
e.g.:
http://www.tera-byte.com
http://www.poalo.com
http://www.paypal.com
How can I verify what is and is not being dropped?
Some details:
Gateway is a Debian Woody (=3.0) system with the Linux 2.4.18-bf2.4
stock kernel, running on a laptop with ethernet and modem installed
via PCMCIA cards.
On the dialup gateway:
% route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
thing.spyderinc * 255.255.255.255 UH 0 0 0 ppp0
192.168.71.0 * 255.255.255.0 U 0 0 0 eth0
default thing.spyderinc 0.0.0.0 UG 0 0 0 ppp0
%
On the client machine on the LAN:
samwise:/# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
localnet * 255.255.255.0 U 0 0 0 eth0
default deagol 0.0.0.0 UG 0 0 0 eth0
samwise:/#
Like I said, it's a relatively small number of sites that tickle
this bug, but some of them are sites I very much need to be able
to use. These sites worked fine from the same client machine
when I was connected via a firewall appliance to a fixed-IP
DSL service and I've tested the same sites with w3m on both
the client machine and the gateway console. So, I'm pretty
confident it's not a browser problem.
Any advice on how to proceed would be greatly appreciated, thanks!
Terry
--
Terry Hancock ( hancock at anansispaceworks.com )
Anansi Spaceworks http://www.anansispaceworks.com
* Re: Weird routing problem?
From: Robert Schimansky @ 2004-12-01 13:30 UTC
To: netfilter
hello,
when using an ethernet-dsl-modem - and maybe with some other devices too -
you have to set the MTU of your NAT-ed computers. see
http://www.annoyances.org/exec/show/article04-107
I would appreciate it if somebody could tell me how I could solve this on the
router instead of reconfiguring the "clients"
greetings
Robert
> Hi,
> I have set up a Debian Woody system as a dialup gateway
> system using iptables. This mostly works, but for a fairly
> large number of internet sites, I get hang-ups when trying
> to access them from the client machines on my LAN. (Not sure
> about the statistics, but it's enough that it could be, for
> example, any site running IIS or some other lesser-used HTTP server).
>
> For example, if I use a simple console web-browser like
> w3m, I can access:
>
> w3m http://www.poalo.com
>
> from the console of my router, BUT the same command from
> the console of a client machine on the LAN results in no
> reply!
* Re: Weird routing problem?
From: Jason Opperisano @ 2004-12-01 13:45 UTC
To: netfilter
On Wed, 2004-12-01 at 08:30, Robert Schimansky wrote:
> hello,
>
> when using an ethernet-dsl-modem - and maybe with some other devices too -
> you have to set the MTU of your NAT-ed computers. see
> http://www.annoyances.org/exec/show/article04-107
>
> I would appreciate it if somebody could tell me how I could solve this on the
> router instead of reconfiguring the "clients"
search the list archives--i *think* that question came up once before.
...or type 'man iptables' as the exact command needed is in there.
...or read my last post.
-j
--
"No jury in the world is going to convict a baby ... Maybe Texas."
--The Simpsons
* Re: Weird routing problem?
From: Jason Opperisano @ 2004-12-01 13:43 UTC
To: netfilter
On Wed, 2004-12-01 at 05:18, Terry Hancock wrote:
<snip>
> "Fragments"?
bingo.
> Why only from certain web servers?
> e.g.:
> http://www.tera-byte.com
> http://www.poalo.com
> http://www.paypal.com
because the reply packets from those sites break the "need-to-frag"
threshold.
> How can I verify what is and is not being dropped?
tcpdump on your firewall's external interface for ICMP Type 3 Code 4
packets.
> Some details:
<snip>
one detail that would've been nice would be the output of "ip link show"
so that we could see the MTU of ppp0...
generically--try this:
iptables -I FORWARD -p tcp --syn \
-j TCPMSS --clamp-mss-to-pmtu
if that doesn't help:
# MSS = link MTU minus the 20-byte IP and 20-byte TCP headers
MYMSS=$((MTU_OF_PPP0 - 40))
iptables -I FORWARD -p tcp --syn \
-j TCPMSS --set-mss $MYMSS
-j
--
"Me lose brain? Uh, oh! Ha ha ha! Why I laugh?"
--The Simpsons
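As an added illustration, not code from the thread: a small Python audit of tcpdump output on the gateway's external interface, which flags SYN/SYN-ACKs whose MSS exceeds what the link can carry unfragmented, picks up the ICMP type 3 code 4 (need-to-frag) messages Jason mentions, and derives the MSS to clamp to. The capture lines, the addresses and the ppp0 MTU of 1492 are constructed assumptions.

```python
import re

# Assumed MTU of the gateway's ppp0 link; on a real box take it from "ip link show ppp0".
LINK_MTU = 1492

# Constructed sample of "tcpdump -n -i ppp0" output: two SYNs from the masqueraded
# gateway address, one need-to-frag ICMP from the upstream router, one SYN-ACK back.
SAMPLE_CAPTURE = """\
10:18:01.000001 IP 203.0.113.20.33001 > 198.51.100.7.80: Flags [S], seq 1, win 5840, options [mss 1460,sackOK,nop,wscale 0], length 0
10:18:01.000002 IP 203.0.113.1 > 203.0.113.20: ICMP 198.51.100.7 unreachable - need to frag (mtu 1400), length 36
10:18:02.000003 IP 203.0.113.20.33002 > 198.51.100.8.80: Flags [S], seq 1, win 5840, options [mss 1452,sackOK], length 0
10:18:03.000004 IP 198.51.100.8.80 > 203.0.113.20.33002: Flags [S.], seq 1, ack 2, win 65535, options [mss 1460], length 0
"""

SYN_RE = re.compile(r"IP (\S+) > (\S+): Flags \[S\.?\].*?\bmss (\d+)")
NEED_FRAG_RE = re.compile(r"ICMP (\S+) unreachable - need to frag \(mtu (\d+)\)")


def max_mss(mtu):
    """Largest TCP MSS that fits the link: MTU minus 20-byte IP and 20-byte TCP headers."""
    return mtu - 40


def audit_capture(text, link_mtu):
    """Scan tcpdump output for PMTU trouble.

    Returns oversized: (src, dst, mss) for SYN/SYN-ACKs advertising more than the
    link can carry; need_frag: (host, mtu) from ICMP type 3 code 4 messages;
    clamp_to: the MSS to clamp to, from the smallest MTU seen (link or ICMP-reported).
    """
    oversized, need_frag, smallest_mtu = [], [], link_mtu
    for line in text.splitlines():
        m = SYN_RE.search(line)
        if m:
            mss = int(m.group(3))
            if mss > max_mss(link_mtu):
                oversized.append((m.group(1), m.group(2), mss))
            continue
        m = NEED_FRAG_RE.search(line)
        if m:
            mtu = int(m.group(2))
            need_frag.append((m.group(1), mtu))
            smallest_mtu = min(smallest_mtu, mtu)
    return {"oversized": oversized, "need_frag": need_frag, "clamp_to": max_mss(smallest_mtu)}


def clamp_rule(mss):
    """The fixed-MSS clamping rule from the thread, with the computed value filled in."""
    return f"iptables -I FORWARD -p tcp --syn -j TCPMSS --set-mss {mss}"


if __name__ == "__main__":
    report = audit_capture(SAMPLE_CAPTURE, LINK_MTU)
    for src, dst, mss in report["oversized"]:
        print(f"{src} -> {dst} advertises mss {mss} > {max_mss(LINK_MTU)}: replies may be blackholed")
    for host, mtu in report["need_frag"]:
        print(f"need-to-frag for {host}: path MTU {mtu}")
    print(clamp_rule(report["clamp_to"]))
```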