* Masquerade stopped working?!?!
@ 2003-08-03 8:40 dummy1
2003-08-03 12:33 ` George Vieira
0 siblings, 1 reply; 12+ messages in thread
From: dummy1 @ 2003-08-03 8:40 UTC (permalink / raw)
To: netfilter
I have a standard home network configuration:
my local network 10.1.1.0/24
           |
           |
    eth1 10.1.1.1
+----------------------+
|my firewall/router box|
+----------------------+
    eth0 192.168.1.92
           |
           |
    192.168.1.1
+----------------------+
|     foreign ISP      |
+----------------------+
           |
           |
       Internet
To connect computers from my local network to the internet I used
iptables and masquerade (SNAT was working too). Everything was
working fine until one day. Suddenly, about one week ago, machines
from the local network stopped seeing the Internet, but my box is
working fine. I suspect my ISP is doing some nasty dirty tricks. Is it
possible that the ISP can recognize packets which are coming from my
local network and drop them? And how should I configure my box to get
around this problem? Please help! I spent a couple of days browsing
the Internet and reading tons of documentation and still know nothing.
I give you some more details on what I have tested. Maybe it helps you
to find out what the problem is.
As I said, everything is working fine on my box. The local network is
working fine too. From a local machine I can see my box. The problem
starts when I want anything from the internet. Nothing was working:
ping, http, dns... So I thought the problem was that the local machine
can't see machines from the internet because host names are not
resolved. I installed bind (a DNS server) on my box. Then DNS
started working. And pings are working to foreign hosts, but
nothing else. The browser finds the host and no data is received, ssh can't
connect, and so on. What is going on?
I have some firewall rules on my box. To be sure I removed them all
but one:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Any suggestion? Who can help?
I know iptables and netfiltering very well. I have created many firewalls
with different configurations. In this case I am a fool.
Jakub
* RE: Masquerade stopped working?!?!
2003-08-03 8:40 Masquerade stopped working?!?! dummy1
@ 2003-08-03 12:33 ` George Vieira
2003-08-03 16:06 ` dummy1
2003-08-03 20:09 ` forwarding based on hostname Ian McBeth
0 siblings, 2 replies; 12+ messages in thread
From: George Vieira @ 2003-08-03 12:33 UTC (permalink / raw)
To: dummy1, netfilter
Have you done any logging?
If your linux box can browse then the problem is the linux box.
Check that ip forwarding is working and that there are absolutely no
packets being dropped by mistake and that it's forwarding..
The only other thing possible is that the MTU could be too high and needs to
be lowered if the workstations are at 1500 and your linux is at 1400 or
thereabouts.. try forcing all MTUs to a lower value.. (research it on
google).
* Re: Masquerade stopped working?!?!
2003-08-03 12:33 ` George Vieira
@ 2003-08-03 16:06 ` dummy1
2003-08-03 16:42 ` Chris Wilson
2003-08-03 17:32 ` Alistair Tonner
2003-08-03 20:09 ` forwarding based on hostname Ian McBeth
1 sibling, 2 replies; 12+ messages in thread
From: dummy1 @ 2003-08-03 16:06 UTC (permalink / raw)
To: netfilter
> Have you done any logging?
> If your linux box can browse then the problem is the linux box.
> check that ip forwarding is working and that there are absolutely no
> packets being dropped by mistake and that it's forwarding..
>
I have done logging and everything seems to be ok. Packets are going
out through the FORWARD chain. To be sure I removed all rules which can drop
packets and everything is ok. It looks like the ISP is dropping
packets.
> The only other thing possible is that the MTU could be too high and needs to
> be lowered if the workstations are at 1500 and your linux is at 1400 or
> thereabouts.. try forcing all MTUs to a lower value.. (research it on
> google).
I have tried different values of MTUs (workstation, box): (1500,1500),
(500,1500), (500,500), (300,500), (575,1500) and still nothing.
I have even used a TCPMSS target:
iptables -A FORWARD -p TCP --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
and still nothing. It looks like all tcp/udp communication from the
local machine to the internet isn't working. Packets are going out of the linux
box. I have done logging:
iptables -A FORWARD -o eth0 -j LOG
and the results are like this:
IN=eth1 OUT=eth0 SRC=10.1.1.14 DST=212.77.100.101 LEN=60 TOS=0x00
PREC=0x00 TTL=63 ID=24078 DF PROTO=TCP SPT=32777 DPT=80 WINDOW=2144
RES=0x00 SYN URGP=0
I have added logging of incoming packets:
iptables -A INPUT -i eth0 -j LOG
and... silence. No packets are coming back.
* Re: Masquerade stopped working?!?!
2003-08-03 16:06 ` dummy1
@ 2003-08-03 16:42 ` Chris Wilson
2003-08-04 7:11 ` dummy1
2003-08-03 17:32 ` Alistair Tonner
1 sibling, 1 reply; 12+ messages in thread
From: Chris Wilson @ 2003-08-03 16:42 UTC (permalink / raw)
To: dummy1; +Cc: netfilter
Hi Jakub,
> > To connect computers from my local network to the internet I used
> > iptables and masquerade (SNAT was working too). Everything was working
> > fine until one day. Suddenly, about one week ago, machines from the local
> > network stopped seeing the Internet, but my box is working fine. I
> > suspect my ISP is doing some nasty dirty tricks. Is it possible that the ISP
> > can recognize packets which are coming from my local network and drop
> > them? And how should I configure my box to get around this problem?
> > Please help! I spent a couple of days browsing the Internet and reading
> > tons of documentation and still know nothing.
It is possible that the ISP can recognise packets coming from machines in
your network, by looking at the TTL. As a router, your box should
decrement the TTL of packets which it forwards, and as a result the
packets which it forwards for the inside machines will have a different
TTL (one less) than if those boxes were directly connected.
Since Windows and Linux machines have well known "standard" TTLs, it's
possible to use this to block access from machines behind a router,
without blocking access for the router itself.
You can try using the TTL target of iptables to re-increment the TTL, so
that it appears as though those boxes were directly connected, with such
a rule:
iptables -t mangle -A POSTROUTING -o <external-interface> \
-j TTL --ttl-inc 1
But if you have Windows boxes on your network, they will still have a
different TTL to packets from your Linux box (I think), and once again the
ISP can be aware that more than one machine is in use. So it might be
better to use the TTL target to lock the TTL to some fixed value:
iptables -t mangle -A POSTROUTING -o <external-interface> \
-j TTL --ttl-set 64
where 64 appears to be the default for Linux boxes (at least with a 2.4
kernel, as mine has).
There is also a possible innocent explanation, in that perhaps your ISP
has introduced a router with a lower TTL, which would require all packets
going through it to be fragmented. Windows and Linux do Path MTU Discovery
by default, which requires the receipt of ICMP fragmentation-needed
packets.
If these packets are not being forwarded to your inside machines for some
reason (e.g. a bug in iptables, or you are using an older version, or they
are blocked by your firewall rules), then you would be able to ping, but
full-sized packets from a web server page response or an FTP download
would not make it to your machine. You can test this by using tcpdump to
determine whether ICMP fragmentation-needed packets are arriving on your
external interface, and whether they are being correctly masqueraded by
iptables and forwarded to the relevant machine on your internal interface.
Finally, and this is probably not the cause of your problem, but if your
ISP cares about people using NAT then you should be aware that they can
still use a technique devised by Steve Bellovin to monitor IP IDs and
determine (approximately) how many machines are active behind a NAT
router:
[http://www.research.att.com/%7Esmb/papers/fnat.pdf]
This attack has already been implemented in at least one commercial
product, sFlow [http://www.sflow.org/]. It is possible that your ISP is
using this software to detect users who are running NAT. However, as far
as I'm aware there is no simple way to use this attack to actually block
the NATted hosts without blocking the router itself. It's more likely
that your ISP would send you a nasty letter in this case.
Mr Bellovin proposes that IP IDs should be randomised by NAT gateways to
prevent this second attack, but as far as I know this cannot be done by
iptables (yet) and no free software exists to make a Linux box do it.
Finally, Mr Bellovin points out that other techniques could be used to
passively fingerprint the machines in your network, to determine the
number of different OSes in use, if not the number of actual machines. I'm
not aware of any technique to prevent this other than the enforced use of
application-level proxies on the router/firewall box.
Cheers, Chris.
--
Chris Wilson -- UNIX Firewall Lead Developer
NetServers.co.uk http://www.netservers.co.uk
21 Signet Court, Cambridge, UK. 01223 576516
* Re: Masquerade stopped working?!?!
2003-08-03 16:06 ` dummy1
2003-08-03 16:42 ` Chris Wilson
@ 2003-08-03 17:32 ` Alistair Tonner
2003-08-03 18:12 ` dummy1
1 sibling, 1 reply; 12+ messages in thread
From: Alistair Tonner @ 2003-08-03 17:32 UTC (permalink / raw)
To: dummy1, netfilter
On August 3, 2003 12:06 pm, dummy1@gazeta.pl wrote:
> I have even used a TCPMSS target:
> iptables -A FORWARD -p TCP --tcp-flags SYN,RST SYN -j TCPMSS
> --clamp-mss-to-pmtu
> and still nothing. It looks like all tcp/udp communication from
> local machine to internet isn't working. Packets are going out linux
> box. I have done logging:
> iptables -A FORWARD -o eth0 -j LOG
> and the results are like this:
> IN=eth1 OUT=eth0 SRC=10.1.1.14 DST=212.77.100.101 LEN=60 TOS=0x00
> PREC=0x00 TTL=63 ID=24078 DF PROTO=TCP SPT=32777 DPT=80 WINDOW=2144
> RES=0x00 SYN URGP=0
> I have added logging incoming packets:
> iptables -A INPUT -i eth0 -j LOG
> and... silence. No packet are coming back.
If the packets LEFT via the FORWARD chain, they should come BACK through the
FORWARD chain (if NAT is working). If you used -A to add the logging rule in
the FORWARD chain, it is the last rule in the chain.
Try
iptables -I FORWARD 1 -o eth0 -j LOG --log-prefix Forward_out:
iptables -I FORWARD 1 -i eth0 -j LOG --log-prefix Forward_in:
(unnnnhhh, someone double-check the syntax on that for me .. I'm half asleep)
to catch packets in BOTH directions on the FORWARD chain.
--
Alistair Tonner
nerdnet.ca
Senior Systems Analyst - RSS
Any sufficiently advanced technology will have the appearance of magic.
Lets get magical!
* Re: Masquerade stopped working?!?!
2003-08-03 17:32 ` Alistair Tonner
@ 2003-08-03 18:12 ` dummy1
0 siblings, 0 replies; 12+ messages in thread
From: dummy1 @ 2003-08-03 18:12 UTC (permalink / raw)
To: netfilter
You are right, so I corrected the logging rules using your tips, but the logs
still say that packets are going in one direction:
Forward_out:IN=eth1 OUT=eth0 SRC=10.1.1.14 DST=212.126.20.69 LEN=48
TOS=0x00 PREC=0x00 TTL=127 ID=4252 DF PROTO=TCP SPT=1116 DPT=80
WINDOW=16384 RES=0x00 SYN URGP=0
and no logs with prefix Forward_in: :-(
* forwarding based on hostname
2003-08-03 12:33 ` George Vieira
2003-08-03 16:06 ` dummy1
@ 2003-08-03 20:09 ` Ian McBeth
2003-08-03 20:20 ` Daniel Chemko
1 sibling, 1 reply; 12+ messages in thread
From: Ian McBeth @ 2003-08-03 20:09 UTC (permalink / raw)
To: netfilter
Hello
I have an issue where I have forwarded the ports to an internal mail
server. Based off the IP it works, but when you get the hostname in there it
seems to get lost. No error is given, it just hangs and Outlook says the
connection was interrupted.
Using cat /proc/net/ip_conntrack it does not even appear to be
connecting.
Any help would be great as I am kind of new at iptables NAT
configurations.
Thanx
Ian McBeth
p.s. I have not really looked too deeply into this, but can you forward
based off hostnames to your internal network?
e.g.
mail.domainname.net --> NAT --> 192.168.0.x
* Re: forwarding based on hostname
2003-08-03 20:09 ` forwarding based on hostname Ian McBeth
@ 2003-08-03 20:20 ` Daniel Chemko
2003-08-03 20:44 ` Ian McBeth
0 siblings, 1 reply; 12+ messages in thread
From: Daniel Chemko @ 2003-08-03 20:20 UTC (permalink / raw)
To: Ian McBeth; +Cc: netfilter
I would not recommend using domain names in the submission to iptables,
whether it is supported or not. 1. Do a resolution of the domain every once
in a while and resubmit the rule to iptables. If the firewall ever has
any issues resolving domain names, then the rules requiring it would
break. It is generally a bad idea to have the packet firewall relying
on any external service to perform its job. Remote access services need
authenticators but beyond that, limited liability DNS, and monitoring,
the firewall shouldn't be talking that much.
* RE: forwarding based on hostname
2003-08-03 20:20 ` Daniel Chemko
@ 2003-08-03 20:44 ` Ian McBeth
2003-08-03 20:55 ` Daniel Chemko
0 siblings, 1 reply; 12+ messages in thread
From: Ian McBeth @ 2003-08-03 20:44 UTC (permalink / raw)
To: 'Daniel Chemko'; +Cc: netfilter
Hey
I am not using the domain name to connect to the mail server that is
hidden behind the NAT firewall box, as I cannot connect to it with the
domain name but I can connect to it via the IP address. What am I doing
wrong?
Thanks
* Re: forwarding based on hostname
2003-08-03 20:44 ` Ian McBeth
@ 2003-08-03 20:55 ` Daniel Chemko
0 siblings, 0 replies; 12+ messages in thread
From: Daniel Chemko @ 2003-08-03 20:55 UTC (permalink / raw)
To: Ian McBeth; +Cc: netfilter
If you don't change the firewall rules between the two attempts, there
are only a few things that can go wrong:
1. Does the hostname point to the server that the IP address does? Make
sure with a packet sniffer.
2. If you are inside the network trying to connect to 192.168.0.x
directly, it is different from connecting to it through the hostname
address when you are inside the network. Generally for internal
devices, you want to point them at an internal DNS server that manages
all the 192.168.0.0/16 addresses. Then, have an external DNS managing
what the world sees.
Iptables does not play nicely doing an interface loop like the following:
HSTA:IFA -> HSTB:IFA -> HSTB:IFB --|
                                   |
HSTC:IFA <- HSTB:IFA <- HSTB:IFB <-|
Ideally, it should look like one of the two following examples:
HSTA:IFA -> HSTB:IFA --|
                       |
HSTA:IFA <- HSTB:IFA <-|
OR
HSTA:IFA -> HSTC:IFA
The difference here is that the first example needs to loop through an
external interface and then pass back in, but since its source is from
itself, there are invariably problems doing the loopback. I am not sure
if there is a quick-and-dirty fix to this problem. I haven't found one
as of yet.
If this has nothing to do with your problem, then I must say *doh*
* RE: forwarding based on hostname
@ 2003-08-03 22:07 George Vieira
0 siblings, 0 replies; 12+ messages in thread
From: George Vieira @ 2003-08-03 22:07 UTC (permalink / raw)
To: Ian McBeth; +Cc: netfilter
Are you allowing DNS? Are your clients able to make DNS requests from behind the firewall?
Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@citadelcomputer.com.au
Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au
* Re: Masquerade stopped working?!?!
2003-08-03 16:42 ` Chris Wilson
@ 2003-08-04 7:11 ` dummy1
0 siblings, 0 replies; 12+ messages in thread
From: dummy1 @ 2003-08-04 7:11 UTC (permalink / raw)
To: netfilter
> It is possible that the ISP can recognise packets coming from machines in
> your network, by looking at the TTL. As a router, your box should
> decrement the TTL of packets which it forwards, and as a result the
> packets which it forwards for the inside machines will have a different
> TTL (one less) than if those boxes were directly connected.
> But if you have Windows boxes on your network, they will still have a
> different TTL to packets from your Linux box (I think), and once again the
> ISP can be aware that more than one machine is in use. So it might be
> better to use the TTL target to lock the TTL to some fixed value:
>
> iptables -t mangle -A POSTROUTING -o <external-interface> \
> -j TTL --ttl-set 64
>
> where 64 appears to be the default for Linux boxes (at least with a 2.4
> kernel, as mine has).
That's the case. The command
iptables -t mangle -A POSTROUTING -o eth0 -j TTL --ttl-set 64
solved the problem.
After all I have done some tests and it seems that the ISP is searching
for TCP/UDP packets for which the TTL field differs from 64 or 128.
I have tested that my linux box TTL is 64 and on local machines
running Windows XP the TTL is 128.
My ISP is a small company so it is not worth mentioning who they
are. I tried to find what OS is running on the ISP machine using
nmap, but I found nothing. I want to know what kind of software they
are running (if not just iptables). I will try to get some
information.
Thanks to everybody
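As an added example (not code from the thread or from the netfilter project), the following Python script parses kernel LOG lines of the kind quoted above and performs the two checks the thread arrives at: whether forwarded packets leave the external interface with a TTL other than 64 or 128 (the decremented value Jakub found his ISP filtering on, which the `--ttl-set 64` mangle rule later hides) and whether any return traffic was logged at all (the Forward_out:/Forward_in: split from Alistair's rules). The sample lines are constructed from the values quoted in the thread; the function names and the assumption that eth0 is the WAN interface are this example's own.

```python
"""Audit iptables LOG output for the two symptoms discussed in the thread.

Added example: parses kernel LOG lines as produced by `-j LOG --log-prefix`
and checks (1) which forwarded packets leave the WAN interface with a TTL
that is neither 64 nor 128, i.e. the decremented TTL an upstream filter
can use to tell NAT'd hosts from the router itself, and (2) whether any
return traffic was logged at all.  Sample lines are constructed from the
values quoted in the thread; function names are this example's own.
"""
import re
from collections import Counter

# Initial TTLs established in the thread: 64 for the Linux box, 128 for the
# Windows XP hosts.  Linux decrements the TTL before the FORWARD hook, so a
# FORWARD log shows 63 / 127 for traffic from hosts behind the router.
ACCEPTED_INITIAL_TTLS = {64, 128}
INT_FIELDS = ("TTL", "LEN", "ID", "SPT", "DPT")


def parse_log_line(line):
    """Parse one netfilter LOG line into a dict, or None if it is not one.

    KEY=VALUE tokens become entries, bare flags (DF, SYN, ...) map to True
    and the text before the first IN= token is kept as 'prefix'.
    """
    m = re.search(r"\bIN=", line)
    if not m:
        return None
    fields = {"prefix": line[:m.start()].strip()}
    for token in line[m.start():].split():
        key, sep, value = token.partition("=")
        fields[key] = value if sep else True
    for key in INT_FIELDS:
        if key in fields:
            fields[key] = int(fields[key])
    return fields


def ttl_audit(packets, wan_if="eth0"):
    """Return (SRC, TTL) for packets leaving wan_if with a non-initial TTL.

    The mangle POSTROUTING rule `-j TTL --ttl-set 64` runs after FORWARD,
    so a FORWARD log shows what the ISP sees when that rule is absent.
    """
    return [(p["SRC"], p["TTL"]) for p in packets
            if p.get("OUT") == wan_if and p.get("TTL") not in ACCEPTED_INITIAL_TTLS]


def return_traffic_summary(packets, wan_if="eth0"):
    """Count forwarded packets leaving and entering wan_if as (out, in).

    out > 0 with in == 0 is the 'silence' reported in the thread.
    """
    outbound = sum(1 for p in packets if p.get("OUT") == wan_if)
    inbound = sum(1 for p in packets if p.get("IN") == wan_if)
    return outbound, inbound


def expected_initial_ttl(observed_ttl, hops=1):
    """Infer the sender's initial TTL from one seen after `hops` routers."""
    candidate = observed_ttl + hops
    return candidate if candidate in ACCEPTED_INITIAL_TTLS else None


# Constructed sample: the two FORWARD log lines quoted in the thread, tagged
# with Alistair's prefix.  No Forward_in: line exists, as Jakub reported.
SAMPLE_LOG = """\
Forward_out:IN=eth1 OUT=eth0 SRC=10.1.1.14 DST=212.77.100.101 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=24078 DF PROTO=TCP SPT=32777 DPT=80 WINDOW=2144 RES=0x00 SYN URGP=0
Forward_out:IN=eth1 OUT=eth0 SRC=10.1.1.14 DST=212.126.20.69 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4252 DF PROTO=TCP SPT=1116 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
"""


def analyse(log_text):
    """Run both checks over a block of log text."""
    packets = [p for p in map(parse_log_line, log_text.splitlines()) if p]
    return {
        "suspicious_ttl": ttl_audit(packets),
        "directions": return_traffic_summary(packets),
        "by_prefix": Counter(p["prefix"] for p in packets),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for src, ttl in result["suspicious_ttl"]:
        print(f"{src}: egress TTL {ttl} is not 64/128, looks forwarded; "
              f"sender probably started at {expected_initial_ttl(ttl)}")
    out, inn = result["directions"]
    print(f"outbound={out} inbound={inn}" + (" (no return traffic)" if inn == 0 else ""))
```

Feed it the output of `dmesg` or the kernel log after adding the two `-I FORWARD 1 ... -j LOG` rules; with the `--ttl-set 64` mangle rule in place the FORWARD log still shows the decremented TTL, so verify the on-the-wire value with a sniffer on the external interface.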