From: "Taylor, Grant" <gtaylor@riverviewtech.net>
To: netfilter@lists.netfilter.org
Subject: Re: help about NAT and ISP - without attachments
Date: Wed, 31 Aug 2005 15:54:52 -0500
Message-ID: <4316191C.5060705@riverviewtech.net>
In-Reply-To: <007f01c5ae22$3e9a2e20$0300a8c0@giacomino>

Try adding a rule to your FORWARD chain to make sure that the TCP MSS value is not the problem.  I know that you said you are not changing the value, but give this a try to see if it fixes your problem.

iptables -t filter -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

I don't think that the missing packets are the culprit of your problem, as this is the very nature of TCP (retransmission of unacknowledged packets).



Grant. . . .

Giacomo wrote:
> Good morning, I'm Giacomo Strangolino from Italy.
> 
> I finished developing an IPv4 packet filter with NAT/MASQUERADING and have
> been testing it for some time with success, connecting from home to my ISP
> named "libero".
> 
> Then I changed ISP to another one, called "telecom", and with great surprise
> I discovered that images from sites, and also sites, failed to load.
> 
> So now, when I call one ISP all works fine; when I call the other, things go
> wrong.
> 
> I NAT machines behind my firewall changing only IPs and ports, and
> recalculating checksums (IP and TCP/UDP) to adjust for such changes.
> I do not touch any other field such as window size or seq number or ack,
> since the only things I manipulate are addresses and ports.
> 
> I was wondering what I could do to solve this, since iptables and ipfw+natd
> on FreeBSD or WinXP SP2 work fine with this ISP...
> 
> Tweaking with Ethereal I found that probably sometimes a TCP segment gets
> lost.
> 
> My firewall is a 2.6.12 kernel module which registers with netfilter hooks.
> A userspace program sends rules to the kernel via netlink.
> 
> I would be thankful if you could help me find the way to fix the problem, or
> understand what could be wrong with an ISP network, and anyway work fine
> with the other.
> 
> Also, any indication of where in the iptables source such a problem is
> solved would be appreciated.
> 
> I attach a corrupted image and the Ethereal capture related to it, if it
> could be useful.
> 
> Thanks a lot in advance.
> 
> Giacomo S., Udine, Italy

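The MSS clamp Grant suggests is, inside the kernel, a rewrite of one TCP option on the SYN followed by an incremental checksum fix, which is the same kind of operation Giacomo's module already performs for addresses and ports. What follows is an added example, not code from either poster or from netfilter: a userspace C model of that clamp on constructed packets, answering the "where in iptables is this solved" question by showing what the TCPMSS target has to do. The function names, the 192.168.0.10 / 203.0.113.5 addresses, the SYN layout and the PMTU of 1492 (the usual PPPoE value; the thread does not state either ISP's MTU) are assumptions made for the demo.

```c
/* Added example, not code from the thread: a userspace model of what the
 * iptables TCPMSS --clamp-mss-to-pmtu target does to a TCP SYN, done the way
 * a netfilter-hook NAT engine that already fixes checksums could do it.
 * Every packet byte below is constructed for the demo. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

enum { IPV4_HDR_LEN = 20, TCP_HDR_LEN = 20, TCP_SYN = 0x02, TCP_RST = 0x04,
       TCPOPT_EOL = 0, TCPOPT_NOP = 1, TCPOPT_MSS = 2 };
#define BSWAP16(v) ((uint16_t)((v) << 8 | (v) >> 8))

/* Running ones'-complement sum over 16-bit big-endian words. */
static uint32_t csum_add(uint32_t sum, const uint8_t *b, size_t n) {
    for (size_t i = 0; i + 1 < n; i += 2) sum += (uint32_t)b[i] << 8 | b[i + 1];
    if (n & 1) sum += (uint32_t)b[n - 1] << 8;
    return sum;
}

/* Fold the carries and complement: the Internet checksum finish. */
static uint16_t csum_fold(uint32_t sum) {
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Sum of IPv4 pseudo-header plus TCP segment, optionally without the
 * checksum field so the result can be used to fill it in. */
static uint32_t tcp_sum(const uint8_t *pkt, size_t len, int skip_csum) {
    size_t ihl = (pkt[0] & 0x0f) * 4, tlen = len - ihl;
    uint8_t ph[12] = {0};
    memcpy(ph, pkt + 12, 8);                                /* src, dst */
    ph[9] = 6; ph[10] = tlen >> 8; ph[11] = tlen & 0xff;    /* TCP, length */
    uint32_t s = csum_add(csum_add(0, ph, 12), pkt + ihl, 16);
    if (!skip_csum) s = csum_add(s, pkt + ihl + 16, 2);
    return csum_add(s, pkt + ihl + 18, tlen - 18);
}

/* Constructed IPv4/TCP segment with an MSS option; nop_first puts one NOP
 * ahead of it so the MSS value lands at an odd offset.  Returns the length. */
size_t build_syn(uint8_t *buf, int nop_first, uint16_t mss, uint8_t flags) {
    static const uint8_t src[4] = {192, 168, 0, 10}, dst[4] = {203, 0, 113, 5};
    size_t olen = nop_first ? 8 : 4, len = IPV4_HDR_LEN + TCP_HDR_LEN + olen;
    uint8_t *t = buf + IPV4_HDR_LEN, *o = t + TCP_HDR_LEN;
    memset(buf, 0, len);
    buf[0] = 0x45; buf[3] = (uint8_t)len; buf[8] = 64; buf[9] = 6;
    memcpy(buf + 12, src, 4); memcpy(buf + 16, dst, 4);
    t[0] = 0xc3; t[1] = 0x50; t[3] = 80;                    /* 50000 -> 80 */
    t[12] = (uint8_t)((TCP_HDR_LEN + olen) / 4 << 4);
    t[13] = flags; t[14] = 0x20;                            /* window 8192 */
    if (nop_first) *o++ = TCPOPT_NOP;
    o[0] = TCPOPT_MSS; o[1] = 4; o[2] = mss >> 8; o[3] = mss & 0xff;
    if (nop_first) memset(o + 4, TCPOPT_NOP, 3);
    uint16_t ic = csum_fold(csum_add(0, buf, IPV4_HDR_LEN));
    buf[10] = ic >> 8; buf[11] = ic & 0xff;
    uint16_t tc = csum_fold(tcp_sum(buf, len, 1));
    t[16] = tc >> 8; t[17] = tc & 0xff;
    return len;
}

/* Clamp a SYN's MSS to pmtu minus the minimal IPv4+TCP headers and fix the
 * TCP checksum incrementally (RFC 1624, as the kernel's csum_replace2 does).
 * Returns the MSS now in the packet, or -1 if the rule must not touch it. */
int clamp_mss_to_pmtu(uint8_t *pkt, size_t len, uint16_t pmtu) {
    if (len < IPV4_HDR_LEN || pkt[0] >> 4 != 4 || pkt[9] != 6) return -1;
    size_t ihl = (pkt[0] & 0x0f) * 4;
    if (ihl < IPV4_HDR_LEN || len < ihl + TCP_HDR_LEN) return -1;
    uint8_t *t = pkt + ihl; size_t doff = (t[12] >> 4) * 4;
    /* Same precondition the TCPMSS target enforces: SYN set, RST clear. */
    if (!(t[13] & TCP_SYN) || (t[13] & TCP_RST) || doff < TCP_HDR_LEN ||
        len < ihl + doff) return -1;
    uint16_t max_mss = pmtu - IPV4_HDR_LEN - TCP_HDR_LEN;
    for (size_t i = TCP_HDR_LEN; i < doff;) {
        uint8_t kind = t[i];
        if (kind == TCPOPT_EOL) break;
        if (kind == TCPOPT_NOP) { i++; continue; }
        if (i + 1 >= doff || t[i + 1] < 2 || i + t[i + 1] > doff) return -1;
        if (kind == TCPOPT_MSS && t[i + 1] == 4) {
            uint16_t m = (uint16_t)(t[i + 2] << 8 | t[i + 3]), mp = max_mss;
            if (m <= max_mss) return m;                     /* already fits */
            t[i + 2] = max_mss >> 8; t[i + 3] = max_mss & 0xff;
            /* The checksum sums words at even offsets; a value at an odd
             * offset straddles two words, which equals a byte-swapped update. */
            if ((i + 2) & 1) { m = BSWAP16(m); mp = BSWAP16(mp); }
            uint16_t hc = (uint16_t)(t[16] << 8 | t[17]);
            uint16_t nc = csum_fold((uint16_t)~hc + (uint16_t)~m + mp); /* ~(~HC+~m+m') */
            t[16] = nc >> 8; t[17] = nc & 0xff;
            return max_mss;
        }
        i += t[i + 1];
    }
    return -1;
}

/* Build, clamp and verify in one call; -2 means the checksum came out wrong. */
int clamp_demo(int nop_first, uint16_t mss, uint8_t flags, uint16_t pmtu) {
    uint8_t pkt[64];
    size_t len = build_syn(pkt, nop_first, mss, flags);
    int r = clamp_mss_to_pmtu(pkt, len, pmtu);
    return csum_fold(tcp_sum(pkt, len, 0)) == 0 ? r : -2;
}
```

Build with `cc -std=c99 -Wall`. clamp_demo(0, 1460, TCP_SYN, 1492) returns 1452 with the TCP checksum still verifying, the same SYN with the option behind a NOP also comes out at 1452, a SYN already below the limit is returned as-is, and a plain ACK or a SYN+RST is left alone (-1). The production equivalent is the TCPMSS rule in Grant's reply; the model is for understanding what that rule does to each SYN and for checking a custom hook's checksum handling against it.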


Thread overview:
2005-08-31 11:50 help about NAT and ISP - without attachments Giacomo
2005-08-31 20:54 ` Taylor, Grant [this message]
