Please help with my bridge/router

Please help with my bridge/router

[Serge Matovic]

Hi to all. I'm a bit hesitant to bug you with this
basic problem of mine, and I just hope that I'm not
wasting your time.
OK, here is the situation. I have a Linux machine with
4 NICs. I have configured 3 of these NICs into a
bridge (br0), and the 4th NIC is connected to an ADSL
modem (ppp0), which, in turn, is connected to
Internet. This NIC is getting a DHCP address from my
ISP. I'm using the iptable script from dranch's
IP-MASQ-HOWTO. (and I tried many other ones, as well).

Now here is the problem: When I try to go Internet
from my Client computer (connected to one of the 3
NICs of this bridge/router) some sites (like
Google.ca) connect and work perfectly, ***BUT*** some
sites (like globaltv.com) do not load at all. But I
know that they work fine when I connect to them
without going thru my bridge/router.

Does anyone have a thought on why some sites work and
some don't?

Many thanks, and best regards,
serge.



 
____________________________________________________________________________________
Never miss an email again!
Yahoo! Toolbar alerts you the instant new Mail arrives.
http://tools.search.yahoo.com/toolbar/features/mail/

Routing to and from an IP on an interface

[Nathan]

Hi I have an issue where the internal interface wants to always talk from the 
primary ip address,  what kind of rule can I add to make the traffic comming 
from a specific source ip leave the router interface from a specific secondary 
ip address?

Thanks

- Brad Chang
- http://www.linuxcare.ca

Re: Routing to and from an IP on an interface

[Jan Engelhardt]

On Mar 12 2007 21:30, Nathan wrote:

>Date: Mon, 12 Mar 2007 21:30:31 -0700
>From: Nathan <lists@linuxcare.ca>
>To: netfilter@lists.netfilter.org
>Subject: Routing to and from an IP on an interface
>
>Hi I have an issue where the internal interface wants to always talk from the 
>primary ip address,  what kind of rule can I add to make the traffic comming 
>from a specific source ip leave the router interface from a specific secondary 
>ip address?

iptables -j SNAT ...


Jan
-- 

Re: Please help with my bridge/router

[Alexandru Dragoi]

Serge Matovic wrote:
> Hi to all. I'm a bit hesitant to bug you with this
> basic problem of mine, and I just hope that I'm not
> wasting your time.
> OK, here is the situation. I have a Linux machine with
> 4 NICs. I have configured 3 of these NICs into a
> bridge (br0), and the 4th NIC is connected to an ADSL
> modem (ppp0), which, in turn, is connected to
> Internet. This NIC is getting a DHCP address from my
> ISP. I'm using the iptable script from dranch's
> IP-MASQ-HOWTO. (and I tried many other ones, as well).
>
> Now here is the problem: When I try to go Internet
> from my Client computer (connected to one of the 3
> NICs of this bridge/router) some sites (like
> Google.ca) connect and work perfectly, ***BUT*** some
> sites (like globaltv.com) do not load at all. But I
> know that they work fine when I connect to them
> without going thru my bridge/router.
>
> Does anyone have a thought on why some sites work and
> some don't?
>
> Many thanks, and best regards,
> serge.
>
>
>
>  
> ____________________________________________________________________________________
> Never miss an email again!
> Yahoo! Toolbar alerts you the instant new Mail arrives.
> http://tools.search.yahoo.com/toolbar/features/mail/
>
>   
Try:

iptables -I FORWARD -j TCPMSS  -o ppp0 -p tcp --tcp-flags SYN,RST SYN 
--clamp-mss-to-pmtu


In the man table of iptables you can see the explanation too.

Re: Please help with my bridge/router

[ArcosCom Linux User]

Note: take care that it will be used into "mangle" table.

iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
                   -j TCPMSS --clamp-mss-to-pmtu


El Mar, 13 de Marzo de 2007, 8:46, Alexandru Dragoi escribió:
> Serge Matovic wrote:
>> Hi to all. I'm a bit hesitant to bug you with this
>> basic problem of mine, and I just hope that I'm not
>> wasting your time.
>> OK, here is the situation. I have a Linux machine with
>> 4 NICs. I have configured 3 of these NICs into a
>> bridge (br0), and the 4th NIC is connected to an ADSL
>> modem (ppp0), which, in turn, is connected to
>> Internet. This NIC is getting a DHCP address from my
>> ISP. I'm using the iptable script from dranch's
>> IP-MASQ-HOWTO. (and I tried many other ones, as well).
>>
>> Now here is the problem: When I try to go Internet
>> from my Client computer (connected to one of the 3
>> NICs of this bridge/router) some sites (like
>> Google.ca) connect and work perfectly, ***BUT*** some
>> sites (like globaltv.com) do not load at all. But I
>> know that they work fine when I connect to them
>> without going thru my bridge/router.
>>
>> Does anyone have a thought on why some sites work and
>> some don't?
>>
>> Many thanks, and best regards,
>> serge.
>>
>>
>>
>>
>> ____________________________________________________________________________________
>> Never miss an email again!
>> Yahoo! Toolbar alerts you the instant new Mail arrives.
>> http://tools.search.yahoo.com/toolbar/features/mail/
>>
>>
> Try:
>
> iptables -I FORWARD -j TCPMSS  -o ppp0 -p tcp --tcp-flags SYN,RST SYN
> --clamp-mss-to-pmtu
>
>
> In the man table of iptables you can see the explanation too.
>
>

Re: Please help with my bridge/router

[Serge Matovic]

Thank you for your reply! I will investigate the
"mangle" line today.  But, I also tried the line
suggested by Alexandru, and it worked.
Thank you all for your generous help!
Best regards,
serge.



--- ArcosCom Linux User <linux@arcoscom.com> wrote:

> Note: take care that it will be used into "mangle"
> table.
> 
> iptables -t mangle -A FORWARD -p tcp --tcp-flags
> SYN,RST SYN \
>                    -j TCPMSS --clamp-mss-to-pmtu
> 
> 
> El Mar, 13 de Marzo de 2007, 8:46, Alexandru Dragoi
> escribió:
> > Serge Matovic wrote:
> >> Hi to all. I'm a bit hesitant to bug you with
> this
> >> basic problem of mine, and I just hope that I'm
> not
> >> wasting your time.
> >> OK, here is the situation. I have a Linux machine
> with
> >> 4 NICs. I have configured 3 of these NICs into a
> >> bridge (br0), and the 4th NIC is connected to an
> ADSL
> >> modem (ppp0), which, in turn, is connected to
> >> Internet. This NIC is getting a DHCP address from
> my
> >> ISP. I'm using the iptable script from dranch's
> >> IP-MASQ-HOWTO. (and I tried many other ones, as
> well).
> >>
> >> Now here is the problem: When I try to go
> Internet
> >> from my Client computer (connected to one of the
> 3
> >> NICs of this bridge/router) some sites (like
> >> Google.ca) connect and work perfectly, ***BUT***
> some
> >> sites (like globaltv.com) do not load at all. But
> I
> >> know that they work fine when I connect to them
> >> without going thru my bridge/router.
> >>
> >> Does anyone have a thought on why some sites work
> and
> >> some don't?
> >>
> >> Many thanks, and best regards,
> >> serge.
> >>
> >>
> >>
> >>
> >>
>
____________________________________________________________________________________
> >> Never miss an email again!
> >> Yahoo! Toolbar alerts you the instant new Mail
> arrives.
> >>
> http://tools.search.yahoo.com/toolbar/features/mail/
> >>
> >>
> > Try:
> >
> > iptables -I FORWARD -j TCPMSS  -o ppp0 -p tcp
> --tcp-flags SYN,RST SYN
> > --clamp-mss-to-pmtu
> >
> >
> > In the man table of iptables you can see the
> explanation too.
> >
> >
> 
> 
> 
> 



 
____________________________________________________________________________________
8:00? 8:25? 8:40? Find a flick in no time 
with the Yahoo! Search movie showtime shortcut.
http://tools.search.yahoo.com/shortcuts/#news

Re: Please help with my bridge/router

[Serge Matovic]

Alexandru !!! THANK YOU/THANK YOU/THANK YOU !!!!
I typed in your line (at the end of all of my commands
to setup the bridge and router) and it WORKS !!!
Now, I must find out what your line did to enable
those sites that failed to load before, to load now.

Again, I'm much grateful for your help.
Best to you,
serge.


--- Alexandru Dragoi <alex@zoomnet.ro> wrote:

> Serge Matovic wrote:
> > Hi to all. I'm a bit hesitant to bug you with this
> > basic problem of mine, and I just hope that I'm
> not
> > wasting your time.
> > OK, here is the situation. I have a Linux machine
> with
> > 4 NICs. I have configured 3 of these NICs into a
> > bridge (br0), and the 4th NIC is connected to an
> ADSL
> > modem (ppp0), which, in turn, is connected to
> > Internet. This NIC is getting a DHCP address from
> my
> > ISP. I'm using the iptable script from dranch's
> > IP-MASQ-HOWTO. (and I tried many other ones, as
> well).
> >
> > Now here is the problem: When I try to go Internet
> > from my Client computer (connected to one of the 3
> > NICs of this bridge/router) some sites (like
> > Google.ca) connect and work perfectly, ***BUT***
> some
> > sites (like globaltv.com) do not load at all. But
> I
> > know that they work fine when I connect to them
> > without going thru my bridge/router.
> >
> > Does anyone have a thought on why some sites work
> and
> > some don't?
> >
> > Many thanks, and best regards,
> > serge.
> >
> >
> >
> >  
> >
>
____________________________________________________________________________________
> > Never miss an email again!
> > Yahoo! Toolbar alerts you the instant new Mail
> arrives.
> >
> http://tools.search.yahoo.com/toolbar/features/mail/
> >
> >   
> Try:
> 
> iptables -I FORWARD -j TCPMSS  -o ppp0 -p tcp
> --tcp-flags SYN,RST SYN 
> --clamp-mss-to-pmtu
> 
> 
> In the man table of iptables you can see the
> explanation too.
> 


 
____________________________________________________________________________________
8:00? 8:25? 8:40? Find a flick in no time 
with the Yahoo! Search movie showtime shortcut.
http://tools.search.yahoo.com/shortcuts/#news

Re: Please help with my bridge/router

[Martijn Lievaart]

Serge Matovic wrote:
> Alexandru !!! THANK YOU/THANK YOU/THANK YOU !!!!
> I typed in your line (at the end of all of my commands
> to setup the bridge and router) and it WORKS !!!
> Now, I must find out what your line did to enable
> those sites that failed to load before, to load now.
>   

Most of the time, this means you don't allow the 
icmp-fragmentation-needed-but-df-bit-is set packets in. If you don't 
have these rules

-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

right on the top of your ruleset, that is your problem.

/me goes to bed, wondering how many bad recipes for iptables are on the 
net. You're only the third this month....

Post the output of iptables-save so we can examine your ruleset please.

HTH,
M4

Re: Please help with my bridge/router

[Serge Matovic]

Thank you Martijn Lievaart for offering to help. I am
quite new to this topic and I am hesitant to say much,
because it will probably be so stupid. But I must say
that I'm quite proud of my achievement (with all help
from this mailing list) in setting (and making it
work) my home bridge/router/server, all on one Linux
PC.
As you requested here is my script:

=======================================================
#!/bin/sh
### This scriptis is addapted from
http://wiki.linuxquestions.org/wiki/A_basic_firewall_configuration_suitable_for_a_gateway/nat
### BUT modified by me to add my bridge (br0)

ifconfig br0 down
brctl delbr br0
ifconfig eth1 down
ifconfig eth2 down
brctl addbr br0
brctl stp br0 off
brctl addif br0 eth1
brctl addif br0 eth2
ifconfig eth1 down
ifconfig eth2 down
ifconfig eth1 0.0.0.0 up
ifconfig eth2 0.0.0.0 up
ifconfig br0 192.168.0.20 up

ipt=/sbin/iptables
extip=ppp0   # Connected to Sympatico ADSL modem
lan=br0 # My Home LAN

iptables -F
iptables -t nat -F
iptables -t mangle -F

# start firewall
echo 1 > /proc/sys/net/ipv4/ip_forward

# default policies
$ipt -P INPUT DROP
$ipt -P FORWARD DROP

# NAT
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# INPUT chain
$ipt -A INPUT -i lo -j ACCEPT
$ipt -A INPUT -i br0 -j ACCEPT
$ipt -A INPUT -i ppp0 -m state --state
ESTABLISHED,RELATED -j ACCEPT
$ipt -A INPUT -p tcp --destination-port 22 -j ACCEPT

# FORWARD chain
$ipt -A FORWARD -i br0 -j ACCEPT
$ipt -A FORWARD -i ppp0 -m state --state
ESTABLISHED,RELATED -j ACCEPT

#The following line solved the inabilty to load some
sites, like globaltv.com. It was suggested by
Alexandru Dragoi after I posted the question to
netfilter@lists.netfilter.org
iptables -I FORWARD -j TCPMSS  -o ppp0 -p tcp
--tcp-flags SYN,RST SYN --clamp-mss-to-pmtu

#The following line was also suggested by ArcosCom
Linux User after I posted the question to
netfilter@lists.netfilter.org in an effort to solve
the inabilty to load some sites, like globaltv.com,
but I haven't tried it yet.
#iptables -t mangle -A FORWARD -p tcp --tcp-flags
SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

exit 0
=======================================================

Thank you, and best regards,
serge.


--- Martijn Lievaart <m@rtij.nl> wrote:

> Serge Matovic wrote:
> > Alexandru !!! THANK YOU/THANK YOU/THANK YOU !!!!
> > I typed in your line (at the end of all of my
> commands
> > to setup the bridge and router) and it WORKS !!!
> > Now, I must find out what your line did to enable
> > those sites that failed to load before, to load
> now.
> >   
> 
> Most of the time, this means you don't allow the 
> icmp-fragmentation-needed-but-df-bit-is set packets
> in. If you don't 
> have these rules
> 
> -A FORWARD -m state --state ESTABLISHED,RELATED -j
> ACCEPT
> -A INPUT -m state --state ESTABLISHED,RELATED -j
> ACCEPT
> 
> right on the top of your ruleset, that is your
> problem.
> 
> /me goes to bed, wondering how many bad recipes for
> iptables are on the 
> net. You're only the third this month....
> 
> Post the output of iptables-save so we can examine
> your ruleset please.
> 
> HTH,
> M4
> 
> 



 
____________________________________________________________________________________
Never miss an email again!
Yahoo! Toolbar alerts you the instant new Mail arrives.
http://tools.search.yahoo.com/toolbar/features/mail/