* internal host can not access hotmail
From: Yuwen Dai @ 2005-02-21 12:58 UTC (permalink / raw)
To: netfilter
Dear All,
As an ADSL dialup user, I set up a Linux box as my home gateway. Other
computers can access the Internet via the gateway, but cannot visit
www.hotmail.com. When opening www.hotmail.com in a web browser, the
status bar of the browser says "wait for loginpassport...." and no page
shows up. But I can successfully browse www.hotmail.com on the Linux
gateway itself. This is /etc/ppp/ip-up.d/firewall:
#!/bin/sh
# /etc/ppp/ip-up.d/firewall: run by pppd when the ppp0 link comes up.
EXTIF="ppp0"               # external (ADSL/PPPoE) interface
INTIF="eth1"               # internal LAN interface
IPTABLES="/sbin/iptables"  # was not defined in the posted script
FWVER="${FWVER:-unknown}"  # was not defined either; only used in the final message
# Load the netfilter modules (2.4 kernel; modprobe does the same job).
/sbin/depmod -a
/sbin/insmod ip_tables
/sbin/insmod ip_conntrack
/sbin/insmod ip_conntrack_ftp
/sbin/insmod ip_conntrack_irc
/sbin/insmod iptable_nat
/sbin/insmod ip_nat_ftp
# Enable routing between the interfaces, and let the kernel cope with the
# dynamic ppp0 address changing under existing sockets.
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo " clearing any existing rules and setting default policy.."
# INPUT and OUTPUT stay open (policy ACCEPT); only forwarded traffic is filtered.
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
echo " FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state \
ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
# Anything not accepted above is logged here, then dropped by the FORWARD policy.
$IPTABLES -A FORWARD -j LOG --log-level info
echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
printf '\nrc.firewall-2.4 v%s done.\n' "$FWVER"
This is a very simple rule set that I copied from IPCHAINS-HOWTO.
System info:
# uname -a
Linux sarge 2.4.27-1-386 #1 Wed Dec 1 19:43:08 JST 2004 i686 GNU/Linux
# iptables --version
iptables v1.2.11
# ifconfig
eth0 Link encap:Ethernet HWaddr 52:54:AB:57:87:9E
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:771 errors:0 dropped:0 overruns:0 frame:0
TX packets:799 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:298340 (291.3 KiB) TX bytes:81617 (79.7 KiB)
Interrupt:5 Base address:0xe400
eth1 Link encap:Ethernet HWaddr 00:0A:EB:7B:94:BB
inet addr:192.168.1.254 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:11 Base address:0xe800
ppp0 Link encap:Point-to-Point Protocol
inet addr:61.171.9.149 P-t-P:218.1.1.252 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
RX packets:377 errors:0 dropped:0 overruns:0 frame:0
TX packets:388 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:263828 (257.6 KiB) TX bytes:47792 (46.6 KiB)
Furthermore, I installed Debian Woody on the same PC and used the same
iptables rules. Everything is OK. The Debian Woody info:
Linux yuwen 2.4.18-686 #1 Sun Apr 14 11:32:47 EST 2002 i686 unknown
iptables v1.2.6a
Any advice to diagnose this problem? I once thought maybe something was
wrong with the FORWARD rules, and tried to log the blocked
packets. But there's no log info.
Thanks in advance.
Dai Yuwen
* Re: internal host can not access hotmail
From: Wenzhuo Zhang @ 2005-02-22 2:55 UTC (permalink / raw)
To: netfilter
Yuwen Dai wrote:
> Any advice to diagnose this problem? I once thought maybe something was
> wrong with the FORWARD rules, and tried to log the blocked
> packets. But there's no log info.
Probably you're encountering the Path MTU Discovery problem. There are
several solutions to this problem.
1. Lower the MTU of the network interface of your internal host.
2. Use the clamp-mss-to-pmtu feature of iptables:
# iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
--clamp-mss-to-pmtu
3. Use the clamp MSS feature of rp-pppoe (e.g. -m 1412).
Wenzhuo
--
Wenzhuo Zhang <wenzhuo@zhmail.com> GnuPG Key ID 0xBA586A68
Key fpr: 89C7 C6DE D956 F978 3F12 A8AF 5847 F840 BA58 6A68
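The rule in option 2 above, as an added example that is not part of the thread: a small script that emits the MSS-clamp rule in both of its forms (clamp to the discovered path MTU, or an explicit value computed from the link MTU) together with the ICMP rule that keeps this gateway from itself blocking "fragmentation needed" messages. It assumes ppp0 is the external link with MTU 1492 (the ifconfig output in the first message), and a current iptables where the TCPMSS target lives in the mangle table; the DRY_RUN default of 1 prints the commands instead of running them, so it needs no root to try.

```shell
#!/bin/sh
# Added example (not from the thread): MSS clamping and ICMP pass-through
# for a PPPoE gateway.  Assumptions: external link is ppp0 with MTU 1492;
# modern iptables (TCPMSS target in the mangle table).  DRY_RUN=1 prints
# the commands instead of executing them.
IPTABLES=${IPTABLES:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-1}
DEFAULT_PPP_MTU=1492

# Largest TCP MSS that fits an MTU: subtract the 20-byte IPv4 header and
# the 20-byte TCP header.  1492 -> 1452, 1500 -> 1460.
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# MTU of an interface from sysfs; falls back to $2 when the interface
# does not exist (e.g. when generating the rules on another machine).
mtu_of() {
    if [ -r "/sys/class/net/$1/mtu" ]; then
        cat "/sys/class/net/$1/mtu"
    else
        echo "$2"
    fi
}

# Print or execute a command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# clamp_rules EXTIF MODE
#   MODE=pmtu  -> --clamp-mss-to-pmtu (the rule given in the reply above)
#   MODE=fixed -> --set-mss with a value computed from the link MTU
# Only SYN (and SYN-ACK) packets carry the MSS option, hence the
# --tcp-flags SYN,RST SYN match; RST is excluded so resets are untouched.
clamp_rules() {
    ext=$1
    mode=${2:-pmtu}
    if [ "$mode" = fixed ]; then
        mss=$(mss_for_mtu "$(mtu_of "$ext" "$DEFAULT_PPP_MTU")")
        run "$IPTABLES" -t mangle -A FORWARD -p tcp \
            --tcp-flags SYN,RST SYN -j TCPMSS --set-mss "$mss"
    else
        run "$IPTABLES" -t mangle -A FORWARD -p tcp \
            --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    fi
    # Let "fragmentation needed" (ICMP type 3, code 4) reach this host and
    # the LAN behind it, so path MTU discovery keeps working through here.
    run "$IPTABLES" -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
    run "$IPTABLES" -A FORWARD -p icmp --icmp-type fragmentation-needed -j ACCEPT
}

clamp_rules ppp0 pmtu
```

Run with DRY_RUN=0 as root to apply the rules; the `fixed` mode is useful when the link MTU is known and stable, while `pmtu` lets the kernel use whatever path MTU it has learned for each route.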
* Re: internal host can not access hotmail
From: Yuwen Dai @ 2005-02-23 14:17 UTC (permalink / raw)
To: Wenzhuo Zhang; +Cc: netfilter
On Tue, 22 Feb 2005 10:55:27 +0800, Wenzhuo Zhang <wenzhuo@zhmail.com> wrote:
> Yuwen Dai wrote:
> > Any advice to diagnose this problem? I once thought maybe something was
> > wrong with the FORWARD rules, and tried to log the blocked
> > packets. But there's no log info.
>
> Probably you're encountering the Path MTU Discovery problem. There are
> several solutions to this problem.
>
> 1. Lower the MTU of the network interface of your internal host.
>
> 2. Use the clamp-mss-to-pmtu feature of iptables:
> # iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
> --clamp-mss-to-pmtu
Thank you. I used this rule to solve the problem.
>
> 3. Use the clamp MSS feature of rp-pppoe (e.g. -m 1412).
>
Now ppp uses the rp-pppoe.so plugin in peers/dsl-provider:
plugin rp-pppoe.so eth0
instead of
pty "/usr/sbin/pppoe -I eth0 -T 80 -m 1452"
so I don't know whether I can use that option.
Best regards,
Dai Yuwen
* Re: internal host can not access hotmail
From: Wenzhuo Zhang @ 2005-02-24 6:09 UTC (permalink / raw)
To: netfilter
Yuwen Dai wrote:
>>Probably you're encountering the Path MTU Discovery problem. There are
>>several solutions to this problem.
>>
>>1. Lower the MTU of the network interface of your internal host.
>>
>>2. Use the clamp-mss-to-pmtu feature of iptables:
>> # iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
>> --clamp-mss-to-pmtu
>
>
> Thank you. I used this rule to solve the problem.
You are welcome. Actually, the three methods are not really solutions;
they are workarounds. The real solution is to fix the broken firewalls
on the Internet, which incorrectly block vital ICMP traffic.
--
Wenzhuo Zhang <wenzhuo@zhmail.com> GnuPG Key ID 0xBA586A68
Key fpr: 89C7 C6DE D956 F978 3F12 A8AF 5847 F840 BA58 6A68
* Re: internal host can not access hotmail
From: Yuwen Dai @ 2005-02-28 2:33 UTC (permalink / raw)
To: Wenzhuo Zhang; +Cc: netfilter
On Thu, 24 Feb 2005 14:09:51 +0800, Wenzhuo Zhang <wenzhuo@zhmail.com> wrote:
> > Thank you. I used this rule to solve the problem.
>
> You are welcome. Actually, the three methods are not really solutions;
> they are workarounds. The real solution is to fix the broken firewalls
> on the Internet, which incorrectly block vital ICMP traffic.
>
One more question: why did this only affect hosts behind the firewall,
and not the firewall itself?
Best regards,
Yuwen
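The reply to this last question is not on this page, so here is an added illustration (not written by any participant in the thread) of why the gateway was unaffected while the LAN hosts stalled. A TCP endpoint advertises an MSS of its own interface MTU minus 40 bytes of IP and TCP headers: the gateway's TCP stack sits on ppp0 (MTU 1492, from the ifconfig output) and advertises 1452, so the remote's full-size replies are 1492-byte packets that fit the link. A LAN host sits on a 1500-byte Ethernet and advertises 1460, so the replies are 1500-byte packets with DF set; the gateway cannot forward them over ppp0 and answers with an ICMP "fragmentation needed", which is exactly the message the broken remote firewall drops. The script models that decision for the four cases in the thread (gateway itself, LAN host with a broken remote, LAN host with working PMTU discovery, and LAN host with the SYN's MSS clamped) plus workaround 1 (a lower host MTU). It assumes, as web servers normally do, that the remote sends full-MSS segments with DF set.

```shell
#!/bin/sh
# Added example (not from the thread): model of the path MTU black hole
# seen here.  Assumptions: gateway external link MTU 1492, LAN MTU 1500,
# remote sends full-MSS segments with DF set.
PPP_MTU=1492

# MSS an endpoint advertises: its own interface MTU minus 40 header bytes.
advertised_mss() {
    echo $(( $1 - 40 ))
}

# reply_segment_outcome HOST_MTU CLAMPED_MSS ICMP
#   HOST_MTU    MTU of the TCP endpoint on our side (LAN host or gateway)
#   CLAMPED_MSS MSS the gateway rewrote into the SYN, or 0 for no clamping
#   ICMP        "icmp-ok" if the remote side lets fragmentation-needed
#               messages through, "icmp-blocked" otherwise
# Prints "ok" if the connection proceeds and "stall" if it black-holes.
reply_segment_outcome() {
    mss=$(advertised_mss "$1")
    if [ "$2" -gt 0 ] && [ "$2" -lt "$mss" ]; then
        mss=$2          # the remote only ever saw the clamped value
    fi
    pkt=$(( mss + 40 )) # size of the remote's full-MSS IP packet
    if [ "$pkt" -le "$PPP_MTU" ]; then
        echo ok         # fits the PPP link; nothing to negotiate
    elif [ "$3" = icmp-ok ]; then
        echo ok         # gateway's frag-needed reaches the remote, which shrinks its segments
    else
        echo stall      # DF set, too big, ICMP dropped: the connection hangs silently
    fi
}

echo "gateway itself (MTU 1492), broken remote:  $(reply_segment_outcome 1492 0 icmp-blocked)"
echo "LAN host (MTU 1500), broken remote:        $(reply_segment_outcome 1500 0 icmp-blocked)"
echo "LAN host, remote passes ICMP:              $(reply_segment_outcome 1500 0 icmp-ok)"
echo "LAN host, gateway clamps MSS to 1452:      $(reply_segment_outcome 1500 1452 icmp-blocked)"
echo "LAN host with MTU lowered to 1400:         $(reply_segment_outcome 1400 0 icmp-blocked)"
```

The real MSS in use is the smaller of the two sides' values, and the remote may send less than a full segment, so this is the worst case rather than every packet; it is enough to show why the symptom appears only behind the gateway and why each of the three workarounds removes it.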