From: Ralf <rm@amitrader.com>
To: netfilter@vger.kernel.org
Subject: Re: IP forwarding on iptables router box no longer working after Debian upgrade; can ping but not get http request from outside hosts
Date: Wed, 25 Feb 2009 20:07:07 +0100
Message-ID: <go44sr$pcu$1@ger.gmane.org>
In-Reply-To: <20090225151053.GA32332@whitehail.bostoncoop.net>

Try this script. It worked for me:

http://tldp.org/HOWTO/IP-Masquerade-HOWTO/firewall-examples.html#RC.FIREWALL-IPTABLES

There are also more extensive scripts in that document.



Adam Kessel wrote:
> I have a simple home router iptables setup. The router now runs Debian
> Lenny; the client runs Ubuntu. Since the Debian upgrade, the forwarding
> setup no longer works properly.
> 
> The iptables router has two NICs; one connects to the cable modem, the
> other to an internal switch. Router is running Linux 2.6.26, iptables
> 1.4.2.  
> 
> The router box has no network issues with the Internet. I can ping, surf
> websites, etc.
> 
> The client box has no problems talking to the router. I can ssh to the
> router, mount NFS shares, etc.
> 
> Before the Lenny upgrade, the router box was forwarding Internet traffic
> from the client to the Internet without trouble.  
> 
> After the Lenny upgrade, I can no longer make any connection from the
> client to the Internet that transmits more than a few bytes. I can ping
> from the client, do DNS lookups, and even get a short error message from
> an external website by telnetting from the client to port 80 on the
> external website and sending an invalid request. If I send a *valid*
> request, however (e.g. GET /index.html HTTP/1.0), I get no response. The
> connection just times out.
> 
> /proc/net/ip_conntrack shows all the relevant connections in CLOSE_WAIT
> or TIME_WAIT status.  
> 
> sysctl is properly configured:
> 
> net.ipv4.conf.all.forwarding = 1
> 
> I have ip_masquerading enabled.
> 
> I don't think this is a problem with the forwarding setup, since I am
> able to ping and make an initial HTTP connection to external hosts from
> the internal client. It's only when more than a few bytes are supposed to
> come back that it times out.  
> 
> Finally, just as an experiment, I tried reducing the MTU packet size on
> the client, but it made no difference.  
> 
> Nothing relevant appears in syslog or kernel logs. I tried logging 
> packets in invalid state; no luck.
> 
> Any suggestions on how to fix or further troubleshoot this?