problem with NAT on 2.4

problem with NAT on 2.4

[Stephan von Krawczynski]

Hello,

I am using a SuSE 7.3 distro kernel 2.4.10 and ran into some really strange
problem with NAT. I have a private network setup (192.168.3.x) with win-clients
(win98, W2K) and a variety of IE-browsers. From this network I wanted to grant
direct access to the internet via NAT. Basically it works, but what does not
work is a http-connection from _any_ tested win client over linux NAT to a
certain MS IIS 5.0.
I wouldn't be that bothered if the exact same clients wouldn't connect
flawlessly over a 50 bucks DSL-router to the same IIS. Other servers (whatever
I tried) seem to work, but not the really important one (Murphy of course ;-).
Does anybody have an idea why NAT in 2.4.10 wouldn't work like NAT in some
cheap dsl-router equipment regarding http-connections?
Is there any sense in upgrading to 2.4.15-preX?
I even tried some gateway software based on windoze that is able to NAT - and
it works too! I pretty much ran out of ideas...

Regards,
Stephan

Re: problem with NAT on 2.4

[Ricardo Galli]

 > Does anybody have an idea why NAT in 2.4.10 wouldn't work like NAT in some
 > cheap dsl-router equipment regarding http-connections?
 > Is there any sense in upgrading to 2.4.15-preX?
 > I even tried some gateway software based on windoze that is able to NAT - 
and
 > it works too! I pretty much ran out of ideas...

Did you disable ECN? (echo 0 > /proc/sys/net/ipv4/tcp_ecn)

Did you try a connection to port 80 from the Linux box?

--ricardo

Re: problem with NAT on 2.4

[Stephan von Krawczynski]

On Tue, 20 Nov 2001 20:54:43 +0100
Ricardo Galli <gallir@uib.es> wrote:

> 
>  > Does anybody have an idea why NAT in 2.4.10 wouldn't work like NAT in some
>  > cheap dsl-router equipment regarding http-connections?
>  > Is there any sense in upgrading to 2.4.15-preX?
>  > I even tried some gateway software based on windoze that is able to NAT - 
> and
>  > it works too! I pretty much ran out of ideas...
> 
> Did you disable ECN? (echo 0 > /proc/sys/net/ipv4/tcp_ecn)

Is 0. I didn't explicitely disable, it only happens to be so.

> Did you try a connection to port 80 from the Linux box?

Now this is interesting:

I try a simple telnet www.thedeadman.com 80 (I will post the publicly available
servers name if you want me to) and this is what happens:

not working: (connection fails)
2.0.39, some 2.2.18, 2.4.10, 2.4.13, some 2.2.19

working:
some 2.2.18, some 2.2.19, 2.4.5, 2.4.15-pre3, 2.4.15-pre7

?

Regards,
Stephan

Re: problem with NAT on 2.4

[Mike Fedyk]

On Tue, Nov 20, 2001 at 09:11:28PM +0100, Stephan von Krawczynski wrote:
> On Tue, 20 Nov 2001 20:54:43 +0100
> Ricardo Galli <gallir@uib.es> wrote:
> 
> > 
> >  > Does anybody have an idea why NAT in 2.4.10 wouldn't work like NAT in some
> >  > cheap dsl-router equipment regarding http-connections?
> >  > Is there any sense in upgrading to 2.4.15-preX?
> >  > I even tried some gateway software based on windoze that is able to NAT - 
> > and
> >  > it works too! I pretty much ran out of ideas...
> > 
> > Did you disable ECN? (echo 0 > /proc/sys/net/ipv4/tcp_ecn)
> 
> Is 0. I didn't explicitely disable, it only happens to be so.
> 
> > Did you try a connection to port 80 from the Linux box?
> 
> Now this is interesting:
> 
> I try a simple telnet www.thedeadman.com 80 (I will post the publicly available
> servers name if you want me to) and this is what happens:
> 
> not working: (connection fails)
> 2.0.39, some 2.2.18, 2.4.10, 2.4.13, some 2.2.19
> 
> working:
> some 2.2.18, some 2.2.19, 2.4.5, 2.4.15-pre3, 2.4.15-pre7

Did you try running tcpdump on the affected server?

Re: problem with NAT on 2.4

[Stephan von Krawczynski]

On Tue, 20 Nov 2001 16:09:44 -0800
Mike Fedyk <mfedyk@matchmail.com> wrote:

> Did you try running tcpdump on the affected server?

Well, it didn't let me come this far. It just send no packets back at all in
case of not connecting.

But today, the situation is different. I tried several kernels with several
source IPs yesterday night and came to the conclusion that it cannot be a
kernel problem: the same problem arised and vanished on identical disks, but
with different IPs.
So I came to the conclusion that this US-located webhoster in question found a
really nice way to limit traffic by blacklists or some weird IP pattern
matching code, and guess what: _today_ _all_ test configurations _work_.

There are really strange people out there ;-)

This thread is closed.

Thank you for listening. Sorry for wasting your time.

Stephan