From: Alistair Tonner <Alistair@nerdnet.ca>
To: dummy1@gazeta.pl, netfilter@lists.netfilter.org
Subject: Re: Masquerade stopped working?!?!
Date: Sun, 3 Aug 2003 13:32:12 -0400
Message-ID: <200308031332.12304.Alistair@nerdnet.ca>
In-Reply-To: <1059926792710.ew5.dummy1@gazeta.pl>
On August 3, 2003 12:06 pm, dummy1@gazeta.pl wrote:
> > Have you done any logging?
> > If your linux box can browse then the problem is the linux box.
> > check that ip forwarding is working and that there are absolutely no
> > packets being dropped by mistake and that it's forwarding..
>
> I have done logging and everything seems to be ok. Packets are going
> out the FORWARD chain. To be sure I removed all rules which can drop
> packets and everything is ok. It looks like the ISP is dropping
> packets.
>
> > The only other thing possible is that the MTU could be too high and
> > needs to be lowered if the workstations are at 1500 and your linux is
> > at 1400 or thereabouts.. try forcing all MTUs to a lower value..
> > (research it on google).
>
> I have tried different values of MTUs (workstation, box): (1500,1500),
> (500,1500), (500,500), (300,500), (575,1500) and still nothing.
>
> I have even used a TCPMSS target:
> iptables -A FORWARD -p TCP --tcp-flags SYN,RST SYN -j TCPMSS
> --clamp-mss-to-pmtu
> and still nothing. It looks like all tcp/udp communication from the
> local machines to the internet isn't working. Packets are going out of
> the linux box. I have done logging:
> iptables -A FORWARD -o eth0 -j LOG
> and the results are like this:
> IN=eth1 OUT=eth0 SRC=10.1.1.14 DST=212.77.100.101 LEN=60 TOS=0x00
> PREC=0x00 TTL=63 ID=24078 DF PROTO=TCP SPT=32777 DPT=80 WINDOW=2144
> RES=0x00 SYN URGP=0
> I have added logging incoming packets:
> iptables -A INPUT -i eth0 -j LOG
> and... silence. No packets are coming back.
If the packets LEFT via the FORWARD chain, they should come BACK through the
FORWARD chain (if NAT is working). If you used -A to add the logging rule in
the FORWARD chain, it is the last rule in the chain.
try
iptables -I FORWARD 1 -o eth0 -j LOG --log-prefix Forward_out:
iptables -I FORWARD 1 -i eth0 -j LOG --log-prefix Forward_in:
(unnnnhhh someone double-check the syntax on that for me .. I'm half asleep)
to catch packets in BOTH directions on the FORWARD chain.
>
> > -----Original Message-----
> > From: netfilter-admin@lists.netfilter.org
> > [mailto:netfilter-admin@lists.netfilter.org]On Behalf Of dummy1@gazeta.pl
> > Sent: Sunday, August 03, 2003 6:41 PM
> > To: netfilter@lists.netfilter.org
> > Subject: Masquerade stopped working?!?!
> >
> > I have a standard home network configuration:
> >
> >        my local network 10.1.1.0/24
> >
> >        eth1 10.1.1.1
> >   +----------------------+
> >   |my firewall/router box|
> >   +----------------------+
> >        eth0 192.168.1.92
> >
> >        192.168.1.1
> >   +----------------------+
> >   |     foreign ISP      |
> >   +----------------------+
> >
> >            Internet
> >
> > To connect computers from my local network to the internet I used
> > iptables and masquerade (snat was working too). Everything was
> > working fine until one day. Suddenly, about one week ago, machines
> > from the local network stopped seeing the Internet, but my box is
> > working fine. I suspect my ISP is doing some nasty dirty tricks. Is it
> > possible that the ISP can recognize packets which are coming from my
> > local network and drop them? And how should I configure my box to get
> > around this problem? Please help! I have spent a couple of days
> > browsing the Internet and reading tons of documentation and still
> > know nothing.
> >
> > I'll give you some more details on what I have tested. Maybe it helps
> > you to find out what the problem is.
> >
> > As I said everything is working fine on my box. The local network is
> > working fine too. From a local machine I can see my box. The problem
> > starts when I want anything from the internet. Nothing was working:
> > ping, http, dns... So I thought the problem was that the local machine
> > can't see machines on the internet because host names are not
> > resolved. I installed bind (dns server) on my box. Then dns
> > started working. And pings to foreign hosts are working, but
> > nothing else. The browser finds the host but no data is received, ssh
> > can't connect, and so on. What is going on?
> > I have some firewall rules on my box. To be sure I removed them all
> > but one:
> > iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> >
> > Any suggestion? Who can help?
> >
> > I know iptables and netfilter very well. I have created many firewalls
> > with different configurations. In this case I am a fool.
> >
> > Jakub
--
Alistair Tonner
nerdnet.ca
Senior Systems Analyst - RSS
Any sufficiently advanced technology will have the appearance of magic.
Lets get magical!
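Editor's note, an added example and not part of any message in this thread: Jakub's second LOG rule sat in INPUT, which only sees packets addressed to the router itself; the SYN/ACK for a masqueraded connection is de-NATed in nat/PREROUTING and then traverses FORWARD, so INPUT stays silent even when NAT works. The script below installs the two FORWARD logging rules Alistair proposes (wrapped in a function, since they need root and a live box) and then pairs outbound `Forward_out:` log lines with their `Forward_in:` replies so that one-way flows stand out. Interface names follow Jakub's diagram (eth0 uplink, eth1 LAN); the log lines are constructed in the shape of the one Jakub posted, not taken from his box.

```shell
#!/bin/sh
# Added example (not from the thread): log a masqueraded connection in both
# directions on the FORWARD chain and report flows that go out but never
# come back. Interface names follow Jakub's diagram: eth0 = uplink, eth1 = LAN.

# Insert the two LOG rules at position 1 so they fire before any ACCEPT/DROP,
# plus the two checks that most often explain "silence". Needs root and a
# live box, so it is only defined here and never called automatically.
install_forward_logging() {
    iptables -I FORWARD 1 -o eth0 -j LOG --log-prefix "Forward_out:"
    iptables -I FORWARD 1 -i eth0 -j LOG --log-prefix "Forward_in:"
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ] || echo "warning: ip_forward is 0" >&2
    iptables -t nat -L POSTROUTING -n -v      # MASQUERADE rule present and counting?
}

# Read kernel LOG lines on stdin, print "PROTO src:sport -> dst:dport" for every
# Forward_out: flow that has no Forward_in: reply. The reply is de-NATed in
# nat/PREROUTING before it reaches FORWARD, so its SRC/DST and SPT/DPT are
# simply the outbound tuple swapped; the lookup key relies on that.
unmatched_flows() {
    awk '
    function field(line, name) {
        # value of "NAME=..." in the log line, or "" if the token is absent
        if (match(line, name "=[^ ]+"))
            return substr(line, RSTART + length(name) + 1, RLENGTH - length(name) - 1)
        return ""
    }
    {
        proto = field($0, "PROTO"); src = field($0, "SRC"); dst = field($0, "DST")
        spt = field($0, "SPT");     dpt = field($0, "DPT")
        if (proto == "") next                      # not a netfilter LOG line
        if (index($0, "Forward_out:")) {
            key = proto " " src ":" spt " -> " dst ":" dpt
            if (!(key in out)) order[++n] = key    # keep first-seen order, dedupe retransmits
            out[key] = 1
        } else if (index($0, "Forward_in:")) {
            back[proto " " dst ":" dpt " -> " src ":" spt] = 1
        }
    }
    END { for (i = 1; i <= n; i++) if (!(order[i] in back)) print order[i] }'
}

# Constructed sample: two SYNs (one retransmitted) leave for the same server;
# only the HTTP one gets a SYN/ACK back, already rewritten to the LAN address.
sample_log() {
    cat <<'EOF'
Aug  3 13:40:01 gw kernel: Forward_out:IN=eth1 OUT=eth0 SRC=10.1.1.14 DST=212.77.100.101 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=24078 DF PROTO=TCP SPT=32777 DPT=80 WINDOW=2144 RES=0x00 SYN URGP=0
Aug  3 13:40:01 gw kernel: Forward_out:IN=eth1 OUT=eth0 SRC=10.1.1.14 DST=212.77.100.101 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=24079 DF PROTO=TCP SPT=32778 DPT=22 WINDOW=2144 RES=0x00 SYN URGP=0
Aug  3 13:40:01 gw kernel: Forward_out:IN=eth1 OUT=eth0 SRC=10.1.1.14 DST=212.77.100.101 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=24080 DF PROTO=TCP SPT=32777 DPT=80 WINDOW=2144 RES=0x00 SYN URGP=0
Aug  3 13:40:02 gw kernel: Forward_in:IN=eth0 OUT=eth1 SRC=212.77.100.101 DST=10.1.1.14 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=80 DPT=32777 WINDOW=5792 RES=0x00 ACK SYN URGP=0
EOF
}

# Stand-alone run: prints the flow(s) the far side never answered.
sample_log | unmatched_flows
```

On a real box, feed it the kernel log instead of the sample (`grep Forward_ /var/log/kern.log | unmatched_flows`). If every outbound flow is reported and the Forward_in: rule never fires at all, the replies are not reaching eth0, which points at the upstream hop rather than at the ruleset; if Forward_in: lines exist but the LAN hosts still see nothing, look at what sits after the LOG rules in FORWARD.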
Thread overview: 11+ messages
2003-08-03 8:40 Masquerade stopped working?!?! dummy1
2003-08-03 12:33 ` George Vieira
2003-08-03 16:06 ` dummy1
2003-08-03 16:42 ` Chris Wilson
2003-08-04 7:11 ` dummy1
2003-08-03 17:32 ` Alistair Tonner [this message]
2003-08-03 18:12 ` dummy1
2003-08-03 20:09 ` forwarding based on hostname Ian McBeth
2003-08-03 20:20 ` Daniel Chemko
2003-08-03 20:44 ` Ian McBeth
2003-08-03 20:55 ` Daniel Chemko