From: Chris Spiegel <netfilter@happyjack.org>
To: netfilter@lists.netfilter.org
Subject: NAT blocking HTTP .. But only some of it.
Date: Fri, 15 Jun 2007 23:06:02 -0700
Message-ID: <200706152306.02114.netfilter@happyjack.org>

I'm having a bit of an issue with IP masquerading: Boxes behind my NAT
system work, to a degree. Some protocols seem fine; IRC and rsync both
appear to work. HTTP acts very strange, though.

I can issue a HEAD request. That works fine. If I issue a GET request that
results in a 301 redirect, that works fine. If, on the other hand, I issue
a GET request that results in a 200 OK, things break down. The headers are
sent just fine, as is the \r\n\r\n signalling the end of the headers. But
the page never comes. The same thing happens with a 404. Headers, no
body.

FTP is dodgy. Ftping sometimes gives me just one line of response before
hanging, sometimes I can log in. Sometimes I can get directory listings,
although I've never successfully been able to download a file; I do have
FTP connection tracking enabled. It seems to depend on the FTP server.

The precision of the problem would make me think that it's perhaps an issue
with my ISP, but everything works fine on kernel 2.6.17 (and 2.6.17.14, for
that matter). The problem arose in 2.6.18-rc1 and persists to my current
setup, 2.6.21.5. I hadn't really noticed it until recently when I put a
real computer behind the box; till then I only used qemu, and that
sporadically.

My iptables setup is the following:

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state \
    --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
$IPTABLES -A INPUT -i $INTIF -j ACCEPT

I generally have more rules (not related to NAT), but I've tested with just
the above, resulting in the same problems. It seems something happened
with 2.6.18-rc1, and for the life of me I don't know what.

Chris