On February 8, 2003 10:58 am, Franck ZOCCOLO wrote:
> > -----Original Message-----
> > From: netfilter-admin@lists.netfilter.org
> > [mailto:netfilter-admin@lists.netfilter.org] On behalf of Sven Bolt
> > Sent: Saturday, February 8, 2003 16:35
> > To: Kevin McConnell; netfilter@lists.netfilter.org
> > Subject: Re: Some webpages inaccessible through IPTables
> >
> >
> > No, ECN is not enabled in the kernel. The sites are accessible from the
> > gateway itself so it's not an MTU issue. What else could it be?
>
> You're wrong... THIS is an MTU issue... I bet you're using PPPoE to
> connect to the internet. This problem should be handled by MTU path
> discovery, but some stupid network administrators are blocking all ICMP
> packets, and MTU path discovery uses ICMP to do its job.
>
> Try lowering the MTU of your client hosts to 1492, and you'll be able to
> browse the sites you cannot access for now.

Even better -- use clamp-mss on the forward chain... like so...

    $IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

This lets you leave the dang clients alone...
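Added example, not part of the original thread and not the kernel's code: a Python model of what the rule above does to a forwarded SYN, lowering the MSS option to the path MTU minus 40 and patching the TCP checksum. It assumes IPv4 without IP options; the function names and the sample packet are constructed for illustration.

```python
import struct

IP_TCP_OVERHEAD = 40  # assumption: 20-byte IPv4 header + 20-byte TCP header
# Constructed SYN: 192.0.2.10:40000 -> 198.51.100.20:80, MSS option 1460
SAMPLE_SYN = bytes.fromhex("9c4000500000000100000000600272109d320000020405b4")

def fold(s):
    """Fold carries back in, as ones' complement checksums require."""
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s

def find_mss(tcp):
    """Return (offset_of_value, mss) for the MSS option, or None."""
    end = min((tcp[12] >> 4) * 4, len(tcp))
    i = 20
    while i + 1 < end:
        kind, length = tcp[i], tcp[i + 1]
        if kind == 0:                       # end of option list
            break
        if kind == 1:                       # NOP is a single byte
            i += 1
            continue
        if length < 2 or i + length > end:  # malformed option, stop parsing
            break
        if kind == 2 and length == 4:       # MSS option
            return i + 2, struct.unpack_from("!H", tcp, i + 2)[0]
        i += length
    return None

def clamp_mss(tcp, path_mtu):
    """Lower a SYN's MSS to path_mtu - 40 and patch the TCP checksum."""
    if len(tcp) < 20 or (tcp[13] & 0x06) != 0x02:  # match SYN set, RST clear
        return tcp
    found, limit = find_mss(tcp), path_mtu - IP_TCP_OVERHEAD
    if found is None or found[1] <= limit:  # never raise an MSS
        return tcp
    off, old = found
    m_old, m_new = old, limit
    if off % 2:  # value straddles two 16-bit words: use byte-swapped form
        m_old, m_new = (struct.unpack("<H", struct.pack(">H", v))[0]
                        for v in (old, limit))
    out = bytearray(tcp)
    struct.pack_into("!H", out, off, limit)
    (hc,) = struct.unpack_from("!H", tcp, 16)
    # RFC 1624 incremental update: HC' = ~(~HC + ~m + m')
    new_hc = ~fold((~hc & 0xFFFF) + (~m_old & 0xFFFF) + m_new) & 0xFFFF
    struct.pack_into("!H", out, 16, new_hc)
    return bytes(out)
```

With a 1492-byte PPPoE path MTU the sample SYN's MSS drops from 1460 to 1452, so the remote server never sends a segment that needs the blocked ICMP "fragmentation needed" reply.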