RE: masquerading


 



This appears to be a classic case of ICMP type 3 code 0 packets being dropped by your ISP.  Some web sites are working for you because the packets are getting there, and the server's return packets are getting back to you just fine.  The sites that appear to be "hanging" are probably due to the DF packets being dropped because either a reduced MTU or fragmentation is needed.  However, if the ICMP Path MTU messages are being dropped, your system is not aware of this.  Add this rule to your script and see if your problem corrects itself:
 
$IPT -t filter -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
 
Since all of your default policies are set to ACCEPT and you are going out a ppp0 interface, I'll be shocked to find this is not the problem based on the information you have supplied.
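What the suggested TCPMSS rule does to a forwarded SYN, as an added Python example (not code from the original post or from netfilter): it parses a constructed IPv4/TCP SYN, lowers an MSS option larger than PMTU minus 40 the way --clamp-mss-to-pmtu does, and recomputes the TCP checksum. The addresses, ports and the 1492-byte PPPoE-style PMTU are made-up sample values.

```python
import socket
import struct

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum; running it over valid data (checksum included) yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tcp_checksum(ip_hdr: bytes, tcp: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header (src, dst, zero, proto 6, length) + segment."""
    return ones_complement_sum(ip_hdr[12:20] + struct.pack("!BBH", 0, 6, len(tcp)) + tcp)

def build_syn(mss: int, flags: int = 0x02) -> bytes:
    """Constructed sample packet: IPv4 + TCP header carrying a single MSS option."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 6 << 4, flags, 65535, 0, 0)
    tcp += struct.pack("!BBH", 2, 4, mss)                       # kind 2 = MSS, length 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton("192.168.1.100"), socket.inet_aton("203.0.113.10"))
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return ip + tcp[:16] + struct.pack("!H", tcp_checksum(ip, tcp)) + tcp[18:]

def mss_offset(pkt: bytes):
    """Walk the TCP options; return the offset of the 16-bit MSS value, or None."""
    ihl = (pkt[0] & 0x0F) * 4
    i, end = ihl + 20, ihl + (pkt[ihl + 12] >> 4) * 4
    while i < end and pkt[i] != 0:                  # kind 0 ends the option list
        if pkt[i] == 2 and pkt[i + 1] == 4:
            return i + 2
        i += 1 if pkt[i] == 1 else pkt[i + 1]       # kind 1 (NOP) has no length byte
    return None

def get_mss(pkt: bytes):
    off = mss_offset(pkt)
    return None if off is None else struct.unpack("!H", pkt[off:off + 2])[0]

def clamp_mss_to_pmtu(pkt: bytes, pmtu: int) -> bytes:
    """Mirror '--tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu': only SYNs without
    RST are touched, and an MSS above pmtu - 40 (IPv4 + TCP headers) is lowered to it."""
    ihl = (pkt[0] & 0x0F) * 4
    flags, off, limit = pkt[ihl + 13], mss_offset(pkt), pmtu - 40
    if not (flags & 0x02) or (flags & 0x04) or off is None or get_mss(pkt) <= limit:
        return pkt
    tcp = bytearray(pkt[ihl:])
    tcp[off - ihl:off - ihl + 2] = struct.pack("!H", limit)
    tcp[16:18] = b"\x00\x00"                         # zero the field before recomputing
    tcp[16:18] = struct.pack("!H", tcp_checksum(pkt[:ihl], bytes(tcp)))
    return pkt[:ihl] + bytes(tcp)
```

With the sample SYN advertising 1460 and a PMTU of 1492, the rewritten MSS is 1452, so the peer never sends a full 1500-byte segment that the PPP link would have to fragment or reject with the ICMP message the ISP is dropping.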
 
 
-----Original Message-----
From: netfilter-admin@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx]On Behalf Of Wendy Moore
Sent: Thursday, September 11, 2003 7:10 PM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: masquerading

Hi All,
 
I want to set up an internet gateway/firewall for my local network by using iptables:

iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE

ip forwarding is enabled,....

 

I can browse on a local workstation to e.g. www.openldap.org

(Everything works fine on this site.) However other websites do not work, e.g. www.shoutcast.com. These sites are online (tested them by browsing on the FW computer).

The browser says it is finding the website, but is waiting for a reply?

Anyone any idea?

FILTER table

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

NAT table:

Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

