Nothing is the matter. Your packets destined to (or coming from) zaobao are taking one route, and your packets to kernel are taking a different route. The difference is, the packets to kernel are going through a router that supports an MTU of less than 1500. Thus, fragmentation is required. However, a router somewhere along this path more than likely contains an ACL that drops ICMP Type 3 Code 4 (Fragmentation Required but DF set) packets. Consequently, your system is never notified of the need to reduce the MTU, and all packets are dropped. By reducing your MTU to 1300, you have circumvented the need for fragmentation, and traffic flow to Kernel goes undisturbed and uninterrupted.

-----Original Message-----
From: netfilter-admin@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of zhang ping
Sent: Tuesday, December 30, 2003 11:38 PM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: iptables-1.2.9, kernel-2.6.0, pppd-2.4.2

----adsl----linuxbox----lan

pppd-2.4.2 (use kernel mode pppoe)
iptables-1.2.9
kernel-2.6.0

when I visit www.zaobao.com at lan, it is ok, but I can't visit www.kernel.org, so strange.
when i set mtu as 1300 at lan, everything is ok, i can visit all sites.
what is the matter, anybody help me?
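
The ICMP Type 3 Code 4 message the reply refers to, parsed in Python so that a capture taken on the Linux box can be checked for whether these messages arrive at all. This is an added example, not part of the original thread; the function names are hypothetical, and the addresses and the 1492-byte next-hop MTU in the sample are constructed values.

```python
import struct

def parse_frag_needed(icmp: bytes):
    """Parse bytes starting at the ICMP header. Returns None unless the message is
    Type 3 Code 4; otherwise returns the next-hop MTU and the offending packet's details."""
    if len(icmp) < 8 + 20:                      # ICMP header + quoted IPv4 header
        return None
    # RFC 1191 layout: type, code, checksum, unused, next-hop MTU
    icmp_type, code, _cksum, _unused, next_hop_mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (3, 4):
        return None
    inner = icmp[8:]                            # header of the packet that was dropped
    ver_ihl, _tos, total_len, _ident, flags_frag = struct.unpack("!BBHHH", inner[:8])
    if ver_ihl >> 4 != 4:
        return None
    return {
        "next_hop_mtu": next_hop_mtu,           # 0 when sent by a pre-RFC 1191 router
        "orig_len": total_len,
        "df_set": bool(flags_frag & 0x4000),    # Don't Fragment bit of the dropped packet
        "proto": inner[9],
        "src": ".".join(map(str, inner[12:16])),
        "dst": ".".join(map(str, inner[16:20])),
        # Largest TCP MSS that fits: MTU minus 20-byte IPv4 and 20-byte TCP headers
        "tcp_mss": next_hop_mtu - 40 if next_hop_mtu else None,
    }

def build_sample(next_hop_mtu: int = 1492) -> bytes:
    """Constructed sample: a router rejecting a 1500-byte TCP packet with DF set.
    The ICMP checksum is left at 0 because the parser does not verify it."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000, 64, 6, 0,
                           bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    inner_l4 = struct.pack("!HHI", 40000, 80, 1)   # first 8 bytes of the TCP header
    return struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + inner_ip + inner_l4

if __name__ == "__main__":
    print(parse_frag_needed(build_sample()))
```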