Ted -

This sounds like a case of ICMP type 3 code 0 packets being dropped by your ISP. Some web sites are working for you because the packets are getting there, and the server's return packets are getting back to you just fine. The sites that appear to be "hanging" are probably due to the DF packets being dropped because either a reduced MTU or fragmentation is needed. However, if the ICMP Path MTU messages are being dropped, your system is not aware of this.

Add this rule to your script and see if your problem corrects itself:

    $IPT -t filter -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

-----Original Message-----
From: netfilter-admin@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Ted Erickson
Sent: Thursday, February 05, 2004 6:55 PM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Major NAT Problem

I am somewhat new to IPTables but not to linux. I have a major problem. Some background first...

I have a PPoA SDSL connection with Qwest running at 640k/up/down. I have a static block of 8 addresses.....I have a connection from the DSL modem to eth0 on my Redhat 9.0 box and I have my local network plugged into eth1. The only thing running on the linux box is IPTables, nothing else. I turned on echo 1 > /proc/sys/net/ipv4/ip_forward and enabled MASQ in several different ways..... no problem. I can surf the internet just fine on my local network machine but I have ONE BIG PROBLEM!!! I can't view a handful of websites. If I take the linux box out of the picture and throw a cheap Linksys Router on the same DSL connection I can see all the web sites I want. IPTables is blocking something but I don't know what. I can't find any info on the web with this problem. I need to fix this ASAP or I will have to go with something else, but I want to stay with linux.

theo
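
An added illustration, not part of the original thread: a Python model of what the `TCPMSS --clamp-mss-to-pmtu` rule in the reply does to a forwarded SYN, and why that avoids the hang when the ICMP messages never arrive. The 1400-byte path MTU, the sample SYN and all helper names are constructed assumptions.

```python
import struct

OVERHEAD = 40  # 20-byte IPv4 header + 20-byte TCP header without options

def build_syn(mss, flags=0x02):
    """Constructed sample: 24-byte TCP header with a single MSS option."""
    fixed = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (6 << 12) | flags, 65535, 0, 0)
    return fixed + struct.pack("!BBH", 2, 4, mss)  # kind 2, length 4, value

def find_mss(tcp):
    """Walk the TCP options; return (offset, value) of the MSS option or None."""
    end = (tcp[12] >> 4) * 4           # data offset field, converted to bytes
    i = 20
    while i < end:
        kind = tcp[i]
        if kind == 0:                  # end of option list
            break
        if kind == 1:                  # NOP padding, one byte
            i += 1
            continue
        if i + 1 >= end or tcp[i + 1] < 2 or i + tcp[i + 1] > end:
            break                      # truncated or malformed option
        if kind == 2 and tcp[i + 1] == 4:
            return i, struct.unpack_from("!H", tcp, i + 2)[0]
        i += tcp[i + 1]
    return None

def clamp_mss(tcp, path_mtu):
    """Lower (never raise) the MSS of a SYN to path_mtu - 40.
    The real target also adjusts the TCP checksum; that step is left out here."""
    if (tcp[13] & 0x06) != 0x02:       # same match as --tcp-flags SYN,RST SYN
        return tcp
    found = find_mss(tcp)
    limit = path_mtu - OVERHEAD
    if found is None or found[1] <= limit:
        return tcp
    return tcp[:found[0] + 2] + struct.pack("!H", limit) + tcp[found[0] + 4:]

def outcome(syn, path_mtu, icmp_delivered):
    """Fate of the peer's full-size DF packets, sized from the MSS in our SYN."""
    if find_mss(syn)[1] + OVERHEAD <= path_mtu:
        return "ok"
    return "ok after path MTU discovery" if icmp_delivered else "hang"

if __name__ == "__main__":
    syn = build_syn(1460)              # LAN client on 1500-byte Ethernet
    print(outcome(syn, 1400, icmp_delivered=False))                   # unclamped
    print(outcome(clamp_mss(syn, 1400), 1400, icmp_delivered=False))  # clamped
```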