RE: Masquerade stalls?

> Hi!
>
> Are there any issues about netfilter in kernel 2.4.25 ?
>
> I tried to make a masquerading setup, but all connections from the internal network that are larger than a minimal size stall, and just wait, wait, wait...
>
> What can it be?
>
> My ultra-simplified ipfilter (for debugging purposes) is:
>
>       iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>       iptables -A FORWARD -j ACCEPT
>
>
> . I have a simple two-network-card-gateway server and 192.168.* internal net setup.
> . from the server everything is perfect.
> . from the internal net, one can ping everything correctly (masquerade is working, just buggy)
> . from the internal net every connection is initialised correctly, however
>       large enough (larger than 1 packet?) data is buggy and stalls.
>
> So, I can reach very short homepages, and can ping from the int net but
> everything else will stall.

Those symptoms point to an MTU issue. The way to check this would be to tcpdump on the outside interface of your firewall for ICMP unreachable messages (tcpdump -n -nn -p -i ppp0 icmp). Look for something along the lines of "need to frag, but DF bit is set". If you see that, you need to lower the MTU/MSS of your clients, either directly on the clients or with some mangling on the firewall.

-j
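
The check and the firewall-side fix suggested in the reply above, as an added example that is not part of the original thread: it pulls the smallest path MTU out of tcpdump's "need to frag" lines and prints the matching TCPMSS mangle rule without applying it. The capture lines are constructed, the addresses are documentation ranges, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `tcpdump -n -nn -p -i ppp0 icmp` output (not a real capture).
SAMPLE='12:00:01.000001 IP 198.51.100.7 > 192.0.2.10: ICMP echo reply, id 4242, seq 1, length 64
12:00:02.000002 IP 198.51.100.1 > 192.0.2.10: ICMP 203.0.113.5 unreachable - need to frag (mtu 1492), length 556
12:00:03.000003 IP 198.51.100.9 > 192.0.2.10: ICMP 203.0.113.8 unreachable - need to frag (mtu 1480), length 556'

# Read tcpdump lines on stdin and print the smallest next-hop MTU announced in
# "need to frag" messages; print nothing if no such message is present.
smallest_path_mtu() {
    sed -n 's/.*need to frag (mtu \([0-9][0-9]*\)).*/\1/p' | sort -n | head -n 1
}

# Largest TCP MSS that fits an IPv4 MTU: MTU minus 20 bytes of IP header
# and 20 bytes of TCP header (no options).
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# Print (do not run) the rule that rewrites the MSS option on forwarded SYNs.
# With an MTU argument the MSS is fixed; with an empty argument the kernel
# derives it from the route's MTU via --clamp-mss-to-pmtu.
clamp_rule() {
    if [ -n "$1" ]; then
        echo "iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $(mss_for_mtu "$1")"
    else
        echo "iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"
    fi
}

# Dry run over the constructed capture: prints the rule to review and apply as root.
mtu=$(printf '%s\n' "$SAMPLE" | smallest_path_mtu)
clamp_rule "$mtu"
```

If the capture shows no "need to frag" messages at all while transfers still stall, the ICMP errors may be filtered upstream, in which case the `--clamp-mss-to-pmtu` form is the one that does not depend on seeing them.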


