Try adding a rule to your FORWARD chain to make sure that the TCP MSS value
is not the problem. I know that you said you are not changing the value, but
give this a try to see if it fixes your problem.

    iptables -t filter -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

I don't think that the missing packets are the culprit of your problem, as
this is the very nature of TCP (retransmission of unacknowledged packets).

Grant.

Giacomo wrote:
> Good morning, I'm Giacomo Strangolino from Italy.
>
> I finished developing an IPv4 packet filter with NAT/MASQUERADING and have
> been testing it for some time with success connecting from home to my ISP
> named "libero".
>
> Then I changed ISP to another one, called "telecom", and with great
> surprise I discovered that images from sites and also sites failed to load.
>
> So now, when I call one ISP all works fine; when I call the other, things
> go wrong.
>
> I NAT machines behind my firewall changing only IPs and ports, and
> recalculating checksums (IP and TCP/UDP) to adjust for such changes.
> I do not touch any other field such as window size or seq number or ack,
> since the only things I manipulate are addresses and ports.
>
> I was wondering what I could do to solve this, since iptables and
> ipfw+natd on FreeBSD or WinXP SP2 work fine with this ISP...
>
> Tweaking with Ethereal I found that probably sometimes a TCP segment gets
> lost.
>
> My firewall is a 2.6.12 kernel module which registers with netfilter
> hooks. A userspace program sends rules to the kernel via netlink.
>
> I would thank you if you could help me find the way to fix the problem, or
> understand what could be wrong with one ISP network that works fine with
> the other.
>
> Also any indication of where in the iptables source such a problem is
> solved would be appreciated.
>
> I attach a corrupted image and the Ethereal capture related to it, if it
> could be useful.
>
> Thanks a lot in advance.
>
> Giacomo S., Udine, Italy
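Grant's TCPMSS rule rewrites the MSS option of SYN segments so that full-size segments fit the path MTU; as an added example, not code from this thread, from iptables or from Giacomo's module, here is that operation done by hand in C, using the same RFC 1624 incremental checksum patch a NAT module needs after rewriting addresses and ports. The SYN segment, the addresses, the 1492 PPPoE-style path MTU and the function names are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
/* Internet checksum helpers (RFC 1071): sum 16-bit words, fold carries, complement. */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t n) {
    for (size_t i = 0; i + 1 < n; i += 2) sum += (uint32_t)(p[i] << 8 | p[i + 1]);
    return (n & 1) ? sum + ((uint32_t)p[n - 1] << 8) : sum;
}
static uint16_t csum_fold(uint32_t sum) {
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}
/* TCP checksum over the IPv4 pseudo-header plus segment; returns 0 when it verifies. */
uint16_t tcp_checksum(const uint8_t src[4], const uint8_t dst[4], const uint8_t *tcp, size_t len) {
    uint32_t sum = csum_add(csum_add(0, src, 4), dst, 4) + 6 + (uint32_t)len; /* proto 6 + length */
    return csum_fold(csum_add(sum, tcp, len));
}
/* Walk a SYN's options; if MSS > pmtu - 40 (IPv4 + TCP headers), rewrite it and patch
 * the checksum incrementally per RFC 1624 (HC' = ~(~HC + ~m + m')).
 * Returns the MSS the segment now carries, or -1 if not a SYN / no MSS / malformed. */
int clamp_mss_to_pmtu(uint8_t *tcp, size_t len, uint16_t pmtu) {
    if (len < 20 || !(tcp[13] & 0x02)) return -1;
    size_t doff = (size_t)(tcp[12] >> 4) * 4, i = 20;
    if (doff < 20 || doff > len) return -1;
    uint16_t max_mss = pmtu - 40;
    while (i < doff && tcp[i] != 0) {                      /* kind 0 = end of options */
        if (tcp[i] == 1) { i++; continue; }                /* kind 1 = NOP */
        if (i + 1 >= doff || tcp[i + 1] < 2 || i + tcp[i + 1] > doff) return -1;
        if (tcp[i] == 2 && tcp[i + 1] == 4) {              /* kind 2 = MSS */
            uint16_t old = (uint16_t)(tcp[i + 2] << 8 | tcp[i + 3]);
            if (old <= max_mss) return old;
            uint32_t sum = (uint16_t)~(tcp[16] << 8 | tcp[17]);
            uint16_t hc = csum_fold(sum + (uint16_t)~old + max_mss);
            tcp[i + 2] = max_mss >> 8; tcp[i + 3] = max_mss & 0xff;
            tcp[16] = hc >> 8;          tcp[17] = hc & 0xff;
            return max_mss;
        }
        i += tcp[i + 1];
    }
    return -1;
}
/* Constructed sample (assumption): SYN 40000 -> 80, MSS 1460, two NOPs, EOL; clamp it
 * to a PPPoE-sized path MTU of 1492 and confirm the patched checksum still verifies. */
int run_demo(void) {
    uint8_t s[4] = {10,0,0,2}, d[4] = {198,51,100,7};
    uint8_t pkt[28] = { 0x9c,0x40, 0x00,0x50, 0,0,0,1, 0,0,0,0, 0x70,0x02, 0xff,0xff,
                        0,0, 0,0, 2,4,0x05,0xb4, 1,1,0,0 };
    uint16_t c = tcp_checksum(s, d, pkt, 28); pkt[16] = c >> 8; pkt[17] = c & 0xff;
    int mss = clamp_mss_to_pmtu(pkt, 28, 1492);
    return tcp_checksum(s, d, pkt, 28) == 0 ? mss : -1;  /* -> 1452 */
}
```

A module that instead leaves the MSS alone must still recompute the TCP checksum over the pseudo-header after every address or port rewrite, which is exactly what `tcp_checksum` does.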