Lars Täuber <lars.taeuber@xxxxxxx> writes:

> Hi there.
>
> For some years I have had experience with the firewall systems inside Linux.
> But now I have a case where I don't know how to debug this.
>
> I replaced my hand-written firewall rules with rules generated from fwbuilder 3.0.5. The kernel used is the one from Ubuntu 8.04 (2.6.24-25-server).
>
> $ iptables -V
> iptables v1.3.8
>
> Maybe it's an already known bug in iptables from this old kernel?
>
> All http(s) traffic works except that from audibank.de. The start side doesn't show up when called from a computer on the NATted side of the local network. When called from the computer doing the firewall/NAT it just works.
>
> /../
>
> Attached is the tcpdump of the http traffic related to audibank.de
>
> What's wrong? Can someone enlighten me please?

I'll do some guessing here.

It looks like the first large (MSS-sized) segment is lost. I've seen this happening in networks where Path MTU Discovery didn't work (because ICMP Fragmentation Needed was filtered).

What I would try is to "clamp" the advertised MSS for upstream TCP segments to something low (like 300 bytes), to see if that solves your problem. See iptables(8) for details on how to do that.

(Low MSS will increase protocol overhead, so you probably don't want to clamp MSSes for all outgoing traffic.)

Best regards,
Mattias
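The two approaches Mattias describes (restoring Path MTU Discovery versus clamping the MSS for one destination only), as an added example that is not part of the thread: it uses the iptables TCPMSS target and assumes `eth0` as the upstream interface and a placeholder destination address; with `DRY_RUN=1` (the default) it prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the list thread). WAN_IF is an assumption:
# the upstream interface of the NAT box.
WAN_IF="${WAN_IF:-eth0}"

# Print the rule with DRY_RUN=1 (default); apply it with DRY_RUN=0.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Preferred fix: let Path MTU Discovery work again by accepting ICMP
# "fragmentation needed" (type 3, code 4) for the box and for forwarded
# traffic, and clamp the MSS of forwarded SYNs to the path MTU so the
# value follows whatever the upstream link actually supports.
pmtu_rules() {
    run -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
    run -A FORWARD -p icmp --icmp-type fragmentation-needed -j ACCEPT
    run -t mangle -A FORWARD -o "$WAN_IF" -p tcp --tcp-flags SYN,RST SYN \
        -j TCPMSS --clamp-mss-to-pmtu
}

# Diagnostic: clamp the MSS to a fixed small value for ONE destination,
# so the overhead of tiny segments is not paid by all outgoing traffic.
# $1 is the failing site's IP or CIDR (placeholder in the test below),
# $2 the MSS in bytes (default 300, as suggested in the reply).
fixed_clamp_rule() {
    dest="$1"
    mss="${2:-300}"
    run -t mangle -A FORWARD -o "$WAN_IF" -d "$dest" -p tcp \
        --tcp-flags SYN,RST SYN -j TCPMSS --set-mss "$mss"
}
```

If the diagnostic rule makes the page load, the path MTU is the problem and the `pmtu_rules` set is the fix to keep; remove the fixed clamp afterwards.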