Hello, Allen Seelye wrote:

> I have a PC acting as a firewall and router, using iptables. We have a
> Wii-U inside the network and until a few days ago, it had no
> connectivity problems at all. I upgraded the firewall PC from Kubuntu
> 10.04 to 12.04 and suddenly the Wii-U cannot connect.
>
> It would appear that this is not a problem with the Wii-U. If I connect
> it directly to the Optimum modem, everything works fine. It's something
> wonky with the Kubuntu PC, since I upgraded. Nothing in my
> iptables.rules has changed. I'm using the same set of rules as before
> the upgrade.

Did you check with iptables-save that the actual resulting ruleset is the same as before?

> Other things I've tried:
>
> I've opened the firewall up completely, allowing all traffic through.
> I've explicitly allowed all traffic on all ports, to and from the Wii-U.
> I've tried running several older kernels.

Even the old kernel from the previous version of Ubuntu that ran fine?

> I've tried shutting down apparmor.
>
> None of these have worked.
>
> The only thing that did work, was to remove the Kubuntu box completely
> and connect my switch directly to the Optimum modem.
>
> I have no rules in place restricting the Wii-U at all. I do a grep in
> syslog for the Wii-U's IP and I get a lot of this:
>
> --------------------------
> kernel: [ 7236.919902] Invalid packet: IN=eth0 OUT=eth1
> MAC=00:c0:f0:2d:9e:b4:18:2a:7b:85:09:e5:08:00 SRC=192.168.58.38
> DST=23.43.226.90 LEN=1042 TOS=0x00 PREC=0x00 TTL=63 ID=3693 PROTO=TCP
> SPT=1772 DPT=443 WINDOW=32768 RES=0x00 ACK PSH FIN URGP=0
> --------------------------

What is the match which produces this message? Is it based on the INVALID state? I wonder if a segment with data, FIN and PSH flags is valid...

Note that such messages may not be harmful; this could be a duplicate FIN segment from an old forgotten connection. In several cases I have seen a supposed error message that was actually unrelated to the problem.
> If I'm interpreting this correctly, it thinks that there is a problem
> with the packets coming from the Wii-U and it's dropping them. I've
> tried removing the rule that drops invalid packets and it stopped
> putting these warnings in the log, but the Wii-U still can't connect to
> the Nintendo network.

If the problem is related to connection tracking, then it will also affect the NAT operation, and from the private address in the log I guess you need masquerading. If a packet is in the INVALID state, then it is ignored by the NAT table and leaves the router with its original private source address unmodified (which you can check with a packet capture on the external interface). Such a packet will of course be discarded on the public internet.

If the TCP connection tracking is over-zealous, you can try to make it more tolerant by setting /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal to 1.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
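The checks suggested in this reply, as a small POSIX shell helper added here as an example (not code from the thread or from netfilter): it parses a kernel LOG line of the shape quoted above into address, port and TCP flag fields, reads the current nf_conntrack_tcp_be_liberal value, and can locate the rule that carries a given log prefix. The sample line is constructed from the one in the post; `find_log_rule` assumes the prefix was set with the LOG target's `--log-prefix`, and `relax_tracking` needs root and only runs when the script is invoked with `--apply`.

```sh
#!/bin/sh
# Constructed sample, laid out like the kernel LOG line quoted in the thread.
SAMPLE='kernel: [ 7236.919902] Invalid packet: IN=eth0 OUT=eth1 MAC=00:c0:f0:2d:9e:b4:18:2a:7b:85:09:e5:08:00 SRC=192.168.58.38 DST=23.43.226.90 LEN=1042 TOS=0x00 PREC=0x00 TTL=63 ID=3693 PROTO=TCP SPT=1772 DPT=443 WINDOW=32768 RES=0x00 ACK PSH FIN URGP=0'

# log_field LINE KEY -> the value of KEY=value in a netfilter LOG line
log_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# log_tcp_flags LINE -> the TCP flag names present, space separated
log_tcp_flags() {
    printf '%s\n' "$1" | tr ' ' '\n' \
        | grep -E '^(SYN|ACK|PSH|FIN|RST|URG)$' | tr '\n' ' ' | sed 's/ $//'
}

# log_summary LINE -> one-line "PROTO src:sport -> dst:dport flags=..."
log_summary() {
    printf '%s %s:%s -> %s:%s flags=%s\n' \
        "$(log_field "$1" PROTO)" \
        "$(log_field "$1" SRC)" "$(log_field "$1" SPT)" \
        "$(log_field "$1" DST)" "$(log_field "$1" DPT)" \
        "$(log_tcp_flags "$1")"
}

# Current value of the sysctl the reply mentions, or "n/a" off a netfilter host
tcp_be_liberal() {
    f=/proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal
    if [ -r "$f" ]; then cat "$f"; else echo n/a; fi
}

# find_log_rule PREFIX -> the active rule(s) that log with this prefix
# (assumes the prefix was set with "-j LOG --log-prefix"; needs iptables-save)
find_log_rule() {
    iptables-save 2>/dev/null | grep -F -- "--log-prefix \"$1\""
}

# Apply the relaxation suggested in the reply (needs root; explicit opt-in)
relax_tracking() {
    sysctl -w net.netfilter.nf_conntrack_tcp_be_liberal=1
}

log_summary "$SAMPLE"
echo "nf_conntrack_tcp_be_liberal = $(tcp_be_liberal)"
if [ "${1:-}" = "--apply" ]; then relax_tracking; fi
```

Run `find_log_rule "Invalid packet: "` on the router to see whether the message comes from an INVALID-state match, and capture on the external interface to confirm whether the logged segments leave un-NATed as the reply describes.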