dellcom1800 (n00b)
Joined: 24 Oct 2006, Posts: 3
Posted: Wed Apr 11, 2007 4:37 pm. Post subject: Can't access some websites with new router
I'm using iptables with my new Gentoo router. Everything works, BUT for some odd reason a few websites are inaccessible, like myspace.com, space.com and hotmail.com, to name a few.
Any ideas?
HERE IS MY IPTABLES-SAVE:
Code:
```
# Generated by iptables-save v1.3.5 on Wed Apr 11 11:30:44 2007
*nat
:PREROUTING ACCEPT [24880:7890932]
:POSTROUTING ACCEPT [81:17940]
:OUTPUT ACCEPT [154:23016]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Wed Apr 11 11:30:44 2007
# Generated by iptables-save v1.3.5 on Wed Apr 11 11:30:44 2007
*filter
:INPUT ACCEPT [4912:5211308]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [29092:8531840]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i ! eth0 -p udp -m udp --dport 67 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i ! eth0 -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i ppp0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i ! eth0 -p tcp -m tcp --dport 0:1023 -j DROP
-A INPUT -i ! eth0 -p udp -m udp --dport 0:1023 -j DROP
-A FORWARD -d 192.168.0.0/255.255.0.0 -i eth0 -j DROP
-A FORWARD -s 192.168.0.0/255.255.0.0 -i eth0 -j ACCEPT
-A FORWARD -d 192.168.0.0/255.255.0.0 -i ppp0 -j ACCEPT
COMMIT
# Completed on Wed Apr 11 11:30:44 2007
```
I have flushed the table and used only -A POSTROUTING -o ppp0 -j MASQUERADE in the nat table, and still the same problem.
The server can lynx to any website, but anything behind the server cannot access the aforementioned sites (including others).
There does not seem to be a pattern to the sites the boxes behind the server can't reach, but it is constantly those sites only.
Help would be greatly appreciated, as this is a really annoying problem.
Guybrush (Tux's lil' helper)
Joined: 06 Feb 2003, Posts: 99, Location: 48°27'N, 11°8'O
Posted: Thu Apr 12, 2007 6:09 pm
It seems that you are connected to the internet via a PPPoE connection. Because of the protocol overhead of PPPoE (compared to a standard LAN connection), your MTU (max transfer unit) isn't 1500 bytes any longer. That means that a TCP packet can only carry 1492 bytes of data (and not 1500 bytes any longer). Some sites block ICMP Fragmentation Needed messages, and that is the reason why some sites work as expected and others don't. But there is a simple workaround for this. Just enter the following iptables rule as the first rule in the FORWARD chain:
Code:
```
iptables -I FORWARD -o ppp0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
```
Hope that solves your problem.
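To make the mechanism in the reply above concrete, here is an added illustration (not code from this thread, and not netfilter's own implementation) of what `-j TCPMSS --clamp-mss-to-pmtu` does to a forwarded SYN: it walks the TCP options, finds the MSS option and lowers it to MTU minus 40 bytes of IPv4 and TCP header, so a PPPoE MTU of 1492 yields an MSS of 1452 and no packet on the path ever needs an ICMP Fragmentation Needed message. The SYN header is constructed inline, and the TCP checksum fix-up that the real target performs is omitted.

```python
import struct

IPV4_HDR, TCP_HDR = 20, 20   # header sizes without options

def mss_for_mtu(mtu: int) -> int:
    """Largest TCP payload that fits one unfragmented IPv4 packet: MTU 1492 -> 1452."""
    return mtu - IPV4_HDR - TCP_HDR

def _options(opts: bytes):
    """Yield (offset, kind, length) per TCP option; stop at EOL or a malformed option."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                  # EOL
            return
        if kind == 1:                                  # NOP padding
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            return                                     # truncated or garbage: stop
        yield i, kind, opts[i + 1]
        i += opts[i + 1]

def read_mss(tcp_header: bytes):
    """MSS option (kind 2, length 4) of a TCP header, or None if there is none."""
    opts = tcp_header[TCP_HDR:(tcp_header[12] >> 4) * 4]
    for off, kind, length in _options(opts):
        if kind == 2 and length == 4:
            return struct.unpack_from("!H", opts, off + 2)[0]
    return None

def clamp_mss(tcp_header: bytes, mtu: int) -> bytes:
    """What TCPMSS --clamp-mss-to-pmtu does to a forwarded SYN: cap the MSS at mtu-40.
    Only SYNs carry MSS, hence the rule's --tcp-flags SYN,RST SYN match. The real
    target also fixes the TCP checksum; that needs the IP pseudo-header and is left out."""
    data_offset = (tcp_header[12] >> 4) * 4
    opts = bytearray(tcp_header[TCP_HDR:data_offset])
    limit = mss_for_mtu(mtu)
    for off, kind, length in _options(bytes(opts)):
        if kind == 2 and length == 4 and struct.unpack_from("!H", opts, off + 2)[0] > limit:
            struct.pack_into("!H", opts, off + 2, limit)
    return tcp_header[:TCP_HDR] + bytes(opts) + tcp_header[data_offset:]

def build_syn(mss: int) -> bytes:
    """Constructed sample SYN (not a capture): options MSS, NOP, NOP, SACK-permitted."""
    opts = struct.pack("!BBH", 2, 4, mss) + b"\x01\x01\x04\x02"
    words = (TCP_HDR + len(opts)) // 4                 # 28 bytes -> data offset 7
    fixed = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0, words << 4, 0x02, 65535, 0, 0)
    return fixed + opts
```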
dellcom1800 (n00b)
Joined: 24 Oct 2006, Posts: 3
Posted: Thu Apr 12, 2007 8:45 pm
THAT WAS IT! lol, thank you. And when I had to install TCPMSS in the kernel, its description was of exactly the problem I have, haha. Oh, good stuff.