slomo (n00b), Joined: 10 Jan 2004, Posts: 27
Posted: Mon Oct 29, 2007 7:06 pm, Post subject: networking behind firewall
I'm having some problems with networking behind a firewall, running firehol.
firehol runs on the gateway/router with no problems; any computer, including this one, is able to access the net and display web pages.
The problem I'm encountering is my wife's laptop, or any computer except this one. She has a Yahoo mail account; she is able to get to the login page, but then when she goes to the inbox, the dreaded "unable to display web page" error pops up. I am able to access hers and my Yahoo mail accounts from this box. If I connect her laptop directly to the DSL modem, she can connect just fine.
So I believe that something within firehol/iptables is not correctly forwarding some traffic.
I have posted iptables -L at:
http://pastebin.com/m7c7933e4
firehol.conf below:
```sh
FIREHOL_LOG_MODE="ULOG"

interface eth0 interface1 src "192.168.2.0/24" dst 192.168.2.1
    policy drop
    server ICMP accept
    server cups accept
    server dhcp accept
    server dns accept
    server ms_ds accept
    server ntp accept
    server samba accept
    client all accept

interface eth1 interface2 src "192.168.2.0/24" dst 192.168.2.2
    policy drop
    server ICMP accept
    server cups accept
    server dhcp accept
    server dns accept
    server ms_ds accept
    server ntp accept
    server samba accept
    client all accept

interface ppp0 interface3 src not "${UNROUTABLE_IPS} "
    policy drop
    protection strong
    server ntp accept
    client all accept

# Router No 1.
router router1 inface eth0 outface eth1 src "192.168.2.0/24" dst "192.168.2.0/24"
    masquerade
    route all accept

# Router No 2.
router router2 inface eth0 outface ppp0 src "192.168.2.0/24" dst not "${UNROUTABLE_IPS} "
    masquerade
    route all accept

# Router No 3.
router router3 inface eth1 outface eth0 src "192.168.2.0/24" dst "192.168.2.0/24"
    masquerade
    route all accept

# Router No 4.
router router4 inface eth1 outface ppp0 src "192.168.2.0/24" dst not "${UNROUTABLE_IPS} "
    masquerade
    route all accept

# Router No 5.
router router5 inface ppp0 outface eth0 src not "${UNROUTABLE_IPS} " dst "192.168.2.0/24"
    masquerade
    route all accept

# Router No 6.
router router6 inface ppp0 outface eth1 src not "${UNROUTABLE_IPS} " dst "192.168.2.0/24"
    masquerade
    route all accept
```
If some knowledgeable person would be kind enough to point me in the correct direction, I would be grateful.
Thanks, Jerry
aka slomo
gerdesj (l33t), Joined: 29 Sep 2005, Posts: 622, Location: Yeovil, Somerset, UK
Posted: Mon Oct 29, 2007 10:30 pm
Quote:
> any computer, including this one, is able to access the net and display web pages.
> The problem I'm encountering is my wife's laptop, or any computer except this one,
I'm a little confused here!
Is "this one" the router?
Are all computers, including the router, able to access the web apart from your wife's laptop?
Some thoughts (I'm afraid I know nothing about Firehol and can't be bothered to read its docs):
You have a ULOG target, so if you have ulogd running you should get some logs which will show what is happening when her laptop approaches Yahoo.
Now if you are able to get from her laptop to all the web apart from Yahoo, then something else could be the problem. Do you have Squid or something acting as a proxy?
slomo (n00b), Joined: 10 Jan 2004, Posts: 27
Posted: Tue Oct 30, 2007 1:23 am
This computer, bluestreak, is able to connect to Yahoo and access any email accounts without problem.
bluestreak is a router/firewall connected to the net via a DSL modem, running firehol.
Other computers are connected to bluestreak via a 4-port Ethernet hub.
Other computers are able to surf the net with no problems.
Other computers cannot log in to Yahoo mail; the OS does not seem to matter, I've tried several LiveCDs.
There are no proxies on bluestreak.
Thanks,
jerry
Hu (Administrator), Joined: 06 Mar 2007, Posts: 23082
Posted: Tue Oct 30, 2007 3:05 am
When posting iptables rules, the output from iptables-save -c is more desirable, since it shows all tables at once and includes counter information, which can indicate whether rules are being missed.
What exactly happens when you try to log in to the Yahoo mail? You said your wife's computer gives "page cannot be displayed," but that can be caused by a variety of factors. Try emerging net-analyzer/tcpdump on bluestreak and have it monitor the login attempt. Run it as tcpdump -i any -n -v. If you do not see anything unusual in the output, post it here for us to examine. Be careful not to include passwords in the output. I do not expect Yahoo would transmit passwords cleartext, but check to be sure.
slomo (n00b), Joined: 10 Jan 2004, Posts: 27
Hu (Administrator), Joined: 06 Mar 2007, Posts: 23082
Posted: Wed Oct 31, 2007 3:39 am
That tcpdump is extremely noisy. What were you running while it was capturing?
Based on your use of PPP and the symptom described, I am going to guess that this is an MTU problem. Try adding a rule to the mangle table to clamp the MSS: iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu. See man iptables in the section for the TCPMSS target for an explanation of what this does.
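The following is an added worked example, not code from this thread, from firehol or from netfilter, showing what the TCPMSS rule above does to a single forwarded SYN. It builds a TCP SYN advertising the usual Ethernet MSS of 1460, then rewrites the MSS option the way `--clamp-mss-to-pmtu` would on a router whose outgoing PPPoE link has an MTU of 1492 (1500 minus 8 bytes of PPPoE/PPP framing), recomputing the TCP checksum so the patched segment stays valid. All addresses and the PMTU value are constructed for the example; in the kernel the PMTU comes from the route, and newer kernels also insert an MSS option when one is missing, which this simplified version does not do.

```python
"""Illustration of `-p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu`.
Constructed example: builds an IPv4 TCP SYN with an MSS option and clamps it."""
import struct

IPV4_HDR_LEN = 20
TCP_HDR_LEN = 20                     # TCP header without options
FLAG_SYN, FLAG_RST = 0x02, 0x04
OPT_END, OPT_NOP, OPT_MSS = 0, 1, 2


def mss_for_mtu(mtu):
    """Largest TCP payload that fits one packet on a link with this MTU
    (MTU minus the IPv4 and TCP base headers); the value the kernel clamps to."""
    return mtu - IPV4_HDR_LEN - TCP_HDR_LEN


def _inet_checksum(data):
    """Ones' complement Internet checksum (RFC 1071) over data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src, dst, segment):
    """TCP checksum over the IPv4 pseudo-header and the segment, with the
    segment's own checksum field treated as zero."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return _inet_checksum(pseudo + zeroed)


def verify_checksum(src, dst, segment):
    """True if the checksum embedded in the segment is correct."""
    return struct.unpack_from("!H", segment, 16)[0] == tcp_checksum(src, dst, segment)


def _with_checksum(src, dst, segment):
    return segment[:16] + struct.pack("!H", tcp_checksum(src, dst, segment)) + segment[18:]


def build_syn(src, dst, sport, dport, mss):
    """Construct a minimal TCP SYN (no IP header) advertising the given MSS."""
    options = struct.pack("!BBH", OPT_MSS, 4, mss)
    data_offset = (TCP_HDR_LEN + len(options)) // 4      # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0,
                         data_offset << 4, FLAG_SYN, 65535, 0, 0)
    return _with_checksum(src, dst, header + options)


def parse_mss(segment):
    """Walk the TCP options; return (offset, mss) of the MSS option, else (None, None)."""
    hdr_len = (segment[12] >> 4) * 4
    i = TCP_HDR_LEN
    while i < hdr_len:
        kind = segment[i]
        if kind == OPT_END:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= hdr_len:
            break                                         # truncated option
        length = segment[i + 1]
        if length < 2 or i + length > hdr_len:
            break                                         # malformed option
        if kind == OPT_MSS and length == 4:
            return i, struct.unpack_from("!H", segment, i + 2)[0]
        i += length
    return None, None


def clamp_mss_to_pmtu(src, dst, segment, pmtu):
    """Apply the rule's effect to one segment.
    Returns (possibly rewritten segment, resulting MSS or None if the rule did not match)."""
    flags = segment[13]
    if (flags & (FLAG_SYN | FLAG_RST)) != FLAG_SYN:
        return segment, None                              # not a SYN, or a SYN+RST: rule does not match
    offset, mss = parse_mss(segment)
    limit = mss_for_mtu(pmtu)
    if offset is None or mss <= limit:
        return segment, mss                               # nothing to clamp
    patched = segment[:offset + 2] + struct.pack("!H", limit) + segment[offset + 4:]
    return _with_checksum(src, dst, patched), limit


def demo():
    """Constructed scenario from the thread: a LAN host behind a PPPoE uplink."""
    lan_host = bytes([192, 168, 2, 10])                   # constructed address in the poster's 192.168.2.0/24
    mail_server = bytes([198, 51, 100, 7])                # constructed TEST-NET-2 address
    syn = build_syn(lan_host, mail_server, 40000, 80, 1460)   # 1460 = MSS for a 1500-byte Ethernet MTU
    pppoe_mtu = 1492                                      # assumed: 1500 minus 8 bytes PPPoE/PPP framing
    clamped, new_mss = clamp_mss_to_pmtu(lan_host, mail_server, syn, pppoe_mtu)
    return parse_mss(syn)[1], new_mss, verify_checksum(lan_host, mail_server, clamped)


if __name__ == "__main__":
    old, new, ok = demo()
    print("MSS %d -> %d, checksum valid: %s" % (old, new, ok))
```

Running it reports the MSS dropping from 1460 to 1452 on the clamped SYN. The rule only touches SYNs without RST, which is why the `--tcp-flags SYN,RST SYN` match is part of the recipe: the MSS option is only legal on SYN segments, so that is the single place the path MTU can be communicated to both endpoints before any full-size data segment is sent.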
slomo (n00b), Joined: 10 Jan 2004, Posts: 27
Posted: Thu Nov 01, 2007 6:28 pm
OK, finally had some time for further troubleshooting.
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu resulted in:
iptables: No chain/target/match by that name
firehol docs suggest putting "tcpmss auto" at the top of the config file; that errors with a line number matching the tcpmss auto line in the config.
Continuing to look for a solution, I ended up changing pppoe.conf to (the CLAMPMSS=1412 line was uncommented before):
```sh
#CLAMPMSS=1412
CLAMPMSS=no
```
and /etc/conf.d/net, commenting out both of these lines:
```sh
# "mru 1460"
# "mtu 1460"
```
This now seems to work, but you can bet I'll be on the lookout for any problems.
If there are no problems over the next few days, I'll add solved to the title.
Thank you for all the assistance.
Jerry
mastermind456 (n00b), Joined: 09 Aug 2005, Posts: 10
Posted: Thu Jan 03, 2008 10:34 am
I ran into a similar problem with my home network.
My ISP's (Comcast) DHCP server was returning an MTU of 576 to my Gentoo router: good for dial-up, crap for anything else. Any Linux machine behind the router would work fine; however, WinXP/2003 simply refused to fragment below ~590.
Manually setting an MTU of 1500 in /etc/conf.d/net solved the problem.