Re: ip masquerading

To: debian-user@lists.debian.org
Subject: Re: ip masquerading
From: Yusuf <yusufad@myrealbox.com.DELME>
Date: Tue, 16 Nov 2004 03:11:38 -0600
Message-id: <[🔎] cncgbq$ijp$1@sea.gmane.org>
Reply-to: yusufad@myrealbox.com
In-reply-to: <[🔎] 10a06e6004111217544c9714de@mail.gmail.com>
References: <[🔎] 10a06e6004111019038248d6a@mail.gmail.com> <[🔎] 200411110757.02133.alan@chandlerfamily.org.uk> <[🔎] 20041111121420.GD2359@sungate.co.uk> <[🔎] 10a06e6004111217544c9714de@mail.gmail.com>

Your firewall rules look, uh, ugly, meaning, not meant for human eyes.You should try to isolate your problem from bottom to top:

Try a minimalistic firewall. Just for testing, of course, as this istotally insecure:


# Clear all rules
/sbin/iptables -F; /sbin/iptables -t nat -F; /sbin/iptables -t mangle -F

# Enable Masquerading
echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

If this solves your problems, then you should think about changingfirehol, making the firewall by hand (but with the great help offwbuilder), or (yuck!) trying to "debug" your current firehol rules.


They are messing with the maximum segment size:

YN tcpmss match 1400:1536 TCPMSS clamp to PMTU

trying to divide oversized packets to the maximum transmission unit.The MTU is traditionally a source of metaphysical and NAT troubles.

The problem could also probably come from your connection settings. Trydifferent connections. You are over "fiver"? Try a dial-up for a change.

DSL? Then maybee the aforementioned clamp is clashing with the oneprovided by pppoe. Check the config in/etc/ppp/providers/<your-config>. Watch for the syndrome of the RoaringPenguin: a few weeks ago my router suddenly stopped NATing, the onlyclue being an obscure cry in /var/log/messages:


Sep 24 19:45:48 severo pppd[1770]: Couldn't increase MTU to 1500

The dreaded MTU had again stroke! Well, more or less. The problemresulted from the inclusion of the rp-pppoe.so plugin in my DSL configafter an update of pppoeconf. Or so I believe.

Anyway, keep islolating the problem, using different frontends, configs,connections, machines, religions, whatever, until you corner it in itsobscure burrow, and then, and then...!

I have never recommended or performed a Linux reinstall becouse of"soft" troubles (except that time when the filesystem went on vacation),but there is always that option: partial or full reinstallation, quitelike in the ol' winbugs days. But much cleaner and quicker, of course.


Good luck.  You'll need it ;-)

Reply to:

Follow-Ups:
- Re: ip masquerading
  - From: Daniel Asarnow <dasarnow@gmail.com>

References:
- ip masquerading
  - From: Daniel Asarnow <dasarnow@gmail.com>
- Re: ip masquerading
  - From: Alan Chandler <alan@chandlerfamily.org.uk>
- Re: ip masquerading
  - From: Dave Ewart <davee@sungate.co.uk>
- Re: ip masquerading
  - From: Daniel Asarnow <dasarnow@gmail.com>

Prev by Date: scanimage: Error during device I/O
Next by Date: Re: apt .v. aptitude (was Re: how to remove exim4 without removing mysql-server?)
Previous by thread: Re: ip masquerading
Next by thread: Re: ip masquerading
Index(es):
- Date
- Thread