
Re: Fw: Fw: NAT and IPTABLES problem OK this is SO WEIRD



On Thu, Apr 03, 2008 at 02:21:34AM -0700, chindea mihai wrote:
> Hi
> There's something interesting going on.... Apparently I can browse anything from my laptop, or any PC in the subnet, as long as it's from Romania, but nothing outside.
I can't explain why Romania only, but (as I pointed out earlier) the
reply packets from yahoo.com had a TTL of 1; they were never going to
make it to any machine past the firewall.
> Does anyone have any idea why I can browse anything on the PC which is the gateway for the subnet, while PCs from the subnet can browse only web pages in Romania? And yet the VMware network modules manage to establish a perfect connection. So wtf is the problem.... I'm running out of resources.
VMware works (I presume because it is running on the firewall machine);
it has no hops to the internet.

I am guessing if you tried to browse to say bb.co.uk from a box on the
inside and did a tcpdump on external interface you would see the reply
packets coming back but with a ttl of 1.

this could be some sort of crude way to stop you having more than 1 PC
behind the internet connection.

another way to test this is with iptables:

  TTL
       This is used to modify the IPv4 TTL header field. The TTL field
       determines how many hops (routers) a packet can traverse until its
       time to live is exceeded.

       Setting or incrementing the TTL field can potentially be very
       dangerous, so it should be avoided at any cost.

       Don't ever set or increment the value on packets that leave your
       local network!
       mangle table.

       --ttl-set value
              Set the TTL value to `value'.

       --ttl-dec value
              Decrement the TTL value `value' times.

       --ttl-inc value
              Increment the TTL value `value' times.


try this 

iptables -t mangle -I PREROUTING -i eth1  -j TTL --ttl-set 10

this should bump up the TTLs of any packet coming in from the
internet (eth1) to 10; this will allow for 9 more packet hops!

Alex

> 
> Many Thanks
> Mihai
> 
> ----- Forwarded Message ----
> From: Bonnel Christophe <mage.tophinus@free.fr>
> To: chindea mihai <misubs24@yahoo.com>
> Cc: debian-amd64@lists.debian.org
> Sent: Wednesday, April 2, 2008 6:31:20 PM
> Subject: Re: Fw: NAT and IPTABLES problem
> 
> What kind of ping do you use? ping www.yahoo.com or ping 216.109.112.135?
> If you ping www.yahoo.com, I think the DNS server is your gateway, isn't it?
> 
> Ok, so your vmware is installed on your gateway. It may not use your
> Debian as gateway and go directly through your eth2 interface....
> 
> It doesn't seem that the problem comes from the iptables or kernel
> version...
> 
> Did you reboot your gateway at least once since the problem started?
> 
> 
> It becomes very difficult. I hope (and assume) your laptop is Linux
> too... Can you try this on your laptop:
> 
> ifconfig mtu 1450
> echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
> echo "0" > /proc/sys/net/ipv4/tcp_ecn
> (verify the values with the "cat" and "ifconfig" commands)
> 
> And now try to ping and give us the result. Does it work or not?
> 
> Christophe
> 
> 
> chindea mihai wrote:
> > Hi,
> >
> > After restarting iptables:
> >
> > /etc/network# iptables -t filter -L FORWARD -v -n
> > Chain FORWARD (policy DROP 0 packets, 0 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >    20  1032 ACCEPT     0    --  eth2   eth1    192.168.5.0/24       0.0.0.0/0
> >     0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
> >     0     0 LOG        0    --  *      eth1    0.0.0.0/0            192.168.5.0/24      LOG flags 0 level 4
> >     0     0 DROP       0    --  *      eth1    0.0.0.0/0            192.168.5.0/24
> >     0     0 LOG        0    --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4
> >     0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0
> > /etc/network#
> >
> > /etc/network# iptables -t nat -L POSTROUTING -v -n
> > Chain POSTROUTING (policy ACCEPT 51 packets, 2847 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >    16   888 MASQUERADE  0    --  *      eth1    192.168.5.0/24       0.0.0.0/0
> > /etc/network#
> >
> > After adding those two rules:
> >
> > General forward : IN=eth2 OUT=eth1 SRC=192.168.5.10 DST=216.109.112.135 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=234 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=12
> > General forward : IN=eth2 OUT=eth1 SRC=192.168.5.10 DST=216.109.112.135 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=235 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=13
> > General forward : IN=eth2 OUT=eth1 SRC=192.168.5.10 DST=216.109.112.135 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=236 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=14
> > General forward : IN=eth2 OUT=eth1 SRC=192.168.5.10 DST=216.109.112.135 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=237 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=15
> >     So you were right...
> >
> > The rest of the information:
> >     /etc/network# iptables --version
> >     iptables v1.3.6
> >     /etc/network# uname -r
> >     2.6.18-6-amd64
> >
> > About VMware, I suppose you're thinking of VMware ESX Server, because
> > that is OS independent. I'm using VMware Workstation, which is
> > installed over Debian, but as Alex said, VMware has its own network
> > modules. Ping attempts from a guest OS work fine.
> >
> > Thanks,
> > Mihai
> 
-- 
"We want our teachers to be trained so they can meet the obligations, their obligations as teachers. We want them to know how to teach the science of reading. In order to make sure there's not this kind of federal -- federal cufflink."

	- George W. Bush
03/30/2000
Fritsche Middle School, Milwaukee
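The diagnosis in Alex's reply (replies arriving at the gateway with TTL=1 can never be forwarded to the LAN) and the effect of the suggested `-j TTL --ttl-set 10` rule, shown as an added example that is not part of the thread. It parses kernel LOG lines in the format Mihai pasted; the log lines, addresses and prefixes below are constructed for the example, and "eth1" is assumed to be the Internet-facing interface as in the thread.

```python
"""Spot netfilter LOG entries whose TTL cannot survive being forwarded.

Forwarding costs one hop, so a reply reaching the NAT gateway with TTL=1 is
dropped before it reaches any LAN host; `-j TTL --ttl-set N` in the mangle
PREROUTING chain rewrites the field first, leaving N-1 hops for the LAN."""
import re

# Constructed sample lines in the kernel LOG target format. The addresses,
# IDs and log prefixes are made up; eth1 is the Internet-facing interface.
SAMPLE_LOG = """\
General forward : IN=eth2 OUT=eth1 SRC=192.168.5.10 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=234 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=12
Reply in : IN=eth1 OUT=eth2 SRC=203.0.113.7 DST=192.168.5.10 LEN=60 TOS=0x00 PREC=0x00 TTL=1 ID=501 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=12
Reply in : IN=eth1 OUT=eth2 SRC=198.51.100.9 DST=192.168.5.10 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=77 PROTO=TCP SPT=80 DPT=40012 WINDOW=65535 RES=0x00 ACK SYN URGP=0
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_log_line(line):
    """Split a LOG line into KEY=value fields; the first occurrence of a key
    wins, so ID= is the IP header ID and not the later ICMP ID."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields.setdefault(key, value)
    return fields


def hops_after_forward(ttl):
    """Hops a packet can still travel once this gateway has forwarded it;
    forwarding itself costs one, so 0 or less means it is dropped here."""
    return ttl - 1


def would_forward(ttl, ttl_set=None):
    """True if a packet arriving with `ttl` survives forwarding. `ttl_set`
    models `--ttl-set` having been applied in mangle PREROUTING first."""
    effective = ttl if ttl_set is None else ttl_set
    return hops_after_forward(effective) >= 1


def undeliverable_replies(log_text, wan_if="eth1"):
    """Return (src, dst, ttl) for packets that came in on wan_if, had to be
    forwarded to the LAN (OUT set), but arrived with too little TTL."""
    flagged = []
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f.get("IN") != wan_if or not f.get("OUT"):
            continue  # locally delivered or LAN-originated traffic
        ttl = int(f["TTL"])
        if not would_forward(ttl):
            flagged.append((f["SRC"], f["DST"], ttl))
    return flagged
```

A hit from `undeliverable_replies` on the external interface is the tcpdump observation Alex describes, and `would_forward(1, ttl_set=10)` shows why the mangle rule makes the same packet deliverable.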
