
Re: NAT and IPTABLES problem. I SOLVED My problem, thanks for all the help provided.



On Thu, Apr 03, 2008 at 04:59:26AM -0700, chindea mihai wrote:
> Well, all I had to do was increase the Time to Live on PREROUTING, so that the firewall is able to forward the packet.
> This little baby did the job.
> iptables -t mangle -A PREROUTING -i eth1 -j TTL --ttl-inc 1
You don't normally need to do this. You might want to talk to your ISP
and ask them why they do it, or ask on one of the user forums to see if
they have the same problem.

Something else to consider as well is maybe to install squid on the
firewall.
> 
> Many Thanks Again
> Mihai
> 
> ----- Original Message ----
> From: chindea mihai <misubs24@yahoo.com>
> To: Bonnel Christophe <mage.tophinus@free.fr>
> Cc: debian-amd64@lists.debian.org
> Sent: Thursday, April 3, 2008 8:24:51 AM
> Subject: Re: Fw: NAT and IPTABLES problem
> 
> Hi
> 
> I usually used the host name: ping yahoo.com. But the translation between hostname and host address seems to work fine. And yeah, the DNS server for the subnet is my gateway.
> I did reboot my gateway a couple of times, and it didn't make any difference.
> My laptop has Debian Lenny installed, and windows, but I'm usually using linux.
> I don't know what this "ifconfig mtu 1450" was supposed to do, but it's not working. I mean, it's kind of obvious that it's not working, because I have no device with that name, and that's exactly the error encountered:
> 
> work:/#ifconfig mtu  1450 
>  SIOCSIFADDR: no such device
>  mtu: ERROR while getting interface flags: No such device
> work:/#
>  
> I tried those commands and verified with cat. They seem to succeed, but unfortunately there is no result: same problem, ping isn't working.
> 
> Now, by mistake I tried to ping the gateway provided by my ISP from my laptop, and it's working. I mean, I get the reply on my laptop. I may be wrong, but I guess iptables messes up the ports; of course, I couldn't figure out why.
> 
> Mihai,
> 
> ----- Original Message ----
> From: Bonnel Christophe <mage.tophinus@free.fr>
> To: chindea mihai <misubs24@yahoo.com>
> Cc: debian-amd64@lists.debian.org
> Sent: Wednesday, April 2, 2008 6:31:20 PM
> Subject: Re: Fw: NAT and IPTABLES problem
> 
> What kind of ping do you use? ping www.yahoo.com or ping 216.109.112.135?
> If you ping www.yahoo.com, I think the DNS server is your gateway, isn't it?
> 
> Ok, so your vmware is installed on your gateway. It may not use your 
> debian as gateway and go directly through your eth2 interface ....
> 
> It doesn't seem that the problem comes from the iptables or kernel 
> version...
> 
> Did you reboot your gateway at least once since the problem started?
> 
> 
> It becomes very difficult. I hope (and assume) your laptop is linux 
> too... Can you try this on your laptop:
> 
> ifconfig mtu 1450
> echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
> echo "0" > /proc/sys/net/ipv4/tcp_ecn
> (verify the values with "cat" and "ifconfig" commands)
> 
> And now try to ping and give us the result. Does it work or not?
> 
> Christophe
> 
> 
> chindea mihai wrote:
> > Hi,
> >
> > After restarting iptables:
> >
> > /etc/network# iptables -t filter -L FORWARD -v -n
> > Chain FORWARD (policy DROP 0 packets, 0 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >    20  1032 ACCEPT     0    --  eth2   eth1    192.168.5.0/24       0.0.0.0/0
> >     0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
> >     0     0 LOG        0    --  *      eth1    0.0.0.0/0            192.168.5.0/24      LOG flags 0 level 4
> >     0     0 DROP       0    --  *      eth1    0.0.0.0/0            192.168.5.0/24
> >     0     0 LOG        0    --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4
> >     0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0
> > /etc/network#
> >
> > /etc/network# iptables -t nat -L POSTROUTING -v -n
> > Chain POSTROUTING (policy ACCEPT 51 packets, 2847 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >    16   888 MASQUERADE  0    --  *      eth1    192.168.5.0/24       0.0.0.0/0
> > /etc/network#
> >                            
> > After adding those two rules:
> >
> > General forward : IN=eth2 OUT=eth1 SRC=192.168.5.10 DST=216.109.112.135 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=234 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=12
> > General forward : IN=eth2 OUT=eth1 SRC=192.168.5.10 DST=216.109.112.135 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=235 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=13
> > General forward : IN=eth2 OUT=eth1 SRC=192.168.5.10 DST=216.109.112.135 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=236 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=14
> > General forward : IN=eth2 OUT=eth1 SRC=192.168.5.10 DST=216.109.112.135 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=237 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=15
> >     So you were right...
> >
> > The rest of the information:
> >     /etc/network# iptables --version
> >     iptables v1.3.6
> >     /etc/network# uname -r
> >     2.6.18-6-amd64
> >
> > About VMware, I suppose you're thinking of VMware ESX Server, because 
> > that is OS independent. I'm using VMware Workstation, which is 
> > installed over Debian, but as Alex said, VMware has its own network 
> > modules. Ping attempts from a guest OS are working fine.
> >
> > Thanks,
> > Mihai
-- 
"I'm so pleased to be able to say hello to Bill Scranton. He's one of the great Pennsylvania political families."

	- George W. Bush
09/15/2003
Drexel Hill, Penn.
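
An added example, not part of the original thread: a check to run before resorting to the `--ttl-inc` rule quoted above, counting logged packets that arrive on an interface with a TTL of 1 or less, which a Linux router drops instead of forwarding. The log lines are constructed in the LOG format shown in the thread; the `eth1` entries, the `Pre :` prefix, the 203.0.113.7 and 198.51.100.20 addresses and the function names are assumptions.

```shell
#!/bin/sh
# Constructed sample in the netfilter LOG format shown in the thread.
# The eth1 lines (prefix "Pre :", addresses, TTL values) are assumptions:
# what a LOG rule placed in mangle PREROUTING might record on the WAN side.
sample_log() {
cat <<'EOF'
General forward : IN=eth2 OUT=eth1 SRC=192.168.5.10 DST=216.109.112.135 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=234 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=12
General forward : IN=eth2 OUT=eth1 SRC=192.168.5.10 DST=216.109.112.135 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=235 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=13
Pre : IN=eth1 OUT= SRC=216.109.112.135 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=1 ID=9001 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=12
Pre : IN=eth1 OUT= SRC=216.109.112.135 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=1 ID=9002 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=13
Pre : IN=eth1 OUT= SRC=198.51.100.20 DST=203.0.113.7 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=9003 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
EOF
}

# Read LOG lines on stdin and print, for one inbound interface, how many
# packets were seen and how many carried TTL <= 1 (they expire on forwarding).
ttl_report() {
    awk -v ifc="$1" '
    {
        in_if = ""; ttl = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^IN=/)  in_if = substr($i, 4)
            if ($i ~ /^TTL=/) ttl = substr($i, 5)
        }
        # Skip other interfaces and lines without a TTL field.
        if (in_if != ifc || ttl == "") next
        total++
        if (ttl + 0 <= 1) low++
    }
    END { printf "%s total=%d ttl_le_1=%d\n", ifc, total, low }
    '
}

# Exit status 0 when at least one packet on the interface would expire
# on forwarding, i.e. when TTL is a plausible cause of the broken NAT.
ttl_blocks_forwarding() {
    ttl_report "$1" | grep -qv 'ttl_le_1=0$'
}

sample_log | ttl_report eth1
sample_log | ttl_report eth2
```

If the WAN-side count is zero, TTL is not the cause and the mangle rule is unnecessary; the iptables documentation warns against ever incrementing TTL on packets that leave the local network, since that can keep a routing loop alive.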
