Re: strange nat behaviour
Francois Gouget <firstname.lastname@example.org> writes:
> On Mon, 7 May 2001, Michel Decima wrote:
> > Hello everybody
> > I'm using a linux box with netfilter to masquerade my home LAN
> > and I have (very) strange behaviour with some web sites: They
> > are not reachable by the masqueraded workstation (but I can read
> > them from the firewall). After the browser says 'connected to X'
> > the connection stalls. I've checked the ECN feature, and it is
> > not compiled in the kernel.
> This looks like an MTU problem. You may want to try to lower the
> MTU on your workstation and see if it works better.
> I had the same problem here when I configured my desktop as a
> firewall. I could access some web sites but not others, ftp dir
> would work but not getting files, I could get some email but not
> all. I read that it was because I use both pppoe and masquerading
> (still ipchains here) because somewhere 8 bytes are added. Once I
> set the MTU on the masqueraded machines to 1492 (or 1460) it worked.
Alternatively, open up ICMP 3 both ways on your firewall. The
ipchains way of doing this is:
# ipchains: for -p icmp the "port" after -s is the ICMP type, so "3" is
# type 3 (destination unreachable), which carries "fragmentation needed".
# Inbound type 3 to the firewall's external address:
ipchains -A input -s any/0 3 -d $EXT_IP -i $EXT -p icmp -j ACCEPT
# Outbound type 3 from the firewall's external address:
ipchains -A output -s $EXT_IP 3 -d any/0 -i $EXT -p icmp -j ACCEPT
where EXT_IP is your external IP address, EXT is the external ethernet
device (eth0, eth1, whatever).
This allows normal TCP mechanisms to reduce the MTU automatically.
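As an added example (not part of the thread, and not ipchains or netfilter code), the script below decodes the ICMP message the reply above says a firewall must let through: type 3 ("destination unreachable"), and specifically code 4, "fragmentation needed and DF set", the one Path MTU Discovery depends on. It carries the next-hop MTU plus the IP header and first 8 bytes of the packet that was too big, which is enough to recover the TCP 4-tuple and check that the error belongs to a connection we actually have open, the test a stateful filter applies before accepting such an error. The sample packets, addresses, ports and all function names are constructed for the example; the 1492 MTU is the figure a PPPoE link (1500 minus 8 bytes of PPPoE overhead) yields, and the derived MSS of 1452 is 1492 minus the 40 bytes of IPv4 and TCP headers.

```python
"""Added example: parse ICMP type 3 / code 4 (fragmentation needed) and
relate it to an existing TCP flow. All packets here are constructed inline."""
import socket
import struct
from typing import Optional


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a correctly checksummed buffer."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int, df: bool = False) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    flags_frag = 0x4000 if df else 0          # DF bit is what makes PMTUD possible
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, flags_frag,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_frag_needed(router: str, orig_pkt: bytes, next_hop_mtu: int) -> bytes:
    """ICMP type 3 code 4 as a router would send it back to the sender of orig_pkt."""
    ihl = (orig_pkt[0] & 0x0F) * 4
    quoted = orig_pkt[:ihl + 8]               # original IP header + 8 bytes of its payload
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + quoted
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    orig_src = socket.inet_ntoa(orig_pkt[12:16])
    return build_ipv4_header(router, orig_src, socket.IPPROTO_ICMP, len(icmp)) + icmp


def parse_frag_needed(pkt: bytes) -> Optional[dict]:
    """Return the fields a firewall needs from an ICMP type 3 message, or None
    if the packet is not a well-formed, correctly checksummed type 3."""
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl + 8 + 28 or pkt[9] != socket.IPPROTO_ICMP:
        return None
    icmp = pkt[ihl:]
    if inet_checksum(icmp) != 0:              # corrupted or forged with a bad checksum
        return None
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type != 3:
        return None
    inner = icmp[8:]                          # the quoted offending packet
    inner_ihl = (inner[0] & 0x0F) * 4
    if len(inner) < inner_ihl + 8:
        return None
    info = {
        "code": code,
        "next_hop_mtu": mtu if code == 4 else None,   # only code 4 carries an MTU
        "inner_src": socket.inet_ntoa(inner[12:16]),
        "inner_dst": socket.inet_ntoa(inner[16:20]),
        "inner_proto": inner[9],
    }
    if inner[9] == socket.IPPROTO_TCP:        # 8 quoted payload bytes cover TCP ports + seq
        info["sport"], info["dport"] = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return info


def related_to_flow(info: dict, flows: set) -> bool:
    """What a stateful filter checks before accepting an ICMP error: the quoted
    packet must belong to a connection in the connection table."""
    return (info["inner_src"], info["inner_dst"], info.get("sport"), info.get("dport")) in flows


def mss_for_mtu(mtu: int) -> int:
    """Largest TCP segment that fits the MTU: IPv4 (20) + TCP (20) headers, no options."""
    return mtu - 20 - 20


# Constructed sample: a 1500-byte, DF-set HTTP request from a masqueraded LAN host
# that a 1492-byte PPPoE hop cannot forward; the router answers with type 3 code 4.
_tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0, 0x50, 0x18, 65535, 0, 0) + b"GET / HTTP/1.0\r\n"
SAMPLE_TCP = _tcp + b"\x00" * (1480 - len(_tcp))
SAMPLE_ORIGINAL = build_ipv4_header("192.168.1.10", "203.0.113.5", socket.IPPROTO_TCP,
                                    len(SAMPLE_TCP), df=True) + SAMPLE_TCP
SAMPLE_ICMP = build_frag_needed("198.51.100.1", SAMPLE_ORIGINAL, 1492)
SAMPLE_FLOWS = {("192.168.1.10", "203.0.113.5", 40000, 80)}

if __name__ == "__main__":
    info = parse_frag_needed(SAMPLE_ICMP)
    print(info, "related:", related_to_flow(info, SAMPLE_FLOWS),
          "mss:", mss_for_mtu(info["next_hop_mtu"]))
```

The firewall-side point: a blanket drop of ICMP discards exactly this message, so the sender keeps retransmitting 1500-byte segments with DF set and the connection stalls after the handshake, which is the symptom described at the top of the thread. Accepting type 3 only when its quoted packet matches a tracked flow (as above, and as netfilter's connection tracking does when you accept RELATED traffic) lets PMTUD work without opening the host to arbitrary unsolicited ICMP.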