
Re: strange nat behaviour



Francois Gouget <fgouget@free.fr> writes:

> On Mon, 7 May 2001, Michel Decima wrote:
> 
> > Hello everybody
> > 
> > I'm using a linux box with netfilter to masquerade my home LAN
> > and I have (very) strange behaviour with some web sites: They
> > are not reachable by the masqueraded workstation (but I can read
> > them from the firewall). After the browser says 'connected to X'
> > the connection stalls. I've checked the ECN feature, and it is
> > not compiled in the kernel.
> 
>    This looks like an MTU problem. You may want to try to lower the
> MTU on your workstation and see if it works better.
> 
>    I had the same problem here when I configured my desktop as a
> firewall. I could access some web sites but not others, ftp dir
> would work but not getting files, I could get some email but not
> all. I read that it was because I use both pppoe and masquerading
> (still ipchains here) because somewhere 8 bytes are added. Once I
> set the MTU on the masqueraded machines to 1492 (or 1460) it worked
> fine.

Alternatively, open up ICMP 3 both ways on your firewall.  The
ipchains way of doing this is:

ipchains -A input -s any/0 3 -d $EXT_IP -i $EXT -p icmp -j ACCEPT
ipchains -A output -s $EXT_IP 3 -d any/0 -i $EXT -p icmp -j ACCEPT

where EXT_IP is your external IP address, EXT is the external ethernet
device (eth0, eth1, whatever).

This allows normal TCP mechanisms to reduce the MTU automatically.


-- 
matt
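As an added illustration that is not part of the list message, the following Python script models the path-MTU discovery exchange matt's advice relies on: a router drops an oversized DF-set datagram and answers with ICMP type 3 code 4 carrying the next-hop MTU (RFC 792/1191 layout), and the sending host lowers its MTU only if that ICMP reaches it. The 1500/1492 figures are the PPPoE case from the quoted mail; the host/link simulation and the datagram bytes are constructed, not captured traffic.

```python
import struct

IP_HDR = 20  # bytes of IPv4 header echoed back inside the ICMP error

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (zero on a valid packet)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_frag_needed(next_hop_mtu: int, dropped: bytes) -> bytes:
    """Constructed ICMPv4 Destination Unreachable, code 4 (Fragmentation
    Needed and DF set): type, code, checksum, unused, next-hop MTU, then
    the dropped datagram's IP header plus its first 8 bytes."""
    body = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + dropped[:IP_HDR + 8]
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

def parse_frag_needed(msg: bytes):
    """Return the advertised next-hop MTU if msg is a well-formed ICMP
    type 3 / code 4 message with a correct checksum, else None."""
    if len(msg) < 8 or inet_checksum(msg) != 0:
        return None
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    if icmp_type != 3 or code != 4:
        return None
    return mtu

def simulate_transfer(host_mtu: int, link_mtu: int, icmp_allowed: bool, tries: int = 5):
    """Model a host sending DF-set segments of host_mtu bytes through a link
    of link_mtu bytes (e.g. 1500 into a 1492-byte PPPoE link). Returns
    (mtu the host settled on, whether the data got through)."""
    mtu = host_mtu
    for _ in range(tries):
        if mtu <= link_mtu:
            return mtu, True
        # The router drops the oversized datagram and answers with ICMP 3/4.
        icmp = build_frag_needed(link_mtu, bytes(mtu))  # constructed datagram
        if not icmp_allowed:
            continue  # firewall eats the ICMP: host retransmits at the same size
        new_mtu = parse_frag_needed(icmp)
        if new_mtu:
            mtu = new_mtu
    return mtu, False  # stalled: every retry was dropped silently
```

With the ICMP admitted, the host drops from 1500 to 1492 after one round trip; with it filtered, the same segment is retransmitted until the tries run out, which is the stall the original poster described.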


