Re: ip masquerading
Thanks for the advice. It looks like I'll be at this for a while...if
I can't make any headway with it, I'll ask for more help
Thanks again,
da
On Tue, 16 Nov 2004 03:11:38 -0600, Yusuf <yusufad@myrealbox.com.delme> wrote:
> Your firewall rules look, uh, ugly, meaning, not meant for human eyes.
> You should try to isolate your problem from bottom to top:
>
> Try a minimalistic firewall. Just for testing, of course, as this is
> totally insecure:
>
> # Clear all rules
> /sbin/iptables -F; /sbin/iptables -t nat -F; /sbin/iptables -t mangle -F
>
> # Enable Masquerading
> echo 1 > /proc/sys/net/ipv4/ip_forward
> /sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>
> If this solves your problems, then you should think about changing
> firehol, making the firewall by hand (but with the great help of
> fwbuilder), or (yuck!) trying to "debug" your current firehol rules.
>
> They are messing with the maximum segment size:
>
> YN tcpmss match 1400:1536 TCPMSS clamp to PMTU
>
> trying to divide oversized packets to the maximum transmission unit.
> The MTU is traditionally a source of metaphysical and NAT troubles.
>
> The problem could also probably come from your connection settings. Try
> different connections. You are over "fiver"? Try a dial-up for a change.
>
> DSL? Then maybe the aforementioned clamp is clashing with the one
> provided by pppoe. Check the config in
> /etc/ppp/providers/<your-config>. Watch for the syndrome of the Roaring
> Penguin: a few weeks ago my router suddenly stopped NATing, the only
> clue being an obscure cry in /var/log/messages:
>
> Sep 24 19:45:48 severo pppd[1770]: Couldn't increase MTU to 1500
>
> The dreaded MTU had struck again! Well, more or less. The problem
> resulted from the inclusion of the rp-pppoe.so plugin in my DSL config
> after an update of pppoeconf. Or so I believe.
>
> Anyway, keep isolating the problem, using different frontends, configs,
> connections, machines, religions, whatever, until you corner it in its
> obscure burrow, and then, and then...!
>
> I have never recommended or performed a Linux reinstall because of
> "soft" troubles (except that time when the filesystem went on vacation),
> but there is always that option: partial or full reinstallation, quite
> like in the ol' winbugs days. But much cleaner and quicker, of course.
>
> Good luck. You'll need it ;-)
>
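The checks suggested in the quoted message, as an added example that is not part of the original thread: a small audit over `iptables-save` text and pppd log lines. The function names and the sample ruleset are assumptions constructed for illustration; the log line is the one quoted above.

```shell
#!/bin/sh
# Added example, not from the thread. Reads iptables-save text on stdin and
# reports whether MASQUERADE is present on the WAN interface and which
# TCPMSS clamp rules touch forwarded traffic (hypothetical helper names).

audit_nat_rules() {
    wan="$1"                        # outbound interface, e.g. ppp0
    rules=$(cat)
    rc=0

    if printf '%s\n' "$rules" |
        grep -Eq -- "^-A POSTROUTING( .*)? -o $wan( .*)? -j MASQUERADE"; then
        echo "masquerade=$wan"
    else
        echo "masquerade=missing"
        rc=1
    fi

    # Every FORWARD rule that rewrites the MSS; more than one, or one on top
    # of a clamp done by the PPPoE client, is worth a closer look.
    clamps=$(printf '%s\n' "$rules" | grep -E -- '^-A FORWARD .*-j TCPMSS' || true)
    n=$(printf '%s' "$clamps" | grep -c . || true)
    echo "tcpmss_rules=$n"

    # Show the MSS range a clamp rule is restricted to, if any.
    printf '%s\n' "$clamps" | sed -n 's/.*--mss \([0-9:]*\).*/mss_match=\1/p'
    return $rc
}

# Count pppd MTU complaints of the kind quoted in the thread (log on stdin).
pppd_mtu_errors() {
    grep -Ec "pppd\[[0-9]+\]: Couldn't increase MTU" || true
}

# Constructed sample ruleset in iptables-save format (not the poster's rules).
SAMPLE_RULES='*nat
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
*filter
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu
COMMIT'
# Log line as quoted in the message above.
SAMPLE_LOG="Sep 24 19:45:48 severo pppd[1770]: Couldn't increase MTU to 1500"

printf '%s\n' "$SAMPLE_RULES" | audit_nat_rules ppp0
echo "pppd_mtu_errors=$(printf '%s\n' "$SAMPLE_LOG" | pppd_mtu_errors)"
```

On a live router, feed it `iptables-save` output and the system log instead of the sample variables.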