[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ping packet loss when size gt 1500

Adam Hardy on 19/10/10 23:16, wrote:
My version of traceroute also has the --mtu option, which tries to
determine the MTU for the route being traced. It looks perhaps like the
firewall for interactivebrokers (IP *may* be blocking too
many ICMP control message types - including the MTU/Fragment messages.

The problem is, it doesn't look good from their point of view. I have a problem but their other 150,000 customers don't. I have a manually configured gateway, iptables firewall and all - their other 150,000 customers use mostly windows, although there are an unknown number of linux users out there - it's a java app.

I have so far only a couple of things to go on - communication with their server shows inexplicable MTU behaviour, and there is a weak link on the British Telecom part of the traceroute.

All tests on my LAN show that I am running normally though. I've tested my mtu size, my firewall, my DHCP, my DNS (now using OpenDNS).

Just remembered that my DSL modem has some dumb iptables firewall with the following rules:

Connected to
Escape character is '^]'.

login: root

BusyBox v0.61.pre (2004.06.18-02:49+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS set 1460

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP icmp -- anywhere anywhere icmp destination-unreachable
DROP       icmp --  anywhere             anywhere           state INVALID

Normally I log in and drop them all but sometimes after a reboot I forget and the mini-firewall remains in place while I'm trying to solve this networking problem. Is there a test I can put in place to test that I remembered to disable this mini-firewall?


Reply to: