
[Solved] Re: Wheezy as internet gateway: lost connections



Hi again,

I'll post the solution here as I'm quite confident some will find it useful.
In my searches for several things, I keep bumping into my own mails to this list.

On Tue, 2012-06-05 at 21:48 +0200, Steven Post wrote:
> Hello list,
> 
> I have a small home network and using a Wheezy installation as the
> gateway here. Since the gateway is running wheezy I'm experiencing
> dropped (tcp) connections.
> I observe this behaviour with both another Wheezy installation
> (desktop) and with a Windows 7 machine. The problem didn't occur with
> the old server (Etch).
> 
> The network setup is quite simple, the gateway establishes a PPPoE
> connection with my ISP as ppp0 (actual interface is eth1). Another
> network card (eth0) has a static address on the LAN.
> 
> The machine has a load of firewall rules for incoming and outgoing
> connections, but the important ones here are the following:

[... snip firewall script...]

> 
> What I see is various websites that don't load (such as slashdot.org or
> hotmail.com) while services such as msn and IRC still work fine.
> 
> I did some research and it might have something to do with the MTU value
> of the connection as explained here:
> http://www.netheaven.com/pmtu.html
> 
> I tested this by setting a lower MTU value on my local (desktop)
> connection, this seemed to work, same for the server. However it doesn't
> have much effect today.
> 
> Does anyone have any idea on how to solve this? What changed between
> Etch and wheezy with regard to MTU and/or packet fragmentation?
> 

I'm not sure about the exact cause yet, but I have a fix/hack.
I stumbled upon a similar problem at [1]. A solution there pointed me to [2].
It might be a broken server or ISP in between, but adding this as the
first rule before other forward rules fixes most of the problems:

iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

I still can't connect to msn using empathy, but it works again in
Pidgin, also all sites I tried work again.

[1] http://serverfault.com/questions/318350/tcp-sessions-hanging-with-debian-and-iptables
[2] http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-4.html#ss4.7

Best regards,
Steven
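
Added example, not part of the original mail or of the netfilter code: a small Python model of what the `TCPMSS --clamp-mss-to-pmtu` rule above does to a forwarded SYN. It builds a constructed IPv4/TCP SYN (addresses 192.168.1.10 -> 203.0.113.5 and the MSS values are made up for the demonstration, not captured from the network in the mail), then applies the same test as the rule (SYN set, RST clear) and lowers an MSS option that would not fit the path MTU, fixing the TCP checksum afterwards. `mss_for_mtu` shows why a PPPoE link with a 1492-byte MTU wants an MSS of 1452 rather than the 1460 a LAN host assumes; the function and helper names are this example's own.

```python
import socket
import struct

IP_HDR_LEN = 20      # IPv4 header without options
TCP_HDR_LEN = 20     # TCP header without options
TCP_SYN = 0x02
TCP_RST = 0x04
OPT_EOL, OPT_NOP, OPT_MSS = 0, 1, 2


def mss_for_mtu(mtu):
    """Largest TCP payload that fits one IPv4 packet of the given MTU.
    PPPoE leaves 1492 bytes for IP, so the fitting MSS there is 1452."""
    return mtu - IP_HDR_LEN - TCP_HDR_LEN


def _ones_complement_sum(data):
    """RFC 1071 checksum over 16-bit big-endian words (used by IP and TCP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _tcp_checksum(src, dst, tcp):
    """TCP checksum including the IPv4 pseudo-header."""
    pseudo = src + dst + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    return _ones_complement_sum(pseudo + tcp)


def build_syn(mss, src="192.168.1.10", dst="203.0.113.5", sport=40000, dport=80):
    """Constructed sample (not captured traffic): IPv4 + TCP SYN with one MSS option."""
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    opts = struct.pack("!BBH", OPT_MSS, 4, mss)            # kind=2, len=4, value
    doff = (TCP_HDR_LEN + len(opts)) // 4                  # header length in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0,
                      doff << 4, TCP_SYN, 65535, 0, 0) + opts
    tcp = tcp[:16] + struct.pack("!H", _tcp_checksum(s, d, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + len(tcp),
                     0x1234, 0x4000, 64, socket.IPPROTO_TCP, 0, s, d)
    ip = ip[:10] + struct.pack("!H", _ones_complement_sum(ip)) + ip[12:]
    return ip + tcp


def _split(packet):
    """Return (src, dst, tcp_bytes) for an IPv4/TCP packet, else None."""
    if (packet[0] >> 4) != 4 or packet[9] != socket.IPPROTO_TCP:
        return None
    ihl = (packet[0] & 0x0F) * 4
    return packet[12:16], packet[16:20], packet[ihl:]


def _mss_option_offset(tcp):
    """Walk the TCP option list; return the offset of a 4-byte MSS option or None."""
    doff = (tcp[12] >> 4) * 4
    i = TCP_HDR_LEN
    while i + 1 < doff:
        kind = tcp[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        length = tcp[i + 1]
        if length < 2:
            break                       # malformed option list: stop parsing
        if kind == OPT_MSS and length == 4 and i + 4 <= doff:
            return i
        i += length
    return None


def tcp_mss(packet):
    """MSS advertised in the TCP options, or None if there is no MSS option."""
    parts = _split(packet)
    off = None if parts is None else _mss_option_offset(parts[2])
    return None if off is None else struct.unpack_from("!H", parts[2], off + 2)[0]


def tcp_checksum_ok(packet):
    src, dst, tcp = _split(packet)
    return _tcp_checksum(src, dst, tcp) == 0     # a correct checksum sums to zero


def clamp_mss_to_pmtu(packet, path_mtu):
    """Model of `-p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu` for
    one forwarded packet: on a SYN with RST clear, lower an MSS option above
    mss_for_mtu(path_mtu) and repair the checksum. Returns (packet, new_mss);
    new_mss is None when nothing changed. Simplification: the kernel target also
    inserts an MSS option into a SYN that carries none; this only rewrites one."""
    parts = _split(packet)
    if parts is None:
        return packet, None
    src, dst, tcp = parts
    if tcp[13] & (TCP_SYN | TCP_RST) != TCP_SYN:
        return packet, None
    off = _mss_option_offset(tcp)
    limit = mss_for_mtu(path_mtu)
    if off is None or struct.unpack_from("!H", tcp, off + 2)[0] <= limit:
        return packet, None
    tcp = bytearray(tcp)
    struct.pack_into("!H", tcp, off + 2, limit)
    tcp[16:18] = b"\x00\x00"                                 # zero before recomputing
    struct.pack_into("!H", tcp, 16, _tcp_checksum(src, dst, bytes(tcp)))
    return packet[:len(packet) - len(tcp)] + bytes(tcp), limit


if __name__ == "__main__":
    syn = build_syn(1460)                        # LAN host assuming a 1500-byte MTU
    clamped, new = clamp_mss_to_pmtu(syn, 1492)  # ppp0 over PPPoE: MTU 1492
    print("MSS before:", tcp_mss(syn), "after:", tcp_mss(clamped),
          "checksum ok:", tcp_checksum_ok(clamped))
```

Run it to see the 1460 in the constructed SYN become 1452 with a valid checksum; a SYN already at or below the limit passes through untouched, as does anything that is not a plain SYN. The real target is applied by the kernel on the gateway to every SYN crossing the FORWARD chain, which is why the rule only needs to exist once there rather than being repeated on each client.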
