
Re: Debian gateway problem



On 2013-12-26 06:27, mett wrote:
> Hi,
> 
> I'm using a debian box as a router and multiserver between my LAN and
> the internet.
> 
> Everything was working fine till yesterday when I put the box down for
> upgrading memory, for a few hours.
> 
> Right now, the external interface of the gateway is fully accessible
> from the net, and I do not have any problem with the different services
> I am providing to the outside (mail, webserver, and dns for the web
> servers).
> 
> The problem is on the LAN side, I can access some sites but not all the
> sites as I used to do.
> 
> For example, I can access the "Start page" search engine but not
> "Duckduckgo".
> 
> The gateway can access everything, it's the hosts behind the gateway
> that cannot.
> 
> 
> I have 2 interfaces on this box:
> eth0 which is used as the LAN interface and
> eth1 which is used as ppp0 with a static IP from my ISP.
> 
> -------------------------------------------------------------------
> /etc/sysctl.conf has the forwarding rule for ipv4
> net.ipv4.ip_forward=1
> net.ipv4.conf.default.forwarding=1 (maybe useless but I'm kind of
> trying everything) 
> net.ipv4.conf.all.forwarding=1 (maybe useless but I'm kind of
> trying everything) 
> -------------------------------------------------------------------
> cat cat /proc/sys/net/ipv4/ip_forward 
> 1
> -------------------------------------------------------------------
> Iptables rules are as follows
> # delete all existing rules.
> #
> iptables -F
> iptables -t nat -F
> iptables -t mangle -F
> iptables -X
> 
> # Always accept loopback traffic
> iptables -A INPUT -i lo -j ACCEPT
> 
> 
> #log udp port 5060
> iptables -A INPUT -i ppp0 -p udp --dport 5060 -j LOG --log-level debug
> 
> #asterisk
> iptables -A INPUT -i ppp0 -p udp --dport 5060 -j ACCEPT
> 
> 
> #tor
> iptables -A INPUT -i ppp0 -p tcp --dport 9001 -j ACCEPT
> 
> #postfix
> iptables -A INPUT -i ppp0 -p tcp --dport 25 -j ACCEPT
> iptables -A INPUT -i ppp0 -p tcp --dport 587 -j ACCEPT
> 
> #dovecot
> iptables -A INPUT -i ppp0 -p tcp --dport 110 -j ACCEPT
> iptables -A INPUT -i ppp0 -p tcp --dport 995 -j ACCEPT
> iptables -A INPUT -i ppp0 -p tcp --dport 143 -j ACCEPT
> iptables -A INPUT -i ppp0 -p tcp --dport 993 -j ACCEPT
> 
> #apache
> iptables -A INPUT -i ppp0 -p tcp --dport 80 -j ACCEPT
> iptables -A INPUT -i ppp0 -p tcp --dport 443 -j ACCEPT
> 
> #maradns
> iptables -A INPUT -i ppp0 -p udp --dport 53 -j ACCEPT
> 
> 
> # Allow established connections, and those not coming from the outside
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -m state --state NEW ! -i ppp0 -j ACCEPT
> iptables -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> 
> # Allow outgoing connections from the LAN side.
> iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT
> 
> # Masquerade.
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> 
> # Don't forward new connections from the outside to the inside.
> iptables -A FORWARD -i ppp0 -o eth0 -j REJECT
> 
> 
> 
> # Enable routing.
> echo 1 > /proc/sys/net/ipv4/ip_forward
> ------------------------------------------------------------------------
> 
> I am totally at a loss and was wondering if somebody has an idea about
> where the problem might be coming from.
> 
> It seems (according to tcpdump on both interfaces) that replies from some
> sites get lost or get an ICMP destination unreachable from the
> gateway somehow.

To me it seems like a PMTU problem. Insert the following line in the proper
place:
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

-- 
--- Friczy ---
'Death is not a bug, it's a feature'
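The following is an added worked example, not code from either poster, showing what the suggested TCPMSS rule does to a forwarded SYN and why an unclamped MSS blackholes some sites behind a PPP link. The numbers are constructed assumptions: the LAN host sits on Ethernet (MTU 1500, so it advertises MSS 1460) and the ppp0 link is assumed to carry a PPPoE-style MTU of 1492. The rule's match expression `--tcp-flags SYN,RST SYN` (inspect SYN and RST, require SYN set and RST clear) is modelled as well, so the clamp is only applied to connection-opening segments, as in the original rule.

```python
# Added example: model of "iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN
# -j TCPMSS --clamp-mss-to-pmtu" on a gateway whose external link has a
# smaller MTU than the LAN. Not the original poster's code.
import struct

IP_HDR = 20          # IPv4 header without options
TCP_HDR = 20         # TCP header without options
OPT_EOL, OPT_NOP, OPT_MSS = 0, 1, 2

# TCP flag bits as they appear in the header's flags byte
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

LAN_MTU = 1500       # assumption: Ethernet on eth0
PPP_MTU = 1492       # assumption: PPPoE-style MTU on ppp0


def build_syn_options(mss):
    """Construct the option bytes of a typical SYN: MSS, NOP, NOP, SACK-permitted."""
    return struct.pack("!BBH", OPT_MSS, 4, mss) + bytes([OPT_NOP, OPT_NOP, 4, 2])


def parse_options(opts):
    """Return a list of (kind, value_bytes) for each TCP option."""
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        length = opts[i + 1]
        out.append((kind, opts[i + 2:i + length]))
        i += length
    return out


def get_mss(opts):
    """Advertised MSS, or None if the SYN carries no MSS option."""
    for kind, value in parse_options(opts):
        if kind == OPT_MSS and len(value) == 2:
            return struct.unpack("!H", value)[0]
    return None


def clamp_mss(opts, pmtu):
    """Rewrite the MSS option the way --clamp-mss-to-pmtu does:
    lower it to pmtu - IP header - TCP header, never raise it."""
    max_mss = pmtu - IP_HDR - TCP_HDR
    buf, i = bytearray(opts), 0
    while i < len(buf):
        kind = buf[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        length = buf[i + 1]
        if kind == OPT_MSS and length == 4:
            current = struct.unpack("!H", buf[i + 2:i + 4])[0]
            if current > max_mss:
                buf[i + 2:i + 4] = struct.pack("!H", max_mss)
        i += length
    return bytes(buf)


def matches_syn_rst_syn(flags):
    """The rule's match: of the SYN and RST bits, exactly SYN must be set."""
    return (flags & (SYN | RST)) == SYN


def clamp_forwarded(flags, opts, pmtu):
    """Apply the clamp only to segments the rule would match."""
    return clamp_mss(opts, pmtu) if matches_syn_rst_syn(flags) else opts


def segment_fits(mss, link_mtu):
    """True if a full-size segment for this MSS crosses the link unfragmented.
    With DF set, a segment that does not fit is dropped and needs an ICMP
    fragmentation-needed reply to reach the sender; if that ICMP is lost or
    filtered, the connection stalls after the handshake, which is the
    'some sites work, some hang' symptom."""
    return mss + IP_HDR + TCP_HDR <= link_mtu


def demo():
    """Before/after for a LAN host's SYN crossing the PPP link."""
    syn = build_syn_options(LAN_MTU - IP_HDR - TCP_HDR)   # MSS 1460
    clamped = clamp_forwarded(SYN, syn, PPP_MTU)
    return {
        "mss_before": get_mss(syn),
        "fits_before": segment_fits(get_mss(syn), PPP_MTU),
        "mss_after": get_mss(clamped),
        "fits_after": segment_fits(get_mss(clamped), PPP_MTU),
    }


if __name__ == "__main__":
    print(demo())
```

The clamp only lowers the value a LAN host advertises; a peer that already offers a smaller MSS is left alone, and segments that are not a connection-opening SYN pass through untouched, matching the semantics of the rule quoted above.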

