[Solved] Re: Debian gateway problem
On Fri, 27 Dec 2013 10:15:04 +0100
Nemeth Gyorgy <friczy@freemail.hu> wrote:
> On 2013-12-26 06:27, mett wrote:
> > Hi,
> >
> > I'm using a debian box as a router and multiserver between my LAN
> > and the internet.
(cut)
> > It seems(according to tcpdump on both interface) that replies from
> > some sites get lost or get an ICMP destination unreachable from the
> > gateway somehow.
>
> For me it seems a PMTU problem. Insert the following line in the
> proper place:
> iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>
Hi and HNY everybody!
Just a final update on this thread.
I ended up with the script below working perfectly,
except if I use both of the following rules at the beginning of the script.
---------------------------
iptables -t nat -F
iptables -t mangle -F
---------------------------
I don't fully understand why but I'll investigate that later.
script:
------------------------------------------------------
#!/bin/sh
PATH=/usr/sbin:/sbin:/bin:/usr/bin
#
# delete all existing rules.
#
iptables -F
iptables -X
## nat/POSTROUTING
# Masquerade <=> Changed to SNAT (seemed wiser in my situation after
# reading doc...).
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j SNAT --to-source EXT.FIX.IP.ADD
## filter/FORWARD
# Allow New outgoing connections from the LAN side.
iptables -t filter -A FORWARD -i eth0 -o ppp0 -m state --state NEW -j ACCEPT
# Allow Established outgoing connections from the LAN side.
iptables -t filter -A FORWARD -i eth0 -o ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow forwarding of established connection from WAN side.
iptables -t filter -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Don't forward from the outside to the inside (icmp Port_U).
iptables -t filter -A FORWARD -i ppp0 -o eth0 -j REJECT
## filter/INPUT
# Always accept loopback traffic
iptables -t filter -A INPUT -i lo -j ACCEPT
# log udp port 5060
iptables -t filter -A INPUT -i ppp0 -p udp --dport 5060 -j LOG --log-level debug
# asterisk
iptables -t filter -A INPUT -i ppp0 -p udp --dport 5060 -j ACCEPT
# tor
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 9001 -j ACCEPT
# postfix
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 25 -j ACCEPT
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 587 -j ACCEPT
# dovecot
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 110 -j ACCEPT
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 995 -j ACCEPT
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 143 -j ACCEPT
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 993 -j ACCEPT
# apache
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 443 -j ACCEPT
# maradns
iptables -t filter -A INPUT -i ppp0 -p udp --dport 53 -j ACCEPT
# vsftp
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 21 -j ACCEPT
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 50000:50010 -j ACCEPT
# Allow established connections
iptables -t filter -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Proto_U everything else on outside interface (-input ppp0)
iptables -t filter -A INPUT -i ppp0 -j REJECT --reject-with icmp-proto-unreachable
# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward
------------------------------------------------------
Thanks a lot for all the comments.
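The same gateway ruleset, rebuilt as an added example (not the poster's script and not a Debian-provided one) so that it can be reviewed before it is applied: every iptables call goes through a wrapper that only prints the command when DRY_RUN=1, the flush covers the nat and mangle tables as well as filter so that re-running does not stack a second SNAT rule, default policies are set to DROP, and the MSS clamp suggested in the reply is included (placed in the mangle table here, which is a choice of this example). The interface names, LAN subnet and the EXT.FIX.IP.ADD placeholder are taken from the thread; check_order is a hypothetical self-test that confirms the catch-all REJECT on INPUT sits after the ESTABLISHED accept and that the clamp rule is present.

```shell
#!/bin/sh
# Added example, not the original poster's script. Assumes LAN on eth0
# (192.168.1.0/24), WAN on ppp0 and a fixed public address in EXT_IP.
LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-ppp0}
LAN_NET=${LAN_NET:-192.168.1.0/24}
EXT_IP=${EXT_IP:-EXT.FIX.IP.ADD}   # placeholder, as in the thread

# ipt: run iptables, or just print the command when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_rules() {
    # Flush every table this script writes to; plain 'iptables -F' only
    # clears the filter table, so the nat SNAT rule would otherwise be
    # appended again on every run.
    ipt -F
    ipt -X
    ipt -t nat -F
    ipt -t mangle -F
    # Default-deny for traffic to and through the box; OUTPUT left open.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    # PMTU clamp from the reply: rewrite MSS on forwarded SYNs.
    ipt -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    # SNAT LAN traffic to the fixed public address.
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$EXT_IP"
    # FORWARD: LAN may open connections; WAN may only continue existing ones.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -j REJECT
    # INPUT: loopback and established flows first, then the published services.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for p in 25 587 110 995 143 993 80 443 21 9001; do
        ipt -A INPUT -i "$WAN_IF" -p tcp --dport "$p" -j ACCEPT
    done
    ipt -A INPUT -i "$WAN_IF" -p tcp --dport 50000:50010 -j ACCEPT
    ipt -A INPUT -i "$WAN_IF" -p udp --dport 5060 -j ACCEPT
    ipt -A INPUT -i "$WAN_IF" -p udp --dport 53 -j ACCEPT
    ipt -A INPUT -i "$WAN_IF" -j REJECT --reject-with icmp-proto-unreachable
}

# check_order: render the rules in dry-run mode and verify that the
# catch-all REJECT on INPUT comes after the ESTABLISHED accept and that
# the MSS clamp is present. Returns 0 when both hold.
check_order() {
    listing=$(DRY_RUN=1; build_rules)
    printf '%s\n' "$listing" | grep -q 'clamp-mss-to-pmtu' || return 1
    est=$(printf '%s\n' "$listing" | grep -n 'A INPUT -m state --state ESTABLISHED' | cut -d: -f1)
    rej=$(printf '%s\n' "$listing" | grep -n "A INPUT -i $WAN_IF -j REJECT" | cut -d: -f1)
    [ -n "$est" ] && [ -n "$rej" ] && [ "$est" -lt "$rej" ]
}

# Usage: 'DRY_RUN=1 sh gateway.sh apply' prints the rules; as root,
# 'sh gateway.sh apply' checks ordering and then installs them.
case "${1:-}" in
    apply) check_order && build_rules && echo 1 > /proc/sys/net/ipv4/ip_forward ;;
esac
```

Running the dry run first and diffing its output against `iptables-save` after applying is a cheap way to confirm that a re-run really replaced the ruleset instead of appending to it.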