LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 07-29-2007, 07:45 AM   #1
bratch
Member
Registered: Nov 2004
Location: Jersey, British Isles
Distribution: Gentoo
Posts: 44

Rep: Reputation: 15
Clients not working properly with NAT


Hi all

I use this script for NAT:

Code:
# Enable kernel IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Clear previous iptables
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain

# Set up iptables forwarding
iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
iptables --append FORWARD --in-interface eth0 -j ACCEPT

I previously used this with a USB ADSL modem, but it was very dodgy and dropped a lot, so I switched to a PPPoE ethernet modem (a Draytek Vigor 100).

To connect here I use this /etc/conf.d/net, and then connect with /etc/init.d/net.ppp0 start:

Code:
modules=( "ifconfig" )

config_eth0=( "192.168.0.2 netmask 255.255.255.0" )

config_eth1=("null")

config_ppp0=("ppp")
link_ppp0="eth1"
plugins_ppp0=("pppoe")
username_ppp0='username'
password_ppp0='password'
pppd_ppp0=("defaultroute" "usepeerdns")

eth0 is the LAN interface, eth1 is the interface connected to the modem.

This connects fine, and works absolutely fine on the machine that is connected to the modem.

However the machines connecting through it (the machines on the network) only have limited network access:

They can only browse a small number of sites, most sites will just time out. Ones that work include google.com, morse.com, cstim.com and oracle.com. They can ping anything fine, even the sites that don't work. Connecting to various IRC servers for instance irc.quakenet.org will start to connect, but simply stop half way through the MOTD.

Does anybody have any idea? I've run out of ideas here.

Thanks very much.
 
Old 07-29-2007, 01:53 PM   #2
bratch
Member
Registered: Nov 2004
Location: Jersey, British Isles
Distribution: Gentoo
Posts: 44

Original Poster
Rep: Reputation: 15
I've found the fix here:

http://forums.gentoo.org/viewtopic-t...ighlight-.html

Quote:
Originally Posted by Hu
This sounds like a case of MTU problems. From the iptables manpage:
Code:
   TCPMSS
       This target allows to alter the MSS value of TCP SYN packets,  to  con-
       trol  the maximum size for that connection (usually limiting it to your
       outgoing interface's MTU minus 40).  Of course, it can only be used  in
       conjunction with -p tcp.  It is only valid in the mangle table.
       This  target  is  used to overcome criminally braindead ISPs or servers
       which block ICMP Fragmentation Needed packets.  The  symptoms  of  this
       problem are that everything works fine from your Linux firewall/router,
       but machines behind it can never exchange large packets:
        1) Web browsers connect, then hang with no data received.
        2) Small mail works fine, but large emails hang.
        3) ssh works fine, but scp hangs after initial handshaking.
       Workaround: activate this option and add a rule to your  firewall  con-
       figuration like:
        iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
                    -j TCPMSS --clamp-mss-to-pmtu

       --set-mss value
              Explicitly set MSS option to specified value.

       --clamp-mss-to-pmtu
              Automatically clamp MSS value to (path_MTU - 40).

       These options are mutually exclusive.
Add such a rule to your Gentoo machine and see if that helps.
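As an added example (not the poster's script and not taken from the linked Gentoo thread), here is the NAT script from post #1 with the TCPMSS clamp from the quoted manpage folded in. The interface names eth0/ppp0 come from the original post; the PPPoE MTU of 1492 (1500 minus 8 bytes of PPPoE/PPP overhead), the MSS_MODE switch between --clamp-mss-to-pmtu and --set-mss, and the ESTABLISHED,RELATED return rule with a DROP policy on FORWARD are assumptions and hardening added here, not part of the original. DRY_RUN=1 is the default, so the script only prints the commands it would run until it is invoked with `apply` as root on the router:

```shell
#!/bin/sh
# Added example: NAT script from post #1 plus the MSS clamp from post #2.
# Interface names are taken from the original post; MTU, MSS_MODE and the
# state-based return rule are assumptions/hardening added in this example.

LAN_IF="${LAN_IF:-eth0}"      # LAN side (as in the original post)
WAN_IF="${WAN_IF:-ppp0}"      # PPPoE link (as in the original post)
WAN_MTU="${WAN_MTU:-1492}"    # assumed PPPoE MTU; check with: ip link show ppp0
MSS_MODE="${MSS_MODE:-pmtu}"  # "pmtu" -> --clamp-mss-to-pmtu, "fixed" -> --set-mss
DRY_RUN="${DRY_RUN:-1}"       # 1 = print commands only, 0 = execute them

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Largest MSS that fits in a given MTU: minus 20 bytes IPv4 header and
# 20 bytes TCP header, which is the "MTU - 40" the manpage refers to.
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# Emit (dry run) or apply the complete rule set.
build_rules() {
    run sysctl -w net.ipv4.ip_forward=1

    # Start from a clean slate in every table touched below.
    for table in filter nat mangle; do
        run iptables -t "$table" -F
        run iptables -t "$table" -X
    done

    # Masquerade LAN traffic leaving on the PPPoE link.
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE

    # Forward LAN -> WAN, allow only reply traffic WAN -> LAN, drop the rest
    # (hardening added in this example; the original accepted all of eth0).
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -P FORWARD DROP

    # The fix from post #2: rewrite the MSS option of forwarded SYNs so hosts
    # behind the router never negotiate segments the PPPoE path cannot carry.
    # The two TCPMSS options are mutually exclusive, so pick exactly one.
    if [ "$MSS_MODE" = fixed ]; then
        run iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -o "$WAN_IF" \
            -j TCPMSS --set-mss "$(mss_for_mtu "$WAN_MTU")"
    else
        run iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
            -j TCPMSS --clamp-mss-to-pmtu
    fi
}

# Show what the clamp rule is doing once applied: the packet counter on the
# mangle FORWARD rule should increase as LAN hosts open new TCP connections.
show_clamp_counters() {
    run iptables -t mangle -L FORWARD -v -n
}

if [ "${1:-}" = "apply" ]; then
    DRY_RUN=0
fi
build_rules
show_clamp_counters
```

Run it once without arguments to review the generated rules, then `sh nat.sh apply` as root. If --clamp-mss-to-pmtu does not help (path MTU discovery itself may be broken on the link), switch to `MSS_MODE=fixed`, which sets the MSS to 1452 for the assumed 1492-byte PPPoE MTU.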