Clients not working properly with NAT

bratch · 07-29-2007, 07:45 AM

Hi all

I use this script for NAT:

Code:

# Enable kernel IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Clear previous iptables
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain

# Set up iptables forwarding
iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
iptables --append FORWARD --in-interface eth0 -j ACCEPT

I previously used this with a USB ADSL modem, but it was a very dodgy and dropped a lot, so I switched to a PPPoE ethernet modem (a Draytek Vigor 100).

To connect here I use this /etc/conf.d/net, and then connect with /etc/init.d/net.ppp0 start:

Code:

modules=( "ifconfig" )

config_eth0=( "192.168.0.2 netmask 255.255.255.0" )

config_eth1=("null")

config_ppp0=("ppp")
link_ppp0="eth1"
plugins_ppp0=("pppoe")
username_ppp0='username'
password_ppp0='password'
pppd_ppp0=("defaultroute" "usepeerdns")

eth0 is the LAN interface, eth1 is the interface connected to the modem.

This connects fine, and works absolutely fine on the machine that is connected to the modem.

However the machines connecting through it (the machines on the network) only have limited network access:

They can only browse a small number of sites, most sites will just time out. Ones that work include google.com, morse.com, cstim.com and oracle.com. They can ping anything fine, even the sites that don't work. Connecting to various IRC servers for instance irc.quakenet.org will start to connect, but simply stop half way through the MOTD.

Does anybody have any idea? I've run out of ideas here.

Thanks very much.

bratch · 07-29-2007, 01:53 PM

I've found the fix here:

http://forums.gentoo.org/viewtopic-t...ighlight-.html

Quote:

Originally Posted by Hu

This sounds like a case of MTU problems. From the iptables manpage:

Code:

   TCPMSS
       This target allows to alter the MSS value of TCP SYN packets,  to  con-
       trol  the maximum size for that connection (usually limiting it to your
       outgoing interface's MTU minus 40).  Of course, it can only be used  in
       conjunction with -p tcp.  It is only valid in the mangle table.
       This  target  is  used to overcome criminally braindead ISPs or servers
       which block ICMP Fragmentation Needed packets.  The  symptoms  of  this
       problem are that everything works fine from your Linux firewall/router,
       but machines behind it can never exchange large packets:
        1) Web browsers connect, then hang with no data received.
        2) Small mail works fine, but large emails hang.
        3) ssh works fine, but scp hangs after initial handshaking.
       Workaround: activate this option and add a rule to your  firewall  con-
       figuration like:
        iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
                    -j TCPMSS --clamp-mss-to-pmtu

       --set-mss value
              Explicitly set MSS option to specified value.

       --clamp-mss-to-pmtu
              Automatically clamp MSS value to (path_MTU - 40).

       These options are mutually exclusive.

Add such a rule to your Gentoo machine and see if that helps.