Old 12-13-2005, 06:43 PM   #1
LQ Newbie
Registered: Aug 2003
Posts: 23

Rep: Reputation: 15
please help: strange problem with NAT???

hi all.
i've just newly set up my debian (2.4.27-2-386) box with NAT and possibly some minor firewall rules.
and now i'm up to a point where everything seems to work fine, except certain websites.
e.g. and lots more, and i can't sign in to msn.
***please note, i can ping them, but i just can't browse them using my internet browser. even tried with firefox.
some other sites like and this one all seem to work fine.

here is my


#set variables for the interfaces
#(the script below uses $LOOPBACK, $LAN and $WAN but never defined them;
# lo/eth0/ppp0 are assumed from the routing table further down)
LOOPBACK="lo"
LAN="eth0"
WAN="ppp0"
EXTIP="`/sbin/ifconfig $WAN | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"

#loading required stateful/NAT kernel modules
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp

#enable ip forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

#Flush any rules that may still be configured
/sbin/iptables -t filter -F INPUT
/sbin/iptables -t filter -F OUTPUT
/sbin/iptables -t filter -F FORWARD
/sbin/iptables -t nat -F PREROUTING
/sbin/iptables -t nat -F POSTROUTING
/sbin/iptables -t nat -F OUTPUT

# Set the default policies for the chains
/sbin/iptables -t filter -P INPUT DROP
/sbin/iptables -t filter -P OUTPUT ACCEPT
/sbin/iptables -t filter -P FORWARD DROP
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT

# Set up the firewall rules
/sbin/iptables -t filter -A INPUT -i $LOOPBACK -j ACCEPT
/sbin/iptables -t filter -A INPUT -i $LAN -j ACCEPT
/sbin/iptables -t filter -A INPUT -i $WAN -m state --state RELATED,ESTABLISHED -j ACCEPT

#accept new inbound connections on certain ports (ssh, bittorrent)
/sbin/iptables -t filter -A INPUT -p TCP -m state --state NEW -m tcp --dport 22 -j ACCEPT

/sbin/iptables -t filter -A INPUT -p TCP -m state --state NEW -m tcp --dport 6881:6889 -j ACCEPT

#dameware remote control
/sbin/iptables -t filter -A INPUT -p TCP -m state --state NEW -m tcp --dport 6129 -j ACCEPT

#ftp ports
/sbin/iptables -t filter -A INPUT -p TCP -m state --state NEW -m tcp --dport 20:21 -j ACCEPT

# Set up the ip forwarding (LAN -> WAN freely, WAN -> LAN only for replies)
/sbin/iptables -t filter -A FORWARD -i $LAN -o $WAN -j ACCEPT
/sbin/iptables -t filter -A FORWARD -i $WAN -o $LAN -m state --state RELATED,ESTABLISHED -j ACCEPT

# Set up ip masquerading
/sbin/iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE

i even tried to modify the default policy to
# Set the default policies for the chains
/sbin/iptables -t filter -P INPUT ACCEPT
/sbin/iptables -t filter -P OUTPUT ACCEPT
/sbin/iptables -t filter -P FORWARD ACCEPT
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT

still doesn't work.

when i try using Windows' PPPoE to connect to the internet, everything works fine, which means it's not the modem's problem.

so any help or input would be greatly appreciated. and thanx for reading this long post

here is the routing table.
destination      gateway          genmask  flags  iface
nexthop.nsw.iin  *                         UH     ppp0
                 *                         U      eth0
default          nexthop.nsw.iin           UG     ppp0
Old 12-14-2005, 01:03 PM   #2
Senior Member
Registered: Nov 2002
Location: Edmonton AB, Canada
Distribution: Gentoo x86; Gentoo PPC; Gentoo Sparc64; FreeBSD; OS X; Solaris
Posts: 3,731
Blog Entries: 4

Rep: Reputation: 64
i even try to modify the default policy to
# Set the default policies for the chains
/sbin/iptables -t filter -P INPUT ACCEPT
/sbin/iptables -t filter -P OUTPUT ACCEPT
/sbin/iptables -t filter -P FORWARD ACCEPT
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT
You realize you have rendered your firewall completely useless with those rules, right? With these default policies, all packets will be accepted.

In any event, your rules look fine, and I doubt very much that the firewall is the cause of your problem, as you said yourself you can ping these sites. I would look elsewhere for the cause of your problems.
Old 12-16-2005, 05:32 AM   #3
LQ Newbie
Registered: Aug 2003
Posts: 23

Original Poster
Rep: Reputation: 15
thanx for your response bulliver.
and yes, i definitely know that changing my default policy to accept will render my firewall useless, but i just needed to try it. that's all.

So now i know what causes this problem.
the problem can be solved only when i connect to the internet manually by running "pon dsl-provider"

by running it manually, i noticed it will create this special rule in the forwarding chain.
iptables -L

Chain FORWARD (policy DROP)
target prot opt source destination
TCPMSS TCP -- anywhere anywhere tcp flags:SYN,RST/SYN tcpmss match 1400:1536 TCPMSS clamp to PMTU
so it looks like this rule will clamp the MTU to the right size. otherwise it wouldn't let me access it.

so does anyone know how to add it to my firewall rules??? what's the syntax???

or at least show me how to disable their default startup script, so that i can just add this "pon dsl-provider" line just before i run my firewall script.

thank you for any reply
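The rule quoted above, written back out as an iptables command, together with a check that it is still in the FORWARD chain after the firewall script has run. This is an added example, not code from the thread or from the Debian ppp scripts: the interface name ppp0 is taken from the routing table in the first post, the rule options are reconstructed from the "tcp flags:SYN,RST/SYN tcpmss match 1400:1536 TCPMSS clamp to PMTU" listing, and the two chain listings embedded below are constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild the MSS clamp rule that
# "pon dsl-provider" inserts, and check a FORWARD chain listing for it.
# Reconstructed from the listing quoted in the thread:
#   TCPMSS tcp flags:SYN,RST/SYN tcpmss match 1400:1536 TCPMSS clamp to PMTU

# Print the iptables command that installs the clamp on the given WAN
# interface (default ppp0, assumed from the routing table). Only TCP SYN
# segments carry the MSS option, hence the SYN,RST/SYN flag match;
# "-m tcpmss --mss 1400:1536" limits the rewrite to connections whose
# advertised MSS is too large for a PPPoE link (MTU 1492). The rule is
# inserted at position 1 so it is evaluated before the FORWARD ACCEPT rules,
# which would otherwise terminate processing before TCPMSS is reached.
mss_clamp_rule() {
    wan=${1:-ppp0}
    printf '%s\n' "/sbin/iptables -t filter -I FORWARD 1 -o $wan -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu"
}

# Read an 'iptables -L FORWARD' listing on stdin; exit 0 only if a TCPMSS
# clamp rule is present. A firewall script that runs "-F FORWARD" silently
# removes the rule pppd added, so this is a useful post-start check.
has_mss_clamp() {
    grep -q 'TCPMSS.*clamp to PMTU'
}

# Constructed sample listings (not captured from a real host).
SAMPLE_CLAMPED='Chain FORWARD (policy DROP)
target     prot opt source               destination
TCPMSS     tcp  --  anywhere             anywhere             tcp flags:SYN,RST/SYN tcpmss match 1400:1536 TCPMSS clamp to PMTU
ACCEPT     all  --  anywhere             anywhere'

SAMPLE_FLUSHED='Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere'

main() {
    echo "Rule to run after the flush section of the firewall script:"
    mss_clamp_rule ppp0
    if printf '%s\n' "$SAMPLE_CLAMPED" | has_mss_clamp; then
        echo "sample 1: clamp rule present"
    fi
    if ! printf '%s\n' "$SAMPLE_FLUSHED" | has_mss_clamp; then
        echo "sample 2: clamp rule missing (flushed) - re-add it with the command above"
    fi
}

main
```

In the first post's script the "-F FORWARD" flush runs every time the firewall starts, which is exactly what discards the rule pppd put in place; running the printed command right after the flush block, before the FORWARD ACCEPT rules are appended, keeps the clamp regardless of whether pppd or the firewall script starts first.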
Old 12-16-2005, 05:37 AM   #4
Registered: Feb 2004
Location: Kathmandu
Distribution: Redhat/fedora/Suse [Wanna Drive With Debian]
Posts: 208

Rep: Reputation: 30
did you check your DNS addresses? are they set?

