LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Old 08-20-2005, 05:26 PM   #1
mikey79
LQ Newbie
 
Registered: Aug 2004
Posts: 3

Rep: Reputation: 0
pls help: debian router => some websites won't load (though pinging works)


hey folks, i really hope you can help me out with my problem here.

i used to have a dlink hardware router and now switched to a debian software router. i use one desktop pc behind the router to connect the internet.

i set everything up (dhcp, networking, iptables) and everything seems to be working so far, however, on some websites loading takes an infinite amount of time. however, if i plug in my dlink router again, the websites load pretty fast and if i reconnect my desktop to the debian machine again, the websites still work (even if i surf on those websites). however: if i reboot my machines and try this thingie again: no websites any more. only if i replug my desktop to the dlink router and start over again. i think this has to be some caching issue....i dont know. i am not really into networking :-(

so here's the deal....

the website i am talking about is www_quoka_de
i can ping it (even if i cannot load the website):

Code:
Pinging www_quoka_de [217.237.190.136] with 32 bytes of data:

Reply from 217.237.190.136: bytes=32 time=11ms TTL=119
Reply from 217.237.190.136: bytes=32 time=10ms TTL=119
Reply from 217.237.190.136: bytes=32 time=11ms TTL=119
Reply from 217.237.190.136: bytes=32 time=13ms TTL=119

Ping statistics for 217.237.190.136:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 10ms, Maximum = 13ms, Average = 11ms
if i do a tracert i get this (and i get exactly the same with my dlink router!):

Code:
Tracing route to www_quoka_de [217.237.190.136]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.0.1
  2     5 ms     5 ms     5 ms  bsn2.fra.qsc.de [213.148.128.56]
  3     6 ms     6 ms     6 ms  core2.fra.qsc.de [213.148.139.177]
  4     6 ms     6 ms     6 ms  62.156.139.121
  5     9 ms     8 ms     9 ms  ma-ag4.MA.DE.net.DTAG.DE [62.154.37.178]
  6     9 ms     9 ms     9 ms  052058-1-1-gw.MA.DE.net.DTAG.DE [62.154.39.77]
  7    20 ms     *       10 ms  217.237.191.36
  8     *        *        *     Request timed out.
  9    11 ms    16 ms    11 ms  217.237.190.136
it seems the connection is broken somehow outside....but i get the very same with my dlink router and the website is loading there! and i can ping it anyway...... :-(

my setup is as follows:

desktop -> router (eth0) ....... router (eth1) -> dsl-modem -> internet

if you need my iptables script, here it is:

Code:
#!/bin/sh
IPTABLES=`which iptables` # path to iptables
DEV_EXT=ppp0 # external interface
DEV_INT=eth0 # internal interface
p_high=1024:65535

# kernel settings: reverse-path filtering off, ICMP redirects accepted, martians logged
echo "0" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "0" > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo "1" > /proc/sys/net/ipv4/conf/all/accept_redirects
# echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
# echo "0" > /proc/sys/net/ipv4/conf/all/bootp_relay
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

# flush all old rules that may still be present
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -X

# set the default policies
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP

# load the modules for iptables connection tracking
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ip_conntrack_irc
modprobe ip_nat_irc

# logging: every forwarded packet is logged before the rules below are evaluated
$IPTABLES -A FORWARD -j LOG --log-prefix "BEFORE: "
#$IPTABLES -A OUTPUT -j LOG
#$IPTABLES -A INPUT -j LOG

# open loopback
$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT

# enable masquerading
$IPTABLES -t nat -A POSTROUTING -o $DEV_EXT -j MASQUERADE

# set ip forwarding
echo 1  > /proc/sys/net/ipv4/ip_forward

#-----------------------------------------------------------------------------

######################################################
# ssh 
######################################################

$IPTABLES -A INPUT -i $DEV_INT -p TCP --dport ssh -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o $DEV_INT -p TCP --sport ssh -m state --state ESTABLISHED,RELATED -j ACCEPT

#####################################################
# dns
#####################################################

$IPTABLES -A FORWARD -o $DEV_EXT -m state --state NEW,ESTABLISHED,RELATED -p UDP --dport domain -j ACCEPT
$IPTABLES -A FORWARD -o $DEV_EXT -m state --state NEW,ESTABLISHED,RELATED -p TCP --dport domain -j ACCEPT

$IPTABLES -A FORWARD -i $DEV_EXT -m state --state ESTABLISHED,RELATED -p UDP --sport domain -j ACCEPT
$IPTABLES -A FORWARD -i $DEV_EXT -m state --state ESTABLISHED,RELATED -p TCP --sport domain -j ACCEPT

$IPTABLES -A OUTPUT -o $DEV_EXT -m state --state NEW,ESTABLISHED,RELATED -p UDP --dport domain -j ACCEPT
$IPTABLES -A OUTPUT -o $DEV_EXT -m state --state NEW,ESTABLISHED,RELATED -p TCP --dport domain -j ACCEPT

$IPTABLES -A INPUT -i $DEV_EXT -m state --state ESTABLISHED,RELATED -p UDP --sport domain -j ACCEPT
$IPTABLES -A INPUT -i $DEV_EXT -m state --state ESTABLISHED,RELATED -p TCP --sport domain -j ACCEPT

#####################################################
# http
#####################################################

$IPTABLES -A FORWARD -i $DEV_INT -o $DEV_EXT -m state --state NEW,ESTABLISHED,RELATED -p TCP --dport 80 -j ACCEPT
$IPTABLES -A FORWARD -i $DEV_INT -o $DEV_EXT -m state --state NEW,ESTABLISHED,RELATED -p UDP --dport 80 -j ACCEPT

$IPTABLES -A FORWARD -i $DEV_EXT -o $DEV_INT -m state --state ESTABLISHED,RELATED -p TCP --sport 80 -j ACCEPT
$IPTABLES -A FORWARD -i $DEV_EXT -o $DEV_INT -m state --state ESTABLISHED,RELATED -p UDP --sport 80 -j ACCEPT

$IPTABLES -A OUTPUT -o $DEV_EXT -m state --state NEW,ESTABLISHED,RELATED -p UDP --dport 80 -j ACCEPT
$IPTABLES -A OUTPUT -o $DEV_EXT -m state --state NEW,ESTABLISHED,RELATED -p TCP --dport 80 -j ACCEPT

$IPTABLES -A INPUT -i $DEV_EXT -m state --state ESTABLISHED,RELATED -p UDP --sport 80 -j ACCEPT
$IPTABLES -A INPUT -i $DEV_EXT -m state --state ESTABLISHED,RELATED -p TCP --sport 80 -j ACCEPT

#####################################################
# http ssl
#####################################################

$IPTABLES -A FORWARD -i $DEV_INT -o $DEV_EXT -m state --state NEW,ESTABLISHED,RELATED -p TCP --dport 443 -j ACCEPT
$IPTABLES -A FORWARD -i $DEV_INT -o $DEV_EXT -m state --state NEW,ESTABLISHED,RELATED -p UDP --dport 443 -j ACCEPT

$IPTABLES -A FORWARD -i $DEV_EXT -o $DEV_INT -m state --state ESTABLISHED,RELATED -p TCP --sport 443 -j ACCEPT
$IPTABLES -A FORWARD -i $DEV_EXT -o $DEV_INT -m state --state ESTABLISHED,RELATED -p UDP --sport 443 -j ACCEPT

$IPTABLES -A OUTPUT -o $DEV_EXT -m state --state NEW,ESTABLISHED,RELATED -p UDP --dport 443 -j ACCEPT
$IPTABLES -A OUTPUT -o $DEV_EXT -m state --state NEW,ESTABLISHED,RELATED -p TCP --dport 443 -j ACCEPT

$IPTABLES -A INPUT -i $DEV_EXT -m state --state ESTABLISHED,RELATED -p UDP --sport 443 -j ACCEPT
$IPTABLES -A INPUT -i $DEV_EXT -m state --state ESTABLISHED,RELATED -p TCP --sport 443 -j ACCEPT

#####################################################
# samba
#####################################################

$IPTABLES -A INPUT -i $DEV_INT -s 192.168.0.0/24 -p TCP --dport 137 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $DEV_INT -s 192.168.0.0/24 -p TCP --dport 138 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $DEV_INT -s 192.168.0.0/24 -p TCP --dport 139 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A OUTPUT -o $DEV_INT -d 192.168.0.0/24 -p TCP --sport 137 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o $DEV_INT -d 192.168.0.0/24 -p TCP --sport 138 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o $DEV_INT -d 192.168.0.0/24 -p TCP --sport 139 -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A INPUT -i $DEV_INT -s 192.168.0.0/24 -p UDP --dport 137 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $DEV_INT -s 192.168.0.0/24 -p UDP --dport 138 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $DEV_INT -s 192.168.0.0/24 -p UDP --dport 139 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A OUTPUT -o $DEV_INT -d 192.168.0.0/24 -p UDP --sport 137 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o $DEV_INT -d 192.168.0.0/24 -p UDP --sport 138 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o $DEV_INT -d 192.168.0.0/24 -p UDP --sport 139 -m state --state ESTABLISHED,RELATED -j ACCEPT

#####################################################
# icmp
#####################################################

# type 0 echo-reply (ping)
$IPTABLES -A INPUT -p icmp --icmp-type 0 -s 0/0 -d 0/0 -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type 0 -s 0/0 -d 0/0 -j ACCEPT
$IPTABLES -A FORWARD -p icmp --icmp-type 0 -s 0/0 -d 0/0 -j ACCEPT

# type 3 destination-unreachable (port-unreachable, fragmentation-needed)
$IPTABLES -A INPUT -p icmp --icmp-type 3 -s 0/0 -d 0/0 -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type 3 -s 0/0 -d 0/0 -j ACCEPT
$IPTABLES -A FORWARD -p icmp --icmp-type 3 -s 0/0 -d 0/0 -j ACCEPT

# type 8 echo request
$IPTABLES -A INPUT -p icmp --icmp-type 8 -s 0/0 -d 0/0 -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type 8 -s 0/0 -d 0/0 -j ACCEPT
$IPTABLES -A FORWARD -p icmp --icmp-type 8 -s 0/0 -d 0/0 -j ACCEPT

# type 11 time exceeded
$IPTABLES -A INPUT -p icmp --icmp-type 11 -s 0/0 -d 0/0 -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type 11 -s 0/0 -d 0/0 -j ACCEPT
$IPTABLES -A FORWARD -p icmp --icmp-type 11 -s 0/0 -d 0/0 -j ACCEPT

# type 13 timestamp request
$IPTABLES -A INPUT -p icmp --icmp-type 13 -s 0/0 -d 0/0 -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type 13 -s 0/0 -d 0/0 -j ACCEPT
$IPTABLES -A FORWARD -p icmp --icmp-type 13 -s 0/0 -d 0/0 -j ACCEPT

# type 14 timestamp reply
$IPTABLES -A INPUT -p icmp --icmp-type 14 -s 0/0 -d 0/0 -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type 14 -s 0/0 -d 0/0 -j ACCEPT
$IPTABLES -A FORWARD -p icmp --icmp-type 14 -s 0/0 -d 0/0 -j ACCEPT

#####################################################
# imap
#####################################################

$IPTABLES -A FORWARD -i $DEV_INT -o $DEV_EXT -p TCP --dport 143 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $DEV_EXT -o $DEV_INT -p TCP --sport 143 -m state --state ESTABLISHED,RELATED -j ACCEPT

#####################################################
# imap ssl
#####################################################

$IPTABLES -A FORWARD -i $DEV_INT -o $DEV_EXT -p TCP --dport 993 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $DEV_EXT -o $DEV_INT -p TCP --sport 993 -m state --state ESTABLISHED,RELATED -j ACCEPT

#####################################################
# smtp
#####################################################

$IPTABLES -A FORWARD -i $DEV_INT -o $DEV_EXT -p TCP --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $DEV_EXT -o $DEV_INT -p TCP --sport 25 -m state --state ESTABLISHED,RELATED -j ACCEPT

#####################################################
# smtp ssl
#####################################################

$IPTABLES -A FORWARD -i $DEV_INT -o $DEV_EXT -p TCP --dport 465 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $DEV_EXT -o $DEV_INT -p TCP --sport 465 -m state --state ESTABLISHED,RELATED -j ACCEPT

#####################################################
# pop3
#####################################################

$IPTABLES -A FORWARD -i $DEV_INT -o $DEV_EXT -p TCP --dport 110 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $DEV_EXT -o $DEV_INT -p TCP --sport 110 -m state --state ESTABLISHED,RELATED -j ACCEPT

#####################################################
# pop3 ssl
#####################################################

$IPTABLES -A FORWARD -i $DEV_INT -o $DEV_EXT -p TCP --dport 995 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $DEV_EXT -o $DEV_INT -p TCP --sport 995 -m state --state ESTABLISHED,RELATED -j ACCEPT

#####################################################
# usenet
#####################################################

$IPTABLES -A FORWARD -i $DEV_INT -o $DEV_EXT -p TCP --dport 119 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $DEV_EXT -o $DEV_INT -p TCP --sport 119 -m state --state ESTABLISHED,RELATED -j ACCEPT

#-----------------------------------------------------------------------------

# logging: whatever is still unmatched here is logged, then hits the DROP policy
#$IPTABLES -A OUTPUT -j LOG
#$IPTABLES -A INPUT -j LOG
$IPTABLES -A FORWARD -j LOG --log-prefix "AFTER: "

my kernel version is (telling from cat /proc/version):

Code:
Linux version 2.4.27-2-386

so, does anybody have any ideas please? i don't know what to do to be honest......

any help is much appreciated!
thx
 
Old 08-21-2005, 05:39 AM   #2
mikey79
LQ Newbie
 
Registered: Aug 2004
Posts: 3

Original Poster
Rep: Reputation: 0
ok, solved the problem: my mtu size was too large. the following entry in my iptables script solves this:

Code:
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
 
Old 07-15-2006, 12:12 AM   #3
mallard
LQ Newbie
 
Registered: Jul 2006
Posts: 7

Rep: Reputation: 0
I am having the same problem accessing myspace dot com. All other websites I've tried work from my clients. MySpace works fine from the router itself (a Debian box using iptables managed by ipmasq).

I have external adapter (eth0) MTU set to 1500 and internal adapter (eth1) set to 1492. Searching the net led me to believe MySpace is rejecting special ICMP packets that I'm sending them to request the packet be fragmented to fit. But I'm not quite sure what to do about it. (Read: I'm not sure how to explain to my wife why it's not my problem.) The solution in the post from 08-21-05 05:39 AM did not help me. I tried telnetting to 80 on myspace dot com...connection was accepted, but my GET request went unanswered, not even a hint of response. On other websites, I get responses back.

I don't want to change MTUs on my client machines, I want to fix the problem on the router. I also don't want to deploy a proxy server to work around this.
 
Old 07-15-2006, 12:23 PM   #4
mallard
LQ Newbie
 
Registered: Jul 2006
Posts: 7

Rep: Reputation: 0
I'm finding more websites that don't work, including anywho.com. I wish I could leave my eth1 MTU at 1500 and still have forwarding work.
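A diagnostic for the MTU problem behind posts #2 through #4, added here as an example and not code from the thread: run on the router, it binary-searches the largest DF-bit ping payload a host accepts and derives the path MTU and the TCP MSS that SYNs should be clamped to. It assumes Linux iputils ping (-M do, -s, -W) and the host name on the usage line is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): find the path MTU to a host with DF pings.
IP_ICMP_OVERHEAD=28   # 20-byte IP header + 8-byte ICMP header
TCP_IP_OVERHEAD=40    # 20-byte IP header + 20-byte TCP header (no options)

# probe_ping HOST SIZE: succeed if a SIZE-byte payload reaches HOST with DF set.
# A PMTU black hole (fragmentation-needed dropped or ignored) shows up as
# every oversize probe simply timing out.
probe_ping() {
    ping -M do -c 1 -W 1 -s "$2" "$1" >/dev/null 2>&1
}

# pmtu_search PROBE HOST LO HI: largest payload in [LO,HI] for which
# "PROBE HOST size" succeeds, or -1 if none does. PROBE is a function name so
# the search can also be driven by a simulated probe instead of live pings.
pmtu_search() {
    probe=$1; host=$2; lo=$3; hi=$4; best=-1
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$host" "$mid"; then
            best=$mid; lo=$(( mid + 1 ))
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo "$best"
}

# mss_for_payload PAYLOAD: path MTU implied by the largest passing ping payload,
# minus the IP and TCP headers, i.e. the MSS a router should clamp SYNs to.
mss_for_payload() {
    mtu=$(( $1 + IP_ICMP_OVERHEAD ))
    echo "$(( mtu - TCP_IP_OVERHEAD ))"
}

# Usage on the router:  ./pmtu.sh www.example.net   (placeholder host)
if [ $# -gt 0 ]; then
    payload=$(pmtu_search probe_ping "$1" 0 1472)   # 1472 = 1500-byte MTU
    if [ "$payload" -lt 0 ]; then
        echo "no DF ping got through at all: ICMP is probably filtered"
    else
        echo "largest unfragmented payload: $payload bytes (path MTU $(( payload + IP_ICMP_OVERHEAD )))"
        echo "clamp outgoing SYN MSS to $(mss_for_payload "$payload"), or use --clamp-mss-to-pmtu"
    fi
fi
```

With the thread's PPPoE MTU of 1492, the search stops at a 1464-byte payload and the script reports an MSS of 1452; the same rule the second post adds would clamp to that value automatically.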
 
  

