strange nat problem
Hi, I had a nat box running debian woody (2.4.19 kernel).
Everything was working great, but i upgraded to sarge and installed a 220.127.116.11 kernel, and this issue came up:
in the nat clients, some web pages work and others don't, while in the nat box everything works fine.
For example google works great, but hotmail doesn't (and it does work in the nat box). An ethereal run shows that it does some talking (it sends and receives packets containing html headers) and then starts waiting for something that never comes. hotmail is just an example, there are some other web pages not requiring authentication that doesn't work either.
I'm using the same configuration i used in woody, only the programs versions changed. I have a lot of iptables rules plus some traffic shaping commands (with tc), but the problem persist even using this minimal set of rules and no Traffic Control:
:PREROUTING ACCEPT [22307:4559231]
:INPUT ACCEPT [16590:2976594]
:FORWARD ACCEPT [5364:1548354]
:OUTPUT ACCEPT [16414:1661497]
:POSTROUTING ACCEPT [21770:3197851]
:INPUT ACCEPT [14850:2866366]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [14907:1537177]
-A FORWARD -j ACCEPT
:PREROUTING ACCEPT [10490:589933]
:POSTROUTING ACCEPT [401:24152]
:OUTPUT ACCEPT [402:24212]
-A POSTROUTING -s 10.10.10.0/255.255.255.0 -j MASQUERADE
I find it very strange that some things work and some things doesn't, and i have no clue what the problem could be, i don't even know if it is an iptables-related issue, so any help pointing me to the right direction will be appreciated.
it might not have anything to do with your firewall. maybe it's an MTU or IP flag option that causing problems. Did you compile this kernel yourself? If so, rember setting up any IP options (like ECN for instance) which might cause this sort of problem?
I did compile the kernel, but i used the same options i was using on the old kernel, orat least that's what i think, it was a big kernel change and maybe i missed some new options.
Anyway, the only packets affected are those that get masqueraded, if it were that kind of problem wouldn't the nat box have trouble also?.
Re: strange nat problem
|All times are GMT -5. The time now is 11:19 PM.|