OK, now I'm going to have to get technical.
The MTU should be 1500 for most devices as the router that's talking to your DSL will have this setting.
Other MTUs would be:
65535 = Hyperchannel
17914 = 16 Mbit/sec token ring
8166 = Token Bus (IEEE 802.4)
4464 = 4 Mbit/sec token ring (IEEE 802.5)
1500 = Ethernet
1500 = PPP (typical; can vary widely)
576 = X.25 Networks
The problem is caused because your MTU is lower than 1500. When TCP packets go out of your DSL, the MSS (maximum segment size) is announced when a new TCP connection is established, so the responding server turns the DF bit off so the routers can fragment to your allowed MTU size.
The main problem you have is that the MTU is set to 1412.
And your ipchains script probably has denied all ICMP responses out.
If an ICMP can't-fragment error (type 3, code 4) cannot get back to the source host due to the filter, the host will never know that the packets it is sending are too large.
This means it will keep trying to send the same large packet, and it will keep being dropped--silently dropped from the view of any system on the other side of the filter.
I would change the MTU to 1500 and allow the correct ICMP messages to get back to the source. ICMP messages are an important part of a healthy network; only drop the following types of ICMP messages on a firewall.
Allow out of network:
required-option-missing
parameter-problem
ip-header-bad
TOS-host-unreachable
source-route-failed
network-unknown
echo-reply
timestamp-reply
address-mask-reply
fragmentation-needed
Don't Allow out of network:
time-exceeded
destination-unreachable
network-unreachable
host-unreachable
protocol-unreachable
port-unreachable
host-unknown
network-prohibited
host-prohibited
TOS-network-unreachable
communication-prohibited
host-precedence-violation
precedence-cutoff
source-quench
redirect
network-redirect
host-redirect
TOS-network-redirect
TOS-host-redirect
echo-request
router-advertisement
router-solicitation
ttl-zero-during-transit
ttl-zero-during-reassembly
timestamp-request
address-mask-request
/Raz
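
The silent-drop behaviour described in the post above, as an added example that is not part of the original post: a Python simulation in which a 1500-byte packet with DF set meets a 1412-byte hop, with and without a filter discarding the ICMP type 3 code 4 reply. The function names, the documentation-range addresses, the path and the retry count are assumptions made for the illustration.

```python
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; returns 0 over a message whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ip_header(total_len: int) -> bytes:
    """Constructed IPv4 header (DF set, TCP) plus 8 payload bytes, as a router would quote it."""
    src, dst = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])  # documentation ranges
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0, src, dst) + bytes(8)

def frag_needed(next_hop_mtu: int, original: bytes) -> bytes:
    """ICMP type 3 code 4 per RFC 1191: type, code, checksum, unused, next-hop MTU, quoted packet."""
    body = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + original[:28]
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]

def parse_frag_needed(icmp: bytes):
    """Return the next-hop MTU from a valid type 3 code 4 message, else None."""
    if len(icmp) < 8 or checksum(icmp) != 0:
        return None
    icmp_type, code, _cksum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    return mtu if (icmp_type, code) == (3, 4) else None

def send(size: int, path_mtus, icmp_filtered: bool, max_tries: int = 5):
    """Simulate a sender with DF set. Returns (delivered, final_packet_size, tries)."""
    for tries in range(1, max_tries + 1):
        bottleneck = next((m for m in path_mtus if m < size), None)
        if bottleneck is None:
            return True, size, tries          # every hop could forward it
        icmp = frag_needed(bottleneck, ip_header(size))  # router drops packet, reports why
        if icmp_filtered:
            continue                          # firewall ate the ICMP: resend same size
        mtu = parse_frag_needed(icmp)
        if mtu:
            size = mtu                        # sender lowers its path MTU estimate
    return False, size, max_tries

if __name__ == "__main__":
    path = [1500, 1412, 1500]                 # constructed path with one 1412-byte hop
    print("ICMP allowed :", send(1500, path, icmp_filtered=False))
    print("ICMP filtered:", send(1500, path, icmp_filtered=True))
```

With the ICMP message allowed through, the sender drops to 1412 bytes and delivers on the second attempt; with it filtered, every retry is the same 1500-byte packet and none arrives.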