LinuxQuestions.org


svachiname 03-26-2005 10:12 AM

Why PC behind debian gateway can't access some site?
 
I had a WinXP box connected to the internet and used Internet Connection Sharing to make it act as the gateway to my home LAN. All was fine, but exposing Windows to the outer world didn't feel so right. Now I have tried to set up a Debian (sid) box as the gateway instead.

So, I apt-get install ipmasq, and instantly have my Debian box usable as a gateway! However, I discovered that the boxen behind the Debian gateway can't access some websites, while other websites can be viewed just fine.

Example: mail.yahoo.com, login.yahoo.com, www.msn.com and www.microsoft.com gave timeout errors. The rest of the world, like slashdot or google or other random sites, seems fine (including www.hotmail.com and www.yahoo.com).

Also, windowsupdate gave error 80072EE2 after the screen "Windows Update is looking for available update" and sign in to msn messenger failed on those boxen.

On debian box, all the above is working fine (minus windowsupdate), though. Switching back to Windows gateway and everything works just fine again.

Could anyone give me an idea how to investigate this problem? I would appreciate this very much!
---
(I think) related packages' versions
kernel-image-2.6.8 (custom built)
ipmasq 4.0.1
iptables 1.2.11-8

The following is output from iptables -t nat -L
Quote:

Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- localnet/24 anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Output from iptables -t filter -L
Quote:

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
LOG all -- 127.0.0.0/8 anywhere LOG level warning
DROP all -- 127.0.0.0/8 anywhere
ACCEPT all -- anywhere 255.255.255.255
ACCEPT all -- localnet/24 anywhere
ACCEPT !tcp -- anywhere BASE-ADDRESS.MCAST.NET/4
LOG all -- localnet/24 anywhere LOG level warning
DROP all -- localnet/24 anywhere
ACCEPT all -- anywhere 255.255.255.255
ACCEPT all -- anywhere ppp-58.9.142.52.revip.asianet.co.th
LOG all -- anywhere anywhere LOG level warning
DROP all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- localnet/24 anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
LOG all -- anywhere localnet/24 LOG level warning
DROP all -- anywhere localnet/24
LOG all -- anywhere anywhere LOG level warning
DROP all -- anywhere anywhere

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere 255.255.255.255
ACCEPT all -- anywhere localnet/24
ACCEPT !tcp -- anywhere BASE-ADDRESS.MCAST.NET/4
LOG all -- anywhere localnet/24 LOG level warning
DROP all -- anywhere localnet/24
ACCEPT all -- anywhere 255.255.255.255
ACCEPT all -- ppp-58.9.142.52.revip.asianet.co.th anywhere
LOG all -- anywhere anywhere LOG level warning
DROP all -- anywhere anywhere

spurious 03-26-2005 12:58 PM

It sounds like you need to configure your Windows box (behind the Debian gateway) to use your ISP's DNS servers. I don't know how to do this with Windows XP, but with Windows 98, you had to go into Network Properties (from Control Panel), then configure your TCP/IP properties. There was a dialog called "DNS Servers" or something, then you had to manually enter the ip addresses for your ISP's DNS servers.

Your network works with a Windows XP gateway probably because Windows does internet sharing through dhcp by default, whereas with Debian you have to explicitly enable that service (it's a security feature). Check out my .sig for more documentation, especially the Linux Gateway how-to.

svachiname 03-26-2005 08:13 PM

Thanks for the reply. I already put the DNS settings on the Windows boxen behind the gateway, and DNS resolution works. So, I think this is not the cause.

To be more specific, I ran wget on a box behind gateway using cygwin and got this output
Quote:

$ wget http://mail.yahoo.com/
--08:54:11-- http://mail.yahoo.com/
=> `index.html'
Resolving mail.yahoo.com... 66.218.75.184
Connecting to mail.yahoo.com[66.218.75.184]:80... connected.
HTTP request sent, awaiting response...

wget just waited for a response and none was coming. However, when I changed that to http://mail.yahoo.com/index.html, it worked fine.
Quote:

$ wget http://mail.yahoo.com/index.html
--09:05:32-- http://mail.yahoo.com/index.html
=> `index.html'
Resolving mail.yahoo.com... 66.218.75.184
Connecting to mail.yahoo.com[66.218.75.184]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 94 [text/html]

100%[====================================>] 94 --.--K/s

09:05:32 (917.97 KB/s) - `index.html' saved [94/94]

The same goes for http://www.microsoft.com/ (can't get a response), but http://www.microsoft.com/windows/ loads fine.

I am really baffled here. I even used a Knoppix live CD to boot those boxes behind the gateway, tried browsing and got the same result too, so I guess it must be my gateway settings, not a Windows/IE glitch.

Moloko 03-28-2005 10:02 AM

It's probably the MTU value that you need to change, on the network card of the client and on the one connected to the client on the server. Usually you can ping the website, but the browser doesn't display it. Changing the MTU to 1452 should fix this.

svachiname 03-31-2005 09:54 AM

Thanks! The problem is indeed caused by the MTU over the PPPoE link. I found a good description of this problem (and solution) after reading your post. Here:
http://www.linux.com/howtos/IP-Masquerade-HOWTO/mtu-issues.shtml

Thanks again.
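
The diagnosis reached in this thread can be checked from a LAN client with don't-fragment pings. The script below is an added example, not part of the original posts: it binary-searches the largest unfragmented IPv4 packet to a host and derives the matching TCP MSS. It assumes IPv4, Linux iputils ping, and a target that answers ICMP echo; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: locate the path MTU with DF pings, then derive the TCP MSS.

# probe HOST PAYLOAD: succeeds if an ICMP echo carrying PAYLOAD data bytes with
# the don't-fragment bit set is answered (-M do forbids fragmentation).
probe() {
    ping -c 1 -W 2 -M do -s "$2" "$1" >/dev/null 2>&1
}

# find_pmtu HOST: binary-search the largest packet (payload + 20-byte IPv4
# header + 8-byte ICMP header) that passes unfragmented and print it as the MTU.
# Returns 1 if even the smallest probe fails (host down or ICMP filtered).
find_pmtu() {
    host=$1
    lo=548      # payload of a 576-byte datagram, a size every IPv4 host must accept
    hi=1472     # payload of a full 1500-byte Ethernet packet
    probe "$host" "$lo" || return 1
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if probe "$host" "$mid"; then lo=$mid; else hi=$(( mid - 1 )); fi
    done
    echo $(( lo + 28 ))
}

# mss_for_mtu MTU: TCP payload per segment = MTU - 20 (IPv4) - 20 (TCP).
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# Runs only when a host is given, e.g.: sh pmtu.sh mail.yahoo.com
if [ "$#" -gt 0 ]; then
    mtu=$(find_pmtu "$1") || { echo "no reply to DF probes from $1" >&2; exit 1; }
    echo "path MTU to $1: $mtu, TCP MSS: $(mss_for_mtu "$mtu")"
    # Gateway-side fix from the IP-Masquerade-HOWTO; -I puts it ahead of the
    # existing ACCEPT rules in FORWARD so forwarded SYNs actually reach it.
    echo "clamp on gateway: iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"
fi
```

A result below 1500 from a client behind the gateway, combined with small responses loading and large ones hanging, points to the link MTU; clamping the MSS on the gateway avoids changing the MTU on every client.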


All times are GMT -5.