I had a WinXP box connected to the internet and use Internet Connection Sharing to make it act as gateway to my home LAN. All was fine, but exposing Windows to the outer world didn't feel so right. Now I tried to set up a debian (sid) box as the gateway instead.

So, I apt-get install ipmasq, and instantly have my debian box usable as gateway! However, I discovered that the boxen behind the debian gateway can't access some website, while other website can be viewed just fine.

example: mail,yahoo,com login,yahoo,com www,msn,com www,microsoft,com gave timeout error. The rest of the world, like slashdot or google or other random sites, seem fine (including www,hotmail,com www,yahoo,com).

Also, windowsupdate gave error 80072EE2 after the screen "Windows Update is looking for available update" and sign in to msn messenger failed on those boxen.

On debian box, all the above is working fine (minus windowsupdate), though. Switching back to Windows gateway and everything works just fine again.

Could anyone give me an idea how to investigate this problem? I would appreciate this very much!
---
(I think) related packages' versions
kernel-image-2.6.8 (custom built)
ipmasq 4.0.1
iptables 1.2.11-8

The following is output from iptables -t nat -L
output from iptables -t filter -L

It sounds like you need to configure your Windows box (behind the Debian gateway) to use your ISP's DNS servers. I don't know how to do this with Windows XP, but with Windows 98, you had to go into Network Properties (from Control Panel), then configure your TCP/IP properties. There was a dialog called "DNS Servers" or something, then you had to manually enter the ip addresses for your ISP's DNS servers.

Your network works with a Windows XP gateway probably because Windows does internet sharing through dhcp by default, whereas with Debian you have to explicitly enable that service (it's a security feature). Check out my .sig for more documentation, especially the Linux Gateway how-to.

Thanks for the reply. I already put the DNS settings on Windows boxen behind the gateway already, and DNS resolution works. So, I think this is not the cause.

To be more specific, I ran wget on a box behind gateway using cygwin and got this output
wget just waited for response and none was coming. However when I changed that to http://mail.yahoo.com/index.html, it worked fine.
The same goes with http://www.microsoft.com/ (can't get response), but http://www.microsoft.com/windows/ loads fine.

I am really baffled here. I even put Knoppix live CD to boot those box behind gateway, tried browsing and got the same result too, so I guess it must be my gateway settings, not Windows/IE glitch.

It's probably the mtu value you need to change of the network card on the client and the one connected to the client on the server. Usually you can ping the website, but the browser doesn't display it. Changing the mtu to 1452 should fix this.

Thanks! The problem is indeed caused by MTU over PPPoE link. I found a good description of this problem (and solution) after reading your post. Here
http://www.linux.com/howtos/IP-Masquerade-HOWTO/mtu-issues.shtml

Thanks again.