LinuxQuestions.org
Old 04-18-2005, 03:05 AM   #1
danielw
Member
 
Registered: Jul 2003
Location: Australia
Distribution: CRUX
Posts: 35

Rep: Reputation: 15
Can NAT make certain websites time out?


Hi there,

I'm having a real pain in the arse problem where certain websites time out behind my firewall/NAT setup, but the actual firewall itself works fine. It seems to happen when I access log-in sites such as Hotmail or Yahoo Mail. Whenever the client logs in it just sits there and times out. What, if anything, would cause this? I've tried many different iptables scripts that are proven and work without problems on other setups.

I also compiled my own kernel (2.6.10) perhaps there is a module I left out?


Any help would be greatly appreciated!
 
Old 04-18-2005, 05:13 AM   #2
masand
LQ Guru
 
Registered: May 2003
Location: INDIA
Distribution: Ubuntu, Solaris,CentOS
Posts: 5,522

Rep: Reputation: 69
Do you mean to say that you have a shared internet connection and the other machines behind the firewall cannot access these 2 websites but can access other sites?
 
Old 04-18-2005, 08:16 PM   #3
danielw
Member
 
Registered: Jul 2003
Location: Australia
Distribution: CRUX
Posts: 35

Original Poster
Rep: Reputation: 15
pretty much
 
Old 04-18-2005, 10:14 PM   #4
masand
LQ Guru
 
Registered: May 2003
Location: INDIA
Distribution: Ubuntu, Solaris,CentOS
Posts: 5,522

Rep: Reputation: 69
Hi there,

Are you allowing all connections from that firewall, the HTTPS ones too?

regards
 
Old 04-25-2005, 06:45 AM   #5
deoren
Member
 
Registered: Oct 2003
Location: USA
Distribution: Ubuntu
Posts: 216

Rep: Reputation: 30
I know you can adjust the udp timeout values like so:

Code:
UDP_PACKET_TIMEOUT_VALUE=38
echo ${UDP_PACKET_TIMEOUT_VALUE} > /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout
and I'm guessing that you can adjust the tcp timeout as well:

I am not too familiar with tweaking the settings for tcp/ip however.

This dir: /proc/sys/net/ipv4/netfilter
contains the file(s) that you would tweak however. Perhaps do a search on each of those files individually to see what you can dig up.

If you have a xDSL connection, you may also want to look at this:

Quote:
TCPMSS
This target allows to alter the MSS value of TCP SYN packets, to control the maximum size for that connection (usually limiting it to your outgoing interface's MTU minus 40). Of course, it can only be used in conjunction with -p tcp.
This target is used to overcome criminally braindead ISPs or servers which block ICMP Fragmentation Needed packets. The symptoms of this problem are that everything works fine from your Linux firewall/router, but machines behind it can never exchange large packets:

1) Web browsers connect, then hang with no data received.
2) Small mail works fine, but large emails hang.
3) ssh works fine, but scp hangs after initial handshaking.

Workaround: activate this option and add a rule to your firewall configuration like:

iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
-j TCPMSS --clamp-mss-to-pmtu

--set-mss value
    Explicitly set MSS option to specified value.
--clamp-mss-to-pmtu
    Automatically clamp MSS value to (path_MTU - 40).

These options are mutually exclusive.
from: http://www.die.net/doc/linux/man/man8/iptables.8.html
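
The TCPMSS workaround quoted in post #5 depends on the real path MTU, so here is an added example (not part of the thread or of the iptables documentation) that, run on the firewall, binary-searches the largest Don't-Fragment ping that still gets a reply and prints the matching --set-mss rule. It assumes iputils ping (for -M do) and a target host that answers ICMP echo; the function names probe, path_mtu and clamp_rule are made up for this example.

```shell
#!/bin/sh
# Added example: find the largest unfragmented packet that survives the path,
# then derive the MSS to set (path MTU - 40, as in the quoted man page text).

# probe SIZE HOST: succeed if an ICMP echo carrying SIZE payload bytes with
# the Don't Fragment bit set gets a reply (iputils ping, 1 packet, 2 s wait).
probe() {
    ping -M do -c 1 -W 2 -s "$1" "$2" >/dev/null 2>&1
}

# path_mtu HOST [MAX_MTU]: binary-search the payload size and print the
# resulting path MTU. 28 = 20-byte IPv4 header + 8-byte ICMP header.
path_mtu() {
    host=$1
    lo=548                          # 576 bytes (every IPv4 host must accept) - 28
    hi=$(( ${2:-1500} - 28 ))       # start from the Ethernet MTU by default
    # If even the smallest probe fails, the host is down or filters echo.
    probe "$lo" "$host" || return 1
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if probe "$mid" "$host"; then
            lo=$mid                 # this size passed: search larger sizes
        else
            hi=$(( mid - 1 ))       # dropped or too big: search smaller sizes
        fi
    done
    echo $(( lo + 28 ))
}

# clamp_rule PATH_MTU: print the FORWARD rule with an explicit MSS value.
clamp_rule() {
    echo "iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $(( $1 - 40 ))"
}

# Run as: sh pmtu.sh <host>   (does nothing when called without arguments)
if [ $# -gt 0 ]; then
    mtu=$(path_mtu "$1") || { echo "no reply from $1 even at 576 bytes" >&2; exit 1; }
    echo "path MTU to $1: $mtu"
    clamp_rule "$mtu"
fi
```

A result below the LAN-side MTU (for example 1492 on a PPPoE link) while clients behind the NAT still hang on large transfers matches the blocked "Fragmentation Needed" symptom described in the quote.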
 
  

