Old 07-29-2007, 08:45 AM   #1
Registered: Nov 2004
Location: Jersey, British Isles
Distribution: Gentoo
Posts: 44

Rep: Reputation: 15
Clients not working properly with NAT

Hi all

I use this script for NAT:

# Enable kernel IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Clear previous iptables
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain

# Set up iptables forwarding
iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
iptables --append FORWARD --in-interface eth0 -j ACCEPT

I previously used this with a USB ADSL modem, but it was very dodgy and dropped a lot, so I switched to a PPPoE ethernet modem (a Draytek Vigor 100).

To connect here I use this /etc/conf.d/net, and then connect with /etc/init.d/net.ppp0 start:

modules=( "ifconfig" )

config_eth0=( " netmask" )


pppd_ppp0=("defaultroute" "usepeerdns")

eth0 is the LAN interface, eth1 is the interface connected to the modem.

This connects fine, and works absolutely fine on the machine that is connected to the modem.

However the machines connecting through it (the machines on the network) only have limited network access:

They can only browse a small number of sites, most sites will just time out. Ones that work include,, and They can ping anything fine, even the sites that don't work. Connecting to various IRC servers for instance will start to connect, but simply stop half way through the MOTD.

Does anybody have any idea? I've run out of ideas here.

Thanks very much.
Old 07-29-2007, 02:53 PM   #2
Registered: Nov 2004
Location: Jersey, British Isles
Distribution: Gentoo
Posts: 44

Original Poster
Rep: Reputation: 15
I've found the fix here:

Originally Posted by Hu
This sounds like a case of MTU problems. From the iptables manpage:
       This target allows to alter the MSS value of TCP SYN packets, to control
       the maximum size for that connection (usually limiting it to your
       outgoing interface's MTU minus 40). Of course, it can only be used in
       conjunction with -p tcp. It is only valid in the mangle table.
       This target is used to overcome criminally braindead ISPs or servers
       which block ICMP Fragmentation Needed packets. The symptoms of this
       problem are that everything works fine from your Linux firewall/router,
       but machines behind it can never exchange large packets:
        1) Web browsers connect, then hang with no data received.
        2) Small mail works fine, but large emails hang.
        3) ssh works fine, but scp hangs after initial handshaking.
       Workaround: activate this option and add a rule to your firewall
       configuration like:
        iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
                    -j TCPMSS --clamp-mss-to-pmtu

       --set-mss value
              Explicitly set MSS option to specified value.

       --clamp-mss-to-pmtu
              Automatically clamp MSS value to (path_MTU - 40).

       These options are mutually exclusive.
Add such a rule to your Gentoo machine and see if that helps.
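As an added example (not the poster's script and not part of Hu's reply), here is the thread's NAT script rewritten as a rule generator that includes the TCPMSS clamp from the quoted manpage, an explicit return-traffic rule and a DROP policy on FORWARD so only LAN-originated flows are forwarded. The interface names eth0 (LAN) and ppp0 (WAN) come from the thread; the PPPoE MTU of 1492 used in the pinned-MSS variant is an assumption.

```shell
#!/bin/sh
# Added example: emits the iptables commands instead of running them, so the
# ruleset can be reviewed first and applied with:  nat_rules eth0 ppp0 | sh
# Assumes eth0 = LAN, ppp0 = WAN (the thread's layout).

# MSS that fits a given MTU: subtract 20 bytes IPv4 header + 20 bytes TCP header.
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# $1 = LAN interface, $2 = WAN interface, $3 (optional) = WAN MTU.
# Without $3 the MSS is clamped to the discovered path MTU; with $3 it is
# pinned with --set-mss, which still works when PMTU discovery itself fails.
nat_rules() {
    lan=$1; wan=$2; mtu=$3
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables --flush
iptables --table nat --flush
iptables --table mangle --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables --table mangle --delete-chain
iptables --table nat --append POSTROUTING --out-interface $wan -j MASQUERADE
iptables --append FORWARD --in-interface $lan --out-interface $wan -j ACCEPT
iptables --append FORWARD --in-interface $wan --out-interface $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables --policy FORWARD DROP
EOF
    # Clamp only on SYN (not SYN/ACK or RST): the MSS option is negotiated there.
    if [ -n "$mtu" ]; then
        echo "iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $(mss_for_mtu "$mtu")"
    else
        echo "iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"
    fi
}

# Run directly: nat_rules <lan> <wan> [mtu]
if [ $# -ge 2 ]; then
    nat_rules "$@"
fi
```

For a PPPoE link (MTU 1492, assumed) the pinned variant emits --set-mss 1452, which is the manpage's "MTU minus 40".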