KennyNotDead 05-03-2005 08:46 PM

strange nat problem
Hi, I had a nat box running debian woody (2.4.19 kernel).
Everything was working great, but I upgraded to sarge and installed a kernel, and this issue came up:
In the nat clients, some web pages work and others don't, while in the nat box everything works fine.
For example google works great, but hotmail doesn't (and it does work in the nat box). An Ethereal run shows that it does some talking (it sends and receives packets containing html headers) and then starts waiting for something that never comes. Hotmail is just an example; there are some other web pages not requiring authentication that don't work either.
I'm using the same configuration I used in woody; only the program versions changed. I have a lot of iptables rules plus some traffic shaping commands (with tc), but the problem persists even using this minimal set of rules and no Traffic Control:

:PREROUTING ACCEPT [22307:4559231]
:INPUT ACCEPT [16590:2976594]
:FORWARD ACCEPT [5364:1548354]
:OUTPUT ACCEPT [16414:1661497]
:POSTROUTING ACCEPT [21770:3197851]
:INPUT ACCEPT [14850:2866366]
:OUTPUT ACCEPT [14907:1537177]
:PREROUTING ACCEPT [10490:589933]
:OUTPUT ACCEPT [402:24212]

I find it very strange that some things work and some things don't. I have no clue what the problem could be, and I don't even know if it is an iptables-related issue, so any help pointing me in the right direction will be appreciated.

angrybeaver 05-03-2005 09:19 PM

It might not have anything to do with your firewall. Maybe it's an MTU or IP flag option that's causing problems. Did you compile this kernel yourself? If so, do you remember setting up any IP options (like ECN, for instance) which might cause this sort of problem?

KennyNotDead 05-03-2005 11:20 PM

I did compile the kernel, but I used the same options I was using on the old kernel, or at least that's what I think; it was a big kernel change and maybe I missed some new options.
Anyway, the only packets affected are those that get masqueraded. If it were that kind of problem, wouldn't the nat box have trouble too?

frostschutz 05-11-2005 01:21 PM

In the nat clients, some web pages work and others don't, while in the nat box everything works fine.
Sounds like bad MTU setting.
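An added model (not from the thread) of the path-MTU black hole that frostschutz is hinting at, and why it shows exactly the symptom in the first post: small replies fit in one packet and load, large replies stall after the headers, and the nat box itself is unaffected because its own TCP stack already uses the smaller MSS. The uplink MTU of 1492 (a PPPoE-style link), the page sizes and the blocked ICMP are constructed assumptions; the TCPMSS rule in the comment is the standard iptables mitigation, not a rule quoted from the thread.

```python
"""Constructed model of a PMTU black hole behind a NAT box.

Assumed topology: LAN clients use MTU 1500 (TCP MSS 1460); the NAT box's
uplink MTU is 1492; ICMP "fragmentation needed" never reaches the server.
"""
from dataclasses import dataclass

IP_TCP_HEADERS = 40  # IPv4 (20) + TCP (20) without options


@dataclass
class Path:
    uplink_mtu: int            # smallest MTU on the path (the NAT box's WAN link)
    icmp_reaches_server: bool  # does "fragmentation needed" get back to the server?


def mss_for_mtu(mtu: int) -> int:
    """Largest TCP payload that fits in one packet of the given MTU."""
    return mtu - IP_TCP_HEADERS


def fetch(page_bytes: int, client_mss: int, path: Path) -> bool:
    """Simulate a server sending page_bytes to a client with DF set.

    The server sizes segments from the client's advertised MSS. A segment too
    big for the uplink is dropped at the router feeding that link; the server
    only shrinks its segments if the ICMP error reaches it. Returns True when
    the whole page arrives, False when the transfer stalls (the client waits
    forever for data that never comes).
    """
    segment, sent = client_mss, 0
    while sent < page_bytes:
        payload = min(segment, page_bytes - sent)
        if payload + IP_TCP_HEADERS > path.uplink_mtu:
            if not path.icmp_reaches_server:
                return False                         # black hole
            segment = mss_for_mtu(path.uplink_mtu)   # PMTUD worked, retry smaller
            continue
        sent += payload
    return True


if __name__ == "__main__":
    blackhole = Path(uplink_mtu=1492, icmp_reaches_server=False)
    print(fetch(600, 1460, blackhole))                   # short page: True
    print(fetch(40_000, 1460, blackhole))                # big page from a client: False
    print(fetch(40_000, mss_for_mtu(1492), blackhole))   # same page from the NAT box: True
    # Standard fix on the NAT box: clamp the MSS of forwarded SYNs to the path MTU:
    # iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
```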

