I'm not a newbie to linux or networking with linux, but iptables has me beat. I'm setting up a router/firewall for a friend of mine who has Bellsouth DSL, PPPOE works fine, everything works fine, except the firewall.

he can browse the web just fine, for most sites. Some sites, just.. wont connect. The one we've really noticed is jobsearch on monster.com. He can get to monster's front page, but when he clicks on search for jobs.. it just..does nothing. There are a few other sites, but this is the one we're using for testing purposes.

Anyway. Walking the interfaces we find

eth0 10.0.0.1 255.0.0.0
This is connected to the cable modem (10.0.0.138)
ppp0 Dynamic IP
This is the actualy net connection via PPPOE.
eth1 192.168.0.1 255.255.255.0
Connection to his lan

For the point of just tryint to get this to work i've defaulted to a 4 line firewall.

$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

/proc/sys/net/ipv4/ip_forward and ip_dynaddr are both 1

I've also check to make sure that ECN (Explicit Congestion Notification) isnt turned on.

I basicly cant think of anything that can be causing this.. does anyone have any idea.

Double Post: http://www.linuxquestions.org/questi...threadid=15010

Please refrain from double posting.

Thanks for pointing that out. You could've at least posted a link on the thread that you closed instead of the one you left open. That way anyone who would've saw that and knew a possible way to help could've, instead of being block out of posting a reply..

I'm sorry, but i didn't close your other thread as I am the moderator of the Linux-General and LFS forums and do not have the power to close that thread in the Networking forum.

I apologize for wrongfully blaming you.. I just thought it was odd that they closed one and put a link to that one in the thread they left open.. ohwell..

Anyway.. this is still a major problem i'm having.. and i'm currently recompiling the kernel on that machine and am about to head over there to see some of this "timing out" as he describes it for myself..

It was a MTU problem caused by PPPOE, since the ppp0 interface was being used basicly as ethernet the MTU's were differnt and packets were getting foobar'd.. it worked some of the times because of smaller packets..

here is the one line fix to add to your iptables firewall..

$IPTABLES -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

Thanks

Yes this is caused due to one of the following.

No Fragmentation allowed

or

No ICMP Frag messages allowed out.
i.e "iptables -A INPUT -i eth0 -p icmp --icmp-type fragmentation-needed -j DROP"

PPPOE has an MTU of 1492, Ethernet is 1500

/Raz