- 07-30-2005 #1, Just Joined! (Join Date: Jul 2005, Posts: 3)
linux router - can surf to some sites only, and telnet to all?!
Hi all!
Weird problem here.. I know it'll be something really stupid, but I can't figure it out.
We have 2 client (XP) PCs, and a linux machine as router/firewall for a cable modem internet connection. Works perfectly. I'm now trying to switch to ADSL instead of cable. Currently setting up a second linux machine to test, because I have no experience with DSL on linux. Currently, this machine connects to the DSL without problems, and is on the same LAN as the original router. So I thought it would be easy to point the default gateway of one of the clients to the new linux router, and see if it works. Oh, from the new router I can ping the client PCs too, and the route table seems to be ok.
On the new router, everything works: I can ping, surf (with 'links') to anything I want.
On the client, using this new router, I can ping everywhere I want, DNS works, and I can surf to google.com. But that's it, I cannot surf to anything else... I'm no expert with tcpdump, but when I run it on the router, I think I see acks coming in from the sites I try to surf to, but my browser keeps waiting for response...
If I try to surf to www.microsoft.com for example, it does not work. Then I tried "telnet www.microsoft.com 80" on the command line, typed "GET", and then I got a response, so via telnet it works! I also tried it on the other client PC, and it does exactly the same, so it's not a client problem... also, some other sites do work with the browser (examples: www.belnet.be, www.mv.be). Oh, and FTP seems to work fine too...
Here are 2 tcpdump logs..
The first one is from an attempt to connect to www.realdsl.be (192.168.0.20 is the client):
Code:
16:23:03.348292 IP 192.168.0.20.1921 > 217.22.50.130.80: S 410999437:410999437(0) win 65535 <mss 1460,nop,nop,sackOK>
16:23:03.359662 IP 217.22.50.130.80 > 192.168.0.20.1921: S 59458721:59458721(0) ack 410999438 win 5840 <mss 1460,nop,nop,sackOK>
16:23:03.360010 IP 192.168.0.20.1921 > 217.22.50.130.80: . ack 1 win 65535
16:23:03.360596 IP 192.168.0.20.1921 > 217.22.50.130.80: P 1:287(286) ack 1 win 65535
16:23:03.377479 IP 217.22.50.130.80 > 192.168.0.20.1921: . ack 287 win 6432
The second one is from a successful connection to google.com:
Code:
16:22:50.572827 IP 192.168.0.20.1919 > 64.233.161.99.80: P 3087685448:3087685736(288) ack 2415964445 win 65281
16:22:50.678552 IP 64.233.161.99.80 > 192.168.0.20.1919: . ack 288 win 7902
16:22:50.678992 IP 64.233.161.99.80 > 192.168.0.20.1919: . ack 288 win 6432
16:22:50.691173 IP 64.233.161.99.80 > 192.168.0.20.1919: . 1:1431(1430) ack 288 win 6432
16:22:50.691859 IP 64.233.161.99.80 > 192.168.0.20.1919: P 1431:1781(350) ack 288 win 6432
16:22:50.693501 IP 192.168.0.20.1919 > 64.233.161.99.80: . ack 1781 win 65535
16:22:50.704061 IP 192.168.0.20.1920 > 64.233.161.99.80: P 1120246903:1120247287(384) ack 4251847620 win 65281
16:22:50.704440 IP 192.168.0.20.1919 > 64.233.161.99.80: P 288:672(384) ack 1781 win 65535
16:22:50.810806 IP 64.233.161.99.80 > 192.168.0.20.1920: . ack 384 win 7806
16:22:50.811543 IP 64.233.161.99.80 > 192.168.0.20.1920: . ack 384 win 6432
16:22:50.820284 IP 64.233.161.99.80 > 192.168.0.20.1920: P 1:128(127) ack 384 win 6432
16:22:50.821961 IP 192.168.0.20.1920 > 64.233.161.99.80: P 384:768(384) ack 128 win 65154
16:22:50.822776 IP 64.233.161.99.80 > 192.168.0.20.1919: P 1781:1908(127) ack 672 win 7504
16:22:50.825704 IP 192.168.0.20.1919 > 64.233.161.99.80: P 672:1056(384) ack 1908 win 65408
16:22:50.936096 IP 64.233.161.99.80 > 192.168.0.20.1920: P 128:255(127) ack 768 win 7504
16:22:50.942763 IP 64.233.161.99.80 > 192.168.0.20.1919: P 1908:2035(127) ack 1056 win 8576
16:22:51.106389 IP 192.168.0.20.1919 > 64.233.161.99.80: . ack 2035 win 65281
16:22:51.106452 IP 192.168.0.20.1920 > 64.233.161.99.80: . ack 255 win 65027
Anyone feels like helping out?
Greetings,
Tom.
- 07-30-2005 #2
hmmm... I am no expert by far, but are you running a firewall on the local interface of your router? Perhaps your browser is trying to open multiple connections to the host site, and as a result received another port on the router's internal interface. Problem then becomes, that port is firewalled.
In all honesty, I have never heard of anything like this (well, never with the nice technical output) and at the moment, this is all I got... sorry.
- 07-31-2005 #3, Just Joined! (Join Date: Jul 2005, Posts: 28)
Check your router settings with the 'ip r' command. Be sure that internal requests are routed correctly to your internet router. I think this may help if you are sure about your NAT settings.
- 07-31-2005 #4, Just Joined! (Join Date: Jul 2005, Posts: 3)
The firewall that runs on the router is iptables, a very basic ruleset from the masquerading howto, to test if it all works. See below for more details. And the route table should be ok too; from the router I can ping the internet and the LAN without problems. From a client PC I can ping everywhere, even a traceroute looks fine!
Here is some more info:
Code:
gateway:/usr/local/bin# iptables -L -n -v -x
Chain INPUT (policy ACCEPT 54 packets, 5649 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      14       7414 ACCEPT     all  --  ppp0   eth2    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
      14       1485 ACCEPT     all  --  eth2   ppp0    0.0.0.0/0            0.0.0.0/0
       0          0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4

Chain OUTPUT (policy ACCEPT 45 packets, 5420 bytes)
    pkts      bytes target     prot opt in     out     source               destination
Code:
gateway:/usr/local/bin# iptables -t nat -L -n -v -x
Chain PREROUTING (policy ACCEPT 107 packets, 28034 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 7 packets, 516 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      10        555 MASQUERADE all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 16 packets, 1168 bytes)
    pkts      bytes target     prot opt in     out     source               destination
ifconfig: eth0 = for dmz (not used right now), eth1 = adsl modem, eth2 = lan. I thought it might have been a problem with one of the interfaces, so I used other combinations before, all with the same problem...
Code:
gateway:/usr/local/bin# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:10:5A:A7:8A:2C
          inet addr:192.168.1.250  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:6
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:252 (252.0 b)
          Interrupt:7 Base address:0x300

eth1      Link encap:Ethernet  HWaddr 00:80:C8:DF:FB:E9
          inet addr:10.0.0.1  Bcast:10.255.255.255  Mask:255.0.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:27458 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14464 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:39400454 (37.5 MiB)  TX bytes:935402 (913.4 KiB)
          Interrupt:10 Base address:0x6800

eth2      Link encap:Ethernet  HWaddr 00:50:FC:CC:78:0A
          inet addr:192.168.0.250  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2202 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3358 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:210504 (205.5 KiB)  TX bytes:691725 (675.5 KiB)
          Interrupt:12 Base address:0x6c00

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:560 (560.0 b)  TX bytes:560 (560.0 b)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:83.217.93.41  P-t-P:193.27.64.78  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:26214 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13221 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:38749100 (36.9 MiB)  TX bytes:569900 (556.5 KiB)
Code:
gateway:/usr/local/bin# cat /etc/network/interfaces
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
        address 192.168.1.250
        netmask 255.255.255.0
        network 192.168.1.0
        broadcast 192.168.1.255

auto eth1
iface eth1 inet static
        address 10.0.0.1
        netmask 255.0.0.0
        network 10.0.0.0
        broadcast 10.255.255.255

auto eth2
iface eth2 inet static
        address 192.168.0.250
        netmask 255.255.255.0
        network 192.168.0.0
        broadcast 192.168.0.255

auto dsl-provider
iface dsl-provider inet ppp
        provider dsl-provider
Code:
gateway:/usr/local/bin# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
193.27.64.78    0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 eth1
0.0.0.0         193.27.64.78    0.0.0.0         UG    0      0        0 ppp0
- 07-31-2005 #5, Just Joined! (Join Date: Jul 2005, Posts: 3)
Just for the record.. problem solved!
I found an interesting site: http://blue-labs.org/howto/mtu-mss.php
Here's what happened:
pppoeconf adds an iptables line like this:
Code:
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu
My firewall script (which I ran every time because it takes care of the masquerading) clears all iptables rules and starts with its own, and so it erases the clamp line too... When I add the above line to the front of the script, everything works beautifully!
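As an added example (not code from the thread or from any of its posters), the following Python script reads tcpdump lines in the format posted above and flags exactly the condition the fix addresses: an advertised MSS or a data segment too large for the 1492-byte ppp0 MTU shown in the ifconfig output, and the "request acknowledged, no response data" symptom of a path-MTU black hole. The two sample traces are copied from the thread; the MTU value and the client address are taken from the posts and are the only assumptions.

```python
import re

LINK_MTU = 1492   # MTU of ppp0 in the thread's ifconfig output (1500 - 8 bytes of PPPoE)
# Constructed samples: packets copied from the two tcpdump excerpts posted in the thread.
REALDSL_TRACE = """\
16:23:03.348292 IP 192.168.0.20.1921 > 217.22.50.130.80: S 410999437:410999437(0) win 65535 <mss 1460,nop,nop,sackOK>
16:23:03.359662 IP 217.22.50.130.80 > 192.168.0.20.1921: S 59458721:59458721(0) ack 410999438 win 5840 <mss 1460,nop,nop,sackOK>
16:23:03.360010 IP 192.168.0.20.1921 > 217.22.50.130.80: . ack 1 win 65535
16:23:03.360596 IP 192.168.0.20.1921 > 217.22.50.130.80: P 1:287(286) ack 1 win 65535
16:23:03.377479 IP 217.22.50.130.80 > 192.168.0.20.1921: . ack 287 win 6432
"""
GOOGLE_TRACE = """\
16:22:50.572827 IP 192.168.0.20.1919 > 64.233.161.99.80: P 3087685448:3087685736(288) ack 2415964445 win 65281
16:22:50.691173 IP 64.233.161.99.80 > 192.168.0.20.1919: . 1:1431(1430) ack 288 win 6432
16:22:50.691859 IP 64.233.161.99.80 > 192.168.0.20.1919: P 1431:1781(350) ack 288 win 6432
"""
PKT_RE = re.compile(r"^\S+ IP ([\d.]+)\.(\d+) > ([\d.]+)\.(\d+): (\S+)")

def parse_packet(line):
    """One tcpdump line -> (src_ip, dst_ip, flags, payload_len, has_ack, mss) or None."""
    m = PKT_RE.match(line)
    if not m:
        return None
    src, _sport, dst, _dport, flags = m.groups()
    seg = re.search(r"\d+:\d+\((\d+)\)", line)   # "1:287(286)" -> 286 payload bytes
    mss = re.search(r"<mss (\d+)", line)          # option only present on SYN / SYN-ACK
    return (src, dst, flags, int(seg.group(1)) if seg else 0,
            " ack " in line, int(mss.group(1)) if mss else None)

def check_trace(trace, client_ip, link_mtu=LINK_MTU):
    """Return findings: MSS or segments too big for the link, plus the black-hole symptom."""
    max_mss = link_mtu - 40   # 20-byte IPv4 header + 20-byte TCP header, no options
    findings, client_sent, server_sent, request_acked = [], 0, 0, False
    for line in trace.splitlines():
        pkt = parse_packet(line)
        if pkt is None:
            continue
        src, _dst, _flags, plen, has_ack, mss = pkt
        if mss is not None and mss > max_mss:
            findings.append(f"{src} advertised MSS {mss}, but MTU {link_mtu} allows at most {max_mss}")
        if plen > max_mss:
            findings.append(f"{src} sent a {plen}-byte segment that cannot cross the {link_mtu}-byte link")
        if src == client_ip:
            client_sent += plen
        else:
            server_sent += plen
            if plen == 0 and has_ack and client_sent > 0:
                request_acked = True   # server ACKed the HTTP request without sending data (yet)
    if request_acked and server_sent == 0:
        findings.append("request acknowledged but no response data seen: consistent with a PMTU black hole")
    return findings
```

On the realdsl.be trace it reports both MSS 1460 announcements (path allows 1452) and the missing response; on the google.com trace the 1430-byte server segments fit the link and nothing is flagged.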