  1. #1
    Just Joined!
    Join Date
    Jul 2005
    Posts
    3

    linux router - can surf to some sites only, and telnet to all?!


    Hi all!

    Weird problem here... I know it'll be something really stupid, but I can't figure it out.

    We have 2 client (XP) PCs, and a Linux machine as router/firewall for a cable modem internet connection. Works perfectly. I'm now trying to switch to ADSL instead of cable. Currently setting up a second Linux machine to test, because I have no experience with DSL on Linux. Currently, this machine connects to the DSL without problems, and is on the same LAN as the original router. So I thought it would be easy to point the default gateway of one of the clients to the new Linux router, and see if it works. Oh, from the new router I can ping the client PCs too, and the route table seems to be ok.

    On the new router, everything works: I can ping, surf (with 'links') to anything I want.
    On the client, using this new router, I can ping everywhere I want, DNS works, and I can surf to google.com. But that's it, I cannot surf to anything else... I'm no expert with tcpdump, but when I run it on the router, I think I see acks coming in from the sites I try to surf to, but my browser keeps waiting for response...

    If I try to surf to www.microsoft.com for example, it does not work. Then I tried "telnet www.microsoft.com 80" on the command line, typed "GET", and then I got a response, so via telnet it works! I also tried it on the other client PC, and it does exactly the same, so it's not a client problem... also, some other sites do work with the browser (examples: www.belnet.be, www.mv.be). Oh, and FTP seems to work fine too...

    Here are 2 tcpdump-logs..
    The first one is from an attempt to connect to www.realdsl.be (192.168.0.20 is the client):
    Code:
    16:23:03.348292 IP 192.168.0.20.1921 > 217.22.50.130.80: S 410999437:410999437(0) win 65535 <mss 1460,nop,nop,sackOK>
    16:23:03.359662 IP 217.22.50.130.80 > 192.168.0.20.1921: S 59458721:59458721(0) ack 410999438 win 5840 <mss 1460,nop,nop,sackOK>
    16:23:03.360010 IP 192.168.0.20.1921 > 217.22.50.130.80: . ack 1 win 65535
    16:23:03.360596 IP 192.168.0.20.1921 > 217.22.50.130.80: P 1:287(286) ack 1 win 65535
    16:23:03.377479 IP 217.22.50.130.80 > 192.168.0.20.1921: . ack 287 win 6432
    The second one is from a successful connection to google.com:
    Code:
    16:22:50.572827 IP 192.168.0.20.1919 > 64.233.161.99.80: P 3087685448:3087685736(288) ack 2415964445 win 65281
    16:22:50.678552 IP 64.233.161.99.80 > 192.168.0.20.1919: . ack 288 win 7902
    16:22:50.678992 IP 64.233.161.99.80 > 192.168.0.20.1919: . ack 288 win 6432
    16:22:50.691173 IP 64.233.161.99.80 > 192.168.0.20.1919: . 1:1431(1430) ack 288 win 6432
    16:22:50.691859 IP 64.233.161.99.80 > 192.168.0.20.1919: P 1431:1781(350) ack 288 win 6432
    16:22:50.693501 IP 192.168.0.20.1919 > 64.233.161.99.80: . ack 1781 win 65535
    16:22:50.704061 IP 192.168.0.20.1920 > 64.233.161.99.80: P 1120246903:1120247287(384) ack 4251847620 win 65281
    16:22:50.704440 IP 192.168.0.20.1919 > 64.233.161.99.80: P 288:672(384) ack 1781 win 65535
    16:22:50.810806 IP 64.233.161.99.80 > 192.168.0.20.1920: . ack 384 win 7806
    16:22:50.811543 IP 64.233.161.99.80 > 192.168.0.20.1920: . ack 384 win 6432
    16:22:50.820284 IP 64.233.161.99.80 > 192.168.0.20.1920: P 1:128(127) ack 384 win 6432
    16:22:50.821961 IP 192.168.0.20.1920 > 64.233.161.99.80: P 384:768(384) ack 128 win 65154
    16:22:50.822776 IP 64.233.161.99.80 > 192.168.0.20.1919: P 1781:1908(127) ack 672 win 7504
    16:22:50.825704 IP 192.168.0.20.1919 > 64.233.161.99.80: P 672:1056(384) ack 1908 win 65408
    16:22:50.936096 IP 64.233.161.99.80 > 192.168.0.20.1920: P 128:255(127) ack 768 win 7504
    16:22:50.942763 IP 64.233.161.99.80 > 192.168.0.20.1919: P 1908:2035(127) ack 1056 win 8576
    16:22:51.106389 IP 192.168.0.20.1919 > 64.233.161.99.80: . ack 2035 win 65281
    16:22:51.106452 IP 192.168.0.20.1920 > 64.233.161.99.80: . ack 255 win 65027

    Anyone feels like helping out?


    Greetings,

    Tom.
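A small check, added here and not part of Tom's post, for what these two captures show once they are read against the resolution later in the thread (MSS clamping on the PPPoE link): the stalled connection's SYN/ACK advertises mss 1460, which is 8 bytes more than a 1492-byte ppp0 link can carry in a single packet, while the google.com connection delivered 1430-byte segments, which do fit. The link MTU and the two sample lines are taken from the thread; the function names and the arithmetic are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: check tcpdump lines for an MSS that does
# not fit the outbound link. LINK_MTU is assumed to be ppp0's MTU from the
# thread (1492); the sample lines are copied from the poster's captures.

LINK_MTU=1492

# Largest TCP payload that fits one packet on a link: MTU minus a 20-byte IPv4
# header and a 20-byte TCP header without options.
max_mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# Print the MSS advertised in a tcpdump SYN or SYN/ACK line; prints nothing
# when the line carries no mss option (plain data or ACK segments).
mss_from_line() {
    printf '%s\n' "$1" | sed -n 's/.*<mss \([0-9][0-9]*\).*/\1/p'
}

# Print the payload length of a data segment, i.e. the number in parentheses
# after the sequence range ("1:1431(1430)" prints 1430).
segment_len() {
    printf '%s\n' "$1" | sed -n 's/.*[0-9][0-9]*:[0-9][0-9]*(\([0-9][0-9]*\)).*/\1/p'
}

# True (exit 0) when the advertised MSS is larger than the link can carry, so a
# full-sized segment with DF set would have to be fragmented on the way in.
mss_exceeds_link() {
    mss=$(mss_from_line "$1")
    [ -n "$mss" ] && [ "$mss" -gt "$(max_mss_for_mtu "$2")" ]
}

# True (exit 0) when the data segment on the given line fits the link MTU.
segment_fits_link() {
    len=$(segment_len "$1")
    [ -n "$len" ] && [ $(( len + 40 )) -le "$2" ]
}

# Sample input (from the thread's captures): the SYN/ACK of the stalled
# www.realdsl.be connection and a data segment of the working google.com one.
SYN_ACK_STALLED='16:23:03.359662 IP 217.22.50.130.80 > 192.168.0.20.1921: S 59458721:59458721(0) ack 410999438 win 5840 <mss 1460,nop,nop,sackOK>'
DATA_WORKING='16:22:50.691173 IP 64.233.161.99.80 > 192.168.0.20.1919: . 1:1431(1430) ack 288 win 6432'

if mss_exceeds_link "$SYN_ACK_STALLED" "$LINK_MTU"; then
    echo "SYN/ACK advertises mss $(mss_from_line "$SYN_ACK_STALLED"); a $LINK_MTU-byte link carries at most $(max_mss_for_mtu "$LINK_MTU")"
fi
if segment_fits_link "$DATA_WORKING" "$LINK_MTU"; then
    echo "segment of $(segment_len "$DATA_WORKING") bytes fits the $LINK_MTU-byte link"
fi
```

Run it against a live capture by feeding each SYN/ACK line from `tcpdump -n 'tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)'` on the router's LAN side to `mss_exceeds_link`: every connection whose server answers with an MSS above the link's limit is a candidate for exactly this stall.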

  2. #2
    Linux Guru kkubasik's Avatar
    Join Date
    Mar 2004
    Location
    Lat: 39:03:51N Lon: 77:14:37W
    Posts
    2,396
    hmmm... I am no expert by far, but are you running a firewall on the local interface of your router? Perhaps your browser is trying to open multiple connections to the host site, and as a result received another port on the router's internal interface. Problem then becomes, that port is firewalled.

    In all honesty, I have never heard of anything like this (well, never with the nice technical output) and at the moment, this is all I got... sorry.
    Avoid the Gates of Hell. Use Linux
    A Penny for your Thoughts

    Formerly Known as qub333

  3. #3
    Just Joined!
    Join Date
    Jul 2005
    Posts
    28
    Check your router settings with the 'ip r' command. Be sure that internal requests are routed correctly to your internet router. I think this may help if you are sure about your NAT settings.

  5. #4
    Just Joined!
    Join Date
    Jul 2005
    Posts
    3
    The firewall that runs on the router is iptables, a very basic ruleset from the masquerading howto, to test if it all works. See below for more details. And the route table should be ok too; from the router I can ping the internet and the LAN without problems. From a client PC I can ping everywhere, even a traceroute looks fine!

    Here is some more info:

    Code:
    gateway:/usr/local/bin# iptables -L -n -v -x
    Chain INPUT (policy ACCEPT 54 packets, 5649 bytes)
       pkts      bytes target     prot opt in     out     source               destination
    
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
       pkts      bytes target     prot opt in     out     source               destination
         14     7414 ACCEPT     all  --  ppp0   eth2    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
         14     1485 ACCEPT     all  --  eth2   ppp0    0.0.0.0/0            0.0.0.0/0
          0        0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4
    
    Chain OUTPUT (policy ACCEPT 45 packets, 5420 bytes)
       pkts      bytes target     prot opt in     out     source               destination
    Code:
    gateway:/usr/local/bin# iptables -t nat -L -n -v -x
    Chain PREROUTING (policy ACCEPT 107 packets, 28034 bytes)
       pkts      bytes target     prot opt in     out     source               destination
    
    Chain POSTROUTING (policy ACCEPT 7 packets, 516 bytes)
       pkts      bytes target     prot opt in     out     source               destination
         10      555 MASQUERADE  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
    
    Chain OUTPUT (policy ACCEPT 16 packets, 1168 bytes)
       pkts      bytes target     prot opt in     out     source               destination


    ifconfig: eth0 = for dmz (not used right now), eth1 = adsl modem, eth2 = lan. I thought it might have been a problem with one of the interfaces, so I used other combinations before, all with the same problem...

    Code:
    gateway:/usr/local/bin# ifconfig
    eth0      Link encap:Ethernet  HWaddr 00:10:5A:A7:8A:2C
             inet addr:192.168.1.250  Bcast:192.168.1.255  Mask:255.255.255.0
             UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
             RX packets:0 errors:0 dropped:0 overruns:0 frame:0
             TX packets:6 errors:0 dropped:0 overruns:0 carrier:6
             collisions:0 txqueuelen:1000
             RX bytes:0 (0.0 b)  TX bytes:252 (252.0 b)
             Interrupt:7 Base address:0x300
    
    eth1      Link encap:Ethernet  HWaddr 00:80:C8:DF:FB:E9
             inet addr:10.0.0.1  Bcast:10.255.255.255  Mask:255.0.0.0
             UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
             RX packets:27458 errors:0 dropped:0 overruns:0 frame:0
             TX packets:14464 errors:0 dropped:0 overruns:0 carrier:0
             collisions:0 txqueuelen:1000
             RX bytes:39400454 (37.5 MiB)  TX bytes:935402 (913.4 KiB)
             Interrupt:10 Base address:0x6800
    
    eth2      Link encap:Ethernet  HWaddr 00:50:FC:CC:78:0A
             inet addr:192.168.0.250  Bcast:192.168.0.255  Mask:255.255.255.0
             UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
             RX packets:2202 errors:0 dropped:0 overruns:0 frame:0
             TX packets:3358 errors:0 dropped:0 overruns:0 carrier:0
             collisions:0 txqueuelen:1000
             RX bytes:210504 (205.5 KiB)  TX bytes:691725 (675.5 KiB)
             Interrupt:12 Base address:0x6c00
    
    lo        Link encap:Local Loopback
             inet addr:127.0.0.1  Mask:255.0.0.0
             UP LOOPBACK RUNNING  MTU:16436  Metric:1
             RX packets:8 errors:0 dropped:0 overruns:0 frame:0
             TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
             collisions:0 txqueuelen:0
             RX bytes:560 (560.0 b)  TX bytes:560 (560.0 b)
    
    ppp0      Link encap:Point-to-Point Protocol
             inet addr:83.217.93.41  P-t-P:193.27.64.78  Mask:255.255.255.255
             UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
             RX packets:26214 errors:0 dropped:0 overruns:0 frame:0
             TX packets:13221 errors:0 dropped:0 overruns:0 carrier:0
             collisions:0 txqueuelen:3
             RX bytes:38749100 (36.9 MiB)  TX bytes:569900 (556.5 KiB)

    Code:
    gateway:/usr/local/bin# cat /etc/network/interfaces
    auto lo
    iface lo inet loopback
    
    # The primary network interface
    auto eth0
    iface eth0 inet static
           address 192.168.1.250
           netmask 255.255.255.0
           network 192.168.1.0
           broadcast 192.168.1.255
    
    
    auto eth1
    iface eth1 inet static
           address 10.0.0.1
           netmask 255.0.0.0
           network 10.0.0.0
           broadcast 10.255.255.255
    
    
    auto eth2
    iface eth2 inet static
           address 192.168.0.250
           netmask 255.255.255.0
           network 192.168.0.0
           broadcast 192.168.0.255
    
    
    auto dsl-provider
    iface dsl-provider inet ppp
        provider dsl-provider

    Code:
    gateway:/usr/local/bin# route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    193.27.64.78    0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
    192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
    192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
    10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 eth1
    0.0.0.0         193.27.64.78    0.0.0.0         UG    0      0        0 ppp0

  6. #5
    Just Joined!
    Join Date
    Jul 2005
    Posts
    3
    Just for the record.. problem solved!

    I found an interesting site: http://blue-labs.org/howto/mtu-mss.php

    Here's what happened:

    pppoeconf adds an iptables line like this:
    Code:
    iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu
    My firewall script (which I ran every time because it takes care of the masquerading) clears all iptables rules and starts with its own, and so it erases the clamp line too... When I add the above line to the front of the script, everything works beautifully!
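The fix in script form, added here as an example and not Tom's actual firewall script: a flush-and-rebuild ruleset in the shape of the one listed earlier in the thread (FORWARD policy DROP, stateful ACCEPT from ppp0 to eth2, ACCEPT from eth2 to ppp0, MASQUERADE out of ppp0), once as the version that loses the pppoeconf clamp and once with the clamp at the head of FORWARD. The interface names are the thread's; the `IPT` variable, the function names and the dry-run mode are this example's own. Order matters in the corrected version: ACCEPT ends traversal of the chain, so a clamp appended after the ACCEPT rules would never see the outgoing SYNs, whereas TCPMSS placed first rewrites the option and lets the packet fall through to the ACCEPT below. With ppp0's MTU of 1492, `--clamp-mss-to-pmtu` rewrites an advertised MSS of 1460 down to 1452.

```shell
#!/bin/sh
# Added example, not the poster's script. IPT defaults to iptables; set
# IPT=echo to print the commands instead of applying them. WAN/LAN are the
# interface names from the thread.

IPT=${IPT:-iptables}
WAN=ppp0
LAN=eth2

# Flush filter and nat tables. This is the step that silently removes the
# clamp rule pppoeconf installed.
flush_all() {
    $IPT -F
    $IPT -t nat -F
}

# The original shape of the script: rebuilt without the clamp. Every SYN
# leaving the LAN is ACCEPTed with its 1460-byte MSS intact, which is more
# than a 1492-byte ppp0 MTU can carry in one packet (1452).
build_rules_without_clamp() {
    flush_all
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# The fix from the thread: the pppoeconf clamp line goes in before the ACCEPT
# rules, so it is rule 1 of FORWARD and sees every SYN (and SYN/ACK) that
# crosses the router. TCPMSS is non-terminating, so the packet then continues
# to the ACCEPT rules below.
build_rules_with_clamp() {
    flush_all
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 \
        -j TCPMSS --clamp-mss-to-pmtu
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# Check that the first FORWARD rule in a listing is the clamp. Works on the
# dry-run output of the functions above and on "iptables-save" output, both of
# which list rules as "-A FORWARD ...". Run it after the firewall script to
# confirm the clamp survived the flush.
clamp_is_first_forward_rule() {
    printf '%s\n' "$1" | grep -- '-A FORWARD' | head -n 1 | grep -q TCPMSS
}

# Only the dry run executes at load time; applying rules requires root and is
# left to an explicit call of build_rules_with_clamp.
if [ "$IPT" = echo ]; then
    build_rules_with_clamp
fi
```

To preview the commands without touching the kernel, run `IPT=echo sh firewall.sh`; to verify a running router, run `clamp_is_first_forward_rule "$(iptables-save)"` after the script has been applied.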
