iptables ECN target is a black hole
This is on CentOS4, 2.6.9-55.0.2.ELsmp
Adding the following lines to /etc/sysconfig/iptables, then doing service iptables reload, causes all outgoing tcp connections to just hang there.
:INPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -p tcp -j ECN --ecn-tcp-remove
This is a router/nat box for our local network. Local machines are a mix of Windows (no ECN) and Linux (ECN enabled).
It's otherwise a pretty standard setup. I could never get ECN removal to work for the few broken sites that require it (Southwest Airlines in my case). As soon as you try it, even per-site, no connections ever succeed.
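A check worth running on the rules file before reloading it, added here as an example and not part of the post: it verifies two documented constraints of the iptables-save format, that every table block opened with a `*table` line is closed by `COMMIT`, and that the ECN target is only valid in the mangle table. The quoted fragment shows neither a `*mangle` header nor a `COMMIT` (perhaps simply elided from the post), so the checker is run on a constructed copy as posted, on the same rule wrapped in a complete mangle block, and on the rule misplaced in the nat table.

```python
import re

def check_rules(text):
    """Return problems found in an iptables-save style file; [] means it is consistent."""
    problems, table, chains = [], None, set()
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                   # '*mangle' opens a table block
            if table is not None:
                problems.append(f"line {n}: table {table} not closed with COMMIT")
            table, chains = line[1:], set()
        elif line == "COMMIT":                     # closes the current table block
            if table is None:
                problems.append(f"line {n}: COMMIT without an open table")
            table = None
        elif table is None:
            problems.append(f"line {n}: {line!r} is outside any *table block")
        elif line.startswith(":"):                 # ':CHAIN POLICY [p:b]' declares a chain
            chains.add(line[1:].split()[0])
        else:
            m = re.match(r"-A\s+(\S+)(.*)", line)
            if not m:
                continue
            chain, rest = m.groups()
            if chain not in chains:
                problems.append(f"line {n}: chain {chain} not declared in table {table}")
            if re.search(r"-j\s+ECN\b", rest) and table != "mangle":
                problems.append(f"line {n}: ECN target is only valid in the mangle table")
    if table is not None:
        problems.append(f"end of file: table {table} not closed with COMMIT")
    return problems

# Constructed copy of the fragment in the post: no '*mangle' header and no COMMIT.
POSTED = """:INPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -p tcp -j ECN --ecn-tcp-remove
"""
# Same rule as a complete mangle table block, and misplaced in the nat table.
WRAPPED = "*mangle\n" + POSTED + "COMMIT\n"
IN_NAT = "*nat\n:POSTROUTING ACCEPT [0:0]\n-A POSTROUTING -p tcp -j ECN --ecn-tcp-remove\nCOMMIT\n"

if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("wrapped", WRAPPED), ("in_nat", IN_NAT)):
        print(name, check_rules(rules) or "ok")
```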