[Firewall] forwarding doesn't work

Greg Talbot gtalbot at centerone.com
Wed Oct 4 13:07:29 MDT 2006


I tried the NO_PMTU_DISCOVERY=1 but to no avail.  So I upgraded to the RC
and it's getting better.  Now I can pass packets through the firewall, but
it is slow as a 286.

A tcpdump on the forwarding port of the firewall shows that it is not
getting arp responses back from the host all the time.
Whereas before the packets were not passing through the firewall at all.

Some notes are that this machine has a direct connection to the Internet
via ethernet, so no dsl at all.

Anyone want to guess on this?  NIC driver?

thx
--gt





> I think the problem is not in the firewall nor the gateway. I'm
> guessing, as we had many people here before with this type of issue,
> that it is a configuration error on the LAN host you're forwarding to.
> Maybe running iptraf on the target host could give some more info on
> whether the packets arrive at the LAN host...
>
> Lányi Róbert wrote:
>> In my conf, NO_PMTU_DISCOVERY was set to 0 by default, so I set SET_MSS
>> to 0... Then I tried to set PMTU to 1 but the problem isn't gone... :(
>>
>> When I connect to a filtered port, I get "Connection attempt" lines, but
>> connecting to forwarded ports simply show nothing...
>>
>> Rob.
>>
>> Arno van Amersfoort wrote:
>>
>>> I now recall that I've seen this problem before. It seems to be a
>>> combination of a crappy ADSL modem + Linux TCP/IP. Could you guys try
>>> to disable TCP MSS clamping (SET_MSS=0) and/or disable PMTU auto
>>> discovery (NO_PMTU_DISCOVERY=0). Also please check the firewall logs for
>>> any strange things and let me know your findings.
>>>
>>> a.
>>>
>>> Greg Talbot wrote:
>>>
>>>
>>>> I am having the same problem.  I have even tried a custom script, on 2
>>>> different versions of your script, and I can't get forwarding to work.
>>>>
>>>> I inserted,
>>>> /sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 165.236.149.5
>>>>                 --dport 88 -j DNAT --to 10.10.0.66:80
>>>> /sbin/iptables -A FORWARD -p tcp -i eth0 -d 10.10.0.66 --dport 80 -j
>>>> ACCEPT
>>>>
>>>> and when I look at the tables,
>>>>
>>>> iptables -L -t nat
>>>> Chain PREROUTING (policy ACCEPT)
>>>> target     prot opt source               destination
>>>>           tcp  --  anywhere             165.236.149.5
>>>>
>>>> Chain POSTROUTING (policy ACCEPT)
>>>> target     prot opt source               destination
>>>> TCPMSS     tcp  --  anywhere             anywhere            tcp
>>>> flags:SYN,RST/SYN TCPMSS clamp to PMTU
>>>> MASQUERADE  all  --  10.10.0.0/24        !10.10.0.0/24
>>>>
>>>> Chain OUTPUT (policy ACCEPT)
>>>> target     prot opt source               destination
>>>>
>>>> Hope someone can help with this.
>>>> --gt
>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>> _______________________________________________
>> Firewall mailing list
>> Firewall at lists.btito.net
>> http://lists.btito.net/mailman/listinfo/firewall_lists.btito.net
>> Arno's (Linux IPTABLES Firewall) Homepage:
>> http://rocky.eld.leidenuniv.nl
>
> --
> Arno van Amersfoort
> E-mail    : arnova at rocky.eld.leidenuniv.nl
> Donations are welcome through Paypal!
> ---------------------------------------------------------------------------
> Arno's (Linux IPTABLES Firewall) Homepage:
> http://rocky.eld.leidenuniv.nl
>
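The rules Greg posted put the DNAT in nat/PREROUTING with `-i eth1` but the matching filter/FORWARD ACCEPT with `-i eth0`; since `-i` in FORWARD is the interface the packet arrived on, and DNAT does not change that, the two halves of a port forward normally have to name the same external interface. The script below is an added example (not part of the thread, and not Arno's firewall script): it parses constructed `iptables-save`-style lines that mirror the posted rules and reports DNAT rules that lack a FORWARD ACCEPT counterpart or whose FORWARD rule disagrees on the inbound interface. The rule text, interface names and addresses are assumptions taken from the thread for illustration.

```python
"""
Consistency check for iptables DNAT port-forwarding rules.

Added example for this thread, not part of the original post or of Arno's
firewall script. It parses iptables-save style rule lines (constructed here
to mirror the rules posted in the thread) and checks that every DNAT rule in
the nat PREROUTING chain has a matching ACCEPT rule in the filter FORWARD
chain, and that the two rules agree on the inbound interface.
"""
import shlex

# Constructed sample in iptables-save format, mirroring the posted rules:
# the DNAT matches on -i eth1 while the FORWARD rule matches on -i eth0.
SAMPLE_RULES = """\
*nat
-A PREROUTING -i eth1 -p tcp -d 165.236.149.5 --dport 88 -j DNAT --to-destination 10.10.0.66:80
-A POSTROUTING -s 10.10.0.0/24 ! -d 10.10.0.0/24 -j MASQUERADE
COMMIT
*filter
-A FORWARD -i eth0 -p tcp -d 10.10.0.66 --dport 80 -j ACCEPT
COMMIT
"""

# Options the checker models; "--to" is the abbreviation iptables accepts
# for "--to-destination", as used in the posted rule.
OPTIONS = ("-i", "-o", "-p", "-s", "-d", "-j", "--dport", "--sport",
           "--to-destination", "--to")


def parse_rules(text):
    """Return one dict per '-A' line, tagged with the table it belongs to."""
    table, rules = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):          # '*nat' / '*filter' table header
            table = line[1:]
            continue
        if not line.startswith("-A"):     # skip ':CHAIN', 'COMMIT', comments
            continue
        toks = shlex.split(line)
        rule = {"table": table, "chain": toks[1], "negated": set()}
        i = 2
        while i < len(toks):
            tok = toks[i]
            if tok == "!":                # '! -d x' negates the next option
                rule["negated"].add(toks[i + 1])
                i += 1
                continue
            if tok in OPTIONS:
                key = "--to-destination" if tok == "--to" else tok
                rule[key] = toks[i + 1]
                i += 2
            else:
                i += 1                    # match extensions we do not model
        rules.append(rule)
    return rules


def check_forwarding(text):
    """Return a list of findings; an empty list means the rules look consistent."""
    rules = parse_rules(text)
    findings = []
    dnats = [r for r in rules if r["table"] == "nat"
             and r["chain"] == "PREROUTING" and r.get("-j") == "DNAT"]
    forwards = [r for r in rules if r["table"] == "filter"
                and r["chain"] == "FORWARD" and r.get("-j") == "ACCEPT"]
    for d in dnats:
        host, _, port = d.get("--to-destination", "").partition(":")
        port = port or d.get("--dport")   # DNAT without a port keeps the original
        # A FORWARD rule matches if every field it specifies agrees with the
        # DNAT target (a field it omits matches anything).
        matches = [f for f in forwards
                   if f.get("-p", d.get("-p")) == d.get("-p")
                   and f.get("-d", host).split("/")[0] == host
                   and f.get("--dport", port) == port]
        if not matches:
            findings.append(f"DNAT to {host}:{port} has no FORWARD ACCEPT rule")
            continue
        for f in matches:
            if "-i" in d and "-i" in f and d["-i"] != f["-i"]:
                findings.append(
                    f"DNAT to {host}:{port} matches -i {d['-i']} but its FORWARD "
                    f"rule matches -i {f['-i']}; after DNAT the packet still "
                    "arrives on the external interface")
    return findings


if __name__ == "__main__":
    for finding in check_forwarding(SAMPLE_RULES) or ["no findings"]:
        print(finding)
```

On a live box the same check runs over the real rule set with `iptables-save | python3 check.py` once `SAMPLE_RULES` is replaced by `sys.stdin.read()`; it deliberately does not touch `net.ipv4.ip_forward` or the ARP behaviour Greg saw in tcpdump, which are separate checks.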