[Firewall] forwarding doesn't work

Andy andy at thebmwz3.co.uk
Wed Oct 4 15:22:02 MDT 2006


Hi!

With it being direct ethernet to the internet, is this a form of LES10 
or LES100 circuit by any chance?
In which case you should do some tests using iperf and then check your 
MTU, as on ethernet links like this it can sometimes cause some severe 
loss of service. I'm assuming with another laptop/test PC with no 
firewall the problem goes away?

Regards,
Andy
http://www.thebmwz3.co.uk



Greg Talbot wrote:
> I tried the NO_PMTU_DISCOVERY=1 but to no avail.  So I upgraded to the RC
> and it's getting better.  Now I can pass packets through the firewall, but
> it is slow as a 286.
> 
> A tcpdump on the forwarding port of the firewall shows that it is not
> getting arp responses back from the host all the time.
> Whereas before the packets were not passing through the firewall at all.
> 
> Some notes are that this machine has a direct connection to the Internet
> via ethernet, so no dsl at all.
> 
> Anyone want to guess on this?  NIC driver?
> 
> thx
> --gt
> 
> 
> 
> 
> 
>> I think the problem is not in the firewall nor the gateway. I'm
>> guessing, as we had many people here before with this type of issue,
>> that it is a configuration error on the LAN host you're forwarding to.
>> Maybe running iptraf on the target host could give some more info on
>> whether the packets arrive at the LAN host...
>>
>> Lányi Róbert wrote:
>>> In my conf, NO_PMTU_DISCOVERY was set to 0 by default, so I set SET_MSS
>>> to 0... Then I tried to set PMTU to 1 but the problem isn't gone... :(
>>>
>>> When I connect to a filtered port, I get "Connection attempt" lines, but
>>> connecting to forwarded ports simply show nothing...
>>>
>>> Rob.
>>>
>>> Arno van Amersfoort wrote:
>>>
>>>> I now recall that I've seen this problem before. It seems to be a
>>>> combination of a crappy ADSL modem + Linux TCP/IP. Could you guys try
>>>> to
>>>> disable TCP MSS clamping (SET_MSS=0) and/or disable PMTU auto discovery
>>>> (NO_PMTU_DISCOVERY=0). Also please check the firewall logs for any strange
>>>> things and let me know your findings.
>>>>
>>>> a.
>>>>
>>>> Greg Talbot wrote:
>>>>
>>>>
>>>>> I am having the same problem.  I have even tried a custom script, on 2
>>>>> different versions of your script, and I can't get forwarding to work.
>>>>>
>>>>> I inserted,
>>>>> /sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -d 165.236.149.5 --dport 88 -j DNAT --to 10.10.0.66:80
>>>>> /sbin/iptables -A FORWARD -p tcp -i eth0 -d 10.10.0.66 --dport 80 -j ACCEPT
>>>>>
>>>>> and when I look at the tables,
>>>>>
>>>>> iptables -L -t nat
>>>>> Chain PREROUTING (policy ACCEPT)
>>>>> target     prot opt source               destination
>>>>>           tcp  --  anywhere             165.236.149.5
>>>>>
>>>>> Chain POSTROUTING (policy ACCEPT)
>>>>> target     prot opt source               destination
>>>>> TCPMSS     tcp  --  anywhere             anywhere            tcp
>>>>> flags:SYN,RST/SYN TCPMSS clamp to PMTU
>>>>> MASQUERADE  all  --  10.10.0.0/24        !10.10.0.0/24
>>>>>
>>>>> Chain OUTPUT (policy ACCEPT)
>>>>> target     prot opt source               destination
>>>>>
>>>>> Hope someone can help with this.
>>>>> --gt
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>> _______________________________________________
>>> Firewall mailing list
>>> Firewall at lists.btito.net
>>> http://lists.btito.net/mailman/listinfo/firewall_lists.btito.net
>>> Arno's (Linux IPTABLES Firewall) Homepage:
>>> http://rocky.eld.leidenuniv.nl
>> --
>> Arno van Amersfoort
>> E-mail    : arnova at rocky.eld.leidenuniv.nl
>> Donations are welcome through Paypal!
>> ---------------------------------------------------------------------------
>> Arno's (Linux IPTABLES Firewall) Homepage:
>> http://rocky.eld.leidenuniv.nl
>>
>>
> 
> 
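As an added example (not code from this thread or from Arno's firewall script), here is a small Python checker that reads an iptables-save dump and reports every DNAT port forward in nat/PREROUTING for which no filter/FORWARD ACCEPT rule admits the translated packet, i.e. one allowing the same ingress interface, protocol, DNAT target address and DNAT target port. With a DROP policy on FORWARD this is the classic "DNAT translates the packet, FORWARD then silently drops it" situation, which from the outside looks exactly like forwarding not working. The ruleset in SAMPLE_RULES is constructed, modelled on the two rules quoted above and written in iptables-save form; the FORWARD policy, the `--to-destination` spelling and the `/32` suffixes are assumptions of the example, not taken from the poster's host. Run against that sample the check reports that a FORWARD rule keyed to `-i eth0` does not cover packets the DNAT rule matches on `eth1`; FIXED_RULES is the same set with the interfaces agreeing and produces no finding.

```python
"""Sanity check for iptables DNAT port forwards (added example, not from the thread).

Pairs every DNAT rule in nat/PREROUTING with a filter/FORWARD ACCEPT rule that
admits the translated packet: same ingress interface, protocol, DNAT target
address and DNAT target port. A FORWARD rule that omits a match (no -i, no -p,
no -d, no --dport) is treated as a wildcard for that field.
"""
import shlex

# Constructed sample modelled on the rules quoted in the thread, written in
# iptables-save form. It is not output captured from any real host.
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -d 165.236.149.5/32 --dport 88 -j DNAT --to-destination 10.10.0.66:80
-A POSTROUTING -s 10.10.0.0/24 ! -d 10.10.0.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -p tcp -d 10.10.0.66/32 --dport 80 -j ACCEPT
COMMIT
"""

# Same ruleset with the FORWARD rule keyed to the interface the DNAT rule
# matches on, so the translated packet is admitted (constructed as well).
FIXED_RULES = SAMPLE_RULES.replace("-A FORWARD -i eth0", "-A FORWARD -i eth1")


def _host(addr):
    """Drop a /32 suffix so '10.10.0.66/32' and '10.10.0.66' compare equal."""
    return addr[:-3] if addr and addr.endswith("/32") else addr


def _opts(tokens):
    """Turn rule tokens into {flag: value}; '! -d X' is stored under '!-d'."""
    opts, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":
            opts["!" + tokens[i + 1]] = tokens[i + 2]
            i += 3
        elif tok.startswith("-"):
            has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
            opts[tok] = tokens[i + 1] if has_value else True
            i += 2 if has_value else 1
        else:
            i += 1
    return opts


def parse_rules(text):
    """Return (table, chain, opts) for every '-A' line in iptables-save text."""
    table, rules = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            tokens = shlex.split(line)
            rules.append((table, tokens[1], _opts(tokens[2:])))
    return rules


def _admits(fwd, want):
    """True if FORWARD rule 'fwd' matches every constraint in 'want' (absent = any)."""
    for key, value in want.items():
        have = fwd.get(key)
        if have is None:
            continue  # field not matched by the rule: acts as a wildcard
        if key == "-d":
            have = _host(have)
        if have != value:
            return False
    return True


def check_forwarding(text):
    """Return one finding string per DNAT rule that no FORWARD ACCEPT rule admits."""
    rules = parse_rules(text)
    forwards = [o for t, c, o in rules
                if t == "filter" and c == "FORWARD" and o.get("-j") == "ACCEPT"]
    findings = []
    for table, chain, o in rules:
        if (table, chain, o.get("-j")) != ("nat", "PREROUTING", "DNAT"):
            continue
        target = o.get("--to-destination") or o.get("--to", "")
        ip, _, port = target.partition(":")
        # a DNAT target without a port keeps the original destination port
        want = {"-i": o.get("-i"), "-p": o.get("-p"),
                "-d": ip, "--dport": port or o.get("--dport")}
        want = {k: v for k, v in want.items() if v is not None}
        if not any(_admits(f, want) for f in forwards):
            findings.append(
                "DNAT %s:%s -> %s:%s arriving on %s: no FORWARD ACCEPT rule admits "
                "the translated packet (check the -i interface and --dport)"
                % (_host(o.get("-d", "any")), o.get("--dport", "any"),
                   ip, want.get("--dport", "any"), o.get("-i", "any")))
    return findings


if __name__ == "__main__":
    for name, ruleset in (("posted", SAMPLE_RULES), ("fixed", FIXED_RULES)):
        print(name, check_forwarding(ruleset) or ["ok"])
```

On a live box the input would be the output of `iptables-save`; the checker only reads text, so it is safe to run against a dump copied from the firewall. It does not replace a tcpdump on both interfaces (the FORWARD chain could still be bypassed or shadowed by an earlier rule), but it catches the interface and port mismatches that make a DNAT look as if it never fired.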
