iptables blocks access to some websites?

Gururajan Ramachandran
      09-02-2004, 02:49 PM
Hello,

I have a problem where only some websites are inaccessible via
browser. When I turned off iptables completely to check, the websites
were accessible.

I found something related to MTU, PPTP and this iptables rule:

-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS
--clamp-mss-to-pmtu

I went ahead and put it in even though I am not doing anything related
to VPN/PPTP. I reduced the MTU on both the client (Windows machine)
and the NIC on the Linux system to 1280. It still does not work.

Any ideas on what methods/iptables rule I need to use to correct this
problem? Any FAQs somewhere that may already have the answer?

Thanks,

Guru
Jose Maria Lopez Hernandez
      09-02-2004, 07:32 PM
Gururajan Ramachandran wrote:
> Hello,
>
> I have a problem where only some websites are inaccessible via
> browser. When I turned off iptables completely to check, the websites
> were accessible.
>
> I found something related to MTU, PPTP and this iptables rule:
>
> -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS
> --clamp-mss-to-pmtu


You should not need this unless you are trying to connect to some
very strange sites; I don't think it's a very useful rule.

>
> I went ahead and put it in even though I am not doing anything related
> to VPN/PPTP. I reduced the MTU on both the client (Windows machine)
> and the NIC on the Linux system to 1280. It still does not work.
>
> Any ideas on what methods/iptables rule I need to use to correct this
> problem? Any FAQs somewhere that may already have the answer?


It would help a lot if you can use ethereal to sniff and trace the
connections to the problematic sites and see what's really happening;
you can also use -j LOG rules to log the iptables behaviour with these
sites. With that information you can find a more suitable solution.

>
> Thanks,
>
> Guru



--

Jose Maria Lopez Hernandez
Technical Director of bgSEC
(E-Mail Removed)
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
SPAIN

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"
Moe Trin
      09-03-2004, 06:38 PM
In article <(E-Mail Removed)> ,
Gururajan Ramachandran wrote:
>Hello,
>
>I have a problem where only some websites are inaccessible via
>browser. When I turned off iptables completely to check, the websites
>were accessible.


So, run a sniffer like tcpdump, and see what the packets are saying.

>I found something related to MTU,


Is your firewall blocking ICMP Type 3 Code 4 inbound? See RFC2923

2923 TCP Problems with Path MTU Discovery. K. Lahey. September 2000.
(Format: TXT=30976 bytes) (Status: INFORMATIONAL)

Briefly, many sites use Path MTU discovery to find out what is the
largest (therefore most efficient) packet size they can use to send
you data. They do this by trying to send test packets of specific sizes
with the "Don't Fragment" header flag set. If the MTU on a segment is
smaller than this packet, an ICMP Type 3 Code 4 error (Fragmentation
needed, but don't fragment bit set) is returned, and the sending host
tries a smaller packet. Lather, Rinse, Repeat. Only when the maximum
size is determined will actual data transfer start.

>I reduced the MTU on both the client (Windows machine)
>and the NIC on the Linux system to 1280. It still does not work.


Might actually make things worse if you are blocking ICMP - many of
the hosts on the Internet default to 1500, although PPPoX needs that
reduced to 1492 to allow for the ppp header.

Old guy
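The Path MTU discovery mechanism Moe Trin describes, and the TCPMSS clamp from the first post, modelled as a small simulation. This is an added example, not code from the thread or from any of its posters; the hop MTUs, the 40-byte header assumption and the function names are constructed for illustration.

```python
# Added example (not from the thread): a small model of Path MTU discovery
# as described above, showing why filtering inbound ICMP type 3 code 4
# turns a small-MTU hop into a black hole, and what --clamp-mss-to-pmtu does.
# The path and sizes below are constructed values, not the poster's network.

IP_TCP_HEADERS = 40  # bytes of IPv4 + TCP header assumed when deriving MSS from MTU


def send_df(path_mtus, size):
    """Send a Don't-Fragment packet of `size` bytes along hops with the given MTUs.
    Returns (delivered, next_hop_mtu): on failure the router that could not
    forward it would report next_hop_mtu in an ICMP type 3 code 4 message."""
    for mtu in path_mtus:
        if size > mtu:
            return False, mtu
    return True, None


def path_mtu_discovery(path_mtus, start_size=1500, icmp_filtered=False, max_tries=8):
    """Probe downward from start_size until a DF packet gets through.
    Returns the usable size, or None when the sender never learns why its
    packets vanish (ICMP 'fragmentation needed' dropped by a firewall)."""
    size = start_size
    for _ in range(max_tries):
        delivered, next_mtu = send_df(path_mtus, size)
        if delivered:
            return size
        if icmp_filtered:
            continue  # no error comes back, so the sender just retransmits the same size
        size = next_mtu
    return None  # retries exhausted: the connection stalls


def clamp_mss(advertised_mss, interface_mtu):
    """Model of TCPMSS --clamp-mss-to-pmtu on a forwarded SYN: the MSS the
    peer sees is capped at the forwarding interface's MTU minus 40 bytes."""
    return min(advertised_mss, interface_mtu - IP_TCP_HEADERS)


def peer_segments_fit(mss, path_mtus):
    """Does a full-sized segment from the peer (mss + headers) pass without PMTUD?"""
    return send_df(path_mtus, mss + IP_TCP_HEADERS)[0]


if __name__ == "__main__":
    path = [1500, 1280, 1500]  # constructed: one 1280-byte hop between two Ethernet links
    print("PMTUD with ICMP allowed :", path_mtu_discovery(path))  # 1280
    print("PMTUD with ICMP filtered:", path_mtu_discovery(path, icmp_filtered=True))  # None
    clamped = clamp_mss(1460, 1280)  # SYN from a 1500-MTU client, clamped on the 1280 hop
    print("Clamped MSS:", clamped, "fits without PMTUD:", peer_segments_fit(clamped, path))
```

The clamp only helps when the small-MTU hop is the firewall's own outgoing interface; when the bottleneck is elsewhere on the path, the remote site still depends on the ICMP type 3 code 4 message getting back in, which is the check Moe Trin suggests making first.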