iptables router 'blocks' some websites ?

hega72@gmx.de
Guest
      06-14-2004, 08:31 PM
Hi,

I have a strange problem with my SuSE 9.1 router:

Everything generally seems to work fine: POP / IMAP / web work fine
from inside my LAN, except:
I cannot view some websites (e.g. Slashdot and some others) from any
workstation inside my LAN.
When I ssh to my router and use w3m to access, say, Slashdot from my
router, it works. So I guess it's not a DNS problem, right?

I reduced my iptables config to:

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

(ppp0 does PPTP)

I echoed 1 into IP_DYNADDR and IP_FORWARD.

(Might it have something to do with a HTTP 301 response or so?)

I'm sure I'm missing a silly point, but since I haven't figured it out for a while,
I'm now asking for help.
Any ideas?
TIA
Menno Duursma
Guest
      06-14-2004, 09:52 PM
On Mon, 14 Jun 2004 13:31:58 -0700, (E-Mail Removed) wrote:

> I have a strange problem with my SuSE 9.1 router:
>
> Everything generally seems to work fine: POP / IMAP / web work fine
> from inside my LAN, except:
> I cannot view some websites (e.g. Slashdot and some others) from any
> workstation inside my LAN.
> When I ssh to my router and use w3m to access, say, Slashdot from my
> router, it works.


Try disabling ECN (explicit congestion notification).

I.e.: "sysctl -w net.ipv4.tcp_ecn=0"
or: "echo '0' >/proc/sys/net/ipv4/tcp_ecn".

> So I guess it's not a DNS problem, right?


Probably not. But it shouldn't hurt to run "host", "dig" and/or "nslookup"
for the hell of it...

--
-Menno.

Clifford Kite
Guest
      06-15-2004, 03:00 PM
(E-Mail Removed) <(E-Mail Removed)> wrote:

> I have a strange problem with my SuSE 9.1 router:


> Everything generally seems to work fine: POP / IMAP / web work fine
> from inside my LAN, except:
> I cannot view some websites (e.g. Slashdot and some others) from any
> workstation inside my LAN.
> When I ssh to my router and use w3m to access, say, Slashdot from my
> router, it works. So I guess it's not a DNS problem, right?


Right.

> I reduced my iptables config to:


> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE


> (ppp0 does PPTP)


What follows is a kind of recipe which might provide a cure for the
problem. However, it was generated by one who is *not* a networking
protocols expert (me). It may or may not help.

I'm not at all familiar with PPTP. But if it has an MTU, and it's smaller
than the PPP interface MTU, then try setting the PPP interface MTU to
the same value as the smaller PPTP MTU.

If the problem still exists or PPTP doesn't have an MTU, then configure
the interface MTU of some host on the LAN to the same value as the PPP
interface MTU, keeping the PPP interface MTU change suggested above if
applicable. If the problem goes away for that host, then the problem is
very likely that an ICMP message essential to PMTU Discovery is blocked
somewhere along the path.

Make sure "TCPMSS target support" is configured in the kernel and use
iptables. See man iptables for a colorful description of the entities
responsible for the problem and an example iptables configuration to
work around it; search for TCPMSS.

If it doesn't go away then hope that the other poster's suggestion about
ECN is correct, or that someone else has another suggestion.

> I echoed 1 into IP_DYNADDR and IP_FORWARD.


> (Might it have something to do with a HTTP 301 response or so?)


Dunno enough about HTTP to answer the question.

--
Clifford Kite Email: "echo xvgr_yvahk-(E-Mail Removed)|rot13"
PPP-Q&A links, downloads: http://ckite.no-ip.net/
/* On Linux be root, on Windows reboot.
-Josef Müllers */
hega72@gmx.de
Guest
      06-15-2004, 04:26 PM
Menno Duursma <(E-Mail Removed)> wrote in message news:<(E-Mail Removed)>...
> On Mon, 14 Jun 2004 13:31:58 -0700, (E-Mail Removed) wrote:
>
> > I have a strange problem with my SuSE 9.1 router:
> >
> > Everything generally seems to work fine: POP / IMAP / web work fine
> > from inside my LAN, except:
> > I cannot view some websites (e.g. Slashdot and some others) from any
> > workstation inside my LAN.
> > When I ssh to my router and use w3m to access, say, Slashdot from my
> > router, it works.

>
> Try disabling ECN (explicit congestion notification).


Was already 0. Anyway, thanks for this one; there's always one more
TCP/IP detail to learn...

I first thought it might be some MTU thing and set the MTU of eth0+1
down to 1400. MTU of ppp0 is 1280. Didn't help.

Clueless again...



>
> I.e.: "sysctl -w net.ipv4.tcp_ecn=0"
> or: "echo '0' >/proc/sys/net/ipv4/tcp_ecn".
>
> > So I guess it's not a DNS problem, right?

>
> Probably not. But it shouldn't hurt to run "host", "dig" and/or "nslookup"
> for the hell of it...

Guest
      06-15-2004, 04:54 PM
That was it.
With MTU 1280 (like the PPTP interface on the router) on the client, all
connections work.

Thanks a lot, you two. I'll now start searching for this 'PMTU Discovery' thing you
mentioned.

Thanks again.

Guest
      06-16-2004, 05:15 PM
If anyone is still interested: the missing iptables line was

iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

jack
Guest
      06-16-2004, 06:38 PM
(E-Mail Removed) wrote:
> If anyone is still interested: the missing iptables line was
>
> iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j
> TCPMSS --clamp-mss-to-pmtu


... which is pretty much the online help You get when configuring Your
kernel for networking with netfilter (2.4.n).

Sorry, I didn't see Your question early enough to save You from trouble,
but I'm glad to hear You found it Yourself.


Cheers, Jack.

--
----------------------------------------------------------------------
My personal reading of the string "MicroSoft" expands to "NanoWeak"...
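An added illustration (not from any poster in this thread) of what the TCPMSS --clamp-mss-to-pmtu rule does to a forwarded SYN, and why a LAN host with a 1500-byte MTU stalls behind a 1280-byte ppp0 when the ICMP "fragmentation needed" message never reaches the web server. The TCP option bytes and the 40-byte IPv4+TCP header overhead are constructed/assumed values, not captured from the router.

```python
import struct

IPV4_HDR, TCP_HDR = 20, 20   # minimal IPv4 and TCP header sizes in bytes (assumed, no options)
MSS_KIND, MSS_LEN = 2, 4     # TCP option kind/length for Maximum Segment Size

def mss_for_mtu(mtu):
    """MSS a host advertises for a link MTU: MTU minus IPv4 and TCP headers."""
    return mtu - IPV4_HDR - TCP_HDR

def clamp_mss_option(tcp_options, pmtu):
    """Rewrite the MSS option in a SYN's TCP options as TCPMSS --clamp-mss-to-pmtu
    does: an MSS above pmtu-40 is lowered; smaller ones and other options stay."""
    out = bytearray(tcp_options)
    i = 0
    while i < len(out):
        kind = out[i]
        if kind == 0:            # End-of-options list
            break
        if kind == 1:            # NOP: one byte, no length field
            i += 1
            continue
        length = out[i + 1] if i + 1 < len(out) else 0
        if length < 2:           # truncated or malformed option: stop, never loop forever
            break
        if kind == MSS_KIND and length == MSS_LEN:
            advertised = struct.unpack_from("!H", out, i + 2)[0]
            struct.pack_into("!H", out, i + 2, min(advertised, mss_for_mtu(pmtu)))
        i += length
    return bytes(out)

def packet_outcome(packet_len, link_mtu, df, icmp_reaches_sender):
    """Fate of one IP packet that meets a hop whose MTU is link_mtu."""
    if packet_len <= link_mtu:
        return "delivered"
    if not df:
        return "fragmented"        # router splits it; works, just slower
    if icmp_reaches_sender:
        return "icmp-frag-needed"  # sender learns the PMTU and resends smaller
    return "black-holed"           # dropped with no feedback: the thread's symptom

def thread_scenario():
    """Constructed from the thread: LAN MTU 1500, ppp0 MTU 1280, ICMP to the server lost."""
    syn_opts = struct.pack("!BBH", MSS_KIND, MSS_LEN, mss_for_mtu(1500)) + b"\x01\x01\x04\x02"
    clamped = struct.unpack_from("!H", clamp_mss_option(syn_opts, 1280), 2)[0]
    return {
        "lan_mss": mss_for_mtu(1500),
        "clamped_mss": clamped,
        "without_clamp": packet_outcome(mss_for_mtu(1500) + 40, 1280, True, False),
        "with_clamp": packet_outcome(clamped + 40, 1280, True, False),
    }
```

Small replies such as the SYN/ACK fit either way, which is why only sites sending full-sized segments (and sitting behind something that eats the ICMP) appeared "blocked".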