Hello,
I would like to setup the following network configuration.
DSL Router <-> Firewall Router <-> Clients
I use static IPs, DHCP is disabled everywhere.
DSL Router
----------
- IP: 192.168.1.2
- does all NAT stuff, integrated DNS Server
- Route for network 192.168.0.0 set to 192.168.1.1
Firewall Router
---------------
- Linux machine with iptables firewall
- NIC connected with DSL Router: 192.168.1.1
- NIC connected with Clients : 192.168.0.20
Clients
-------
All in 192.168.0.0 network
Default Gateway: 192.168.0.20
DNS entry: 192.168.1.2 and other
I can't establish a connection, for instance for http. Currently the
firewall has no rules which drop packets, so this should not cause the
error:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW
I logged traffic with tcpdump at eth0 and eth1 in the firewall router.
Perhaps somebody can find out the problem. Traffic was logged while trying
to access an url
www.spiegel.de.
eth0:
21:56:13.217316 192.168.1.2.53 > 192.168.0.2.1026: 2702 4/0/0 CNAME[|domain]
21:56:13.225296 192.168.0.2.1161 > 213.200.97.168.80: S
3917602455:3917602455(0) win 16384 <mss 1432,nop,nop,sackOK> (DF)
21:56:17.225336 192.168.0.2.1161 > 213.200.97.168.80: S
3917602455:3917602455(0) win 16384 <mss 1432,nop,nop,sackOK> (DF)
21:56:19.205192 arp who-has 192.168.0.2 tell 192.168.0.20
21:56:19.225350 192.168.0.2.1163 > 195.71.11.67.80: S
3263991039:3263991039(0) win 16384 <mss 1432,nop,nop,sackOK> (DF)
21:56:19.355293 arp reply 192.168.0.2 is-at <mac>
21:56:21.355341 192.168.0.2.1163 > 195.71.11.67.80: S
3263991039:3263991039(0) win 16384 <mss 1432,nop,nop,sackOK> (DF)
21:56:22.245295 192.168.0.2.1161 > 213.200.97.168.80: S
3917602455:3917602455(0) win 16384 <mss 1432,nop,nop,sackOK> (DF)
21:56:27.245343 192.168.0.2.1163 > 195.71.11.67.80: S
3263991039:3263991039(0) win 16384 <mss 1432,nop,nop,sackOK> (DF)
21:56:35.245363 192.168.0.2.1165 > 213.200.97.166.80: S
3719467109:3719467109(0) win 16384 <mss 1432,nop,nop,sackOK> (DF)
21:56:38.245367 192.168.0.2.1165 > 213.200.97.166.80: S
3719467109:3719467109(0) win 16384 <mss 1432,nop,nop,sackOK> (DF)
eth1:
21:55:18.658322 192.168.1.2.53 > 192.168.0.2.1026: 63104 4/0/0
CNAME[|domain]
21:55:24.585228 arp who-has 192.168.1.2 tell 192.168.1.1
21:55:24.585590 arp reply 192.168.1.2 is-at <mac>
Do I have a mtu problem? I integrated this line for iptables:
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
No success.
I also tried to vary the mtu of the firewall NICs 1500 / 1472 / 1432: no
success.
What else could be the reason?
Thomas
Similar Threads
Linear Mode
