Networking Forums


weird iptables behaviour

 
 
Fabio
11-23-2006, 11:48 PM
Hello,
I've got a strange problem with IP Masquerade:
PC1 is connected to the internet and PC2 uses PC1
as the gateway.
From PC2 I can ping and even traceroute any URL
(for example ping and traceroute www.wikipedia.org
work great) but I can open very few web pages.
I can only see these 3 sites:
www.mozilla.org www.beppegrillo.it www.google.com
but I can't open for example www.yahoo.com and many more.
More than that, I can use Skype from PC2, so I absolutely
don't have a clue about what to do.
This is my network diagram:

[INTERNET]<-->(eth0)[PC1](eth1)<--->(eth0)[PC2]

On PC1:
eth0: 192.168.0.1 (with a cable to the modem)
eth1: 192.168.1.1 (with a crossed cable to PC2)

On PC2:
eth0: 192.168.1.2 (with a crossed cable to PC1)

iptables is configured via the following script:

-------- START SCRIPT -----------
#!/bin/bash
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe iptable_nat
modprobe ipt_MASQUERADE
# Load the most important modules (NAT and MASQUERADE are mandatory!)
# modprobe takes one module per call; extra words are module parameters
#.....
#.....

echo '0' > /proc/sys/net/ipv4/ip_forward
# No IP forwarding while the rules are being set up

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# Add a rule to the POSTROUTING chain:
# every packet going out through ppp0 must be masqueraded

iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# accept every packet that belongs to connections already
# established or related to them

iptables -A FORWARD -s 192.168.1.0/255.255.255.0 -j ACCEPT
# accept the traffic generated by the local net

iptables -A FORWARD -j DROP
# anything else is dropped

echo '1' > /proc/sys/net/ipv4/ip_forward
# now we can forward connections

---------- END SCRIPT -------------

This is the result of /sbin/ifconfig:

------------ /sbin/ifconfig---------------
eth0 Link encap:Ethernet HWaddr 00:40:F4:97:AD:B0
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::240:f4ff:fe97:adb0/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5324543 errors:0 dropped:0 overruns:0 frame:0
TX packets:6272147 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3141935438 (2.9 GiB) TX bytes:4170449394 (3.8 GiB)
Interrupt:17 Base address:0xf00

eth1 Link encap:Ethernet HWaddr 00:20:ED:28:F2:6A
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::220:edff:fe28:f26a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:7435 errors:0 dropped:0 overruns:0 frame:0
TX packets:6390 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1263495 (1.2 MiB) TX bytes:5152233 (4.9 MiB)
Interrupt:17 Base address:0x2e00

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:11152 errors:0 dropped:0 overruns:0 frame:0
TX packets:11152 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:655844 (640.4 KiB) TX bytes:655844 (640.4 KiB)

ppp0 Link encap:Point-to-Point Protocol
inet addr:XXX.XXX.XXX.XXX P-t-P:XXX.XXX.XXX.XXX Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
RX packets:1494583 errors:0 dropped:0 overruns:0 frame:0
TX packets:1686118 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:988981980 (943.1 MiB) TX bytes:825238709 (787.0 MiB)

-------------------- end /sbin/ifconfig ------------------

Why can I see only a few sites but ping them all? It makes no sense to me.
I hope somebody can help me, thank you in advance,
Fabio
 
Grant
11-24-2006, 01:13 AM
On 24 Nov 2006 00:48:55 GMT, Fabio <nsafve_DELETE_ME_@tin.it> wrote:

>I've got a strange problem with IP Masquerade:
>PC1 is connected to internet and PC2 uses PC1
>as the gateway.
>From PC2 i can ping and even traceroute any URL
>(for example ping and traceroute www.wikipedia.org
>works great) but i can open very few web pages.
>I only can see there 3 sites:
>www.mozilla.org www.beppegrillo.it www.google.com
>but I can't open for example www.yahoo.com and much more.
>More than that is I can use skype from PC2, so I absolutely
>don't have a clue about what to do.


Would it be you're not clamping MTU? I have ('egress' is called from
FORWARD chain, MAX_MSS="1380" here):

# clamp MTU for new TCP connections to world
if [ -n "$MAX_MSS" ]
then
    iptables -A egress -p tcp --tcp-flags SYN,RST SYN \
        -j TCPMSS --set-mss $MAX_MSS
else
    iptables -A egress -p tcp --tcp-flags SYN,RST SYN \
        -j TCPMSS --clamp-mss-to-pmtu
fi

Grant.
--
http://bugsplatter.mine.nu/
 
Fabio
11-24-2006, 11:13 AM
On Fri, 24 Nov 2006 13:13:16 +1100, Grant wrote:

> On 24 Nov 2006 00:48:55 GMT, Fabio <nsafve_DELETE_ME_@tin.it> wrote:
>
>>I've got a strange problem with IP Masquerade:
>>PC1 is connected to internet and PC2 uses PC1
>>as the gateway.
>>From PC2 i can ping and even traceroute any URL
>>(for example ping and traceroute www.wikipedia.org
>>works great) but i can open very few web pages.
>>I only can see there 3 sites:
>>www.mozilla.org www.beppegrillo.it www.google.com
>>but I can't open for example www.yahoo.com and much more.
>>More than that is I can use skype from PC2, so I absolutely
>>don't have a clue about what to do.

>
> Would it be you're not clamping MTU? I have ('egress' is called from
> FORWARD chain, MAX_MSS="1380" here):
>
> # clamp MTU for new TCP connections to world
> if [ -n "$MAX_MSS" ]
> then
> iptables -A egress -p tcp --tcp-flags SYN,RST SYN \
> -j TCPMSS --set-mss $MAX_MSS
> else
> iptables -A egress -p tcp --tcp-flags SYN,RST SYN \
> -j TCPMSS --clamp-mss-to-pmtu
> fi
>
> Grant.

Thank you for your help Grant,
I've created a new chain called "egress" with iptables -N egress, then
I've added the clamp part to my script and added
the option -v to iptables, and now I get:

root@darkstar:~# sh condivis
MASQUERADE all opt -- in * out ppp0 0.0.0.0/0 -> 0.0.0.0/0
ACCEPT all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all opt -- in * out * 192.168.1.0/24 -> 0.0.0.0/0
DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
TCPMSS tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS set 1380
root@darkstar:~#

Anyway I get the same problem:
ping all, view few.
I've tried setting the MTU values of the eth devices to 1380
and the value of ppp0 (in /etc/ppp/options) to 1412
(1412 is suggested by pppoe-setup), but I didn't resolve
the problem, I really don't know what to do.
Thank you for your help
Fabio
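Rather than trying interface MTU values by hand, the path MTU towards a site can be measured directly with pings that have the DF bit set: a probe that is too large for some hop is dropped (or bounced with ICMP "fragmentation needed"), so bisecting on the size finds the largest packet that gets through. The script below is an added example for this thread, not code from any of the posters. It assumes iputils ping (the `-M do`, `-s`, `-c` and `-W` options), and the host is whatever name you pass on the command line.

```shell
#!/bin/sh
# Measure the path MTU towards a host instead of guessing interface MTUs.
# Added example for this thread, not any poster's code. Assumes iputils ping:
# "-M do" sets DF so nothing may fragment, "-s" is the ICMP payload size,
# "-W" the reply timeout in seconds.
#   sh pmtu-probe.sh www.example.org

# ICMP echo payload that yields an IP packet of the given total size:
# total minus the 20-byte IP header and the 8-byte ICMP header.
# 1492 (PPPoE) -> 1464, 1500 (Ethernet) -> 1472.
payload_for_mtu() { echo $(( $1 - 28 )); }

# One DF-marked probe of the given total size; succeeds if it is answered.
# Kept as its own function so the search can be exercised against a
# simulated link as well as a live one.
probe() {
    ping -c 1 -W 2 -M do -s "$(payload_for_mtu "$2")" "$1" >/dev/null 2>&1
}

# Largest total packet size in [lo, hi] that gets through. lo is assumed to
# pass (every IPv4 host must accept 576-byte datagrams); hi is tried first so
# a clean 1500-byte path returns at once, otherwise bisect between them.
pmtu_probe() {
    host=$1; lo=${2:-576}; hi=${3:-1500}
    if probe "$host" "$hi"; then echo "$hi"; return 0; fi
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if probe "$host" "$mid"; then lo=$mid; else hi=$mid; fi
    done
    echo "$lo"
}

if [ $# -gt 0 ]; then
    echo "path MTU towards $1: $(pmtu_probe "$1")"
fi
```

A probe lost for any other reason reads as "too big", so on a lossy link run it twice and keep the larger answer. Towards most sites a PPPoE uplink gives 1492, the MTU ifconfig shows on ppp0 above; hosts behind the gateway that still assume 1500 send full-size segments that do not fit, which is the situation MSS clamping is meant to repair.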
 
Jeroen Geilman
11-24-2006, 08:13 PM
Fabio wrote:

> iptables is configured via the following script:


> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE


> iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT


> iptables -A FORWARD -s 192.168.1.0/255.255.255.0 -j ACCEPT


> iptables -A FORWARD -j DROP


Erm.. okay, but that's not quite all, is it ?
On PC1, *everything* is dropped - assuming you set the INPUT policy to DENY,
as you should.

You filter this shit on INPUT, *not* FORWARD.
In your situation, FORWARD is a trivial case, only interesting in and of
itself when PC1 is a *pure* router, which it isn't.

Assuming you have set DENY on INPUT and ACCEPT on OUTPUT, your effective
rules will now be:

INPUT all interfaces, *including* the internet from PC1, DENY ALL
OUTPUT all interfaces, ACCEPT ALL
FORWARD all interfaces, ACCEPT from 192.168.1.x, DENY the rest.

If you have set ACCEPT on INPUT, on the other hand, you have zero actual
security.

Your PC1 is wide open to the Intarweb in that case.

Change the FORWARD to INPUT in your ruleset and you should be good.


--
All your bits are belong to us.
 
Fabio
11-25-2006, 01:05 AM
On Fri, 24 Nov 2006 22:13:09 +0100, Jeroen Geilman wrote:

> Fabio wrote:
>
>> iptables is configured via the following script:

>
>> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

>
>> iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

>
>> iptables -A FORWARD -s 192.168.1.0/255.255.255.0 -j ACCEPT

>
>> iptables -A FORWARD -j DROP

>
> Erm.. okay, but that's not quite all, is it ?
> On PC1, *everything* is dropped - assuming you set the INPUT policy to DENY,
> as you should.
>
> You filter this shit on INPUT, *not* FORWARD.
> In your situation, FORWARD is a trivial case, only interesting in and of
> itself when PC1 is a *pure* router, which it isn't.
>
> Assuming you have set DENY on INPUT and ACCEPT on OUTPUT, your effective
> rules will now be:
>
> INPUT all interfaces, *including* the internet from PC1, DENY ALL
> OUTPUT all interfaces, ACCEPT ALL
> FORWARD all interfaces, ACCEPT from 192.168.1.x, DENY the rest.
>
> If you have set ACCEPT on INPUT, on the other hand, you have zero actual
> security.
>
> Your PC1 is wide open to the Intarweb in that case.
>
> Change the FORWARD to INPUT in your ruleset and you should be good.
>
>


Sorry, I think I didn't understand well,
this is the script I use to set up masquerading:

---- START SCRIPT---------
#!/bin/sh
iptables="/sbin/iptables"
MAX_MSS="1380"

modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe iptable_nat
modprobe ipt_MASQUERADE

$iptables -v -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
$iptables -v -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$iptables -v -A FORWARD -s 192.168.1.0/24 -j ACCEPT
$iptables -v -A FORWARD -j DROP

# clamp MTU for new TCP connections to world
# the chain has to exist and be jumped to from FORWARD, or the rule never fires
$iptables -N egress
if [ -n "$MAX_MSS" ]
then
    $iptables -v -A egress -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $MAX_MSS
else
    $iptables -v -A egress -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
fi
$iptables -v -I FORWARD -j egress

echo '1' > /proc/sys/net/ipv4/ip_forward

------- END SCRIPT -----------


And here you can see the output of iptables -L:
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 10.0.0.0/24 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain egress (0 references)
target prot opt source destination
TCPMSS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS set 1380



and this is iptables -L -t nat:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination


I can't understand why I can see, let's say, www.google.com from
the localnet, and I can't open www.yahoo.com.

Hope you can help me,
thank you in advance
Fabio
 
Fabio
11-25-2006, 01:08 AM
On Sat, 25 Nov 2006 02:05:21 +0000, Fabio wrote:

> On Fri, 24 Nov 2006 22:13:09 +0100, Jeroen Geilman wrote:
>
>> Fabio wrote:
>>
>>> iptables is configured via the following script:

>>
>>> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

>>
>>> iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

>>
>>> iptables -A FORWARD -s 192.168.1.0/255.255.255.0 -j ACCEPT

>>
>>> iptables -A FORWARD -j DROP

>>
>> Erm.. okay, but that's not quite all, is it ?
>> On PC1, *everything* is dropped - assuming you set the INPUT policy to DENY,
>> as you should.
>>
>> You filter this shit on INPUT, *not* FORWARD.
>> In your situation, FORWARD is a trivial case, only interesting in and of
>> itself when PC1 is a *pure* router, which it isn't.
>>
>> Assuming you have set DENY on INPUT and ACCEPT on OUTPUT, your effective
>> rules will now be:
>>
>> INPUT all interfaces, *including* the internet from PC1, DENY ALL
>> OUTPUT all interfaces, ACCEPT ALL
>> FORWARD all interfaces, ACCEPT from 192.168.1.x, DENY the rest.
>>
>> If you have set ACCEPT on INPUT, on the other hand, you have zero actual
>> security.
>>
>> Your PC1 is wide open to the Intarweb in that case.
>>
>> Change the FORWARD to INPUT in your ruleset and you should be good.
>>
>>

>
> Sorry, I think I didn't undestand well,
> this is the script I use to make masquerade:
>
> ---- START SCRIPT---------
> #!/bin/sh
> iptables="/sbin/iptables"
> MAX_MSS="1380"
>
> modprobe ip_tables
> modprobe ip_conntrack
> modprobe ip_conntrack_ftp ip_nat_ftp
> modprobe iptable_nat
> modprobe ipt_MASQUERADE
>
> iptables -v -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> iptables -v -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -v -A FORWARD -s 192.168.1.0/24 -j ACCEPT
> iptables -v -A FORWARD -j DROP
>
> # clamp MTU for new TCP connections to world
> if [ -n "$MAX_MSS" ]
> then
> iptables -v -A egress -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $MAX_MSS
> else
> iptables -v -A egress -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
> fi
>
> echo '1' > /proc/sys/net/ipv4/ip_forward
>
> ------- END SCRIPT -----------
>
>
> And here you can see the iptables -L
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> ACCEPT all -- 10.0.0.0/24 0.0.0.0/0
> DROP all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain egress (0 references)
> target prot opt source destination
> TCPMSS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp \
> flags:0x06/0x02 TCPMSS set 1380
>
>
>
> and this is iptables -L -t nat
> Chain PREROUTING (policy ACCEPT)
> target prot opt source destination
>
> Chain POSTROUTING (policy ACCEPT)
> target prot opt source destination
> MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
>
> I can't undestand why I can see, let say www.google.com from
> the localnet, and i can't open www.yahoo.com
>
> Hope You can help me,
> thank you in advance
> Fabio


Sorry, I mistyped something:
now the localnet is 10.0.0.0 and all the scripts are
changed, but the problem remains the same:
ping them all, open few.
Help me please!!!
Fabio
 
Clifford Kite
11-25-2006, 10:38 PM
Fabio <nsafve_DELETE_ME_@tin.it> wrote:
> Hello,
> I've got a strange problem with IP Masquerade:
> PC1 is connected to internet and PC2 uses PC1
> as the gateway.
> From PC2 i can ping and even traceroute any URL
> (for example ping and traceroute www.wikipedia.org
> works great) but i can open very few web pages.
> I only can see there 3 sites:
> www.mozilla.org www.beppegrillo.it www.google.com
> but I can't open for example www.yahoo.com and much more.
> More than that is I can use skype from PC2, so I absolutely
> don't have a clue about what to do.
> This is my network's diagram:


> [INTERNET]<-->(eth0)[PC1](eth1)<--->(eth0)[PC2]


> On PC1:
> eth0: 192.168.0.1 (with a cable to the modem)
> eth1: 192.168.1.1 (with a crossed cable to PC2)


> On PC2:
> eth0: 192.168.1.2 (with a crossed cable to PC1)


Try doing "ifconfig eth0 mtu 1492" on PC2.

> iptables is configured via the following script:


> -------- START SCRIPT -----------


An unusual script. I'd suggest instead,

---

#!/bin/bash
modprobe ip_tables
modprobe ipt_state
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe iptable_nat
modprobe ipt_MASQUERADE
modprobe ipt_limit
modprobe ipt_LOG
#modprobe iptable_mangle

# One chain shared by INPUT and FORWARD: accept tracked traffic, new
# connections from anywhere but ppp0, and the ICMP types needed for ping,
# PMTU discovery and traceroute; log and drop everything else.
iptables -N no-conns-from-ppp0
iptables -A no-conns-from-ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A no-conns-from-ppp0 -m state --state NEW ! -i ppp0 -j ACCEPT
iptables -A no-conns-from-ppp0 -p icmp -s 0/0 --icmp-type 0 -j ACCEPT
iptables -A no-conns-from-ppp0 -p icmp -s 0/0 --icmp-type 3 -j ACCEPT
iptables -A no-conns-from-ppp0 -p icmp -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A no-conns-from-ppp0 -p icmp -s 0/0 --icmp-type 11 -j ACCEPT
#iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
#    -j TCPMSS --clamp-mss-to-pmtu
iptables -A no-conns-from-ppp0 -i ppp0 -m limit -j LOG --log-prefix \
    "Bad packet from ppp0:"
iptables -A no-conns-from-ppp0 ! -i ppp0 -m limit -j LOG --log-prefix \
    "Bad packet not from ppp0:"
iptables -A no-conns-from-ppp0 -j DROP

iptables -A INPUT -j no-conns-from-ppp0
iptables -A FORWARD -j no-conns-from-ppp0

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

---

I've used the script but without mangle table PMTU clamping (commented
out) - so no guarantee on that. Most sites should be accessible with the
PC2 MTU set to 1492 and no clamping. And if you don't need/want pings
and ping replies then the lines with icmp-types 0 and 8 can be dropped.
The lines with the other icmp-types should remain as is. If LOGging becomes
annoying then just truncate the lines with -m limit in them starting at
-j LOG.

Just for the record, the core of this script was taken from one written
by Rusty Russell.
http://help.phys.unsw.edu.au/doc/HOW...ring-HOWTO.txt

--
Clifford Kite
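Putting the three answers together (Grant's MSS clamp, Jeroen's point that the gateway itself needs a deny-by-default INPUT policy, and the ICMP types Clifford's script lets through for PMTU discovery and traceroute), here is a complete gateway ruleset as an added example for this thread; it is not any poster's script. It assumes ppp0 as the uplink, eth1 carrying 192.168.1.0/24 as the LAN, and a PPP MTU of 1492 (all overridable from the environment), uses sysctl instead of writing to /proc directly, and has a `show` mode that prints the iptables commands instead of running them, so it can be reviewed before being applied as root.

```shell
#!/bin/sh
# Stateful NAT gateway ruleset for a PPPoE uplink. Added example written for
# this thread, not any poster's script. Assumed: uplink ppp0, LAN on eth1 as
# 192.168.1.0/24, PPP MTU 1492 (all overridable via the environment).
#   sh gateway-fw.sh show    print the commands without running them
#   sh gateway-fw.sh apply   install the rules (run as root)

WAN=${WAN:-ppp0}
LAN=${LAN:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
PPP_MTU=${PPP_MTU:-1492}
DRY_RUN=${DRY_RUN:-}

# Largest TCP segment that fits the PPP link: MTU minus 20-byte IP header
# and 20-byte TCP header. 1492 gives 1452; Grant's 1380 leaves extra room.
mss_for_mtu() { echo $(( $1 - 40 )); }

# In dry-run mode print the command instead of executing it.
run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }
ipt() { run iptables "$@"; }

build_firewall() {
    # Start clean, then deny by default on INPUT and FORWARD. The gateway
    # itself may still originate traffic (OUTPUT ACCEPT).
    ipt -F; ipt -X; ipt -t nat -F; ipt -t mangle -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback, and packets belonging to connections conntrack already knows.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New connections are accepted only if they arrive on the LAN interface
    # with a LAN source address; nothing new is accepted from ppp0.
    ipt -A INPUT -i "$LAN" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    ipt -A FORWARD -i "$LAN" -s "$LAN_NET" -m state --state NEW -j ACCEPT

    # ICMP that must pass for Path MTU Discovery and traceroute to work:
    # type 3 (destination unreachable, incl. "fragmentation needed") and
    # type 11 (time exceeded). Type 0 lets echo replies reach the gateway.
    for t in 0 3 11; do
        ipt -A INPUT -p icmp --icmp-type "$t" -j ACCEPT
        ipt -A FORWARD -p icmp --icmp-type "$t" -j ACCEPT
    done

    # Clamp the MSS announced in handshake segments crossing the PPP link.
    # "--tcp-flags SYN,RST SYN" examines SYN and RST and matches when SYN is
    # set and RST is clear, so the client's SYN leaving via ppp0 and the
    # server's SYN/ACK arriving on ppp0 are both rewritten.
    mss=$(mss_for_mtu "$PPP_MTU")
    ipt -t mangle -A FORWARD -o "$WAN" -p tcp --tcp-flags SYN,RST SYN \
        -j TCPMSS --set-mss "$mss"
    ipt -t mangle -A FORWARD -i "$WAN" -p tcp --tcp-flags SYN,RST SYN \
        -j TCPMSS --set-mss "$mss"

    # Rate-limited log of whatever falls through to the DROP policies.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-input-drop: "
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fw-fwd-drop: "

    # Masquerade LAN traffic leaving on the PPP link, then enable forwarding.
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN" -j MASQUERADE
    run sysctl -w net.ipv4.ip_forward=1
}

case "${1:-}" in
    show)  DRY_RUN=1 build_firewall ;;
    apply) build_firewall ;;
esac
```

The MSS is derived from the link MTU (1492 - 40 = 1452) so the clamp follows whatever MTU ppp0 is given; `--clamp-mss-to-pmtu` in its place makes the kernel use the route's MTU instead. Placing the TCPMSS rules in the mangle table keeps them independent of the filter chains, so they keep working when the filter ruleset is reorganised, which is what went wrong with an `egress` chain that nothing jumped to.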

 