# Gentoo router, computers cannot access websites but get inet

## maiku

The server is configured as a router; however, all machines in the network get an official IP, can resolve DNS, ping, and access the internet in other ways (such as SSH), but the computers on the network cannot access websites or SSL websites.  The server itself can access websites, and as a workaround I set up squid as a transparent proxy, but SSL sites still won't work.

Configurations:

/etc/sysctl.conf:

> # Disables packet forwarding
> 
> net.ipv4.ip_forward = 1
> 
> # Disables IP dynaddr
> ...


> overflow ~ # iptables -L -v
> 
> Chain INPUT (policy DROP 1548 packets, 243K bytes)
> 
>  pkts bytes target     prot opt in     out     source               destination
> ...


> overflow ~ # iptables -L -v -t nat
> 
> Chain PREROUTING (policy ACCEPT 2042 packets, 304K bytes)
> 
>  pkts bytes target     prot opt in     out     source               destination
> ...

Is there anything that would be preventing the internet from working?

----------

## gerdesj

To be honest I have long lost the ability to read iptables -L!

If the clients can ping and use ssh then routing etc is OK.

How do you connect to the internet?

What are you using to configure your firewall?  

Oh and trust me - the Internet is working fine.

----------

## maiku

Webmin takes care of the iptables firewall configuration.  Here are the rules it outputs:

> Incoming packets (INPUT)
> 
> Select all. | Invert selection.
> 
> 	Action 	Condition 	Move 	Add
> ...

And for nat:

> Packets before routing (PREROUTING)
> 
> Select all. | Invert selection.
> 
> 	Action 	Condition 	Move 	Add
> ...


----------

## Hu

Please post the output of iptables-save -c.  Also, emerge net-analyzer/tcpdump and start a capture on both the internal and external interfaces.  Attempt a connection from an internal system to an external host on port 80.  Stop the captures and post the results here.

----------

## DarKRaveR

As someone asked before: How do you connect to the internet?

Could it be an MSS/PMTU problem by any chance?  Because all the other stated protocols usually don't come close to exceeding the MSS ...

----------

## maiku

We connect using a cable modem.  I did plug the cable modem directly into a system and I was able to get the internet (and HTTPS sites).  Here it is:

> overflow ~ # iptables-save -c
> 
> # Generated by iptables-save v1.3.8 on Thu Apr 10 11:55:08 2008
> 
> *raw
> ...

I will work on the TCP dump.  I have a ridiculous amount of things falling on my head and this issue is confusing me enough.

Thanks mate!

----------

## Simba7

*maiku wrote:*

> /etc/sysctl.conf
> 
> # Disables packet forwarding
> 
> net.ipv4.ip_forward = 1
> ...


Cable modem, right? You need to enable net.ipv4.ip_dynaddr.

----------

## maiku


> overflow ~ # echo 1 > /proc/sys/net/ipv4/ip_dynaddr
> 
> overflow ~ # cat /proc/sys/net/ipv4/ip_dynaddr
> 
> 1

Still no go.

----------

## maiku

tcpdump says: (when accessing gmail.com)

Out:

> overflow ~ # cat eth0 | grep -i google
> 
> 12:49:43.103900 IP ool-457b840d.dyn.optonline.net.3276 > qb-in-f147.google.com.https: F 3815223198:3815223198(0) ack 3488616351 win 65535
> 
> 12:49:43.103954 IP ool-457b840d.dyn.optonline.net.46136 > qb-in-f19.google.com.http: S 3933949849:3933949849(0) win 2144 <mss 536,sackOK,timestamp 1834430[|tcp]>
> ...

And the internal net eth:

> overflow ~ # cat eth1 | grep -i google
> 
> 12:53:32.344551 IP 192.168.1.103.3275 > qb-in-f17.google.com.http: R 1795976113:1795976113(0) ack 3295667601 win 0
> 
> 12:53:37.745675 IP 192.168.1.103.3274 > qb-in-f19.google.com.http: F 2542460982:2542460982(0) ack 3293901137 win 64467
> ...


----------

## gentoo_ram

Are you using DHCP to configure your external interface, or do you have it statically set?  The reason I ask is that dhcpcd running on my external link to my cable modem provider gets a bad interface MTU value (576) via DHCP.  I had to set the 'nomtu' flag on my DHCP options for my external interface to keep the MTU at 1500.

When the MTU is too small, then some packets won't get through, but some will.  It might explain your situation.  Things appear to work, but some things don't.  When the packet size exceeds the MTU, they appear to get dropped by the Linux kernel during routing in my experience.  Web surfing and e-mail would be examples of things that would probably use larger packets.  Ping, telnet, and SSH generally have smaller IP packets involved.

Use the ifconfig command to look at the MTU of your interfaces.  The ethernet interfaces should all have an MTU of 1500.

----------

## maiku

Aha!  That works!  There was a value in /etc/conf.d/net that was commented out (mtu_eth0="1500").  Uncommenting that made it work.  The strange thing is, I have the same internet here with the same server setup, and I know another computer that has the exact same also.  Ours both have an MTU value of 576 and it's fine.  But this server has to be 1500 or it doesn't work.  How can this be?

----------

## gentoo_ram

I can think of 2 scenarios.

1.  Not all of the MTUs for the interfaces you're forwarding packets between are the same.  Let's say your 'internal' interface had an MTU of 1500 and the external had an MTU of 576.  Then the internal computer could send IP packets up to the limit.  From what I have seen, the Linux kernel will not fragment IP packets when forwarding.  So those larger packets will get dropped and the data is lost.   More dedicated routers (Cisco, etc.) are capable of fragmenting packets to make everything work.

2.  There's some issue in the kernel.  Maybe there's some code in the kernel that expects the MTU to be 1500 and when it isn't, things go bad.  I have no idea whether this is the case or not.  But it's possible.
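As an added illustration of the MSS/MTU diagnosis in gentoo_ram's two posts above (this is not code from anyone in the thread): the SYN in maiku's eth0 capture advertises `mss 536`, which for IPv4 TCP without options corresponds to an MTU of 576, the same value gentoo_ram saw handed out by DHCP. The script below extracts the advertised MSS from tcpdump lines, reads interface MTUs from net-tools `ifconfig` output, and flags the interface mismatch that makes full-size forwarded packets disappear while ping and SSH keep working; the ifconfig text and the third capture line (MSS 1460) are constructed sample input with placeholder addresses.

```python
import re

IPV4_TCP_HEADERS = 40  # 20-byte IPv4 header + 20-byte TCP header, no options

# Capture text: the SYN and FIN lines quoted in the thread, plus one constructed SYN
# (third line) advertising the normal Ethernet MSS of 1460 for comparison.
TCPDUMP_LINES = """\
12:49:43.103954 IP ool-457b840d.dyn.optonline.net.46136 > qb-in-f19.google.com.http: S 3933949849:3933949849(0) win 2144 <mss 536,sackOK,timestamp 1834430[|tcp]>
12:53:37.745675 IP 192.168.1.103.3274 > qb-in-f19.google.com.http: F 2542460982:2542460982(0) ack 3293901137 win 64467
12:55:01.000000 IP 192.168.1.103.3290 > qb-in-f19.google.com.http: S 1000:1000(0) win 65535 <mss 1460,sackOK>
"""

# Constructed net-tools ifconfig output (placeholder addresses): the external link
# took MTU 576 from DHCP while the LAN side is still 1500.
IFCONFIG_OUTPUT = """\
eth0      Link encap:Ethernet  HWaddr 00:00:5e:00:53:01
          inet addr:203.0.113.10  Bcast:203.0.113.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:576  Metric:1
eth1      Link encap:Ethernet  HWaddr 00:00:5e:00:53:02
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
"""

SYN_RE = re.compile(r"IP (\S+) > (\S+): S .*<mss (\d+)")
MTU_RE = re.compile(r"MTU:(\d+)")

def syn_mss(capture):
    """Return [(src, dst, mss)] for each SYN in tcpdump text that carries an MSS option."""
    hits = (SYN_RE.search(line) for line in capture.splitlines())
    return [(m.group(1), m.group(2), int(m.group(3))) for m in hits if m]

def implied_mtu(mss):
    """A host advertises MSS = its interface MTU minus the IPv4 and TCP headers."""
    return mss + IPV4_TCP_HEADERS

def interface_mtus(ifconfig_text):
    """Map interface name -> MTU; a name starts a block, 'MTU:n' appears indented below it."""
    mtus, current = {}, None
    for line in ifconfig_text.splitlines():
        if line and not line[0].isspace():
            current = line.split()[0]
        m = MTU_RE.search(line)
        if m and current:
            mtus[current] = int(m.group(1))
    return mtus

def forwarding_risk(mtus):
    """Interfaces with an MTU below the largest one: full-size packets forwarded out
    of them are dropped if the router will not fragment, while small ones still pass."""
    biggest = max(mtus.values())
    return sorted(name for name, mtu in mtus.items() if mtu < biggest)
```

Feeding a real `tcpdump -n` capture and `ifconfig` output to these functions shows whether the advertised MSS already reveals a 576-byte link and which interface the mismatch sits on.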

----------

## maiku

I wonder if it is a kernel issue.  The only difference in the servers, really, is the versions of the kernel and iptables.

----------

