# iptables + NAT + HTTP is not working [SOLVED]

## Darkshine

I have an iptables-based router (iptables 1.4.6) with the following rules to route traffic from LAN to Internet and vice versa.

eth2 - LAN

ppp0 - Internet

```
$ iptables-save
# Generated by iptables-save v1.4.6 on Sun Jan 24 02:34:56 2010
*raw
:PREROUTING ACCEPT [1088939347:342713552601]
:OUTPUT ACCEPT [1224472212:1380602284298]
COMMIT
# Completed on Sun Jan 24 02:34:56 2010
# Generated by iptables-save v1.4.6 on Sun Jan 24 02:34:56 2010
*nat
:PREROUTING ACCEPT [123755:16989791]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [3553:211984]
-A POSTROUTING -o ppp0 -j MASQUERADE
-A POSTROUTING -o ppp0 -j LOG --log-prefix "iptables: <POSTROUTING> "
COMMIT
# Completed on Sun Jan 24 02:34:56 2010
# Generated by iptables-save v1.4.6 on Sun Jan 24 02:34:56 2010
*mangle
:PREROUTING ACCEPT [1088939237:342713561813]
:INPUT ACCEPT [905797203:256303132748]
:FORWARD ACCEPT [163882622:83918384868]
:OUTPUT ACCEPT [1224472244:1380602299093]
:POSTROUTING ACCEPT [1389060241:1464642006504]
COMMIT
# Completed on Sun Jan 24 02:34:56 2010
# Generated by iptables-save v1.4.6 on Sun Jan 24 02:34:56 2010
*filter
:INPUT ACCEPT [72786690:19591750967]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [88701030:86145347993]
-A FORWARD -i eth2 -o ppp0 -j LOG --log-prefix "iptables: <FWD eth2 ppp0> "
-A FORWARD -i ppp0 -o eth2 -j LOG --log-prefix "iptables: <FWD ppp0 eth2> "
-A FORWARD -i eth2 -o ppp0 -j ACCEPT
-A FORWARD -i ppp0 -o eth2 -j ACCEPT
COMMIT
# Completed on Sun Jan 24 02:34:56 2010
```

Just 3 simple rules to route traffic, and all works fine except the HTTP protocol: I am unable to visit web sites from the LAN. The process of opening sites hangs. Here are my findings.

1. When I'm trying to open a site from a local machine, the connection with the remote web server is established successfully (I see it via "netstat" output). This connection keeps the "ESTABLISHED" state for a long time until the browser says "cannot open a web page", and the web page is not loaded.

2. Here is a log from iptables when I'm trying to open a web page from a local machine (10.101.3.42 is a local IP):

```
Jan 24 02:45:58 faust iptables: <FWD eth2 ppp0> IN=eth2 OUT=ppp0 SRC=10.101.3.42 DST=80.68.240.84 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4890 DF PROTO=TCP SPT=1504 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 24 02:45:58 faust iptables: <FWD ppp0 eth2> IN=ppp0 OUT=eth2 SRC=80.68.240.84 DST=10.101.3.42 LEN=48 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=80 DPT=1504 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Jan 24 02:45:58 faust iptables: <FWD eth2 ppp0> IN=eth2 OUT=ppp0 SRC=10.101.3.42 DST=80.68.240.84 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4895 DF PROTO=TCP SPT=1504 DPT=80 WINDOW=65535 RES=0x00 ACK URGP=0
Jan 24 02:45:58 faust iptables: <FWD eth2 ppp0> IN=eth2 OUT=ppp0 SRC=10.101.3.42 DST=80.68.240.84 LEN=586 TOS=0x00 PREC=0x00 TTL=127 ID=4896 DF PROTO=TCP SPT=1504 DPT=80 WINDOW=65535 RES=0x00 ACK PSH URGP=0
Jan 24 02:45:58 faust iptables: <FWD ppp0 eth2> IN=ppp0 OUT=eth2 SRC=80.68.240.84 DST=10.101.3.42 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=18223 DF PROTO=TCP SPT=80 DPT=1504 WINDOW=6552 RES=0x00 ACK URGP=0
```

At the same time, all other protocols are routed without any problems. Also, I can browse the Internet from the router.

I tried to load web pages from 3 local machines (2 WinXP and 1 Windows 7); the behaviour is the same on all of them.

I suspect that this issue can be caused by a kernel upgrade from 2.6.24 to 2.6.31, because before this upgrade everything was fine.

Please, advise.

Last edited by Darkshine on Mon Jan 25, 2010 12:17 am; edited 1 time in total

----------

## d2_racing

Hi, do you have a bash file that contains all your iptables rules? I prefer that format for debugging.

----------

## d2_racing

I wrote this one, if it helps: http://www.gentoo-quebec.org/wiki/index.php/Utilisation_de_Iptables_pour_d%C3%A9butant_mode_parano

----------

## jathlon

Seems you can't use markup code in the Code: sections so I just separated the interesting bit out.

 *Darkshine wrote:*   

> ```
> # Generated by iptables-save v1.4.6 on Sun Jan 24 02:34:56 2010
> ...
> ```

Your default FORWARD policy is ACCEPT.  That means iptables is going to forward without question to any interface, from any interface.  Is that really what you want?  So with the exception of the logging rules the rest of your forwarding rules are redundant.  

Your default INPUT/OUTPUT policies are ACCEPT as well.  That's a whole other can of worms, but not what you are asking about.  :)

The only thing I can think of is: did you do the

```
~ # echo 1 > /proc/sys/net/ipv4/ip_forward
```

Did you do it right?  Double check it. 

```
~ $ more /proc/sys/net/ipv4/ip_forward
1
~ $
```

Nice little guide on the www.gentoo.org site for setting up your home router:

http://www.gentoo.org/doc/en/home-router-howto.xml

Good luck,

j

----------

## Hu

If IP forwarding were not enabled, no traffic would pass.  The connection would not reach ESTABLISHED.

MASQUERADE is a terminating action, so the LOG in POSTROUTING will never be reached.

My guess is that you need to clamp the MSS to PMTU.  Search man iptables for criminally braindead to find the details.

----------

## jathlon

 *Hu wrote:*   

> If IP forwarding were not enabled, no traffic would pass.  The connection would not reach ESTABLISHED.

Whoops missed that bit.  Thank you for pointing it out.

----------

## Darkshine

 *Quote:*   

> My guess is that you need to clamp the MSS to PMTU. Search man iptables for criminally braindead to find the details.

 

Thank you all, the issue seems to be solved. As Hu said, the problem probably was "criminally braindead ISPs". Below are the steps I took to solve the issue:

1. Set in the kernel config: NETFILTER_XT_TARGET_TCPMSS=m

2. Build the kernel and install the modules:

   ```
   $ cd /usr/src/linux && make && make modules_install
   ```

3. Load the module xt_TCPMSS:

   ```
   $ modprobe -a xt_TCPMSS
   ```

4. Add the rule:

   ```
   $ iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
   ```

5. It works.
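
The following is an added example, not code from this thread or from the iptables project. It parses kernel LOG lines of the kind Darkshine posted, reconstructs each forwarded TCP flow, and flags the symptom Hu's reply attributes to a missing MSS clamp: the handshake completes, the LAN client pushes its HTTP request out through ppp0, and the server side returns only bare ACKs, never a byte of payload. It also computes the MSS that `--clamp-mss-to-pmtu` writes into a SYN, which the iptables man page defines for IPv4 as path MTU minus 40 bytes. Assumptions: the LAN interface is `eth2` as in the post, and, because LOG does not record the TCP header length, any segment with an IP length above 60 bytes is treated as carrying payload (a heuristic, not a rule of the tool). The five sample lines are copied from the first post.

```python
"""Detect the "request goes out, only ACKs come back" pattern in iptables LOG
output, and compute the MSS --clamp-mss-to-pmtu would set.  Added example,
not code from the thread or from iptables."""

import re
from collections import defaultdict

# Sample input: the five LOG lines from the first post of the thread.
SAMPLE_LOG = """\
Jan 24 02:45:58 faust iptables: <FWD eth2 ppp0> IN=eth2 OUT=ppp0 SRC=10.101.3.42 DST=80.68.240.84 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4890 DF PROTO=TCP SPT=1504 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 24 02:45:58 faust iptables: <FWD ppp0 eth2> IN=ppp0 OUT=eth2 SRC=80.68.240.84 DST=10.101.3.42 LEN=48 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=80 DPT=1504 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Jan 24 02:45:58 faust iptables: <FWD eth2 ppp0> IN=eth2 OUT=ppp0 SRC=10.101.3.42 DST=80.68.240.84 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4895 DF PROTO=TCP SPT=1504 DPT=80 WINDOW=65535 RES=0x00 ACK URGP=0
Jan 24 02:45:58 faust iptables: <FWD eth2 ppp0> IN=eth2 OUT=ppp0 SRC=10.101.3.42 DST=80.68.240.84 LEN=586 TOS=0x00 PREC=0x00 TTL=127 ID=4896 DF PROTO=TCP SPT=1504 DPT=80 WINDOW=65535 RES=0x00 ACK PSH URGP=0
Jan 24 02:45:58 faust iptables: <FWD ppp0 eth2> IN=ppp0 OUT=eth2 SRC=80.68.240.84 DST=10.101.3.42 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=18223 DF PROTO=TCP SPT=80 DPT=1504 WINDOW=6552 RES=0x00 ACK URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG"}
LINE_RE = re.compile(r"iptables: <(?P<prefix>[^>]*)> (?P<body>IN=.*)$")

# LEN is the IP total length; LOG does not print the TCP header length, so a
# segment longer than 60 bytes (20 IP + up to 40 TCP with options) is assumed
# to carry payload.  Heuristic chosen for this example, not an iptables rule.
DATA_THRESHOLD = 60


def parse_log_line(line):
    """Return a dict of KEY=VALUE fields plus a 'flags' set, or None if the
    line is not an iptables LOG record."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix"), "flags": set(), "DF": False}
    for tok in m.group("body").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = int(val) if val.isdigit() else val
        elif tok in TCP_FLAGS:
            rec["flags"].add(tok)
        elif tok == "DF":
            rec["DF"] = True
    return rec


def analyze_flows(log_text, lan_if="eth2"):
    """Group TCP records per (client, cport, server, sport), keyed from the
    LAN side, and mark flows showing the handshake-then-silence pattern."""
    flows = defaultdict(lambda: {
        "syn_out": False, "synack_in": False,
        "client_data": 0, "server_data": 0, "server_bare_acks": 0,
    })
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None or rec.get("PROTO") != "TCP":
            continue
        outbound = rec.get("IN") == lan_if
        if outbound:
            key = (rec["SRC"], rec["SPT"], rec["DST"], rec["DPT"])
        else:
            key = (rec["DST"], rec["DPT"], rec["SRC"], rec["SPT"])
        f = flows[key]
        flags, length = rec["flags"], rec.get("LEN", 0)
        if outbound and flags == {"SYN"}:
            f["syn_out"] = True
        elif not outbound and flags == {"SYN", "ACK"}:
            f["synack_in"] = True
        elif outbound and length > DATA_THRESHOLD:
            f["client_data"] += length
        elif not outbound and length > DATA_THRESHOLD:
            f["server_data"] += length
        elif not outbound and "ACK" in flags:
            f["server_bare_acks"] += 1
    for f in flows.values():
        # Handshake done, request sent, server answered only with bare ACKs:
        # the symptom the thread resolves by clamping MSS to the path MTU.
        f["suspect_mss_blackhole"] = (
            f["syn_out"] and f["synack_in"] and f["client_data"] > 0
            and f["server_data"] == 0 and f["server_bare_acks"] > 0
        )
    return dict(flows)


def clamped_mss(path_mtu):
    """IPv4 MSS that --clamp-mss-to-pmtu writes into a SYN: path MTU - 40
    (20 bytes IPv4 header + 20 bytes TCP header), per the iptables man page."""
    return path_mtu - 40


if __name__ == "__main__":
    for key, f in analyze_flows(SAMPLE_LOG).items():
        verdict = "SUSPECT" if f["suspect_mss_blackhole"] else "ok"
        print(key, verdict, f)
    print("MSS for a 1492-byte PPPoE path:", clamped_mss(1492))
```

Run as-is, it reports the single flow from the post as suspect (586 bytes out, 0 bytes of server payload back, one bare ACK), which is exactly what the TCPMSS rule in step 4 addresses by advertising a smaller MSS in every forwarded SYN so the server never sends segments the ppp0 link cannot carry.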

----------

