# iptables weird issue

## lorano

First off...

When I'm running iptables with masquerading only (for the moment no other rules are in place), I have internet connectivity on the Windows desktop/laptop. The only problem is when I go to a site that requires authentication (Gmail being the most obvious one here): I can log in, but I am served with a white screen after authentication. It doesn't display my mailbox. Any ideas on what would cause this?

Secondly...

I've got multiple machines in the house and I'm trying to get my roomie and I off of sneaker net and onto our internal networks. I have in my living room an xbox and a myth box. I've got my room-mates connection through one NIC that is on the 172.27.70 subnet, my personal gear that is on the .68 subnet, and the xbox/myth box which is on yet a 3rd subnet. 

When I have just my internal and external connections running, I can get out to the internet. When I turn on any of the other subnets I can still get out on my internal but none of the other interfaces can get out. I've attempted to ping the interfaces, and those respond, but I can't get them to ping the gateway, or my external interface.

Here's a picture of the setup. Network Setup

I've tried manually adding routes (which I'm pretty sure I'm not doing properly) to allow the .69 and .70 subnets to get to the .68; when I do that I either lose connectivity or I get about 30% packet loss. Any ideas?

Thirdly....

The xbox interface continually loses the MTU that I force onto it. Unfortunately, to connect to Xbox Live that interface needs to have an MTU associated with it. I've got a script that runs at boot time that manually forces the MTU to 1482, which as I understand it is the correct setting, but it loses that and the xbox is no longer able to detect the MTU.

----------

## Hu

Your first and third problems are likely related to inappropriate handling of ICMP Fragmentation Needed messages somewhere on the route between the client and server.  Run man iptables and read about the TCPMSS target.  If you agree that the symptoms it describes reflect your problems, add that target to your NAT device to fix the MSS on outgoing connections.

For your second problem, more information is required.  Please run iptables-save -c ; ip route ; ip addr on each of the Linux machines involved and post the output, annotated by originating machine.

----------

## lorano

Thanks for the reply!

That does indeed sound like the issue I'm having for 1 and 3. I'll post the output of that information once I return home tonight.

----------

## lorano

Alright, I fixed the routing problem, but the problem is still there with Gmail. I can't log in: I get served with a blank page in Firefox, and with Internet Explorer I get

```
Internet Explorer cannot display the webpage

   Most likely causes:
You are not connected to the Internet.
The website is encountering problems.
There might be a typing error in the address.
```

Here's my mangle table, straight out of the man page:

```
iptables -t mangle -L -v
Chain PREROUTING (policy ACCEPT 38566 packets, 16M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 4833 packets, 884K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 33419 packets, 15M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TCPMSS     tcp  --  any    any     anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU

Chain OUTPUT (policy ACCEPT 2473 packets, 364K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 35892 packets, 15M bytes)
 pkts bytes target     prot opt in     out     source               destination
```

and nat:

```
Chain PREROUTING (policy ACCEPT 4976 packets, 693K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1613 packets, 119K bytes)
 pkts bytes target     prot opt in     out     source               destination
  821 89575 SNAT       all  --  any    external  anywhere             anywhere            to:xxx.xxx.xxx.xxx

Chain OUTPUT (policy ACCEPT 243 packets, 21689 bytes)
 pkts bytes target     prot opt in     out     source               destination
```

And the Xbox detecting the MTU is still a problem. Not sure why....

I fixed the routing issue by bonding the 3 interfaces together and issuing IPs over the bond interface. That worked great, except for the whole MTU not being there and not being able to retrieve my email :/

----------

## Hu

*lorano wrote:*

> Chain FORWARD (policy ACCEPT 33419 packets, 15M bytes)
>  pkts bytes target     prot opt in     out     source               destination
> ...

Your rule is not being hit.  No packets have matched the rule, so it is not helping you.  I suspect that the way in which you are doing your routing has somehow defeated this fix, but I am not sure how yet.

What is the output of iptables-save -c ; cat /proc/sys/net/ipv4/ip_forward ; ip route ; ip addr?

----------

## lorano

iptables-save -c

```
# Generated by iptables-save v1.3.8 on Wed Dec 19 02:31:47 2007
*nat
:PREROUTING ACCEPT [3148:520033]
:POSTROUTING ACCEPT [397:40920]
:OUTPUT ACCEPT [301:24564]
[279:22033] -A POSTROUTING -o external -j SNAT --to-source XXX.XXX.XXX.XXX
COMMIT
# Completed on Wed Dec 19 02:31:47 2007
# Generated by iptables-save v1.3.8 on Wed Dec 19 02:31:47 2007
*mangle
:PREROUTING ACCEPT [10103:2780967]
:INPUT ACCEPT [3494:382442]
:FORWARD ACCEPT [6368:2331011]
:OUTPUT ACCEPT [2778:343568]
:POSTROUTING ACCEPT [9146:2674579]
[0:0] -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Wed Dec 19 02:31:47 2007
# Generated by iptables-save v1.3.8 on Wed Dec 19 02:31:47 2007
*filter
:INPUT ACCEPT [12667:2727612]
:FORWARD ACCEPT [11454:5239384]
:OUTPUT ACCEPT [12600:2354200]
COMMIT
# Completed on Wed Dec 19 02:31:47 2007
```

cat /proc/sys/net/ipv4/ip_forward

```
1
```

I can't run ip route or ip addr, as those are iproute2 and I am not running that. Every time I have, I can't get to anything anywhere, not even from the Linux box, so I just don't emerge it. I'll be the first to admit routing is an extremely weak point of mine, so I'm sure it's something I'm not setting up properly on iproute2, but just the same I'm not running it.

I can give you route -n

```
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.27.68.0     0.0.0.0         255.255.255.0   U     0      0        0 external
172.27.69.0     0.0.0.0         255.255.255.0   U     0      0        0 bond0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         172.27.68.1     0.0.0.0         UG    0      0        0 external
```

As I mentioned earlier, this is a basic, BASIC firewall just to get up and running; THEN I was going to tighten it down.

----------

## Hu

Nothing looks out of place there.  However, your past problems with iproute2 make me suspicious that something else is wrong in your system.  I suggest setting aside the MSS problem for now and focusing on (1) securing the firewall so it does not forward malicious traffic to the Windows systems and (2) identifying what causes your networking to fail when you emerge iproute2.

According to the documentation in /etc/conf.d/net.example, it should be possible to switch back and forth between the two packages easily to test what is wrong.  Add modules=( "ifconfig" ) to /etc/conf.d/net to prefer ifconfig even when iproute2 is available.  Remove it to switch to iproute2.  The description of the problem caused by iproute2 sounds like it should be curable by bringing the interface down, switching to ifconfig mode, and bringing the interface back up.  That is, no reboot would be required.  When you are configured using iproute2, save the output of ip addr ; ip route ; ip link ; ip rule ; ip xfrm to a file, then switch back to ifconfig and post the results.  Also, please post the contents of /etc/conf.d/net.

----------

## lorano

Alright, I'm not so worried about the firewall at the moment. Everything is sitting behind m0n0wall. Yes, it's functional; I however feel like I'm out of touch with the firewall, like I have less control or something, hence Gentoo as the firewall. Besides, I'd rather not work on a "live" system and break my connectivity constantly while we work this out. I've got the info below.

ip addr

```
1: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue
    link/ether 00:a0:c9:da:92:d4 brd ff:ff:ff:ff:ff:ff
    inet 172.27.69.1/24 brd 172.27.69.255 scope global bond0
2: slave1: <NO-CARRIER,BROADCAST,MULTICAST,SLAVE,UP> mtu 1500 qdisc pfifo_fast master bond0 qlen 1000
    link/ether 00:a0:c9:da:92:d4 brd ff:ff:ff:ff:ff:ff
3: slave2: <NO-CARRIER,BROADCAST,MULTICAST,SLAVE,UP> mtu 1500 qdisc pfifo_fast master bond0 qlen 1000
    link/ether 00:a0:c9:da:92:d4 brd ff:ff:ff:ff:ff:ff
4: external: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:07:e9:f3:d4:17 brd ff:ff:ff:ff:ff:ff
    inet 172.27.68.85/24 brd 172.27.68.255 scope global external
5: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
6: slave3: <NO-CARRIER,BROADCAST,MULTICAST,SLAVE,UP> mtu 1500 qdisc pfifo_fast master bond0 qlen 1000
    link/ether 00:a0:c9:da:92:d4 brd ff:ff:ff:ff:ff:ff
```

ip route

```
172.27.68.0/24 dev external  proto kernel  scope link  src 172.27.68.85
172.27.69.0/24 dev bond0  proto kernel  scope link  src 172.27.69.1
127.0.0.0/8 dev lo  scope link
default via 172.27.68.1 dev external
```

ip link

```
1: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue
    link/ether 00:a0:c9:da:92:d4 brd ff:ff:ff:ff:ff:ff
2: slave1: <NO-CARRIER,BROADCAST,MULTICAST,SLAVE,UP> mtu 1500 qdisc pfifo_fast master bond0 qlen 1000
    link/ether 00:a0:c9:da:92:d4 brd ff:ff:ff:ff:ff:ff
3: slave2: <NO-CARRIER,BROADCAST,MULTICAST,SLAVE,UP> mtu 1500 qdisc pfifo_fast master bond0 qlen 1000
    link/ether 00:a0:c9:da:92:d4 brd ff:ff:ff:ff:ff:ff
4: external: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:07:e9:f3:d4:17 brd ff:ff:ff:ff:ff:ff
5: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
6: slave3: <NO-CARRIER,BROADCAST,MULTICAST,SLAVE,UP> mtu 1500 qdisc pfifo_fast master bond0 qlen 1000
    link/ether 00:a0:c9:da:92:d4 brd ff:ff:ff:ff:ff:ff
```

ip rule

```
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
```

ip xfrm

Not sure what happened here; I couldn't find any info on the xfrm switch in the man page through a search, so.. yeah.

```
Cannot send dump request: Connection refused
```

conf.d/net

```
config_external=( "dhcp" )
dhcp_external="nodns nontp nonis"
slaves_bond0="slave1 slave2 slave3"
config_bond0="172.27.69.1 netmask 255.255.255.0 broadcast 172.27.69.255"
gateway="bond0/172.27.69.1"
```

I bonded the 3 NICs together as I thought this would be easier than having 3 separate subnets and routing them through iptables, since as stated earlier I suck at routing.

----------

## magari

Without bonding...

What does your 'conf.d/net' file look like?

I had this problem before, the issue was the gateway setting for the internal interfaces. I had to set the gateway of all the internal interfaces to the same one as the external interface.

----------

## Hu

I do not work with bonding much, so I cannot help you with that.  From what you have described, I think you would be better off to unbond the interfaces and get the routing working correctly among them.  I can help with that type of issue.

----------

## lorano

I'm not opposed to that; in fact I would PREFER that. So here's the original config.

In response to magari - 

Here's the conf.d/net

```
config_external=( "dhcp" )
dhcp_external="nodns nontp nonis"
config_internal="172.27.69.1 netmask 255.255.255.0 broadcast 172.27.69.255"
config_xbox="172.27.70.1 netmask 255.255.255.0 broadcast 172.27.70.255"
config_shared="172.27.71.1 netmask 255.255.255.0 broadcast 172.27.71.255"
```

----------

