# ssl connections problem

## lightning

Hi there. I have installed Gentoo and configured it with this manual http://www.gentoo.org/doc/en/home-router-howto.xml but computers from the LAN cannot browse SSL webpages. It is possible to do from the server (using the links browser). What should I do? I am a beginner to Linux. And also I would like to apply the time library patch to iptables to load some rules for a period. How to do that using emerge? Best regards

----------

## JeliJami

*Quote:*

> And also I would like to apply the time library patch to iptables to load some rules for a period. How to do that using emerge? Best regards

http://gentoo-wiki.com/HOWTO_Create_an_Updated_Ebuild

----------

## Hu

For the client SSL problem, we need more information.  Please post the output of iptables-save -c ; ip addr ; ip route.  Also, in what way are you connected to the Internet?

----------

## lightning

```
# Generated by iptables-save v1.3.8 on Thu Nov 15 21:10:00 2007
*raw
:PREROUTING ACCEPT [82945647:34041928864]
:OUTPUT ACCEPT [1122178:123587343]
COMMIT
# Completed on Thu Nov 15 21:10:00 2007
# Generated by iptables-save v1.3.8 on Thu Nov 15 21:10:00 2007
*nat
:PREROUTING ACCEPT [749484:54760579]
:POSTROUTING ACCEPT [164:38348]
:OUTPUT ACCEPT [1100:148068]
[602077:42180491] -A POSTROUTING -s 192.168.1.0/255.255.255.0 -o ppp0 -j MASQUERADE
COMMIT
# Completed on Thu Nov 15 21:10:00 2007
# Generated by iptables-save v1.3.8 on Thu Nov 15 21:10:00 2007
*mangle
:PREROUTING ACCEPT [82945635:34041928240]
:INPUT ACCEPT [1141357:110017378]
:FORWARD ACCEPT [81627390:33856369774]
:OUTPUT ACCEPT [1122183:123588687]
:POSTROUTING ACCEPT [82712673:33978078368]
[0:0] -A INPUT -s 192.168.1.0/255.255.255.0 -p tcp -m ipp2p --ipp2p -j DROP
[128527:24926696] -A FORWARD -s 192.168.1.0/255.255.255.0 -p tcp -m ipp2p --ipp2p -j DROP
[0:0] -A OUTPUT -s 192.168.1.0/255.255.255.0 -p tcp -m ipp2p --ipp2p -j DROP
COMMIT
# Completed on Thu Nov 15 21:10:00 2007
# Generated by iptables-save v1.3.8 on Thu Nov 15 21:10:00 2007
*filter
:INPUT ACCEPT [185658:20434094]
:FORWARD ACCEPT [12346829:2150668604]
:OUTPUT ACCEPT [175557:21816314]
:P2P - [0:0]
[8352517:4757344416] -A FORWARD -d 192.168.1.0/255.255.255.0 -m state --state RELATED,ESTABLISHED -j ACCEPT
[34601:1632854] -A FORWARD -p udp -m ipp2p --ipp2p -j DROP
[0:0] -A FORWARD -p tcp -m ipp2p --ipp2p -j DROP
COMMIT
# Completed on Thu Nov 15 21:10:00 2007
```

I use pppoe. How do I get the rest of the information? (I used to use OpenBSD before and am not really sure how to get the rest of the information.. just learning Linux currently.) I cannot get connected to some https websites. No idea why.

----------

## Hu

This sounds like a case for the TCPMSS target.  From the iptables man page:

```
   TCPMSS
       This target allows to alter the MSS value of TCP SYN packets, to control
       the maximum size for that connection (usually limiting it to your
       outgoing interface's MTU minus 40). Of course, it can only be used in
       conjunction with -p tcp. It is only valid in the mangle table.

       This target is used to overcome criminally braindead ISPs or servers
       which block ICMP Fragmentation Needed packets. The symptoms of this
       problem are that everything works fine from your Linux firewall/router,
       but machines behind it can never exchange large packets:
        1) Web browsers connect, then hang with no data received.
        2) Small mail works fine, but large emails hang.
        3) ssh works fine, but scp hangs after initial handshaking.

       Workaround: activate this option and add a rule to your firewall
       configuration like:
        iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
                    -j TCPMSS --clamp-mss-to-pmtu
```
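
Added example, not from the thread: a small Python check over `iptables-save -c` output that flags a router masquerading out of a ppp interface without any TCPMSS clamp in the mangle table, which is exactly the state shown above. The sample ruleset is constructed from this thread's output, and `expected_mss` applies the "MTU minus 40" rule from the man page (1492 is assumed as the usual PPPoE MTU).

```python
import re

# Constructed sample: the NAT and mangle tables from the ruleset posted above
# (PPPoE uplink, LAN masqueraded, no MSS clamping).
SAMPLE_RULESET = """\
*nat
:POSTROUTING ACCEPT [164:38348]
[602077:42180491] -A POSTROUTING -s 192.168.1.0/255.255.255.0 -o ppp0 -j MASQUERADE
COMMIT
*mangle
:FORWARD ACCEPT [81627390:33856369774]
[128527:24926696] -A FORWARD -s 192.168.1.0/255.255.255.0 -p tcp -m ipp2p --ipp2p -j DROP
COMMIT
"""

def parse_rules(text):
    """Yield (table, rule) pairs; drops counters, chain policies and comments."""
    table = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("[") or line.startswith("-A"):
            # `-c` prefixes every rule with [packets:bytes]; strip it.
            yield table, re.sub(r"^\[\d+:\d+\]\s*", "", line)

def masquerade_ifaces(rules):
    """Outgoing interfaces that masquerade traffic (candidates for clamping)."""
    found = set()
    for table, rule in rules:
        m = re.search(r"-o\s+(\S+).*-j\s+MASQUERADE", rule)
        if table == "nat" and m:
            found.add(m.group(1))
    return found

def has_mss_clamp(rules):
    """True if some mangle rule matches TCP SYNs and jumps to TCPMSS."""
    return any(table == "mangle" and "-j TCPMSS" in rule and "--tcp-flags" in rule
               for table, rule in rules)

def check(text):
    """Return ('missing-clamp', ifaces) when NAT exists without MSS clamping."""
    rules = list(parse_rules(text))
    ifaces = sorted(masquerade_ifaces(rules))
    if ifaces and not has_mss_clamp(rules):
        return "missing-clamp", ifaces
    return "ok", ifaces

def expected_mss(mtu):
    """MSS per the man page: interface MTU minus 40 bytes of IP+TCP headers."""
    return mtu - 40

if __name__ == "__main__":
    print(check(SAMPLE_RULESET))  # ('missing-clamp', ['ppp0'])
    print(expected_mss(1492))     # 1452 for a typical PPPoE link
```

Feed it the real output with `iptables-save -c | python3 check.py` style plumbing after replacing `SAMPLE_RULESET` with `sys.stdin.read()`; a `missing-clamp` result is the signature of the hang described in the man page excerpt.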

----------

## lightning

Problem solved, great. Thank you so much!

----------

