# Weird NAT problem

## jsharrad

I somehow broke my NAT configuration the other day.  It was all working fine one day and the next it wasn't.  I'm not sure exactly what I did, as my wife is usually in bed when I update my system, so no one is using the other PC that my internet connection is shared with.

I have 2 interfaces in my system, eth1 (local) and eth2 (internet), and no matter whether I specify the policies directly in iptables or use firestarter or shorewall to set it up, the result is the same.  I can ping outside addresses from the internal PC, so it's resolving names and sending/receiving data.  I can log into an FTP site using the Windows FTP client, but as soon as I try to do anything after logging in, nothing.  All other traffic I have tested behaves the same way: even though google.com responds to pings, if I try to browse to it, it gets stuck at "Waiting for www.google.com...".  Online games don't respond either.

Any ideas on what I can do to fix this?  I hate rebooting into windows just to share my internet connection when my wife is home.

----------

## deno

Just a suggestion. Some networking options in the .config file have changed their place, so when you upgrade the kernel to 2.6.20 and use an old .config file, some things will probably break.

----------

## jsharrad

Yeah, I'm using 2.6.20, but I went through the new netfilter options and enabled them.

----------

## jsharrad

I still have this problem, even after a total system reinstall.  eth1 is my external interface now and eth2 is my internal network.  I've tried using bare-bones iptables rules to see if anything will go through; still, the internal LAN PC gets responses to pings and can communicate with mail servers (but not actually receive the messages), but nothing else gets through, like web pages, games, etc.

*Quote:*

> goober justin # iptables-save -c
> # Generated by iptables-save v1.3.7 on Mon Jun 11 19:59:54 2007
> *nat
> ...

Any ideas? It works in Ubuntu and Fedora, but I reinstalled Gentoo because I like it best.

----------

## Hu

If you still have Ubuntu or Fedora, run iptables-save -c on them to see what is different?

Failure to download content sounds suspiciously like you are using one of the "criminally braindead ISPs" ... " which block ICMP Fragmentation Needed packets" (quote from iptables manpage).  If this is the cause, you need to (1) clamp MSS to PMTU and (2) complain to your ISP to stop blocking ICMP Fragmentation Needed.  See the TCPMSS target in man iptables for more information.  If it is not clear how to use it, post back and I will elaborate.  Let us know if this solves the problem.  If it does not, it may be time to emerge net-analyzer/tcpdump and start monitoring the traffic.

Hold off on complaining to your ISP until we confirm that it is an ICMP Fragmentation Needed problem.

----------

## jsharrad

I'm not sure why, but for some reason eth1 was set to a 576 MTU; I looked at it to see what to clamp it to.  I don't know if it's meant to be like that, but by changing it to 1500 NAT works fine now.  I guess I should have checked and tried that earlier.

----------

## JasonX

*jsharrad wrote:*

> I'm not sure why, but for some reason eth1 was set to a 576 MTU; I looked at it to see what to clamp it to.  I don't know if it's meant to be like that, but by changing it to 1500 NAT works fine now.  I guess I should have checked and tried that earlier.

Hi, I have the same problem and posted it under Incorrect MTU Value

My iptables rules are:

```
# Generated by iptables-save v1.3.5 on Mon Jun 11 12:25:27 2007
*nat
:PREROUTING ACCEPT [3222421:375165346]
:POSTROUTING ACCEPT [2403:316023]
:OUTPUT ACCEPT [3705:411018]
-A POSTROUTING -o $external_lan_card -j MASQUERADE
COMMIT
# Completed on Mon Jun 11 12:25:27 2007
# Generated by iptables-save v1.3.5 on Mon Jun 11 12:25:27 2007
*mangle
:PREROUTING ACCEPT [13788077:9064935440]
:INPUT ACCEPT [10695153:8710372630]
:FORWARD ACCEPT [22593:7430284]
:OUTPUT ACCEPT [9658031:8993421075]
:POSTROUTING ACCEPT [9682300:9001223727]
COMMIT
# Completed on Mon Jun 11 12:25:27 2007
# Generated by iptables-save v1.3.5 on Mon Jun 11 12:25:27 2007
*filter
:INPUT ACCEPT [10695157:8710372733]
:FORWARD ACCEPT [22266:7380952]
:OUTPUT ACCEPT [9658037:8993421895]
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Mon Jun 11 12:25:27 2007
```

and --clamp-mss-to-pmtu does not solve the problem.

Can you describe to me more precisely how you fixed it, please?

----------

## jsharrad

I changed eth1's MTU to 1500 with

```
# ifconfig eth1 mtu 1500
```

Made sure it worked like that,

```
$ ping -s 1472 www.dslreports.com
PING dslreports.com (209.123.109.175) 1472(1500) bytes of data.
1480 bytes from www.dslreports.com (209.123.109.175): icmp_seq=1 ttl=55 time=49.6 ms
1480 bytes from www.dslreports.com (209.123.109.175): icmp_seq=2 ttl=55 time=49.0 ms
```

And edited my /etc/conf.d/net file to apply the change every time the interface is brought up:

```
config_eth1=( "dhcp" )
mtu_eth1=1500
```

----------

## JasonX

*jsharrad wrote:*

> I changed eth1's MTU to 1500 with
>
> ```
> # ifconfig eth1 mtu 1500
> ```
> ...

Thank you for the help.

The problem was SOLVED (solution here) by setting an MTU bigger than 1396 on the ppp interface.

----------

## Thesee

Hello,

Sorry to re-open this thread, but I have exactly the same symptoms, though it seems the problem isn't the same. The MTU on my ppp0 is 1492. I tried with 1500 but it didn't help: when I try to browse from a PC in the LAN, I see an exchange of packets and then it stops at "Waiting for www.tchibo.de...". And what puzzles me even more is that I can go on Google (I mean doing a search on Google, to be sure that it's not in cache or anything).

Before you read my firewall rules, I want to say that this script was working perfectly on an old RedHat 9.0 (but the PC died after more than 15 years... R.I.P.).

I have 2 NICs: eth0 and eth1. eth0 is bridged with ppp0 as I'm connected via ADSL with rp-pppoe.

Here is my /etc/conf.d/net:

```
config_eth1=( "192.168.0.1 netmask 255.255.255.0 brd 192.168.0.255" )
config_eth0=( "null" )
config_ppp0=("ppp")
link_ppp0="eth0"
plugins_ppp0=("pppoe")
pppd_ppp0=("defaultroute" "usepeerdns")
```

I also have a DHCP server that gives out IPs based on MAC address.

Here it is:

```
#!/bin/sh
IPTABLES='/sbin/iptables'
EXTIF='ppp0'
INTIF1='eth1'

echo ">>> Setting ipforward"
echo 1 > /proc/sys/net/ipv4/ip_forward

echo ">>> Flushing iptables rules"
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -X
$IPTABLES -t nat -X

echo ">>> Setting default policy to DROP"
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

echo ">>> Setting packet logging"
# user-defined chains that the built-in chains jump to below
$IPTABLES -N bad_tcp_packets
$IPTABLES -N allowed
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets
$IPTABLES -N icmp_packets

echo ">>> Accepting loopback packets"
$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT

echo ">>> Bad TCP packets"
# a NEW connection must start with a bare SYN: SYN,ACK gets a reset,
# anything else non-SYN is logged and dropped
$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-level DEBUG --log-prefix "New not syn: "
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

echo ">>> Allowed packets"
$IPTABLES -A allowed -p tcp --syn -j ACCEPT
$IPTABLES -A allowed -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p tcp -j DROP

echo ">>> TCP rules"
# services reachable on the external interface
$IPTABLES -A tcp_packets -p tcp -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p tcp -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p tcp -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p tcp -s 0/0 --dport 113 -j allowed
$IPTABLES -A tcp_packets -p tcp -s 0/0 --dport 2401 -j allowed
$IPTABLES -A tcp_packets -p tcp -s 0/0 --dport 25 -j allowed
$IPTABLES -A tcp_packets -p tcp -s 0/0 --dport 110 -j allowed
$IPTABLES -A tcp_packets -p tcp -s 0/0 --dport 32792 -j allowed
$IPTABLES -A tcp_packets -p tcp -s 0/0 --dport 3690 -j allowed
# ports allowed to be forwarded from the Internet to the LAN
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF1 -p tcp --dport 8110 -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF1 -p tcp --dport 6891 -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF1 -p tcp --dport 6892 -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF1 -p tcp --dport 6893 -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF1 -p tcp --dport 6894 -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF1 -p tcp --dport 4662 -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF1 -p tcp --dport 5100 -j ACCEPT

echo ">>> UDP rules"
# inbound UDP is matched by source port of the remote service
$IPTABLES -A udp_packets -p udp -s 0/0 --source-port 53 -j ACCEPT
$IPTABLES -A udp_packets -p udp -s 10.0.0.138  --sport 67 --dport 68 -j ACCEPT
$IPTABLES -A udp_packets -p udp -s 0/0 --source-port 25 -j ACCEPT
$IPTABLES -A udp_packets -p udp -s 0/0 --sport 110 -j ACCEPT
$IPTABLES -A udp_packets -p udp -s 0/0 --sport 4000 -j ACCEPT
$IPTABLES -A udp_packets -p udp -s 0/0 --sport 32792 -j ACCEPT
$IPTABLES -A udp_packets -p udp -s 0/0 --sport 4043 -j ACCEPT
$IPTABLES -A udp_packets -p udp -s 0/0 --sport 4044 -j ACCEPT
$IPTABLES -A udp_packets -p udp -s 0/0 --sport 4045 -j ACCEPT
$IPTABLES -A udp_packets -p udp -s 0/0 --sport 4046 -j ACCEPT
$IPTABLES -A udp_packets -p udp -s 0/0 --sport 6277 -j ACCEPT
$IPTABLES -A udp_packets -p udp -s 0/0 --sport 4665 -j ACCEPT
$IPTABLES -A udp_packets -p udp -s 0/0 --sport 4672 -j ACCEPT

echo ">>> ICMP rules"
$IPTABLES -A icmp_packets -p icmp -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p icmp -s 0/0 --icmp-type 11 -j ACCEPT

# wire the user-defined chains into INPUT, FORWARD and OUTPUT
$IPTABLES -A INPUT -i tun+ -j ACCEPT
$IPTABLES -A FORWARD -i tun+ -j ACCEPT
$IPTABLES -A INPUT -p tcp -j bad_tcp_packets
$IPTABLES -A INPUT -p ALL -i $INTIF1 -s 192.168.0.0/24 -j ACCEPT
# "localhost" is not an interface name, so this rule never matches; lo is already accepted above
$IPTABLES -A INPUT -p ALL -i localhost -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p tcp -i $EXTIF -j tcp_packets
$IPTABLES -A INPUT -p udp -i $EXTIF -j udp_packets
$IPTABLES -A INPUT -p icmp -i $EXTIF -j icmp_packets
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
# everything from the LAN may be forwarded; replies come back via conntrack
$IPTABLES -A FORWARD -i $INTIF1 -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "
$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
$IPTABLES -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s 10.0.0.1 -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s 192.168.0.1 -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $EXTIF -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o eth1 -j ACCEPT
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
# source NAT for everything leaving on the PPP link
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
echo "[OK]"
```

Here is the output of "iptables -L -v":

```
Chain INPUT (policy DROP 14 packets, 3759 bytes)
 pkts bytes target     prot opt in     out     source               destination
  314 22231 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     all  --  tun+   any     anywhere             anywhere
  275  114K bad_tcp_packets  tcp  --  any    any     anywhere             anywhere
   88 13126 ACCEPT     all  --  eth1   any     192.168.0.0/24       anywhere
    0     0 ACCEPT     all  --  localhost any     anywhere             anywhere
  309  114K ACCEPT     all  --  ppp0   any     anywhere             anywhere            state RELATED,ESTABLISHED
    7   360 tcp_packets  tcp  --  ppp0   any     anywhere             anywhere
    7  3399 udp_packets  udp  --  ppp0   any     anywhere             anywhere
    1    61 icmp_packets  icmp --  ppp0   any     anywhere             anywhere
   13  3695 LOG        all  --  any    any     anywhere             anywhere            limit: avg 3/min burst 3 LOG level debug prefix `IPT INPUT packet died: '

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  ppp0   eth1    anywhere             anywhere            tcp dpt:8110
    0     0 ACCEPT     tcp  --  ppp0   eth1    anywhere             anywhere            tcp dpt:6891
    0     0 ACCEPT     tcp  --  ppp0   eth1    anywhere             anywhere            tcp dpt:6892
    0     0 ACCEPT     tcp  --  ppp0   eth1    anywhere             anywhere            tcp dpt:6893
    0     0 ACCEPT     tcp  --  ppp0   eth1    anywhere             anywhere            tcp dpt:6894
    0     0 ACCEPT     tcp  --  ppp0   eth1    anywhere             anywhere            tcp dpt:4662
    0     0 ACCEPT     tcp  --  ppp0   eth1    anywhere             anywhere            tcp dpt:5100
    0     0 ACCEPT     all  --  tun+   any     anywhere             anywhere
   60 11903 ACCEPT     all  --  eth1   any     anywhere             anywhere
   57 16222 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 bad_tcp_packets  tcp  --  any    any     anywhere             anywhere
    0     0 LOG        all  --  any    any     anywhere             anywhere            limit: avg 3/min burst 3 LOG level debug prefix `IPT FORWARD packet died: '

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  314 22231 ACCEPT     all  --  any    lo      anywhere             anywhere
  266 41617 bad_tcp_packets  tcp  --  any    any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    any     phoebe.thesee.dyndns.org  anywhere
    0     0 ACCEPT     all  --  any    any     10.0.0.1             anywhere
   87 14221 ACCEPT     all  --  any    any     192.168.0.0/24       anywhere
  314 40895 ACCEPT     all  --  any    ppp0    anywhere             anywhere
    0     0 LOG        all  --  any    any     anywhere             anywhere            limit: avg 3/min burst 3 LOG level debug prefix `IPT OUTPUT packet died: '

Chain allowed (9 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 DROP       tcp  --  any    any     anywhere             anywhere

Chain bad_tcp_packets (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  any    any     anywhere             anywhere            tcp flags:SYN,ACK/SYN,ACK state NEW reject-with tcp-reset
    4   160 LOG        tcp  --  any    any     anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW LOG level debug prefix `New not syn: '
    4   160 DROP       tcp  --  any    any     anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW

Chain icmp_packets (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1    61 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp echo-request
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp time-exceeded

Chain tcp_packets (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 allowed    tcp  --  any    any     anywhere             anywhere            tcp dpt:ftp
    0     0 allowed    tcp  --  any    any     anywhere             anywhere            tcp dpt:ssh
    0     0 allowed    tcp  --  any    any     anywhere             anywhere            tcp dpt:http
    0     0 allowed    tcp  --  any    any     anywhere             anywhere            tcp dpt:auth
    0     0 allowed    tcp  --  any    any     anywhere             anywhere            tcp dpt:cvspserver
    0     0 allowed    tcp  --  any    any     anywhere             anywhere            tcp dpt:smtp
    0     0 allowed    tcp  --  any    any     anywhere             anywhere            tcp dpt:pop3
    0     0 allowed    tcp  --  any    any     anywhere             anywhere            tcp dpt:32792
    0     0 allowed    tcp  --  any    any     anywhere             anywhere            tcp dpt:svn

Chain udp_packets (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp spt:domain
    0     0 ACCEPT     udp  --  any    any     10.0.0.138           anywhere            udp spt:bootps dpt:bootpc
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp spt:smtp
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp spt:pop3
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp spt:4000
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp spt:32792
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp spt:4043
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp spt:4044
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp spt:4045
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp spt:4046
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp spt:6277
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp spt:4665
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp spt:4672
```

The FORWARD chain doesn't have any packets; isn't that strange? As far as I understand it, the traffic from my LAN to the WAN should go through the FORWARD rules, no?

I read the HOWTO Iptables for newbies and tried the very first script, but it didn't work: I can't even ping my internal interface...

I found a workaround: I installed a proxy, but I'm not happy with the idea; I'd like people inside my LAN not to need to configure anything.

This has been killing me for a couple of weeks.

Any help would be really, really appreciated.

P.S.: if any trace is needed, please let me know.

----------
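An added example, not part of Thesee's post or of any script in the thread: a small POSIX sh/awk tool that reads `iptables -L -v` output and reports, per chain, the policy, how many packets fell through to it, and how many were matched and accepted by rules, which is exactly the question of whether the FORWARD chain is seeing LAN traffic. The embedded sample is a constructed excerpt of the output posted above (LOG lines shortened), and the function names are the editor's own.

```sh
#!/bin/sh
# Added example, not code from the thread: summarise the packet counters in
# "iptables -L -v" output so the chain and rule that handled traffic can be
# read off instead of guessed. Assumes POSIX sh and awk. Live use:
#   iptables -L -v -n | chain_counters FORWARD

# iptables -L -v abbreviates large counters (114K, 9M); -x prints exact
# values. This awk function scales the abbreviated form back to a number.
AWK_TO_NUM='
function to_num(s,  n) {
    n = s + 0
    if (s ~ /K$/) n = n * 1000
    else if (s ~ /M$/) n = n * 1000000
    else if (s ~ /G$/) n = n * 1000000000
    return n
}'

# chain_counters CHAIN -> "POLICY POLICY_PKTS MATCHED_PKTS ACCEPTED_PKTS"
# POLICY is "-" for user-defined chains, which have none. Reads stdin and
# fails if CHAIN does not appear in the output.
chain_counters() {
    awk -v want="$1" "$AWK_TO_NUM"'
    /^Chain / {
        in_chain = ($2 == want)
        if (in_chain) {
            found = 1; policy = "-"; pol_pkts = 0; matched = 0; accepted = 0
            if ($3 == "(policy") { policy = $4; pol_pkts = to_num($5) }
        }
        next
    }
    in_chain && $1 ~ /^[0-9]/ {          # a rule line: pkts bytes target ...
        matched += to_num($1)
        if ($3 == "ACCEPT") accepted += to_num($1)
    }
    END {
        if (!found) exit 1
        print policy, pol_pkts, matched, accepted
    }'
}

# chain_seen CHAIN -> 0 if any packet hit a rule or the policy of CHAIN
chain_seen() {
    counters=$(chain_counters "$1") || return 2
    set -- $counters
    [ $(($2 + $3)) -gt 0 ]
}

# Constructed sample: an excerpt of the "iptables -L -v" output posted in
# the thread, with the LOG rule's prefix text shortened.
SAMPLE=$(cat <<'EOF'
Chain INPUT (policy DROP 14 packets, 3759 bytes)
 pkts bytes target     prot opt in     out     source               destination
  314 22231 ACCEPT     all  --  lo     any     anywhere             anywhere
  275  114K bad_tcp_packets  tcp  --  any    any     anywhere             anywhere
   13  3695 LOG        all  --  any    any     anywhere             anywhere            limit: avg 3/min burst 3

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  ppp0   eth1    anywhere             anywhere            tcp dpt:8110
    0     0 ACCEPT     all  --  tun+   any     anywhere             anywhere
   60 11903 ACCEPT     all  --  eth1   any     anywhere             anywhere
   57 16222 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 bad_tcp_packets  tcp  --  any    any     anywhere             anywhere

Chain allowed (9 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN
    0     0 DROP       tcp  --  any    any     anywhere             anywhere
EOF
)

# Stand-alone run: one summary line per chain found in the sample
summarize() {
    printf '%s\n' "$SAMPLE" | awk '/^Chain /{print $2}' | while read -r chain; do
        printf '%-10s policy/policy_pkts/matched/accepted: %s\n' "$chain" \
            "$(printf '%s\n' "$SAMPLE" | chain_counters "$chain")"
    done
}
summarize
```

On the sample, FORWARD reports `DROP 0 117 117`: nothing reached the DROP policy and 117 packets were accepted by its rules, all of them on the `-i eth1` and `ESTABLISHED,RELATED` lines. A rule's counter and the chain's policy counter are the only two places a packet can be accounted for, so a chain showing zero in both has not seen a packet since the counters were last reset; `iptables -Z` zeroes them, which lets a single browser attempt from the LAN be watched in isolation.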

## Thesee

Nobody?

----------

## Hu

*Thesee wrote:*

> Sorry to re-open this thread, but I have exactly the same symptoms, though it seems the problem isn't the same.

Posting a similar but distinct problem in a thread where the original issue was solved is not a good way to get attention for your problem.  In the future, you should post a new thread explaining your problem.  If it is similar to other posts, provide links back to those posts.

A quick review of your rules does not show obvious problems.  Please post the output of iptables-save -c.  Also, attempt to connect to the Internet from a client machine and run netstat -n while the browser is waiting for a response.

----------

## Thesee

Sorry, but it's always a bit tricky: on some forums, threads aren't considered "closed" or "solved" unless the title says so, and that's why I allowed myself to post in this thread.

Besides that, I was wondering if it wouldn't be taken as a duplicate thread.

But I think you're right, and I'll open a new one.

Thanks.

----------

