# iptables firewall not working with some web sites?

## pdr

I have a firewall that connects on eth1=>ppp0 to an ADSL modem and gets its IP address via DHCP. My "nowall" firewall script (minimal) looks like:

```sh
#!/bin/sh
# "nowall": every policy ACCEPT, stateful return traffic, and NAT for the LAN.
LAN_IF="eth0"   # the intranet ethernet port
INET_IF="ppp0"  # the internet port via ADSL

# Default policies: accept everything in the filter, nat and mangle tables.
iptables --policy INPUT ACCEPT
iptables --policy FORWARD ACCEPT
iptables --policy OUTPUT ACCEPT
iptables -t nat --policy PREROUTING ACCEPT
iptables -t nat --policy POSTROUTING ACCEPT
iptables -t nat --policy OUTPUT ACCEPT
iptables -t mangle --policy PREROUTING ACCEPT
iptables -t mangle --policy POSTROUTING ACCEPT
iptables -t mangle --policy INPUT ACCEPT
iptables -t mangle --policy OUTPUT ACCEPT
iptables -t mangle --policy FORWARD ACCEPT

# Flush all rules and remove any user-defined chains in each table.
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables --delete-chain
iptables -t nat --delete-chain
iptables -t mangle --delete-chain

# Forward LAN -> internet freely; only let established/related traffic back in.
iptables -A FORWARD -i "$LAN_IF" -o "$INET_IF" -j ACCEPT
iptables -A FORWARD -i "$INET_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i "$INET_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

# Masquerade everything leaving on the ADSL link.
iptables -t nat -A POSTROUTING -o "$INET_IF" -j MASQUERADE
```

This works fine for most sites - www.google.com, www.dilbert.com, etc. AND, if I use wget from the firewall (it is headless), this is true for all sites.

BUT - there are some sites (http://www.newegg.com/ and http://www.netflix.com in particular) that do NOT work correctly.

This is not my real firewall, which has some DNAT rules for my server and some ACCEPT rules so I can SSH into the firewall from outside, but a stripped-down simple version. I figured if I get this working I can apply it to the real firewall script.

Any idea what is wrong?

----------

## Hu

This sounds like an MSS problem.  Please read the section on TCPMSS in man iptables and try that target if you agree that it accurately describes your problem.

----------

## pdr

That did not change the symptoms. It, or something like it (had to add the xt_TCPMSS module to the kernel, and it was a new kernel I had not booted from yet), made things worse.  Am back now to having a wireless router hooked to the ADSL modem, and my firewall to the router (router set to "DMZ" mode - pass all packets to my firewall); that uses SNAT and works fine. Will have to tackle this another day.

----------
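Hu's answer and pdr's follow-up both turn on the TCPMSS target, so here is one complete script showing where it fits. This is an added example, not pdr's script and not Hu's: it is the "nowall" rule set from the question with the MSS clamp inserted in the mangle table, plus a dry-run mode that prints the iptables commands instead of executing them, so the rule set can be reviewed on any machine without root or a loaded xt_TCPMSS module. The interface names, the 1492-byte PPPoE MTU and the function names (`ipt`, `mss_for_mtu`, `load_rules`, `dry_run_rules`) are assumptions. The symptom pattern in the question matches what `man iptables` says TCPMSS is for: a LAN host behind the firewall advertises an MSS based on its own 1500-byte Ethernet MTU, the remote server answers with segments too large for the ADSL link, and if the path drops the ICMP "fragmentation needed" messages those segments are silently lost, so only sites whose replies are large enough to hit the limit stall, while wget on the firewall itself works because that kernel already sizes its segments to ppp0.

```sh
#!/bin/sh
# Added example (not pdr's or Hu's code): "nowall" rules plus an MSS clamp.
# Assumptions: eth0 is the LAN, ppp0 the ADSL link, PPPoE MTU 1492.
# DRY_RUN=1 prints the iptables command lines instead of running them.
LAN_IF="${LAN_IF:-eth0}"
INET_IF="${INET_IF:-ppp0}"
DRY_RUN="${DRY_RUN:-0}"

# Run iptables, or echo the exact command line when DRY_RUN=1.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Largest TCP payload that fits one packet on a link with the given MTU:
# MTU minus the IPv4 header (20 bytes) and TCP header (20 bytes).
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# Set every policy to ACCEPT, then flush rules and drop user-defined chains
# in the filter, nat and mangle tables (same effect as the original script).
reset_tables() {
    for chain in INPUT FORWARD OUTPUT; do ipt --policy "$chain" ACCEPT; done
    for chain in PREROUTING POSTROUTING OUTPUT; do ipt -t nat --policy "$chain" ACCEPT; done
    for chain in PREROUTING POSTROUTING INPUT OUTPUT FORWARD; do ipt -t mangle --policy "$chain" ACCEPT; done
    for table in filter nat mangle; do
        ipt -t "$table" -F
        ipt -t "$table" --delete-chain
    done
}

# Rewrite the MSS option on connection-opening packets (SYN set, RST clear)
# forwarded out of the ADSL link, so LAN hosts never advertise a segment
# size the link cannot carry. TCPMSS is a mangle-table target.
#   --clamp-mss-to-pmtu  derive the value from the outgoing interface MTU
#   --set-mss N          fixed value, e.g. "$(mss_for_mtu 1492)" = 1452
mss_clamp_rule() {
    ipt -t mangle -A FORWARD -o "$INET_IF" -p tcp --tcp-flags SYN,RST SYN \
        -j TCPMSS --clamp-mss-to-pmtu
}

load_rules() {
    reset_tables
    ipt -A FORWARD -i "$LAN_IF" -o "$INET_IF" -j ACCEPT
    ipt -A FORWARD -i "$INET_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i "$INET_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    mss_clamp_rule
    ipt -t nat -A POSTROUTING -o "$INET_IF" -j MASQUERADE
}

# Print the whole rule set without touching the kernel (runs in a subshell
# so DRY_RUN=1 does not leak into the caller).
dry_run_rules() (
    DRY_RUN=1
    load_rules
)

case "${1:-}" in
    apply)   load_rules ;;
    dry-run) dry_run_rules ;;
esac
```

`sh nowall.sh dry-run` prints the 22 commands for review; `sh nowall.sh apply` as root installs them, which needs the xt_TCPMSS module pdr mentions to be available to the running kernel. After applying, `iptables -t mangle -L FORWARD -v -n` shows the clamp rule with its packet counter, so a counter that stays at zero while a LAN host opens connections means the rule is not matching (wrong interface name or table) rather than that clamping does not help.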

