# UPDATED: Dansguardian issue Not (IPTABLES/Transparent Proxy)

## mackerel

Background: I have a 19.168.1.1 network with a gentoo server attached. That server has a second NIC with a 192.168.2.1 network. The second network I have internet filtered via dansguardian and I am using a transparent proxy to force all http traffic through the filter. The prime network is using a regular router.

My problem is on the second network, there is a high number of websites that I cannot reach (browser is blank with "done" at the bottom). Such as weather.com. Also, I cannot reach some websites after I submit some information, such as wunderground.com when I submit my zip code to view my weather. When I look into the dansguardian logs, I cannot find any evidence that the page is being blocked. The squid logs also appear to be fetching the page as any other page. I have tried to manually put in the proxy information, but I have the same results.

Here are the iptables rules I have:

```
# default policies
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# forwarding between the filtered LAN (192.168.2.0/24) and the WAN
iptables -I FORWARD -i ${LAN} -d 192.168.2.1/255.255.255.0 -j DROP
iptables -A FORWARD -i ${LAN} -s 192.168.2.1/255.255.255.0 -j ACCEPT
iptables -A FORWARD -i ${WAN} -d 192.168.2.1/255.255.255.0 -j ACCEPT

# NAT outbound traffic
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

# port forwards for the consoles
iptables -t nat -A PREROUTING -p tcp --dport 3074 -i ${WAN} -j DNAT --to 192.168.2.23
iptables -t nat -A PREROUTING -p udp --dport 3074 -i ${WAN} -j DNAT --to 192.168.2.23
iptables -t nat -A PREROUTING -p udp --dport 88 -i ${WAN} -j DNAT --to 192.168.2.23
iptables -t nat -A PREROUTING -p tcp --dport 10070:10080 -i ${WAN} -j DNAT --to 192.168.2.21
iptables -t nat -A PREROUTING -p udp --dport 10070:10080 -i ${WAN} -j DNAT --to 192.168.2.21

# transparent proxy: send LAN HTTP traffic to dansguardian on 8080
iptables -t nat -A PREROUTING -i ${LAN} -p tcp --dport 80 -j REDIRECT --to-port 8080
```

I just wanted to have nat and transparent proxy on this network. I have added some port forwarding for the kid's xbox and playstation.

I would appreciate any assistance and suggestions.

----------

## think4urs11

wild guess: MSS-to-PMTU clamping needed

----------

## mackerel

How would I do that? Is this just on NAT?

----------

## mackerel

Could this issue be related to hardware? i.e., my LAN NIC is 10/100 and the WAN NIC is 10/100/1000.

I have also tried the following command from the same routing document I used

```
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
```

and 

```
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
```

But neither of these has any effect on the web pages which have an issue

----------
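As an added illustration (not part of the thread, and not the netfilter code itself) of what the `TCPMSS --clamp-mss-to-pmtu` rule tried above actually does to a packet: the function below applies the same match as `--tcp-flags SYN,RST SYN` and rewrites the MSS option of a constructed SYN segment to `PMTU - 40` when it is larger. The 20-byte IPv4 header and skipped checksum recalculation are simplifying assumptions.

```python
import struct

IP_HDR_LEN = 20       # assumption: IPv4 header without options
TCP_HDR_MIN = 20      # fixed part of the TCP header
SYN, RST = 0x02, 0x04  # TCP flag bits


def parse_mss(tcp_seg: bytes):
    """Walk the TCP options; return (mss_value, byte_offset_of_value) or (None, None)."""
    data_off = (tcp_seg[12] >> 4) * 4  # header length incl. options
    i = TCP_HDR_MIN
    while i < data_off:
        kind = tcp_seg[i]
        if kind == 0:          # End of option list
            break
        if kind == 1:          # NOP padding
            i += 1
            continue
        length = tcp_seg[i + 1]
        if kind == 2 and length == 4:   # MSS option
            return struct.unpack("!H", tcp_seg[i + 2:i + 4])[0], i + 2
        i += length
    return None, None


def clamp_mss_to_pmtu(tcp_seg: bytes, pmtu: int) -> bytes:
    """Mimic TCPMSS --clamp-mss-to-pmtu: only SYN-without-RST segments are touched."""
    flags = tcp_seg[13]
    if not (flags & SYN) or (flags & RST):
        return tcp_seg
    limit = pmtu - IP_HDR_LEN - TCP_HDR_MIN   # e.g. PPPoE 1492 -> 1452
    mss, off = parse_mss(tcp_seg)
    if mss is None or mss <= limit:
        return tcp_seg
    out = bytearray(tcp_seg)
    out[off:off + 2] = struct.pack("!H", limit)
    # a real implementation recomputes the TCP checksum here (skipped in this demo)
    return bytes(out)


def build_syn(mss: int, flags: int = SYN) -> bytes:
    """Constructed sample: 24-byte TCP header (20 fixed + 4-byte MSS option), checksum 0."""
    data_off_byte = (24 // 4) << 4
    hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, data_off_byte, flags, 65535, 0, 0)
    return hdr + struct.pack("!BBH", 2, 4, mss)
```

Run `parse_mss(clamp_mss_to_pmtu(build_syn(1460), 1492))` to see the 1460 advertised by an Ethernet host come out as 1452, which is why clients behind a smaller-MTU uplink stop stalling on large responses once the rule is in place.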

## mackerel

I have reverted to a non-transparent proxy and the issue persists. Then I changed the proxy settings to go to squid (3128) rather than DG. The problem clears up if I remove dansguardian from the process. Still, in the logs, I cannot find any reference to these pages being blocked or any parts of these pages.

Is this a bug in DG stable (2.8.0.6-r1)?

To try to write firewall exceptions for each site seems drastic.

----------

