On 2013-12-26 06:27, mett wrote:
> Hi,
>
> I'm using a debian box as a router and multiserver between my LAN and
> the internet.
>
> Everything was working fine till yesterday when I put the box down for
> upgrading memory, for a few hours.
>
> Right now, the external interface of the gateway is fully accessible
> from the net, and I do not have any problem with the different services
> I am providing to the outside (mail, webserver, and dns for the web
> servers).
>
> The problem is on the LAN side, I can access some sites but not all the
> sites as I used to do.
>
> For example, I can access the "Start page" search engine but not
> "Duckduckgo".
>
> The gateway can access everything, it's the hosts behind the gateway
> that cannot.
>
> I have 2 interfaces on this box:
> eth0 which is used as the LAN interface and
> eth1 which is used as ppp0 with a static IP from my ISP.
>
> -------------------------------------------------------------------
> /etc/sysctl.conf has the forwarding rule for ipv4
> net.ipv4.ip_forward=1
> net.ipv4.conf.default.forwarding=1 (maybe useless but I'm kind of
> trying everything)
> net.ipv4.conf.all.forwarding=1 (maybe useless but I'm kind of
> trying everything)
> -------------------------------------------------------------------
> cat /proc/sys/net/ipv4/ip_forward
> 1
> -------------------------------------------------------------------
> Iptables rules are as follows
> # delete all existing rules.
> #
> iptables -F
> iptables -t nat -F
> iptables -t mangle -F
> iptables -X
>
> # Always accept loopback traffic
> iptables -A INPUT -i lo -j ACCEPT
>
> #log udp port 5060
> iptables -A INPUT -i ppp0 -p udp --dport 5060 -j LOG --log-level debug
>
> #asterisk
> iptables -A INPUT -i ppp0 -p udp --dport 5060 -j ACCEPT
>
> #tor
> iptables -A INPUT -i ppp0 -p tcp --dport 9001 -j ACCEPT
>
> #postfix
> iptables -A INPUT -i ppp0 -p tcp --dport 25 -j ACCEPT
> iptables -A INPUT -i ppp0 -p tcp --dport 587 -j ACCEPT
>
> #dovecot
> iptables -A INPUT -i ppp0 -p tcp --dport 110 -j ACCEPT
> iptables -A INPUT -i ppp0 -p tcp --dport 995 -j ACCEPT
> iptables -A INPUT -i ppp0 -p tcp --dport 143 -j ACCEPT
> iptables -A INPUT -i ppp0 -p tcp --dport 993 -j ACCEPT
>
> #apache
> iptables -A INPUT -i ppp0 -p tcp --dport 80 -j ACCEPT
> iptables -A INPUT -i ppp0 -p tcp --dport 443 -j ACCEPT
>
> #maradns
> iptables -A INPUT -i ppp0 -p udp --dport 53 -j ACCEPT
>
> # Allow established connections, and those not coming from the outside
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT
> iptables -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # Allow outgoing connections from the LAN side.
> iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT
>
> # Masquerade.
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>
> # Don't forward from the outside to the inside.
> iptables -A FORWARD -i ppp0 -o ppp0 -j REJECT
>
> # Enable routing.
> echo 1 > /proc/sys/net/ipv4/ip_forward
> ------------------------------------------------------------------------
>
> I am totally at a loss and was wondering if somebody has an idea about
> where the problem might be coming from.
>
> It seems (according to tcpdump on both interfaces) that replies from some
> sites get lost or get an ICMP destination unreachable from the
> gateway somehow.
To me it looks like a PMTU problem. Insert the following line in the proper place:

iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

--
--- Friczy ---
'Death is not a bug, it's a feature'

Archive: http://lists.debian.org/52bd4518.6010...@freemail.hu
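An added illustration, not part of Friczy's reply or of mett's post: a small Python model of why the symptom above (some sites hang behind the gateway while others work) points at path MTU discovery, and what the TCPMSS clamp changes. The MTU values, the class and function names, and the "ICMP filtered on the path" switch are constructed assumptions for the model, not facts from the thread.

```python
"""Model of the PMTU black hole that TCPMSS --clamp-mss-to-pmtu works around.

Constructed assumptions (not from the thread): LAN MTU 1500, PPPoE uplink MTU
1492, remote servers sending full-size segments with DF set. Whether the ICMP
"fragmentation needed" from the narrow hop reaches a given server is what
decides if that site "works"; the MSS clamp removes the dependency.
"""
from dataclasses import dataclass

IP_TCP_HEADERS = 40   # IPv4 header (20) + TCP header (20), no options
LAN_MTU = 1500
PPP_MTU = 1492        # PPPoE: Ethernet 1500 minus 8 bytes of PPPoE/PPP framing


@dataclass
class Path:
    """LAN host -> gateway (eth0/ppp0) -> PPPoE link -> remote server."""
    uplink_mtu: int
    clamp_mss: bool = False            # True = the TCPMSS FORWARD rule is in place
    icmp_reaches_server: bool = True   # False = ICMP filtered somewhere on the path

    def forward_syn(self, mss_option: int) -> int:
        """LAN host's SYN leaves via ppp0; return the MSS option the server sees."""
        if self.clamp_mss:
            # --clamp-mss-to-pmtu rewrites the option to (route PMTU - 40)
            return min(mss_option, self.uplink_mtu - IP_TCP_HEADERS)
        return mss_option

    def send_reply(self, segment_len: int) -> str:
        """Server's DF segment heads back down the 1492-byte link."""
        if segment_len <= self.uplink_mtu:
            return "delivered"
        # Too big and DF set: the hop drops it and sends ICMP type 3 code 4.
        return "icmp-frag-needed" if self.icmp_reaches_server else "black-hole"


def download_succeeds(path: Path, lan_mss: int = LAN_MTU - IP_TCP_HEADERS) -> bool:
    """One transfer from a remote server to a LAN host over path."""
    segment = path.forward_syn(lan_mss) + IP_TCP_HEADERS   # server fills its MSS
    for _ in range(3):                                     # a few retransmissions
        outcome = path.send_reply(segment)
        if outcome == "delivered":
            return True
        if outcome == "icmp-frag-needed":
            segment = path.uplink_mtu     # RFC 1191: server shrinks its segments
        # black-hole: the server sees only silence and resends the same size
    return False
```

Without the clamp a site only works when its "fragmentation needed" ICMP gets back to it, which is why the failure is per-site rather than total; with the clamp the server never emits a segment larger than the PPP link carries, so the ICMP is never needed. In the ruleset quoted above, `clamp_mss=True` corresponds to adding the rule ahead of the `iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT` line, since a packet accepted by an earlier rule never reaches a later TCPMSS rule.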