On Fri, 27 Dec 2013 10:15:04 +0100 Nemeth Gyorgy <fri...@freemail.hu> wrote:
> On 2013-12-26 06:27, mett wrote:
> > Hi,
> >
> > I'm using a debian box as a router and multiserver between my LAN
> > and the internet.
> > (cut)
> > It seems (according to tcpdump on both interfaces) that replies from
> > some sites get lost or get an ICMP destination unreachable from the
> > gateway somehow.
>
> To me it seems like a PMTU problem. Insert the following line in the
> proper place:
>
> iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

Hi and HNY everybody!

Just a final update on this thread. I ended up with the script below
working perfectly, except if I use both of the following rules at the
beginning of the script.

---------------------------
iptables -t nat -F
iptables -t mangle -F
---------------------------

I don't fully understand why but I'll investigate that later.

script:

------------------------------------------------------
#!/bin/sh
PATH=/usr/sbin:/sbin:/bin:/usr/bin

#
# delete all existing rules.
#
iptables -F
iptables -X

## nat/POSTROUTING
# Masquerade <=> Changed to SNAT (seemed wiser in my situation after
# reading doc...).
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j SNAT --to-source EXT.FIX.IP.ADD

## filter/FORWARD
# Allow New outgoing connections from the LAN side.
iptables -t filter -A FORWARD -i eth0 -o ppp0 -m state --state NEW -j ACCEPT
# Allow Established outgoing connections from the LAN side.
iptables -t filter -A FORWARD -i eth0 -o ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow forwarding of established connection from WAN side.
iptables -t filter -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Don't forward from the outside to the inside (icmp Port_U).
iptables -t filter -A FORWARD -i ppp0 -o eth0 -j REJECT

## filter/INPUT
# Always accept loopback traffic
iptables -t filter -A INPUT -i lo -j ACCEPT

# log udp port 5060
iptables -t filter -A INPUT -i ppp0 -p udp --dport 5060 -j LOG --log-level debug
# asterisk
iptables -t filter -A INPUT -i ppp0 -p udp --dport 5060 -j ACCEPT
# tor
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 9001 -j ACCEPT
# postfix
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 25 -j ACCEPT
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 587 -j ACCEPT
# dovecot
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 110 -j ACCEPT
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 995 -j ACCEPT
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 143 -j ACCEPT
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 993 -j ACCEPT
# apache
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 443 -j ACCEPT
# maradns
iptables -t filter -A INPUT -i ppp0 -p udp --dport 53 -j ACCEPT
# vsftp
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 21 -j ACCEPT
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 50000:50010 -j ACCEPT

# Allow established connections
iptables -t filter -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Proto_U everything else on outside interface (-input ppp0)
iptables -t filter -A INPUT -i ppp0 -j REJECT --reject-with icmp-proto-unreachable

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward
------------------------------------------------------

Thanks a lot for all the comments.

Archive: http://lists.debian.org/20140108161658.121d9606@asus.tamerr
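As an added example (not the poster's script nor anything from the thread), the same router policy written as an iptables-restore ruleset: the whole nat and filter table set is swapped in one atomic commit, so the flush-then-append sequence the poster struggled with is not needed, re-running it never duplicates rules, and the MSS clamp suggested by Nemeth Gyorgy sits at the top of FORWARD. It uses the conntrack match in place of the older state match, DROP default policies instead of an open INPUT chain, and assumes the interface names, LAN prefix and placeholder external address from the post.

```sh
#!/bin/sh
# Added example, not the original poster's script: the same router policy as an
# iptables-restore ruleset, loaded in one atomic commit so no pre-flush of the
# filter/nat/mangle tables is needed and re-runs never duplicate rules.
# Interface names, LAN prefix and external address are assumptions from the post.
LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-ppp0}
LAN_NET=${LAN_NET:-192.168.1.0/24}
EXT_IP=${EXT_IP:-EXT.FIX.IP.ADD}   # placeholder, exactly as in the post
# Print the ruleset. INPUT/FORWARD default to DROP so anything not listed is
# dropped instead of depending on a trailing catch-all rule.
gen_rules() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $EXT_IP
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# PMTU fix from the thread: clamp the MSS of forwarded SYNs to the path MTU
-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $LAN_IF -o $WAN_IF -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i $LAN_IF -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $WAN_IF -p udp --dport 5060 -j LOG --log-level debug
-A INPUT -i $WAN_IF -p udp --dport 5060 -j ACCEPT
-A INPUT -i $WAN_IF -p udp --dport 53 -j ACCEPT
-A INPUT -i $WAN_IF -p tcp -m multiport --dports 21,25,80,110,143,443,587,993,995,9001 -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --dport 50000:50010 -j ACCEPT
-A INPUT -i $WAN_IF -j REJECT --reject-with icmp-proto-unreachable
COMMIT
EOF
}
# Number of rules bound to the WAN interface; a cheap sanity check on the output.
count_wan_rules() { gen_rules | grep -c -- "-i $WAN_IF"; }

if [ "$1" = "--apply" ]; then
  gen_rules | iptables-restore && sysctl -w net.ipv4.ip_forward=1
else
  gen_rules   # dry run: print the ruleset for review
fi
```

Run without arguments to review the generated ruleset; `--apply` loads it and enables forwarding.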