Re: [gentoo-server] Interesting Iptables issue.

[Lindsay Haisley <fmouse-gentoo@fmp.com>]

Try adding the following to your iptables rules:

iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

This sounds very much like the problem I had setting up a Gentoo
firewall here.  The man page for iptables says:

   TCPMSS
       This target allows to alter the MSS value of TCP SYN packets,  to  con-
       trol  the maximum size for that connection (usually limiting it to your
       outgoing interface's MTU minus 40).  Of course, it can only be used  in
       conjunction with -p tcp.  It is only valid in the mangle table.
       This  target  is  used to overcome criminally braindead ISPs or servers
       which block ICMP Fragmentation Needed packets.  The  symptoms  of  this
       problem are that everything works fine from your Linux firewall/router,
       but machines behind it can never exchange large packets:
        1) Web browsers connect, then hang with no data received.
        2) Small mail works fine, but large emails hang.
        3) ssh works fine, but scp hangs after initial handshaking.
       Workaround: activate this option and add a rule to your  firewall  con-
       figuration like:
        iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
                    -j TCPMSS --clamp-mss-to-pmtu

This fix worked for me.  Issues of MTU and MTU discovery are complex.
I'm still trying to understand fully what the issues are here.

On Tue, 2008-01-08 at 23:50 -0500, Nestor Camacho III wrote:
> I am wondering if anyone has come into this really unique problem...
> 
> Short story...
> 
> I had a gateway box on different hardware, that finally kicked the
> bucket. I purchased new hardware rebuilt gentoo on it and I was  able to
> get on the internet as I used to with the old box....however... with one
> issue that has gotten the best of me... I have spent hours recompiling
> kernel options and iptables. Google'ing and reading as much as I can on
> the issue. I have sniffed the traffic both on the gateway server and on
> the laptop(s) that I have experienced the issue on.
> 
> Now, what the problem is...I vpn (over ssl, to a Juniper device) to my
> job. What I am seeing is when I finally connect I can ping hosts
> internal to my work network, but when I try to initiate a connection
> (ssh, http, rdp, etc) I get no where. It just hangs on trying to
> establish the connections.
> 
> Upon sniffing the traffic I see that I start to generate duplicate
> acks/packets and the connection fails.
> 
> I have tried already enableing and disabling things with ethtool to no
> avail.
> 
> Now the kicker! I boot up on the same computer using Ubuntu live cd and
> import the same firewall rules and everything works as it should!
> 
> It is an elusive issue and I know that I am not doing it justice in the
> email but any nod in the right direction would be greatly appreciated.
> 
> Nes++

-- 
gentoo-server@lists.gentoo.org mailing list