From: Nestor Camacho III
Date: Wed, 09 Jan 2008 09:49:06 -0500
To: gentoo-server@lists.gentoo.org
Subject: Re: [gentoo-server] Interesting Iptables issue.
Message-ID: <4784DEE2.9010808@nnc3.com>
References: <478452A9.1070601@nnc3.com> <1199859411.8186.5.camel@vishnu.fmp.com>
In-Reply-To: <1199859411.8186.5.camel@vishnu.fmp.com>

Lindsay, thanks for the tip, unfortunately it did not work :( :)

Nes++

Lindsay Haisley wrote:
> Try adding the following to your iptables rules:
>
> iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>
> This sounds very much like the problem I had setting up a Gentoo
> firewall here. The man page for iptables says:
>
> TCPMSS
> This target allows to alter the MSS value of TCP SYN packets, to
> control the maximum size for that connection (usually limiting it to your
> outgoing interface's MTU minus 40). Of course, it can only be used in
> conjunction with -p tcp. It is only valid in the mangle table.
> This target is used to overcome criminally braindead ISPs or servers
> which block ICMP Fragmentation Needed packets. The symptoms of this
> problem are that everything works fine from your Linux firewall/router,
> but machines behind it can never exchange large packets:
> 1) Web browsers connect, then hang with no data received.
> 2) Small mail works fine, but large emails hang.
> 3) ssh works fine, but scp hangs after initial handshaking.
> Workaround: activate this option and add a rule to your firewall
> configuration like:
> iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
> -j TCPMSS --clamp-mss-to-pmtu
>
> This fix worked for me. Issues of MTU and MTU discovery are complex.
> I'm still trying to understand fully what the issues are here.
>
> On Tue, 2008-01-08 at 23:50 -0500, Nestor Camacho III wrote:
>
>> I am wondering if anyone has come into this really unique problem...
>>
>> Short story...
>>
>> I had a gateway box on different hardware, that finally kicked the
>> bucket. I purchased new hardware, rebuilt Gentoo on it, and I was able to
>> get on the internet as I used to with the old box....however... with one
>> issue that has gotten the best of me... I have spent hours recompiling
>> kernel options and iptables, Googling and reading as much as I can on
>> the issue. I have sniffed the traffic both on the gateway server and on
>> the laptop(s) that I have experienced the issue on.
>>
>> Now, what the problem is...I vpn (over ssl, to a Juniper device) to my
>> job. What I am seeing is when I finally connect I can ping hosts
>> internal to my work network, but when I try to initiate a connection
>> (ssh, http, rdp, etc) I get nowhere. It just hangs on trying to
>> establish the connections.
>>
>> Upon sniffing the traffic I see that I start to generate duplicate
>> acks/packets and the connection fails.
>>
>> I have tried already enabling and disabling things with ethtool to no
>> avail.
>>
>> Now the kicker! I boot up on the same computer using Ubuntu live cd and
>> import the same firewall rules and everything works as it should!
>>
>> It is an elusive issue and I know that I am not doing it justice in the
>> email but any nod in the right direction would be greatly appreciated.
>>
>> Nes++
>>
>
>
-- 
gentoo-server@lists.gentoo.org mailing list
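The man page excerpt quoted above describes the TCPMSS target in words; the following is an added example (written for this archive page, not code from the thread, from iptables or from netfilter) that performs the same rewrite by hand on a constructed IPv4/TCP SYN so the mechanism is visible at the packet level. It assumes the "MTU minus 40" rule from the man page (20-byte IPv4 header plus 20-byte TCP header), matches only SYN packets with RST clear as the quoted rule does, and, as a simplification, only rewrites an MSS option that is already present rather than inserting one. The addresses and port numbers are made up (TEST-NET ranges).

```python
"""Model of `-p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu`.

Added example, not netfilter code. It rewrites the MSS option of a TCP SYN
so neither end sends segments larger than the path can carry, which is the
workaround for paths that drop ICMP "Fragmentation Needed".
"""
import struct

IPV4_HDR_LEN = 20
TCP_HDR_LEN = 20
IP_TCP_OVERHEAD = IPV4_HDR_LEN + TCP_HDR_LEN  # the "MTU minus 40" from the man page
TCP_OPT_EOL, TCP_OPT_NOP, TCP_OPT_MSS = 0, 1, 2
TH_SYN, TH_RST = 0x02, 0x04


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet checksum (odd-length input is zero padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip: bytes, dst_ip: bytes, tcp: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header and the segment (checksum field zeroed)."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(tcp))
    return ones_complement_sum(pseudo + tcp[:16] + b"\x00\x00" + tcp[18:])


def _split(packet: bytes):
    """Return (ip header length, protocol, src, dst, tcp segment)."""
    ihl = (packet[0] & 0x0F) * 4
    return ihl, packet[9], packet[12:16], packet[16:20], packet[ihl:]


def verify_tcp_checksum(packet: bytes) -> bool:
    ihl, proto, src, dst, tcp = _split(packet)
    return proto == 6 and struct.unpack("!H", tcp[16:18])[0] == tcp_checksum(src, dst, tcp)


def _mss_option_offset(tcp: bytes):
    """Offset of a 4-byte MSS option inside the TCP header, or None if absent."""
    end = (tcp[12] >> 4) * 4
    i = TCP_HDR_LEN
    while i < end:
        kind = tcp[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= end or tcp[i + 1] < 2:
            break  # truncated or malformed option: stop rather than loop forever
        if kind == TCP_OPT_MSS and tcp[i + 1] == 4:
            return i
        i += tcp[i + 1]
    return None


def read_mss(packet: bytes):
    """MSS value advertised in the packet's TCP options, or None."""
    _, proto, _, _, tcp = _split(packet)
    if proto != 6:
        return None
    off = _mss_option_offset(tcp)
    return None if off is None else struct.unpack("!H", tcp[off + 2:off + 4])[0]


def clamp_mss_to_pmtu(packet: bytes, pmtu: int) -> bytes:
    """Return the packet with its MSS clamped to pmtu - 40 (SYN only, RST clear)."""
    ihl, proto, src, dst, tcp = _split(packet)
    if proto != 6:
        return packet
    flags = tcp[13]
    if not (flags & TH_SYN) or (flags & TH_RST):
        return packet  # same match as --tcp-flags SYN,RST SYN
    off = _mss_option_offset(tcp)
    if off is None:
        return packet  # simplification: the real target also inserts a missing MSS option
    limit = pmtu - IP_TCP_OVERHEAD
    if struct.unpack("!H", tcp[off + 2:off + 4])[0] <= limit:
        return packet
    tcp = tcp[:off + 2] + struct.pack("!H", limit) + tcp[off + 4:]
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp)) + tcp[18:]  # fix checksum
    return packet[:ihl] + tcp


def build_syn(src_ip: bytes, dst_ip: bytes, sport: int, dport: int, mss: int) -> bytes:
    """Constructed IPv4 + TCP SYN carrying a single MSS option (sample input)."""
    options = struct.pack("!BBH", TCP_OPT_MSS, 4, mss)
    doff = (TCP_HDR_LEN + len(options)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, doff << 4, TH_SYN, 65535, 0, 0) + options
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR_LEN + len(tcp), 1, 0x4000, 64, 6, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return ip + tcp


if __name__ == "__main__":
    # A LAN host behind the gateway advertises the usual Ethernet MSS of 1460;
    # the path (say, an SSL VPN tunnel) only carries a 1400-byte MTU.
    syn = build_syn(bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]), 40000, 443, 1460)
    clamped = clamp_mss_to_pmtu(syn, 1400)
    print("MSS before:", read_mss(syn), "after:", read_mss(clamped), "checksum ok:", verify_tcp_checksum(clamped))
```

Running it with the sample above prints MSS 1460 before and 1360 after, with a valid TCP checksum on the rewritten segment. The point the thread makes is visible in the code: the rewrite touches only the SYN, so it only helps connections whose handshake traverses the FORWARD chain, which is why rules must be reloaded or traffic restarted after adding it.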