From: Nestor Camacho III
Date: Fri, 18 Jan 2008 21:18:39 -0500
To: gentoo-server@lists.gentoo.org
Subject: Re: [gentoo-server] Interesting Iptables issue.
Message-ID: <47915DFF.3080708@nnc3.com>
In-Reply-To: <1199859411.8186.5.camel@vishnu.fmp.com>
References: <478452A9.1070601@nnc3.com> <1199859411.8186.5.camel@vishnu.fmp.com>

Lindsay, although your original fix did not work for me, you did put me on the right track. After reading your email that you had an MTU issue, I went back and took a look at what my MTU settings were for all of my NICs.

I had 1500 on all but one: the internet-facing one (546 was the setting). I hard set it to 1500 and guess what? It works now, every time; no longer is it sporadic. I went back to Ubuntu to see what the NIC came up as, and it maintained an MTU of 1500. I dug around and saw that the settings it is getting from the DHCP server bump the MTU down, but it seems that Ubuntu ignores this setting from my ISP, whereas Gentoo accepts it. I am sure that it is just a matter of hard coding it in /etc/conf.d/net going forward.

But thanks again; I never even thought to look at the MTU out of all the many things I looked at ;). I want to say thanks to you and everyone else that gave their input.

Nes++

Lindsay Haisley wrote:
> Try adding the following to your iptables rules:
>
> iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>
> This sounds very much like the problem I had setting up a Gentoo
> firewall here. The man page for iptables says:
>
> TCPMSS
> This target allows to alter the MSS value of TCP SYN packets, to
> control the maximum size for that connection (usually limiting it to your
> outgoing interface's MTU minus 40). Of course, it can only be used in
> conjunction with -p tcp. It is only valid in the mangle table.
> This target is used to overcome criminally braindead ISPs or servers
> which block ICMP Fragmentation Needed packets. The symptoms of this
> problem are that everything works fine from your Linux firewall/router,
> but machines behind it can never exchange large packets:
> 1) Web browsers connect, then hang with no data received.
> 2) Small mail works fine, but large emails hang.
> 3) ssh works fine, but scp hangs after initial handshaking.
> Workaround: activate this option and add a rule to your firewall
> configuration like:
> iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
> -j TCPMSS --clamp-mss-to-pmtu
>
> This fix worked for me. Issues of MTU and MTU discovery are complex.
> I'm still trying to understand fully what the issues are here.
>
> On Tue, 2008-01-08 at 23:50 -0500, Nestor Camacho III wrote:
>
>> I am wondering if anyone has come into this really unique problem...
>>
>> Short story...
>>
>> I had a gateway box on different hardware that finally kicked the
>> bucket. I purchased new hardware, rebuilt Gentoo on it, and I was able to
>> get on the internet as I used to with the old box... however, with one
>> issue that has gotten the best of me. I have spent hours recompiling
>> kernel options and iptables, Googling and reading as much as I can on
>> the issue. I have sniffed the traffic both on the gateway server and on
>> the laptop(s) that I have experienced the issue on.
>>
>> Now, what the problem is... I VPN (over SSL, to a Juniper device) to my
>> job. What I am seeing is, when I finally connect, I can ping hosts
>> internal to my work network, but when I try to initiate a connection
>> (ssh, http, rdp, etc.) I get nowhere. It just hangs on trying to
>> establish the connections.
>>
>> Upon sniffing the traffic I see that I start to generate duplicate
>> acks/packets and the connection fails.
>>
>> I have tried already enabling and disabling things with ethtool to no
>> avail.
>>
>> Now the kicker! I boot up on the same computer using an Ubuntu live CD and
>> import the same firewall rules and everything works as it should!
>>
>> It is an elusive issue and I know that I am not doing it justice in the
>> email, but any nod in the right direction would be greatly appreciated.
>>
>> Nes++
>>
>

--
gentoo-server@lists.gentoo.org mailing list
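As an added example (not code from this thread, and not iptables or netfilter code), the following Python models what the quoted TCPMSS --clamp-mss-to-pmtu rule does to a forwarded packet: it matches only SYN segments that do not carry RST (the `--tcp-flags SYN,RST SYN` match), reads the MSS option, and if the advertised MSS exceeds path MTU minus 40 it rewrites the option and recomputes the TCP checksum. The "minus 40" follows the man page text quoted above and assumes minimal 20-byte IPv4 and TCP headers; the SYN packet and addresses are constructed, not captured. With the 546-byte MTU from the thread, a client MSS of 1460 is clamped to 506.

```python
"""Clamp the TCP MSS option in an IPv4 SYN to fit a path MTU.

Added example modelled on the behaviour of `-j TCPMSS --clamp-mss-to-pmtu`;
it is not the kernel's implementation. All packets here are constructed.
"""
import struct

IP_HDR_LEN = 20      # minimal IPv4 header, no options (assumption)
TCP_HDR_LEN = 20     # minimal TCP header before options (assumption)
TCP_SYN = 0x02
TCP_RST = 0x04
OPT_END, OPT_NOP, OPT_MSS = 0, 1, 2


def _ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over data (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum including the IPv4 pseudo-header (proto 6)."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    return _ones_complement_sum(pseudo + segment)


def build_syn(src: str, dst: str, sport: int, dport: int, mss: int) -> bytes:
    """Constructed IPv4/TCP SYN carrying an MSS option (sample input only)."""
    src_b = bytes(map(int, src.split(".")))
    dst_b = bytes(map(int, dst.split(".")))
    opts = struct.pack("!BBH", OPT_MSS, 4, mss)          # kind=2, len=4, mss
    data_off = (TCP_HDR_LEN + len(opts)) // 4            # header length in words
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0,
                      data_off << 4, TCP_SYN, 65535, 0, 0) + opts
    tcp = tcp[:16] + struct.pack("!H", _tcp_checksum(src_b, dst_b, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + len(tcp),
                     1, 0x4000, 64, 6, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", _ones_complement_sum(ip)) + ip[12:]
    return ip + tcp


def read_mss(packet: bytes):
    """Return (mss, absolute offset of the MSS value) or None if no MSS option."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    doff = (tcp[12] >> 4) * 4
    i = TCP_HDR_LEN
    while i < doff:
        kind = tcp[i]
        if kind == OPT_END:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        length = tcp[i + 1]
        if length < 2:           # malformed option; stop rather than loop forever
            break
        if kind == OPT_MSS and length == 4:
            return struct.unpack("!H", tcp[i + 2:i + 4])[0], ihl + i + 2
        i += length
    return None


def clamp_mss_to_pmtu(packet: bytes, pmtu: int) -> bytes:
    """Rewrite MSS so that MSS <= pmtu - 40, as the TCPMSS target does.

    Only TCP segments with SYN set and RST clear are touched (the rule's
    `--tcp-flags SYN,RST SYN`); anything else is returned unchanged.
    """
    if pmtu < 68:                # IPv4 minimum MTU; smaller values make no sense
        raise ValueError("pmtu too small")
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6:           # not TCP
        return packet
    flags = packet[ihl + 13]
    if not (flags & TCP_SYN) or (flags & TCP_RST):
        return packet
    found = read_mss(packet)
    if found is None:
        return packet
    mss, off = found
    limit = pmtu - IP_HDR_LEN - TCP_HDR_LEN      # the "MTU minus 40" of the man page
    if mss <= limit:
        return packet
    pkt = bytearray(packet)
    pkt[off:off + 2] = struct.pack("!H", limit)
    pkt[ihl + 16:ihl + 18] = b"\x00\x00"         # zero checksum before recomputing
    csum = _tcp_checksum(bytes(pkt[12:16]), bytes(pkt[16:20]), bytes(pkt[ihl:]))
    pkt[ihl + 16:ihl + 18] = struct.pack("!H", csum)
    return bytes(pkt)


def verify_tcp_checksum(packet: bytes) -> bool:
    """A correctly checksummed segment sums to zero with the pseudo-header."""
    ihl = (packet[0] & 0x0F) * 4
    return _tcp_checksum(packet[12:16], packet[16:20], packet[ihl:]) == 0


if __name__ == "__main__":
    syn = build_syn("192.168.32.50", "10.0.0.1", 40000, 22, 1460)
    clamped = clamp_mss_to_pmtu(syn, 546)       # the 546-byte MTU from the thread
    print("before:", read_mss(syn)[0], "after:", read_mss(clamped)[0])
```

The point the clamp makes visible is the one the thread stumbled on: with the uplink at MTU 546, the far end would otherwise happily send 1460-byte segments that the gateway must fragment or, with DF set and ICMP Fragmentation Needed filtered, silently drop, which is exactly the "small traffic fine, big traffic hangs" symptom in the man page text. Setting the interface MTU correctly (as in the reply above) fixes the gateway's own view; the mangle rule protects hosts behind it when the path MTU is smaller than they assume.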