Thread: Not all websites work with iptables, ubuntu 10.04

  1. #1
    Join Date
    Mar 2011
    Beans
    6

    [SOLVED] Not all websites work with iptables, ubuntu 10.04

    Hello,

    I have Ubuntu 10.04 running from an 8 GB USB stick on my desktop, which has 2 network cards: one built in and another one on PCI.
    I followed the tutorial from here: https://help.ubuntu.com/community/In...nectionSharing and I got my desktop to work as a router for my home network.

    A few details about what I've done:

    To connect to the Internet I use PPPoE, and I configured that from the Network Connection manager.
    Then I set up some iptables rules to route the Internet from eth0 (the Internet connection through ppp0) to eth1 (192.168.0.1).
    On eth1 I have connected a wireless router. The settings on the router are as follows:

    Internet connection: IP 192.168.0.99, Subnet mask: 255.255.255.0, Def GW: 192.168.0.1. DNS: the ones I usually get from my ISP when I connect directly with my computer through PPPoE: 82....
    Network connection: IP: 192.168.0.99. DHCP disabled.

    For those who might ask why I am not using my router to connect through PPPoE, well:
    1. I made a firmware update and it stopped connecting through PPPoE. It gives me an error; customer support did not have a solution for it, not even an older firmware so I could downgrade.
    2. I want to learn a little more Linux, and this is a chance for me to do that.

    What I have done from that tutorial:
    Code:
    ubuntu@ubuntu:~$ sudo ifconfig
    eth0      Link encap:Ethernet  HWaddr 00:0e:2e:8c:9a:58  
              inet6 addr: fe80::20e:2eff:fe8c:9a58/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:1677 errors:0 dropped:0 overruns:0 frame:0
              TX packets:1299 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:2190511 (2.1 MB)  TX bytes:161183 (161.1 KB)
              Interrupt:20 Base address:0xe800 
    
    eth1      Link encap:Ethernet  HWaddr 00:26:18:78:20:d2  
              inet6 addr: fe80::226:18ff:fe78:20d2/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:11 errors:0 dropped:0 overruns:0 carrier:2
              collisions:0 txqueuelen:1000 
              RX bytes:0 (0.0 B)  TX bytes:2178 (2.1 KB)
              Interrupt:27 
    
    lo        Link encap:Local Loopback  
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:92 errors:0 dropped:0 overruns:0 frame:0
              TX packets:92 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:7200 (7.2 KB)  TX bytes:7200 (7.2 KB)
    
    ppp0      Link encap:Point-to-Point Protocol  
              inet addr:000.000.000.000  P-t-P:10.0.0.1  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
              RX packets:1649 errors:0 dropped:0 overruns:0 frame:0
              TX packets:1278 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:3 
              RX bytes:2150157 (2.1 MB)  TX bytes:130229 (130.2 KB)
    
    ubuntu@ubuntu:~$ sudo ifconfig eth1 192.168.0.1
    ubuntu@ubuntu:~$ sudo iptables -A FORWARD -o eth0 -i eth1 -s 192.168.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
    ubuntu@ubuntu:~$ sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ubuntu@ubuntu:~$ sudo iptables -A POSTROUTING -t nat -j MASQUERADE
    ubuntu@ubuntu:~$ sudo iptables-save | sudo tee /etc/iptables.sav
    # Generated by iptables-save v1.4.4 on Thu Mar  3 11:29:03 2011
    *nat
    :PREROUTING ACCEPT [1:168]
    :POSTROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [1:52]
    -A POSTROUTING -j MASQUERADE 
    COMMIT
    # Completed on Thu Mar  3 11:29:03 2011
    # Generated by iptables-save v1.4.4 on Thu Mar  3 11:29:03 2011
    *filter
    :INPUT ACCEPT [9:846]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [12:1144]
    -A FORWARD -s 192.168.0.0/24 -i eth1 -o eth0 -m conntrack --ctstate NEW -j ACCEPT 
    -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
    COMMIT
    # Completed on Thu Mar  3 11:29:03 2011
    ubuntu@ubuntu:~$ sudo nano /etc/rc.local
    ubuntu@ubuntu:~$ sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
    ubuntu@ubuntu:~$ sudo nano /etc/sysctl.conf
    ubuntu@ubuntu:~$
    The iptables file is the one in the code a few lines up.

    On my Windows box I have manually set all the connection details on the wireless because that's how I connect to the router:
    IP: 192.168.0.4
    Subnet mask: 255.255.255.0
    Def GW:192.168.0.1
    DNS: 82.....
    82.....

    On the Windows computer the Internet works, but only on some websites like Google or Yahoo, just a few. For the others it keeps waiting for the website, like Facebook (which is not down!).

    From cmd on the Windows machine:
    If I ping facebook it tells me the IP and comes back OK with about 70 ms response time.
    If I tracert facebook it goes through all the steps and gets there OK, and shows all the hops.

    But in the browser the pages don't show at all.

    On the Linux box everything works perfectly; all websites open in a second.

    What have I done wrong?

    Thank you in advance for your assistance.
    Last edited by anduweb; March 3rd, 2011 at 07:06 PM. Reason: solved

  2. #2
    Join Date
    Mar 2011
    Beans
    6

    Re: Not all websites work with iptables, ubuntu 10.04

    I found out somewhere on the web that this might be an MTU issue,
    because PPPoE uses 1492 and eth1 uses 1500.
    I changed those and still it doesn't work. Maybe I've done something wrong.
    Any ideas?

  3. #3
    Join Date
    Dec 2007
    Location
    Netherlands
    Beans
    73
    Distro
    Ubuntu Studio 12.04 Precise Pangolin

    Re: Not all websites work with iptables, ubuntu 10.04

    Hello anduweb,
    Before getting into commands and stuff, can you tell us the brand and exact type and version of the router you have?
    As far as I can tell you're doing nothing wrong here, so I'm expecting it to be a router error, since you also cannot visit some sites in Windows. There are a few tricks to get the old firmware back depending on type and brand.

  4. #4
    Join Date
    Mar 2011
    Beans
    6

    Re: Not all websites work with iptables, ubuntu 10.04

    Found the solution.
    Just type this in your terminal:

    iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    Why?

    Clamping the MSS via IPTABLES:

    As mentioned above for PPPoE users, some ISPs and WWW sites filter critical ICMP packets like MTU Path Discovery. Because of this, many users might find more Internet sites work but others hang or work poorly. Fortunately, recent IPTABLES have added PMTU Clamping support which should help you. If you're using IPTABLES and think you're hitting this issue, try adding the following line to the end of your rc.firewall-iptables ruleset. It should be noted that there is no PMTU clamping support in IPCHAINS.

    Code:
    iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    Thank you: http://tldp.org/HOWTO/IP-Masquerade-...tu-issues.html
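
The script below is an added example written for this thread, not code posted by anduweb or taken from the Ubuntu tutorial or the TLDP HOWTO. It puts the ruleset from post #1 and the MSS clamp from post #4 together into one idempotent router script. The interface names and LAN prefix are taken from the thread; it uses ppp0 as the uplink because the ifconfig output in post #1 shows the public address on ppp0, not eth0. The default-DROP FORWARD policy, the restriction of MASQUERADE to the uplink, the dry-run mode and the `mss_for_mtu` helper (MTU minus 20 bytes IPv4 header minus 20 bytes TCP header, so 1492 gives 1452) are assumptions of this example and go beyond what the thread itself sets up.

```shell
#!/bin/sh
# Added example for the thread above: NAT router with TCP MSS clamping for a
# PPPoE uplink. Not the original poster's code. Run with "apply" as root to
# install the rules; run with no argument (or "dry-run") to print them.
set -eu

WAN="${WAN:-ppp0}"                 # uplink: public address lives here, not on eth0
LAN="${LAN:-eth1}"                 # LAN side, 192.168.0.1 in the thread
LAN_NET="${LAN_NET:-192.168.0.0/24}"
# IPT is the command used to emit rules; "echo iptables" makes a dry run.
IPT="${IPT:-echo iptables}"

# Largest TCP MSS that fits a link MTU without fragmentation:
# MTU - 20 (IPv4 header) - 20 (TCP header, no options). PPPoE 1492 -> 1452.
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

router_rules() {
    # Flush the chains we own so re-running the script never duplicates rules.
    $IPT -F FORWARD
    $IPT -t nat -F POSTROUTING
    # Default-deny forwarding; only the explicit rules below let traffic through
    # (the thread's setup kept the ACCEPT policy, so its NEW rule never mattered).
    $IPT -P FORWARD DROP
    # Clamp MSS on every forwarded SYN in either direction, so remote hosts
    # never send a segment larger than the PPPoE path can carry even when
    # ICMP "fragmentation needed" is filtered somewhere upstream. Inserted at
    # the top so it is evaluated before any ACCEPT ends the chain walk.
    $IPT -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    # LAN -> WAN: new connections only from our own prefix and only via the uplink.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -m conntrack --ctstate NEW -j ACCEPT
    # Replies and related traffic (ICMP errors, FTP data) in either direction.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Masquerade only LAN traffic leaving via the uplink, not every packet.
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

enable_forwarding() {
    # The kernel must route between interfaces; persist it in /etc/sysctl.conf too.
    sysctl -w net.ipv4.ip_forward=1
}

case "${1:-dry-run}" in
    apply)   IPT=iptables; enable_forwarding; router_rules ;;
    dry-run) router_rules ;;
esac
```

Check the clamp is actually taking effect with `sudo iptables -L FORWARD -v -n`: the TCPMSS rule's packet counter should climb by one for every new connection a LAN host opens, and a packet capture on ppp0 will show the SYNs leaving with `mss 1452` instead of the 1460 the Windows host put in. If the ISP's link needs an even smaller value, `--set-mss` with the number from `mss_for_mtu` is the explicit alternative to `--clamp-mss-to-pmtu`.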

  5. #5
    Join Date
    Dec 2007
    Location
    Netherlands
    Beans
    73
    Distro
    Ubuntu Studio 12.04 Precise Pangolin

    Re: Not all websites work with iptables, ubuntu 10.04

    Great info for all!

  6. #6
    Join Date
    Mar 2011
    Beans
    8

    Re: Not all websites work with iptables, ubuntu 10.04

    Magnificent, exactly what I was looking for! Thank you!
