> # Begin script
> 
> # Masquerade LAN traffic leaving on the ADSL link (ppp0)
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> 
> # Turn on IP forwarding
> echo 1 > /proc/sys/net/ipv4/ip_forward
> 
> # End script
> 
>    This is the strange behavior that occurs from a computer in the 
> LAN (and not from the firewall):
> 
> - Can access some http websites (www.lemonde.fr www.google.com ...)
> - Can't access some http websites (www.yahoo.fr www.meteo-france.fr 
> www.kernel.org ...)
> 
>    I can ping all these servers.
> 
>    My config :
> 
> Firewall :
> 
>    Processor : 486 DX 33 (is it enough?)
>    Connection type : ADSL (France Telecom, modem ECI) on ppp0 with PPPoE in kernel mode
>    Kernel : - Linux 2.4.18 + patch-o-matic 1.2.6a
>         changing back to a fresh Linux 2.4.18 didn't change my problems
>    IPtables ver : 1.2.6a
>    LAN device : NE2000 (10BASET) compatible device on eth0
>    ECN support doesn't change anything (it's currently off)
>    Syncookies are off too (and didn't change anything either)
> 
> LAN computer :
> 
>    Linux or win2000, with a bigger config than the firewall, connected on a 100 
> Mbit network device.
>    DNSes are those of the provider or an internal DNS (that doesn't 
> change anything about my problems).
> 
>    I'm quite surprised by this behavior, because my last firewall was 
> under ipchains, and worked fine. (I'm currently switching back and forth 
> between the 2 firewalls to test the configurations.) The ipchains script 
> used on my previous working firewall was the one Roaring Penguin 
> provides in its PPPoE scripts for ADSL dynamic IP connections.
> 
> Note 1: changing MASQUERADE to SNAT was tested and worked as MASQUERADE did, 
> with the same buggy behavior.
> Note 2: of course, my policies are set to ACCEPT all packets.

Well, I've found the solution. It's in the forgotten PPPoE manual for 
kernel mode in 2.4.x (I found it in Google's cache; it had 
disappeared from the referenced link).

It links to this page: http://www.hgfelger.de/mss/mss.html , which is 
quite interesting to read when you have an ADSL modem and you have 
problems like those mentioned above with the kernel-mode PPPoE driver.

It tells you to add only one line to the firewall script:

iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

If this isn't magic, I'm a toaster :))
This works really fine for me now.

Could somebody comment on this line for my education? (or give a quick 
link that explains it, or give the state of the art on the TCPMSS target)

Thanks to all,

                   LAB Valentin
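What the TCPMSS rule in the message above actually does to a packet, shown as an added worked example (this is not code from the thread, from netfilter, or from the hgfelger.de page). It mimics the rule's match (SYN set, RST clear, i.e. `--tcp-flags SYN,RST SYN`) and the `--clamp-mss-to-pmtu` action: if the MSS option announced in the SYN is larger than the path MTU minus the 40 bytes of IPv4 and TCP headers, it is lowered to that value and the TCP checksum is recomputed. The addresses, ports and the SYN segment are constructed here, and the PPPoE MTU of 1492 is an assumption typical of PPPoE links (1500 minus 8 bytes of PPPoE/PPP framing); the thread does not state the poster's MTU.

```python
"""Model of iptables' TCPMSS --clamp-mss-to-pmtu applied to a TCP SYN.

Added example, not from the original thread. The SYN segment and the
addresses below are constructed; 1492 is an assumed PPPoE link MTU.
"""
import socket
import struct

PPPOE_MTU = 1492          # assumption: 1500-byte Ethernet MTU minus 8 bytes PPPoE/PPP
IPV4_TCP_OVERHEAD = 40    # 20-byte IPv4 header + 20-byte TCP header (no options)
TCP_SYN, TCP_RST = 0x02, 0x04


def mss_for_pmtu(pmtu):
    """Largest TCP segment that fits in one packet of size pmtu."""
    return pmtu - IPV4_TCP_OVERHEAD


def _checksum(data):
    """Internet (ones'-complement) checksum over data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src, dst, tcp_len):
    """IPv4 pseudo-header that the TCP checksum also covers."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, tcp_len)


def build_syn(src, dst, sport, dport, mss):
    """Construct a SYN segment carrying an MSS option (kind 2, length 4)."""
    options = struct.pack("!BBH", 2, 4, mss)
    data_offset = (20 + len(options)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0,
                      data_offset << 4, TCP_SYN, 65535, 0, 0) + options
    csum = _checksum(_pseudo_header(src, dst, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def checksum_ok(segment, src, dst):
    """A valid segment checksums to zero when the checksum field is included."""
    return _checksum(_pseudo_header(src, dst, len(segment)) + segment) == 0


def parse_mss(segment):
    """Return (mss, offset of the MSS value) or (None, None) if absent."""
    header_len = (segment[12] >> 4) * 4
    i = 20
    while i < header_len:
        kind = segment[i]
        if kind == 0:            # end of option list
            break
        if kind == 1:            # NOP padding
            i += 1
            continue
        length = segment[i + 1]
        if kind == 2 and length == 4:
            return struct.unpack("!H", segment[i + 2:i + 4])[0], i + 2
        i += length
    return None, None


def clamp_mss_to_pmtu(segment, src, dst, pmtu=PPPOE_MTU):
    """Rewrite the MSS option of a SYN (not SYN+RST) so it fits pmtu."""
    flags = segment[13]
    if not (flags & TCP_SYN) or (flags & TCP_RST):
        return segment                       # rule's --tcp-flags match fails
    mss, offset = parse_mss(segment)
    target = mss_for_pmtu(pmtu)
    if mss is None or mss <= target:
        return segment                       # nothing to clamp
    patched = bytearray(segment)
    patched[offset:offset + 2] = struct.pack("!H", target)
    patched[16:18] = b"\x00\x00"             # zero checksum before recomputing
    csum = _checksum(_pseudo_header(src, dst, len(patched)) + bytes(patched))
    patched[16:18] = struct.pack("!H", csum)
    return bytes(patched)


if __name__ == "__main__":
    src, dst = "192.168.1.10", "10.0.0.1"    # constructed LAN host and remote server
    syn = build_syn(src, dst, 40000, 80, 1460)
    out = clamp_mss_to_pmtu(syn, src, dst)
    print("MSS before:", parse_mss(syn)[0], "after:", parse_mss(out)[0])
```

The LAN host announces an MSS of 1460 because its own link is plain Ethernet; without the rule a server honouring that value sends 1500-byte packets that do not fit the PPPoE link, and when Path MTU Discovery is broken (ICMP "fragmentation needed" filtered somewhere) the connection stalls exactly as described in the thread, while pings and small pages keep working. Clamping the SYN to 1452 makes the server never send more than fits.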
