help about NAT and ISP - without attachments

Taylor, Grant gtaylor at riverviewtech.net
Wed Aug 31 22:54:52 CEST 2005


Try adding a rule to your FORWARD chain to make sure that the TCP MSS value is not the problem.  I know that you said you are not changing the value, but give this a try to see if it fixes your problem.

iptables -t filter -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

I don't think that the missing packets are the culprit of your problem, as this is the very nature of TCP (retransmission of unacknowledged packets).



Grant. . . .

Giacomo wrote:
> Good morning, I'm Giacomo Strangolino from Italy.
> 
> I finished developing an IPv4 packet filter with NAT/MASQUERADING and
> have been testing it for some time with success, connecting from home to
> my ISP named "libero".
> 
> Then I changed ISP to another one, called "telecom", and with great
> surprise I discovered that images from sites, and also sites, failed to load.
> 
> So now, when I call one ISP all works fine; when I call the other, things go
> wrong.
> 
> I NAT machines behind my firewall changing only IPs and ports, and
> recalculating checksums (IP and TCP/UDP) to adjust for such changes.
> I do not touch any other field such as window size or seq number or ack,
> since the only things I manipulate are addresses and ports.
> 
> I was wondering what I could do to solve it, since iptables and ipfw+natd on
> FreeBSD or WinXP SP2 work fine with this ISP...
> 
> Tweaking with Ethereal I found that probably sometimes a TCP segment gets
> lost.
> 
> My firewall is a 2.6.12 kernel module which registers with netfilter hooks.
> A userspace program sends rules to the kernel via netlink.
> 
> I would thank you if you could help me find the way to fix the problem, or
> understand what could be wrong with an ISP network while things anyway work
> fine with the other.
> 
> Also any indication of where in the iptables source such a problem is solved
> would be appreciated.
> 
> I attach a corrupted image and the Ethereal capture related to it, if it
> could be useful.
> 
> Thanks a lot in advance.
> 
> Giacomo S. Udine, Italy
> 
> 
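The MSS clamping Grant suggests, written out as an added example in plain C (not code from this thread, nor from Giacomo's kernel module): it walks a SYN's option list, lowers the MSS option, and repairs the TCP checksum with an RFC 1624 incremental update, which is the same arithmetic a NAT needs after rewriting addresses and ports. The sample SYN segments and pseudo-header are constructed here, and all function and variable names are my own.

```c
#include <stddef.h>
#include <stdint.h>
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static uint16_t fold(uint32_t s) { while (s >> 16) s = (s & 0xffff) + (s >> 16); return (uint16_t)s; }
static uint32_t ones_sum(const uint8_t *p, size_t n) { uint32_t s = 0; size_t i; for (i = 0; i + 1 < n; i += 2) s += rd16(p + i); return s; }
/* RFC 1624 incremental update, HC' = ~(~HC + ~m + m'), i.e. what a NAT does after rewriting one 16-bit field.
 * A value at an odd byte offset straddles two checksum words, so it contributes its byte-swapped form. */
static uint16_t csum_update16(uint16_t hc, uint16_t m, uint16_t m_new, int odd)
{
    if (odd) { m = (uint16_t)((m << 8) | (m >> 8)); m_new = (uint16_t)((m_new << 8) | (m_new >> 8)); }
    return (uint16_t)~fold((uint16_t)~hc + (uint16_t)~m + m_new);
}
/* Full checksum over pseudo-header + segment (even lengths); returns 0 when the stored checksum is valid. */
uint16_t tcp_checksum(const uint8_t *pseudo, size_t plen, const uint8_t *tcp, size_t len)
{ return (uint16_t)~fold(ones_sum(pseudo, plen) + ones_sum(tcp, len)); }
/* Lower the MSS option of a SYN (not RST) segment to mss_max, as TCPMSS --clamp-mss-to-pmtu does with the
 * path MTU.  Returns 1 if rewritten, 0 if nothing to do, -1 if the header or its option list is malformed. */
int clamp_tcp_mss(uint8_t *tcp, size_t len, uint16_t mss_max)
{
    size_t doff, i = 20;
    if (len < 20 || (doff = (size_t)(tcp[12] >> 4) * 4) < 20 || doff > len) return -1;
    if ((tcp[13] & 0x06) != 0x02) return 0;                   /* SYN set, RST clear */
    while (i < doff) {
        uint8_t kind = tcp[i], olen;
        if (kind == 0) break;                                 /* end of option list */
        if (kind == 1) { i++; continue; }                     /* NOP padding */
        if (i + 1 >= doff || (olen = tcp[i + 1]) < 2 || i + olen > doff) return -1;
        if (kind == 2 && olen == 4) {
            uint16_t mss = rd16(tcp + i + 2);
            if (mss <= mss_max) return 0;
            wr16(tcp + i + 2, mss_max);
            wr16(tcp + 16, csum_update16(rd16(tcp + 16), mss, mss_max, (int)((i + 2) & 1)));
            return 1;
        }
        i += olen;
    }
    return 0;
}
/* Constructed samples: SYN 10.0.0.2:40000 -> 192.0.2.1:80, MSS 1460, checksum field 0; syn_odd has a NOP before the MSS option so the value sits at an odd offset. */
uint8_t sample_pseudo[12] = {10,0,0,2, 192,0,2,1, 0,6, 0,0};
uint8_t syn_even[24] = {0x9c,0x40, 0,0x50, 0,0,0,1, 0,0,0,0, 0x60,0x02, 0x40,0, 0,0, 0,0, 2,4,0x05,0xb4};
uint8_t syn_odd[28] = {0x9c,0x40, 0,0x50, 0,0,0,1, 0,0,0,0, 0x70,0x02, 0x40,0, 0,0, 0,0, 1, 2,4,0x05,0xb4, 1,1,0};
/* Fill in the checksum, clamp, and return 1 only if the option was rewritten and the checksum still verifies. */
int clamp_and_verify(uint8_t *tcp, size_t len, uint16_t mss_max) {
    sample_pseudo[11] = (uint8_t)len; wr16(tcp + 16, tcp_checksum(sample_pseudo, 12, tcp, len));
    if (clamp_tcp_mss(tcp, len, mss_max) != 1) return 0;
    return tcp_checksum(sample_pseudo, 12, tcp, len) == 0;
}
```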




More information about the netfilter mailing list