help about NAT and ISP - without attachments
gtaylor at riverviewtech.net
Wed Aug 31 22:54:52 CEST 2005
Try adding a rule to your FORWARD chain to make sure that the TCP MSS value is not the problem. I know that you said you are not changing the value, but give this a try to see if it fixes your problem.
iptables -t filter -A FORWARD -j TCPMSS --clamp-mss-to-pmtu
I don't think that the missing packets is the culprit of your problem as this is the very nature of TCP (retransmission of unacknowledged packets).
Grant. . . .
> Good morning, I'm Giacomo Strangolino from Italy.
> I finished developing an ipv4 packet filter with NAT/MASQUERADING and
> have been
> testing it
> for some time with success connecting from home to my ISP named "libero".
> Then i changed ISP to another one, called "telecom" and with great surprise
> i discovered that
> images from sites and also sites failed to load.
> So now, when i call an ISP all works fine, when i call the other, things go
> I NAT machines behind my firewall changing only ips and ports, and
> recalculating checksum (ip and tcp/udp)
> to adjust such changes.
> I do not touch any other field as window size or seq number or ack, since
> the only things i manipulate are
> addresses and ports.
> I was wondering what i could do to solve, since iptables and ipfw+natd on
> freeBSD or winXP sp2 work fine
> with this ISP...
> Tweaking with ethereal i found that probably sometimes a tcp segment gets
> My firewall is a 2.6.12 kernel module which registers with netfilter hooks.
> A userspace program sends rules to
> kernel via netlink.
> I thank you if you could help me find the way to fix the problem or
> understand what could be wrong with an
> ISP network and anyway work fine with the other.
> Also any indication of where in iptables source is solved such problem
> would be appreciated.
> I attach a corrupted image and the ethereal capture related to it if it
> could be useful-
> Thanks a lot in advance.
> Giacomo S. Udine, Italy
More information about the netfilter