NAT help?

Alexander Dalloz ad+lists at
Sun Sep 18 23:07:57 UTC 2005

On Sun, 18.09.2005 at 23:32, Murray, WJ (Bill) wrote:

>   Hello list,
>             I have a small problem with my home network - maybe someone
> could help?
>    I have a firewall/router doing NAT, which works for machines behind
> it 99% of the time, but some websites are inaccessible.
>   e.g.
>  If I look at the ethereal logs for all interfaces on the router box,
> and run firefox on the firewall machine itself I see an [ACK] packet
> from port 33439 followed by a [SYN] from 33440. And then the rest
> happens. Doing the same thing on a machine inside I see that the
> TCP packet [ACK] first going in, as from [my-local-address] to
> [] and then out as [my-global-address] to
> [], both from port 35598 but no [SYN] packet is sent.
> It just hangs at that point.
>    It wouldn't be too bad, but many financial WWW sites hang here.
> konqueror hangs too, so it seems to be NAT related. My rules are simple:
> iptables -F; iptables -t nat -F; iptables -t mangle -F
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT
> iptables -P INPUT DROP   #only if the first two are successful
> iptables -A FORWARD -i ppp0 -o ppp0 -j REJECT
> Plus 1 or two specific ports accepted.
>   Can anyone see an obvious problem?
>       Thank you,
>               Bill

Analyzing your above iptables rules, you are very certainly shooting
yourself in the foot. Why? Because you block ICMP. Then remote sites,
i.e. those blocking ICMP on their own - like - can be unreachable, as
both systems cannot communicate about the correct MTU for instance
(PMTU broken). So allow ICMP traffic on your ppp0 device - and I bet
your problem is gone.


Alexander Dalloz | Enger, Germany | GPG 0xB366A773
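The change Alexander suggests, applied to Bill's quoted rule set, as an added example that is not code from the thread. It assumes the uplink is ppp0 (the name used in the thread); the "preview" mode is a constructed helper so the rules can be inspected without root or a kernel, and the choice of ICMP types is mine, not the thread's:

```shell
#!/bin/sh
# Added example, not from the thread: Bill's rule set with ICMP explicitly
# accepted on the uplink, as Alexander suggests.
# Assumptions: the uplink is ppp0 (from the thread); "preview" is a constructed
# helper that prints each rule instead of applying it. Run as root with
# IPT=iptables to apply for real.
WAN="${WAN:-ppp0}"

# Default to printing each rule rather than calling the real iptables.
preview() { printf 'iptables %s\n' "$*"; }
IPT="${IPT:-preview}"

build_rules() {
    # Flush, then masquerade LAN traffic leaving the uplink (as in the post).
    $IPT -F
    $IPT -t nat -F
    $IPT -t mangle -F
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE

    # Packets belonging to connections conntrack already tracks.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New connections only from the LAN side ("! -i" is the current negation syntax).
    $IPT -A INPUT -m state --state NEW ! -i "$WAN" -j ACCEPT

    # The addition: ICMP arriving on the uplink. Only the error types that
    # path-MTU discovery and basic diagnostics rely on, rather than all of ICMP
    # (add echo-request here if the box should also answer pings).
    for t in destination-unreachable time-exceeded parameter-problem; do
        $IPT -A INPUT -i "$WAN" -p icmp --icmp-type "$t" -j ACCEPT
    done

    # Everything else arriving on the box is dropped; no hairpin forwarding on the uplink.
    $IPT -P INPUT DROP
    $IPT -A FORWARD -i "$WAN" -o "$WAN" -j REJECT
}

# Number of ICMP accept rules in the generated set (quick self-check).
icmp_rule_count() { build_rules | grep -c -- '-p icmp'; }

build_rules
```

Run as-is to preview the rule set; `IPT=iptables sh thisfile` applies it. Note that the ESTABLISHED,RELATED rule already admits ICMP errors that conntrack can tie to a tracked connection, so the explicit rules cover the cases it cannot match and make the intent visible in the rule list. If allowing ICMP alone does not cure the hangs, the usual complement on PPP links, not discussed in the thread, is clamping TCP MSS to the path MTU (`iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu`).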
