* RE: Masquarede stalls?
@ 2004-08-10 19:13 Jason Opperisano
  2004-08-10 20:22 ` Mészáros Gergely
  2004-08-10 20:24 ` Meszaros Gergely
  0 siblings, 2 replies; 13+ messages in thread
From: Jason Opperisano @ 2004-08-10 19:13 UTC (permalink / raw)
  To: netfilter

> Unfortunately "tcpdump -n -nn -p -i ppp0 icmp" gives nothing (I hope I did it well :)).
> (What is -nn? I cannot find it in the manpage.)

       -n     Don't convert host addresses to names.   This  can  be  used  to
              avoid DNS lookups.

       -nn    Don't convert protocol and port numbers etc. to names either.

guess that depends on the specific tcpdump you have...

>
> Are you sure this is an ICMP-related problem? I can ping everything very quickly and correctly from the internal net. Things go wrong somewhere during the connections. :-( However, you must be right, I'm not a guru.
>

it's not an ICMP problem--it's a TCP problem.  the error message that tells you there is a TCP problem is an ICMP packet, however...

>
> And what's that clamp-mss-to-mtu thing? :)
>

you can try adding:

  iptables -I FORWARD -i $INTERNAL_IF -p tcp --syn -j TCPMSS --clamp-mss-to-pmtu
-OR-
  iptables -I FORWARD -i $INTERNAL_IF -p tcp --syn -j TCPMSS --set-mss 1400

to your test scenario to see if that fixes your problem.  if i recall correctly, MSS = MTU - 40.  if you have an MTU issue--your best bet is to play around with tcpdump and different values of "--set-mss" until you don't have the problem anymore (unless "--clamp-mss-to-pmtu" magically works for you--it didn't for me).

-j


^ permalink raw reply	[flat|nested] 13+ messages in thread

* Re: Masquarede stalls?
  2004-08-10 19:13 Masquarede stalls? Jason Opperisano
@ 2004-08-10 20:22 ` Mészáros Gergely
  2004-08-11  5:05   ` Alistair Tonner
  2004-08-10 20:24 ` Meszaros Gergely
  1 sibling, 1 reply; 13+ messages in thread
From: Mészáros Gergely @ 2004-08-10 20:22 UTC (permalink / raw)
  To: netfilter


Thank you  ! It wooorks !

That clamp-mss magic worked for me, so I consider myself lucky. ^^ 

>   iptables -I FORWARD -i $INTERNAL_IF -p tcp --syn -j TCPMSS --clamp-mss-to-pmtu

Great!

If it were in the mangle table, I would dare to say I understand what it does,
but in this case ... how can it send a larger packet in a smaller one? Magic :)

I tried Anthony's mangle version also, but something must be missing here to make it work: 
iptables -t mangle -A POSTROUTING -o EXTIF -j TCPMSS --clamp-mss-to-mtu
iptables v1.2.9: Unknown arg `--clamp-mss-to-mtu'
Maybe modules? Or did I misspell it? 

However, it works, so I'm happy.
Thank you very much, both of you, gurus! :)
If you come to Budapest, you are my guest for a beer ! 

1 MonK



* Re: Masquarede stalls?
  2004-08-10 19:13 Masquarede stalls? Jason Opperisano
  2004-08-10 20:22 ` Mészáros Gergely
@ 2004-08-10 20:24 ` Meszaros Gergely
  2004-08-10 22:35   ` Alistair Tonner
  1 sibling, 1 reply; 13+ messages in thread
From: Meszaros Gergely @ 2004-08-10 20:24 UTC (permalink / raw)
  To: netfilter


Thank you  ! It wooorks !

That clamp-mss magic worked for me, so I consider myself lucky. ^^ 

>   iptables -I FORWARD -i $INTERNAL_IF -p tcp --syn -j TCPMSS --clamp-mss-to-pmtu

Great!

If it were in the mangle table, I would dare to say I understand what it does,
but in this case ... how can it send a larger packet in a smaller one? Magic :)

I tried Anthony's mangle version also, but something must be missing here to make it work: 
iptables -t mangle -A POSTROUTING -o EXTIF -j TCPMSS --clamp-mss-to-mtu
iptables v1.2.9: Unknown arg `--clamp-mss-to-mtu'
Maybe modules? Or did I misspell it? 

However, it works, so I'm happy.
Thank you very much, both of you, gurus! :)
If you come to Budapest, you are my guest for a beer ! 

1 MonK



* Re: Masquarede stalls?
  2004-08-10 20:24 ` Meszaros Gergely
@ 2004-08-10 22:35   ` Alistair Tonner
  2004-08-10 22:48     ` Antony Stone
  0 siblings, 1 reply; 13+ messages in thread
From: Alistair Tonner @ 2004-08-10 22:35 UTC (permalink / raw)
  To: netfilter

On August 10, 2004 04:24 pm, Meszaros Gergely wrote:
> Thank you  ! It wooorks !
>
> That clamp-mss magic worked for me, so I consider myself lucky. ^^
>
> >   iptables -I FORWARD -i $INTERNAL_IF -p tcp --syn -j TCPMSS
> > --clamp-mss-to-pmtu
>
> Great!
>
> If it were in the mangle table, I would dare to say I understand what
> it does, but in this case ... how can it send a larger packet in a smaller
> one? Magic :)
>
> I tried Anthony's mangle version also, but something must be missing here to
> make it work: iptables -t mangle -A POSTROUTING -o EXTIF -j TCPMSS
> --clamp-mss-to-mtu iptables v1.2.9: Unknown arg `--clamp-mss-to-mtu'
> Maybe modules? Or did I misspell it?

	Nope, we're missing a p there
iptables -t mangle -A POSTROUTING -o ${EXTINF} -j TCPMSS --clamp-mss-to-pmtu
	                                                 
	whoopsy.

	Alistair
>
> However it works, so i'm happy.
> Thank you very much both of you, gurus ! :)
> If you come to Budapest, you are my guest for a beer !
>
> 1 MonK



* Re: Masquarede stalls?
  2004-08-10 22:35   ` Alistair Tonner
@ 2004-08-10 22:48     ` Antony Stone
  0 siblings, 0 replies; 13+ messages in thread
From: Antony Stone @ 2004-08-10 22:48 UTC (permalink / raw)
  To: netfilter

On Tuesday 10 August 2004 11:35 pm, Alistair Tonner wrote:

> On August 10, 2004 04:24 pm, Meszaros Gergely wrote:
> > Thank you  ! It wooorks !
> >
> > That clamp-mss magic worked for me, so I consider myself lucky. ^^
> >
> > >   iptables -I FORWARD -i $INTERNAL_IF -p tcp --syn -j TCPMSS
> > > --clamp-mss-to-pmtu
> >
> > Great!
> >
> > If it were in the mangle table, I would dare to say I understand what
> > it does, but in this case ... how can it send a larger packet in a smaller
> > one? Magic :)
> >
> > I tried Anthony's mangle version also, but something must be missing here
> > to make it work: iptables -t mangle -A POSTROUTING -o EXTIF -j TCPMSS
> > --clamp-mss-to-mtu iptables v1.2.9: Unknown arg `--clamp-mss-to-mtu'
> > Maybe modules? Or did I misspell it?
>
> 	Nope, we're missing a p there
> iptables -t mangle -A POSTROUTING -o ${EXTINF} -j TCPMSS
> --clamp-mss-to-pmtu
>
> 	whoopsy.

Yes, sorry about that :)   I should be more careful when typing the really 
weird netfilter options.

Antony.

-- 
"I don't mind that he got rich, but I do mind that he peddles himself as the 
ultimate hacker and God's own gift to technology when his track record 
suggests that he wouldn't know a decent design idea or a well-written hunk of 
code if it bit him in the face. He's made his billions selling elaborately 
sugar-coated crap that runs like a pig on [sedatives], crashes at the drop of 
an electron, and has set the computing world back by at least a decade."

 - Eric S Raymond, about Bill Gates

                                                     Please reply to the list;
                                                           please don't CC me.




* Re: Masquarede stalls?
  2004-08-10 20:22 ` Mészáros Gergely
@ 2004-08-11  5:05   ` Alistair Tonner
  0 siblings, 0 replies; 13+ messages in thread
From: Alistair Tonner @ 2004-08-11  5:05 UTC (permalink / raw)
  To: netfilter

On August 10, 2004 04:22 pm, Mészáros Gergely wrote:
> Thank you  ! It wooorks !
>
> That clamp-mss magic worked for me, so I consider myself lucky. ^^
>
> >   iptables -I FORWARD -i $INTERNAL_IF -p tcp --syn -j TCPMSS
> > --clamp-mss-to-pmtu
>
> Great!
>
> If it were in the mangle table, I would dare to say I understand what
> it does, but in this case ... how can it send a larger packet in a smaller
> one? Magic :)

	Actually we don't stuff a larger packet in a smaller one.  
	The system that has this rule can ensure that its neighbours
	use the correct packet size.  Although I am not aware of the 
	specifics, I believe that there is more than one mechanism
	for managing this.

	Alistair...

	

	Anyone:
	Does this TCPMSS in the mangle table actually mangle packet contents during the 
	TCP handshake and forcibly set the MSS in the handshake packets?
	(sorry -- tired tonight and can't figure out the relevant lines in the source -- 
	other half had annual celebratory day today and we've had a nice night out)


>
> I tried Anthony's mangle version also, but something must be missing here to
> make it work: iptables -t mangle -A POSTROUTING -o EXTIF -j TCPMSS
> --clamp-mss-to-mtu iptables v1.2.9: Unknown arg `--clamp-mss-to-mtu'
> Maybe modules? Or did I misspell it?
>
> However it works, so i'm happy.
> Thank you very much both of you, gurus ! :)
> If you come to Budapest, you are my guest for a beer !
>
> 1 MonK



* Re: Masquarede stalls?
  2004-08-10 19:18   ` Antony Stone
@ 2004-08-10 21:10     ` Alistair Tonner
  0 siblings, 0 replies; 13+ messages in thread
From: Alistair Tonner @ 2004-08-10 21:10 UTC (permalink / raw)
  To: netfilter; +Cc: oan

On August 10, 2004 03:18 pm, Antony Stone wrote:
> On Tuesday 10 August 2004 7:56 pm, Meszaros Gergely wrote:
> > Dear Antony and Jason! Many thanks for the quick response! I'm
> > enthralled.
> >
> > Unfortunately "tcpdump -n -nn -p -i ppp0 icmp" gives nothing (I hope I
> > did it well :)). (What is -nn? I cannot find it in the manpage.)
> >
> > Are you sure this is an ICMP-related problem? I can ping everything very
> > quickly and correctly from the internal net. Things go wrong
> > somewhere during the connections. :-( However, you must be right, I'm not
> > a guru.
> >
> >
> > Anthony, my ext interface is the following:
> >
> > ppp0      Link encap:Point-to-Point Protocol
> >           inet addr:xxx.xxx.xxx.xxx  P-t-P:192.168.0.254
> > Mask:255.255.255.255 UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492
> > Metric:1 RX packets:2255 errors:0 dropped:0 overruns:0 frame:0
> >           TX packets:3300 errors:0 dropped:0 overruns:0 carrier:0
> >           collisions:0
> >           RX bytes:133634 (130.5 KiB)  TX bytes:1083394 (1.0 MiB)
> >
> > MTU: 1492.  But I don't know whether it is bad or good :)
>
> That means you cannot put packets bigger than 1492 bytes down the
> interface.
>
> If you have stupid internal client machines (eg: Windows O/S) which don't
> understand that MTUs between client and server can be less than the local
> subnet, then you will not be able to communicate from those clients without
> changing the MSS (maximum segment size) at the firewall.
>
> > It's less than 1500 bytes, but only by 8. Is that bad?
>
> 8 bytes is enough to cause the problem.
>
> > And what's that clamp-mss-to-mtu thing? :)
>
> iptables -t mangle -A POSTROUTING -o EXTIF -j TCPMSS --clamp-mss-to-mtu
>
> Regards,
>
	Again Antony -- bang on the money as always Thanks for all your work.


	For the record, I use this rule *always* -- but then I don't deal with really 
large LANs behind the firewall -- anyone care to comment on the effect of 
this in large bandwidth implementations?

	
	Alistair Tonner


	Please note that I have cc: Oskar directly -- if I have done something 
brutally wrong in the below, beat me over the head with a LART and let Oskar 
know I haven't the faintest clue what I'm doing *grin*


	For Oskar Andreasson ---->

	Oskar:

	For iptables-tutorial 6.5 section "Targets Jumps"

	6.5.16 TCPMSS target

		This target takes the options --clamp-mss-to-mtu or --set-mss (value)
	The objective of this target is to ensure that packets are no larger than a 
	certain MSS (Maximum Segment Size) or (Maximum Transfer Unit - 40)
	for a specific route.  This is commonly used when firewalling a LAN made up 
	of systems that may not correctly perform Path MTU discovery, or may not be
	receiving ICMP messages that indicate there is a Path MTU problem.  
	It may be advantageous to put rules with this target in the mangle
	POSTROUTING table, with filters to specific output devices i.e.

	iptables -A POSTROUTING -t mangle -o ${EXTERNAL_INTERFACE} -j TCPMSS  \ 
--clamp-mss-to-pmtu

	in order to ensure that your client connection(s) packet(s) will always
	fit in the MTU of the device which they go out to the internet through.

	when used:

	iptables -A POSTROUTING -t mangle -o ${ANY_DEVICE} -j TCPMSS \
--set-mss 596

	it will lock the Maximum Segment Size for that device.  This is useful when 
tunneling TCP/IP through other protocols where the frame size may be smaller 
or larger than 1500 bytes.  Please note that MSS is not the packet size, but 
rather MTU - 40 bytes.
	
	This cures the problems that many folks have had with DSL (the typical MTU of DSL 
connections is 1492: a 1500-byte Ethernet frame minus an 8-byte PPP packet header).  
If your connections through the firewall start normally but hang abruptly 
without returning complete data, you might look into this feature. 


	


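Worked example, added by the editor; it is not code from this thread, from netfilter or from the iptables tutorial. It shows what the TCPMSS target does to a SYN, which is the answer to both Gergely's "how can it send a larger packet in a smaller one?" and Alistair's question above about whether the target rewrites the handshake packets: the SYN is the only segment carrying the MSS option, the option is lowered there, and the client then never sends a segment larger than MSS + 40 bytes, so nothing has to be stuffed into anything. The packet is constructed (made-up 192.168.0.10 client, made-up server, made-up ports), the link is the 1492-byte ppp0 from the thread, and the clamp target is 1492 - 20 - 20 = 1452.

```python
"""What the TCPMSS target does to a SYN, written out in plain Python.

Added example, not code from the thread or from netfilter.  A constructed
IPv4/TCP SYN from a 192.168.x client advertises MSS 1460 (a host on a
1500-byte Ethernet LAN); clamp_mss() lowers the option to what fits a
1492-byte ppp0 link, 1492 - 20 (IP) - 20 (TCP) = 1452, and recomputes the
TCP checksum.  Only the SYN carries the MSS option, so only the handshake
packet is touched.  Addresses and ports are made up.
"""
import struct

IP_HDR_LEN = 20
TCP_HDR_LEN = 20
TCP_OPT_MSS = 2
SYN_FLAG = 0x02
DF_FLAG = 0x4000          # "don't fragment" bit in the IP flags/fragment field

def checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (IP and TCP use it)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tcp_with_checksum(ip, tcp):
    """Return the TCP segment with its checksum recomputed over the IPv4 pseudo-header."""
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    zeroed = tcp[:16] + b"\x00\x00" + tcp[18:]
    return zeroed[:16] + struct.pack("!H", checksum(pseudo + zeroed)) + zeroed[18:]

def build_syn(src, dst, sport, dport, mss):
    """Constructed IPv4 + TCP SYN carrying a single MSS option, DF bit set."""
    options = struct.pack("!BBH", TCP_OPT_MSS, 4, mss)
    data_offset = (TCP_HDR_LEN + len(options)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0,
                      data_offset << 4, SYN_FLAG, 65535, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + len(tcp), 0x1234,
                     DF_FLAG, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp_with_checksum(ip, tcp)

def tcp_layout(packet):
    """(offset of the TCP header, TCP header length with options, the options bytes)."""
    ihl = (packet[0] & 0x0F) * 4
    data_off = (packet[ihl + 12] >> 4) * 4
    return ihl, data_off, packet[ihl + TCP_HDR_LEN:ihl + data_off]

def find_mss_option(opts):
    """Index of the MSS option in a TCP options block, or -1 if absent or malformed."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                  # end of option list
            return -1
        if kind == 1:                                  # NOP padding
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:      # truncated or bogus length
            return -1
        if kind == TCP_OPT_MSS and opts[i + 1] == 4:
            return i
        i += opts[i + 1]
    return -1

def mss_of(packet):
    """Advertised MSS, or None when the segment carries no MSS option."""
    _, _, opts = tcp_layout(packet)
    i = find_mss_option(opts)
    return None if i < 0 else struct.unpack_from("!H", opts, i + 2)[0]

def clamp_mss(packet, pmtu):
    """Mimic --clamp-mss-to-pmtu: return (new packet, new MSS) or (packet, None).

    Only TCP segments with SYN set are candidates, and the option is only ever
    lowered: a client already advertising something small enough passes untouched.
    """
    if packet[9] != 6:                                 # IP protocol field: not TCP
        return packet, None
    tcp_start, data_off, opts = tcp_layout(packet)
    if not packet[tcp_start + 13] & SYN_FLAG:
        return packet, None
    i = find_mss_option(opts)
    if i < 0:
        return packet, None
    target = pmtu - IP_HDR_LEN - TCP_HDR_LEN           # the "MTU - 40" from the thread
    if struct.unpack_from("!H", opts, i + 2)[0] <= target:
        return packet, None
    new_opts = bytearray(opts)
    struct.pack_into("!H", new_opts, i + 2, target)
    ip = packet[:tcp_start]
    tcp = (packet[tcp_start:tcp_start + TCP_HDR_LEN] + bytes(new_opts)
           + packet[tcp_start + data_off:])
    return ip + tcp_with_checksum(ip, tcp), target

def tcp_checksum_ok(packet):
    """True when the TCP checksum verifies against the IPv4 pseudo-header."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    return checksum(packet[12:20] + struct.pack("!BBH", 0, 6, len(tcp)) + tcp) == 0

if __name__ == "__main__":
    syn = build_syn(b"\xc0\xa8\x00\x0a", b"\xcb\x00\x71\x28", 40000, 80, 1460)
    clamped, new_mss = clamp_mss(syn, 1492)
    print("mss before %d, after %s, checksum ok %s"
          % (mss_of(syn), new_mss, tcp_checksum_ok(clamped)))
```

The rewritten SYN is the same length as the original because the option keeps its 4-byte size, so the IP header, its total length and its checksum are untouched; only the option value and the TCP checksum change. That is also why the rule only needs to match --syn: once the peer has seen the smaller MSS, every later segment in the connection already fits the link.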

* Re: Masquarede stalls?
  2004-08-10 18:56 ` Meszaros Gergely
@ 2004-08-10 19:18   ` Antony Stone
  2004-08-10 21:10     ` Alistair Tonner
  0 siblings, 1 reply; 13+ messages in thread
From: Antony Stone @ 2004-08-10 19:18 UTC (permalink / raw)
  To: netfilter

On Tuesday 10 August 2004 7:56 pm, Meszaros Gergely wrote:

> Dear Antony and Jason! Many thanks for the quick response! I'm enthralled.
>
> Unfortunately "tcpdump -n -nn -p -i ppp0 icmp" gives nothing (I hope I did
> it well :)). (What is -nn? I cannot find it in the manpage.)
>
> Are you sure this is an ICMP-related problem? I can ping everything very
> quickly and correctly from the internal net. Things go wrong somewhere
> during the connections. :-( However, you must be right, I'm not a guru.
>
>
> Anthony, my ext interface is the following:
>
> ppp0      Link encap:Point-to-Point Protocol
>           inet addr:xxx.xxx.xxx.xxx  P-t-P:192.168.0.254 
> Mask:255.255.255.255 UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492 
> Metric:1 RX packets:2255 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:3300 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0
>           RX bytes:133634 (130.5 KiB)  TX bytes:1083394 (1.0 MiB)
>
> MTU: 1492.  But I don't know whether it is bad or good :)

That means you cannot put packets bigger than 1492 bytes down the interface.

If you have stupid internal client machines (eg: Windows O/S) which don't 
understand that MTUs between client and server can be less than the local 
subnet, then you will not be able to communicate from those clients without 
changing the MSS (maximum segment size) at the firewall.

> It's less than 1500 bytes, but only by 8. Is that bad?

8 bytes is enough to cause the problem.

> And what's that clamp-mss-to-mtu thing? :)

iptables -t mangle -A POSTROUTING -o EXTIF -j TCPMSS --clamp-mss-to-mtu

Regards,

Antony.

-- 
Late in 1972 President Richard Nixon announced that the rate of increase of 
inflation was decreasing.   This was the first time a sitting president used 
a third derivative to advance his case for re-election.

 - Hugo Rossi, Notices of the American Mathematical Society

                                                     Please reply to the list;
                                                           please don't CC me.




* Re: Masquarede stalls?
  2004-08-10 18:33 Jason Opperisano
@ 2004-08-10 18:56 ` Meszaros Gergely
  2004-08-10 19:18   ` Antony Stone
  0 siblings, 1 reply; 13+ messages in thread
From: Meszaros Gergely @ 2004-08-10 18:56 UTC (permalink / raw)
  To: netfilter


Dear Antony and Jason! Many thanks for the quick response! I'm enthralled.

Unfortunately "tcpdump -n -nn -p -i ppp0 icmp" gives nothing (I hope I did it well :)).
(What is -nn? I cannot find it in the manpage.)

Are you sure this is an ICMP-related problem? I can ping everything very quickly and correctly from the internal net. Things go wrong somewhere during the connections. :-( However, you must be right, I'm not a guru.


Anthony, my ext interface is the following: 

ppp0      Link encap:Point-to-Point Protocol  
          inet addr:xxx.xxx.xxx.xxx  P-t-P:192.168.0.254  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:2255 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3300 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 
          RX bytes:133634 (130.5 KiB)  TX bytes:1083394 (1.0 MiB)

MTU: 1492.  But I don't know whether it is bad or good :)

It's less than 1500 bytes, but only by 8. Is that bad? 
And what's that clamp-mss-to-mtu thing? :)


thank you !

1 MonK



* RE: Masquarede stalls?
@ 2004-08-10 18:33 Jason Opperisano
  2004-08-10 18:56 ` Meszaros Gergely
  0 siblings, 1 reply; 13+ messages in thread
From: Jason Opperisano @ 2004-08-10 18:33 UTC (permalink / raw)
  To: Meszaros Gergely, netfilter

> Hi!
>
> Are there any issues about netfilter in kernel 2.4.25 ?
>
> I tried to make a masquerading setup, but all connections from the internal network that are larger than a minimal size stall, and just wait, wait, wait...
>
> What can it be?
>
> My ultra-simplified ipfilter (for debugging purposes) is:
>
>       iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>       iptables -A FORWARD -j ACCEPT
>
>
> . I have a simple two-network-card-gateway server and 192.168.* internal net setup.
> . from the server everything is perfect.
> . from the internal net, one can ping everything correctly (masquerade is working, just buggy)
> . from the internal net every connection is initialised correctly; however,
>       large enough (larger than 1 packet?) data is buggy and stalls.
>
> So I can reach very short homepages and can ping from the internal net, but
> everything else stalls.

those symptoms point to an MTU issue.  the way to check this would be to tcpdump on the outside interface of your firewall for ICMP unreachable messages (tcpdump -n -nn -p -i ppp0 icmp)...look for something along the lines of "need to frag, but DF bit is set"  if you see that, you need to lower the MTU/MSS of your clients, either directly on the clients or with some mangling on the firewall.

-j



* Re: Masquarede stalls?
  2004-08-10 18:23 Meszaros Gergely
@ 2004-08-10 18:31 ` Antony Stone
  0 siblings, 0 replies; 13+ messages in thread
From: Antony Stone @ 2004-08-10 18:31 UTC (permalink / raw)
  To: netfilter

On Tuesday 10 August 2004 7:23 pm, Meszaros Gergely wrote:

> Hi!
>
> Are there any issues about netfilter in kernel 2.4.25 ?
>
> I tried to make a masquerading setup, but all connections from the internal
> network that are larger than a minimal size stall, and just wait, wait,
> wait...
>
> What can it be?

What is the MTU on your external interface?

ifconfig should tell you.

You may need to use clamp-mss-to-mtu if it's less than 1500 bytes.

Regards,

Antony.

-- 
Microsoft may sell more software than any other company, but McDonald's sell 
more burgers than any other company, and I think the other similarities are 
obvious...

                                                     Please reply to the list;
                                                           please don't CC me.




* Masquarede stalls?
@ 2004-08-10 18:23 Meszaros Gergely
  2004-08-10 18:31 ` Antony Stone
  0 siblings, 1 reply; 13+ messages in thread
From: Meszaros Gergely @ 2004-08-10 18:23 UTC (permalink / raw)
  To: netfilter


Hi!

Are there any issues about netfilter in kernel 2.4.25 ?

I tried to make a masquerading setup, but all connections from the internal network that are larger than a minimal size stall, and just wait, wait, wait...

What can it be? 

My ultra-simplified ipfilter (for debugging purposes) is:

	iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
	iptables -A FORWARD -j ACCEPT 


. I have a simple two-network-card-gateway server and 192.168.* internal net setup.
. from the server everything is perfect.
. from the internal net, one can ping everything correctly (masquerade is working, just buggy)
. from the internal net every connection is initialised correctly; however, 
	large enough (larger than 1 packet?) data is buggy and stalls.

So I can reach very short homepages and can ping from the internal net, but 
everything else stalls.

Can you help me?

thx,
1 MonK / Gergely Mészáros





Thread overview: 13+ messages
2004-08-10 19:13 Masquarede stalls? Jason Opperisano
2004-08-10 20:22 ` Mészáros Gergely
2004-08-11  5:05   ` Alistair Tonner
2004-08-10 20:24 ` Meszaros Gergely
2004-08-10 22:35   ` Alistair Tonner
2004-08-10 22:48     ` Antony Stone
  -- strict thread matches above, loose matches on Subject: below --
2004-08-10 18:33 Jason Opperisano
2004-08-10 18:56 ` Meszaros Gergely
2004-08-10 19:18   ` Antony Stone
2004-08-10 21:10     ` Alistair Tonner
2004-08-10 18:23 Meszaros Gergely
2004-08-10 18:31 ` Antony Stone
2004-08-10 18:20 Mészáros Gergely
