Package: iptables
Version: 1.4.2-6
Severity: important

Running a stock Debian 5.0.3 AMD64 install I'm seeing connectivity 
problems with an iptables ruleset that works 100% on both Debian 4 
(etch) and Ubuntu 9.04.  Under Lenny I am still able to reach internet 
addresses using ping and nslookup; however, HTTP traffic in particular 
isn't being masqueraded properly to any website I've tried.

Looking at a tcpdump of my HTTP requests I see that the initial 
SYN packet is accepted and an ACK returned by the web server; however, 
after that it looks like TCP segments are being lost and the client 
machines behind the masquerading machine keep sending duplicate ACKs 
over and over without getting a meaningful response.  Again, I feel this 
is an iptables bug (or kernel module bug?) in Lenny because the exact 
same ruleset on the exact same hardware on the exact same network works 
flawlessly on Debian 4.0 and Ubuntu 9.04, unless there is something 
that has changed between Debian releases that I was unable to find 
documentation on.

My ruleset consists of 5 entries that should set it up to perform NAT 
over eth0:

#Flush all existing rules in the filter, nat and mangle tables
#(chain policies are left untouched by -F)
iptables -F; iptables -t nat -F; iptables -t mangle -F

#Configure for masquerading over eth0 (rewrite source address of
#everything leaving via eth0)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

#Allow forwarding of ipv4 packets
echo 1 > /proc/sys/net/ipv4/ip_forward

#Allow packets belonging to established/related connections into the host
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#Allow new connections to the host from everyone but the internet (eth0)
#("! -i eth0" is the supported negation syntax; "-i ! eth0" is the
#deprecated intrapositioned form that iptables 1.4 warns about)
iptables -A INPUT -m state --state NEW ! -i eth0 -j ACCEPT

This behavior has been reproducible across multiple OS installs.  Again, 
I get zero packet loss when I ping an internet address; however, that 
exact same address will fail to load any web pages over HTTP.


-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages iptables depends on:
ii  libc6                       2.7-18lenny2 GNU C Library: Shared libraries

iptables recommends no packages.

iptables suggests no packages.

-- no debconf information
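The following script is an added example and is not part of the bug report above. It writes out the same masquerading setup as reviewable commands instead of applying them blindly, adds explicit FORWARD rules (not in the reported ruleset; with FORWARD at its default ACCEPT policy they are not strictly needed), and includes the two checks a practitioner would reach for when pings succeed but TCP sessions stall right after the handshake: the state of the ip_forward switch, and an MSS-clamping rule to rule out a smaller MTU on the upstream link. The interface variable WAN_IF, the DRY_RUN switch and the function names are assumptions of this example; the clamp rule is something to try, not a diagnosis of the report.

```shell
#!/bin/sh
# Added example; not the ruleset from the bug report. Generates the NAT
# gateway rules for an upstream interface (WAN_IF, an assumed name) as
# text so they can be reviewed before being applied as root.
set -eu

# Emit the rules for a masquerading gateway whose internet-facing
# interface is $1. "iptables -F" only flushes the filter table, hence
# the separate nat and mangle flushes. The FORWARD rules are an
# addition to the reported ruleset and make the intended direction of
# forwarded traffic explicit.
nat_ruleset() {
    wan="$1"
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i $wan -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD ! -i $wan -o $wan -m state --state NEW -j ACCEPT
EOF
}

# Optional check for the "handshake completes, bulk data stalls"
# symptom: clamp the TCP MSS of forwarded SYNs to the path MTU so a
# smaller MTU on the upstream link does not silently drop large
# segments. Something to try while debugging, not a diagnosis.
mss_clamp_rule() {
    wan="$1"
    printf 'iptables -t mangle -A FORWARD -o %s -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu\n' "$wan"
}

# Report the kernel forwarding switch: prints 1, 0, or "unknown" when
# /proc is not readable (e.g. when reviewing on a non-Linux host).
forwarding_state() {
    if [ -r /proc/sys/net/ipv4/ip_forward ]; then
        cat /proc/sys/net/ipv4/ip_forward
    else
        echo unknown
    fi
}

# Print (DRY_RUN=1, the default) or execute (DRY_RUN=0, as root) every
# rule, then enable forwarding when actually applying.
apply_ruleset() {
    wan="$1"
    { nat_ruleset "$wan"; mss_clamp_rule "$wan"; } | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "$cmd"
        else
            eval "$cmd"
        fi
    done
    if [ "${DRY_RUN:-1}" = 0 ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# Stand-alone usage: review the rules, then run with DRY_RUN=0 as root.
apply_ruleset "${WAN_IF:-eth0}"
echo "ip_forward is currently: $(forwarding_state)"
```

Running it without arguments prints the rules for eth0; setting WAN_IF to the real upstream interface and DRY_RUN=0 applies them. After applying, comparing `iptables -t nat -L -v -n` counters on the MASQUERADE rule with a stalled HTTP transfer shows whether the reply segments are reaching the gateway at all.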


