the wrote:
Hello. This is the first time I'm dealing with wifi and the second
time with NAT.
I have a server (access point) with a ppp0 interface (internet), eth0,
wlan0, tun0 and sit0. A dhcp server is listening on wlan0 and provides
local ip addresses, dns (= my isp dns) and router (= server wlan0 ip
address). Nat is configured on the server like this:
# Generated by iptables-save v1.4.20 on Fri Jan 10 21:34:26 2014
*raw
:PREROUTING ACCEPT [1000941:974106726]
:OUTPUT ACCEPT [775261:165606146]
COMMIT
# Completed on Fri Jan 10 21:34:26 2014
# Generated by iptables-save v1.4.20 on Fri Jan 10 21:34:26 2014
*nat
:PREROUTING ACCEPT [888:45008]
:INPUT ACCEPT [63:9590]
:OUTPUT ACCEPT [442:27137]
:POSTROUTING ACCEPT [36:1728]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Fri Jan 10 21:34:26 2014
# Generated by iptables-save v1.4.20 on Fri Jan 10 21:34:26 2014
*mangle
:PREROUTING ACCEPT [1000941:974106726]
:INPUT ACCEPT [951658:947497602]
:FORWARD ACCEPT [39262:26279024]
:OUTPUT ACCEPT [775261:165606146]
:POSTROUTING ACCEPT [814621:191890787]
COMMIT
# Completed on Fri Jan 10 21:34:26 2014
# Generated by iptables-save v1.4.20 on Fri Jan 10 21:34:26 2014
*filter
:INPUT ACCEPT [371:35432]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [33994:3725352]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o ppp0 -j ACCEPT
-A FORWARD -i ppp0 -o wlan0 -j ACCEPT
-A FORWARD -i eth0 -j DROP
-A FORWARD -i tun0 -j DROP
COMMIT
# Completed on Fri Jan 10 21:34:26 2014
I have a client that connects to my wifi, obtains an address via dhcp
and ... can't access almost all of internet sites.
I was able to ping any web service I could think of, but I was able to
use only google/youtube. I can do text/image searches on google and
can open youtube (but videos aren't loading). On other services wget
says connection established, but it can't retrieve anything. If I ssh
to an external server (not my nat server) I can ls, but if I try to ls
-alh I receive only a half of the files list and the terminal hangs
after that.
If I do $python -m http.server on my server I can do file transfers
and open html pages on my client. I have tried this
https://wiki.archlinux.org/index.php/Software_Access_Point#WLAN_is_very_slow

Also I have tried to insert LOG target in FORWARD of filter.
It showed that I send way more packets (>10) to a http server than I
receive (~2-4).
The client is fine and behaves normally with wifi, used it many times.
Thanks for your time.

It's probable that you need to make use of MSS clamping. Try the following rule:

iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

--Kerin
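
To show what the rule in the reply does to a connection's SYN, the following Python sketch (an added example, not part of the original thread) parses the MSS option and applies the same "path MTU minus 40" limit that --clamp-mss-to-pmtu uses for IPv4. The sample SYN, the 1492-byte path MTU and the function names are constructed for illustration.

```python
import struct

IPV4_HDR = 20   # bytes, IPv4 header without options
TCP_HDR = 20    # bytes, TCP header without options

def syn_mss(tcp: bytes):
    """Return the MSS option carried by a TCP SYN header, or None."""
    if len(tcp) < TCP_HDR or not tcp[13] & 0x02:   # too short, or SYN bit clear
        return None
    end = min((tcp[12] >> 4) * 4, len(tcp))        # data offset is in 32-bit words
    i = TCP_HDR
    while i < end:
        kind = tcp[i]
        if kind == 0:                              # End of Option List
            break
        if kind == 1:                              # NOP is a single byte
            i += 1
            continue
        if i + 1 >= end:                           # no room for a length byte
            break
        length = tcp[i + 1]
        if length < 2 or i + length > end:         # malformed list: stop parsing
            break
        if kind == 2 and length == 4:              # MSS option, 16-bit value
            return struct.unpack_from("!H", tcp, i + 2)[0]
        i += length
    return None

def clamped_mss(tcp: bytes, path_mtu: int):
    """MSS the SYN would advertise after clamping; the value is never raised."""
    mss = syn_mss(tcp)
    if mss is None:
        return None
    return min(mss, path_mtu - IPV4_HDR - TCP_HDR)

# Constructed SYN: ports 40000 -> 80, options NOP, window scale 7, MSS 1460.
SAMPLE_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 7 << 4, 0x02, 29200, 0, 0) \
    + bytes([1, 3, 3, 7, 2, 4, 0x05, 0xB4])

if __name__ == "__main__":
    for mtu in (1500, 1492):                       # 1492 is an assumed smaller path MTU
        print(f"path MTU {mtu}: MSS {syn_mss(SAMPLE_SYN)} -> {clamped_mss(SAMPLE_SYN, mtu)}")
```

With the smaller path MTU the advertised MSS drops from 1460 to 1452, so full-size segments from the remote server fit the link instead of being silently lost, which matches the symptom of small transfers working and large ones hanging.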
