RE: [LARTC] Re: Debian Sarge Server with iptables behind D-Link Router
very good. thank you

> Hello,
>
> On Wednesday 1 February 2006 23:11, LinuXKiD wrote:
> > Some times, I fail to access some HTTPS URLs or MSN service
> > if you (dlink or router) mis-manipulate the mtu
>
> Did you try the TCPMSS netfilter target ?
>
> For instance :
>
> -A POSTROUTING -o ppp0 -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu
> -A POSTROUTING -o ppp0 -j MASQUERADE
>
> As you are probably using pppoe on the telephone loop, the maximum transmit
> unit cannot reach its maximum 1500 bytes.
> The pppoe header takes 4 bytes.
>
> You should also let some icmp packets get in in order to have pmtu discovery
> effective.
>
> HTH,
Re: [LARTC] Re: Debian Sarge Server with iptables behind D-Link Router
Hello,

On Wednesday 1 February 2006 23:11, LinuXKiD wrote:
> Some times, I fail to access some HTTPS URLs or MSN service
> if you (dlink or router) mis-manipulate the mtu

Did you try the TCPMSS netfilter target ?

For instance :

-A POSTROUTING -o ppp0 -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu
-A POSTROUTING -o ppp0 -j MASQUERADE

As you are probably using pppoe on the telephone loop, the maximum transmit
unit cannot reach its maximum 1500 bytes.
The pppoe header takes 4 bytes.

You should also let some icmp packets get in in order to have pmtu discovery
effective.

HTH,

> andres
>
> > Hi,
> >
> > > try next:
> > > - Put d-link ADSL as "modem"
> > > - Make PPPoE call under Linux
> >
> > Yes I've already tried this - that's my current configuration since one
> > week;)
> >
> > But I want to understand why it's not possible to use the D-Link as a
> > router, and for what kind of problem the tcpdump results stand for.
> >
> > Ralph
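The TCPMSS suggestion above, written out as a complete script. This is an added example, not the poster's ruleset and not the original poster's configuration: it derives the MSS from the link MTU, emits the clamp rule in the mangle table, and adds the ICMP rules the reply mentions for PMTU discovery. The interface name ppp0, the 1492-byte PPPoE MTU (1500 minus the 8 bytes of PPPoE/PPP framing) and the choice of the FORWARD chain are assumptions; adjust them to the real setup.

```shell
#!/bin/sh
# Added example, not the poster's ruleset: MSS clamping for a PPPoE uplink
# plus the ICMP "fragmentation needed" rules that PMTU discovery relies on.
# Assumptions: the PPPoE link is ppp0 with a 1492-byte MTU (1500 minus the
# 8 bytes of PPPoE/PPP framing). Running the script prints the iptables
# commands; pipe them into "sh -e" as root to install them.
set -eu

WAN="${WAN:-ppp0}"          # assumed uplink interface
WAN_MTU="${WAN_MTU:-1492}"  # assumed PPPoE MTU

# Largest MSS that fits one MTU: subtract the 20-byte IPv4 header and the
# 20-byte TCP header (no options).
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# Print the rules. TCPMSS is a mangle-table target; FORWARD catches the SYNs
# of the NATed LAN hosts, the tcpmss match skips SYNs whose MSS already fits,
# and --clamp-mss-to-pmtu takes the value from the route's MTU instead of a
# hard-coded number. The ICMP rules admit type 3/code 4 ("fragmentation
# needed") for the server itself and for the LAN behind it.
clamp_rules() {
    iface="$1"; mss="$2"
    cat <<EOF
iptables -t mangle -A FORWARD -o $iface -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss $(( mss + 1 )):65535 -j TCPMSS --clamp-mss-to-pmtu
iptables -A INPUT -i $iface -p icmp --icmp-type fragmentation-needed -j ACCEPT
iptables -A FORWARD -i $iface -p icmp --icmp-type fragmentation-needed -j ACCEPT
EOF
}

# Print the generated rules; install with:  sh mss-clamp.sh | sudo sh -e
clamp_rules "$WAN" "$(mss_for_mtu "$WAN_MTU")"
```

If the ruleset already accepts `-m state --state ESTABLISHED,RELATED` early in INPUT and FORWARD, connection tracking classifies ICMP errors for tracked flows as RELATED and lets them through on its own; the explicit ICMP rules matter for rulesets that drop ICMP before that point.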
RE: [LARTC] Re: Debian Sarge Server with iptables behind D-Link Router
Some times, I fail to access some HTTPS URLs or MSN service
if you (dlink or router) mis-manipulate the mtu

andres

> Hi,
>
> > try next:
> > - Put d-link ADSL as "modem"
> > - Make PPPoE call under Linux
>
> Yes I've already tried this - that's my current configuration since one
> week;)
>
> But I want to understand why it's not possible to use the D-Link as a
> router, and for what kind of problem the tcpdump results stand for.
>
> Ralph
>
> > > Hi,
> > >
> > > I have the shown (end of this post) network configuration.
> > >
> > > In a "few" words: My Debian Sarge server is connected to a D-Link ADSL
> > > Router (DSL-562T). DMZ is enabled for the Debian Sarge IP on the Router.
> > >
> > > My Linux server has two NICs.
> > > ethlan = internal Net
> > > ethdsl = external -> D-Link
> > >
> > > My Linux server is configured to make NAT via iptables.
> > >
> > > Current state - what's working:
> > > - Access from internal LAN to Internet is working (http, https, ftp, etc)
> > > - Access inside the LAN is working
> > > - Access inside the LAN to the linux server is working (http, https,
> > >   IMAP and SSH)
> > > - Access from outside the LAN (from internet) to the Linux server is
> > >   working for https, IMAP and SSH
> > >
> > > ***BUT***:
> > > Same problem, similar for SSH, https and IMAP:
> > > On an internet browser inside the lan I can't access the webserver on
> > > the Linux Server when I enter the external URL of the Linux server
> > > (dynDNS domain name).
> > > The https-page won't be opened. A simple ping to the linux server with
> > > the same dynDNS domain name works. Trying to enter the external IP of
> > > the linux server in the browser also won't work.
> > > The page won't be opened in the browser.
> > >
> > > The page is then not opened in the browser.
> > > Via telnet to https or ssh or IMAP, no connection is established either
> > > when I give the dynDNS domain name as the target.
> > > As said, if I enter the local name or the local IP instead of the dynDNS
> > > domain name, then it works.
> > >
> > > iptables should log dropped packets. But there aren't any dropped packets.
> > > Ifconfig also does not show any errors (dropped packets) for ethlan /
> > > ethdsl.
> > >
> > > So I've tried to understand what tcpdump shows for port 443. But I'm
> > > bound to say that I'm absolutely not firm with tcpdump.
> > > Here's what tcpdump shows:
> > >
> > >
> > > tcpdump for port 443:
> > > Not working access from inside the lan to the servers external Name /
> > > the servers external IP:
> > > => no connection
> > >
> > > p54BE15A1.dip0.t-ipconnect.de.https: S 1859848764:1859848764(0) win 65535
> > > 18:43:41.477631 IP lp-java.linkpool.3491 > p54BE15A1.dip0.t-ipconnect.de.https: S 1859848764:1859848764(0) win 65535
> > > 18:43:41.479358 IP p54BE15A1.dip0.t-ipconnect.de.https > lp-java.linkpool.3491: R 0:0(0) ack 1859848765 win 0
> > > 18:43:41.967525 IP lp-java.linkpool.3491 > p54BE15A1.dip0.t-ipconnect.de.https: S 1859848764:1859848764(0) win 65535
> > > 18:43:41.969239 IP p54BE15A1.dip0.t-ipconnect.de.https > lp-java.linkpool.3491: R 0:0(0) ack 1 win 0
> > > 18:43:42.468301 IP lp-java.linkpool.3491 > p54BE15A1.dip0.t-ipconnect.de.https: S 1859848764:1859848764(0) win 65535
> > > 18:43:42.470116 IP p54BE15A1.dip0.t-ipconnect.de.https > lp-java.linkpool.3491: R 0:0(0) ack 1 win 0
> > >
> > >
> > > tcpdump for port 443:
> > > WORKING access from inside the lan to the servers INTERNAL Name / the
> > > servers INTERNAL IP:
> > > => Successful connection
> > >
> > > 18:45:38.773997 IP lp-java.linkpool.3492 > lp-komodo.LINKPOOL.https: S 1505679381:1505679381(0) win 65535
> > > 18:45:38.774478 IP lp-komodo.LINKPOOL.https > lp-java.linkpool.3492: S 189223170:189223170(0) ack 1505679382 win 5840 <mss 1460,nop,nop,sackOK>
> > > 18:45:38.774062 IP lp-java.linkpool.3492 > lp-komodo.LINKPOOL.https: . ack 1 win 65535
> > > 18:45:38.774608 IP lp-java.linkpool.3492 > lp-komodo.LINKPOOL.https: P 1:106(105) ack 1 win 65535
> > > 18:45:38.774660 IP lp-komodo.LINKPOOL.https > lp-java.linkpool.3492: . ack 106 win 5840
> > > 18:45:38.813185 IP lp-komodo.LINKPOOL.https > lp-java.linkpool.3492: P 1:1055(1054) ack 106 win 5840
> > > 18:45:38.927284 IP lp-java.linkpool.3492 > lp-komodo.LINKPOOL.https: . ack 1055 win 64481
> > >
> > > Is there anyone who can interpret those results? Is this enough
> > > information to see where the problem may be?
> > > Wrong Routing? Linux server iptables problem? Problem inside the D-Link
> > > Router?
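A way to read the two captures quoted above mechanically, added here as an example and not part of the thread. The sample lines are the ones Ralph posted, embedded as a constructed here-document (with the `<mss` that the mail archive dropped restored); the parser follows the single-letter TCP flag format of the tcpdump version in the post and groups packets by the client's ephemeral port. What it shows is the difference between the two traces: in the failing one every SYN to the external address is answered with a RST (the connection is refused by whatever answers for that address, not silently dropped, which is why the iptables log and ifconfig show nothing), while in the working one the SYN is answered with SYN/ACK and data flows both ways. The trace alone does not say which box sent the RST.

```shell
#!/bin/sh
# Added example, not from the thread: summarise tcpdump TCP traces per
# client port. Sample input is the capture quoted in the post (constructed
# here); the flag handling follows that tcpdump version's "S", "R", "P", "."
# notation. Mail-quote prefixes ("> > > ") are stripped so the quoted
# lines can be pasted as they are.
set -eu

# Reads tcpdump lines on stdin and prints, per client port:
#   <port> syn=<n> synack=<n> rst=<n> data=<payload bytes> verdict=<...>
# Lines that are not complete "time IP src > dst: ..." records are ignored.
summarise_flows() {
    awk '
    { sub(/^[> ]+/, "") }                      # tolerate mail-quoted lines
    $2 == "IP" && $4 == ">" {
        src = $3; dst = $5; sub(/:$/, "", dst)
        n = split(src, s, "."); sport = s[n]  # last dotted field is the port
        n = split(dst, d, "."); dport = d[n]
        # the client is the end with the numeric (ephemeral) port; the
        # server side shows the service name, e.g. "https"
        from_client = (sport ~ /^[0-9]+$/)
        port = from_client ? sport : dport
        seen[port] = 1
        if ($6 ~ /S/) { if (from_client) syn[port]++; else synack[port]++ }
        if ($6 ~ /R/) rst[port]++
        if ($6 ~ /P/) {                        # "P 1:106(105)" -> 105 bytes
            x = $7; sub(/.*\(/, "", x); sub(/\).*/, "", x); data[port] += x
        }
    }
    END {
        for (p in seen) {
            v = "no-answer"
            if (synack[p] > 0) v = "established"
            else if (rst[p] > 0) v = "refused-with-RST"
            printf "%s syn=%d synack=%d rst=%d data=%d verdict=%s\n",
                   p, syn[p], synack[p], rst[p], data[p], v
        }
    }' | sort
}

# Constructed sample: the two captures from the post, one failing, one working.
sample_capture() {
    cat <<'EOF'
p54BE15A1.dip0.t-ipconnect.de.https: S 1859848764:1859848764(0) win 65535
18:43:41.477631 IP lp-java.linkpool.3491 > p54BE15A1.dip0.t-ipconnect.de.https: S 1859848764:1859848764(0) win 65535
18:43:41.479358 IP p54BE15A1.dip0.t-ipconnect.de.https > lp-java.linkpool.3491: R 0:0(0) ack 1859848765 win 0
18:43:41.967525 IP lp-java.linkpool.3491 > p54BE15A1.dip0.t-ipconnect.de.https: S 1859848764:1859848764(0) win 65535
18:43:41.969239 IP p54BE15A1.dip0.t-ipconnect.de.https > lp-java.linkpool.3491: R 0:0(0) ack 1 win 0
18:43:42.468301 IP lp-java.linkpool.3491 > p54BE15A1.dip0.t-ipconnect.de.https: S 1859848764:1859848764(0) win 65535
18:43:42.470116 IP p54BE15A1.dip0.t-ipconnect.de.https > lp-java.linkpool.3491: R 0:0(0) ack 1 win 0
18:45:38.773997 IP lp-java.linkpool.3492 > lp-komodo.LINKPOOL.https: S 1505679381:1505679381(0) win 65535
18:45:38.774478 IP lp-komodo.LINKPOOL.https > lp-java.linkpool.3492: S 189223170:189223170(0) ack 1505679382 win 5840 <mss 1460,nop,nop,sackOK>
18:45:38.774062 IP lp-java.linkpool.3492 > lp-komodo.LINKPOOL.https: . ack 1 win 65535
18:45:38.774608 IP lp-java.linkpool.3492 > lp-komodo.LINKPOOL.https: P 1:106(105) ack 1 win 65535
18:45:38.774660 IP lp-komodo.LINKPOOL.https > lp-java.linkpool.3492: . ack 106 win 5840
18:45:38.813185 IP lp-komodo.LINKPOOL.https > lp-java.linkpool.3492: P 1:1055(1054) ack 106 win 5840
18:45:38.927284 IP lp-java.linkpool.3492 > lp-komodo.LINKPOOL.https: . ack 1055 win 64481
EOF
}

# Usage: sample_capture | summarise_flows   (or: tcpdump -n ... | summarise_flows)
sample_capture | summarise_flows
```

On the sample this prints port 3491 as three SYNs, three RSTs and no payload (refused-with-RST) and port 3492 as a completed handshake with 1159 payload bytes (established). With a live capture, run tcpdump with -n so ports show as numbers on both sides; the client-side heuristic then needs the server port instead of the "https" name.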