Linux firewall problem - MTU

LCE
System: Linux firewall with IPTables and masquerading on Fedora Core 3 with iBurst Ethernet modem.

Problem: Web browsing is slow yet file downloading is fine most of the times.

I am sure most Linux administrators know about this, but this message is for people like me who pulled their hair out for 5 hours :confused: to fix a little problem with one single command. :mad:

I tested my modem on Windows 2k to get it going. My next step was to implement it on Linux. I used Fedora Core 3 with PPPoE. I implemented the firewall script that I use on Telkom ADSL firewall boxes. The script is a small firewall with IP masq for distribution. The Internet was up on my local network, but some sites were just slow. I tested the modem again and concluded that it was my firewall box.

I used ping, traceroute and Ethereal, and they showed that now and again funny stuff happens. This was all due to the MTU and MSS not being right. There are different methods to fix it, but the method that worked best for me, with the speed at 100%, was to add an iptables command.

COMMAND:
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

More information is available in the Linux IP MASQUERADE HOWTO, section 7.15 MTU.

If the MTU were changed instead, the change would need to happen on every single PC. With iptables, only the server is changed.
 
The easiest way to solve any browsing issues is to use a proxy like Squid. I use Squid on my Linux box at home, and a lot of the DNS issues etc. are solved with a proxy. Plus the web cache and being permanently connected speed things up.
 
LCE -
I read somewhere on fedorafaq.com about some NAT features being disabled out of the box by Fedora - check up on this if you want.

Also, why use FC3 when you can use IPCop, and all the config and optimization is done for you + a nice GUI...
 
LCE said:
COMMAND:
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

More information is available in the Linux IP MASQUERADE HOWTO, section 7.15 MTU.

Why don't you use Shorewall, which is an interface to iptables? This is MUCH easier, since it's a boolean option in a config file.
 
Crash, I'm not sure how a proxy solves your DNS issues? The two are not related and squid also depends (like any other network app) on a reliable DNS server.
 
koffiejunkie said:
Crash, I'm not sure how a proxy solves your DNS issues? The two are not related and squid also depends (like any other network app) on a reliable DNS server.
If you have DNS issues on a firewall make sure that port 53 is open for UDP as well as TCP. You will probably find you are blocking the UDP traffic that you need.
 
koffiejunkie said:
Crash, I'm not sure how a proxy solves your DNS issues? The two are not related and squid also depends (like any other network app) on a reliable DNS server.
I believe the problem is NATting-related rather than an actual firewall (open port etc.) issue. The problem only affects certain sites. But when going via a proxy on the firewall, the issues are resolved.
 
DFantom said:
I believe the problem is NATting-related rather than an actual firewall (open port etc.) issue. The problem only affects certain sites. But when going via a proxy on the firewall, the issues are resolved.
On the machine that connects through the firewall, have you put in the actual DNS entries there? Primary as well as secondary?
 
From Howto:

With modern 2.4.x Linux systems, most users point their finger at the administrators of these remote broken sites (typically SSL-encrypted WWW sites, etc.) or your MASQ server's upstream router run by your ISP. The main thought is that these machines are either filtering or not properly responding to SOME or ALL FORMS of ICMP packets (specifically ICMP Code 3 Type 4 - Fragmentation Needed messages) due to a fray of misplaced security paranoia.

What does that all mean? Basically, say your machine is connected to the Internet with a MTU of 1492 bytes (Maximum Transmission Unit -- the maximum packet size your computer can transmit) which is common for PPPoE users. At the same time, the remote WWW/FTP site is connected to the Internet at a MTU of 1500 bytes. The way that TCP/IP works is that when a TCP connection is being negotiated for your HTTP / FTP connection, the remote side will try to verify that a 1500 byte packet can reach your computer via the initial TCP "SYN" packet.

Since the packet is too big for your connection, your upstream router (run by your ISP) will send an ICMP 3:4 (fragmentation needed) packet back to the remote WWW / FTP server. Within this packet is a recommended smaller MTU size to retry with. The problem is that either your local upstream router, some router between you and the remote server, or the remote HTTP / FTP server is either misconfigured or has a firewall in front of it that is BLOCKing these ICMP packets.
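As an added illustration (not from the thread or the HOWTO), here is a small Python model of the two mechanisms the quoted text and the iptables command above rely on: reading the Next-Hop MTU out of an ICMP 3:4 message, and rewriting the MSS option in a SYN the way TCPMSS --clamp-mss-to-pmtu does. The 20-byte IPv4 and TCP header sizes and the sample packets are assumptions constructed for the example.

```python
import struct

IPV4_HDR_LEN = 20   # IPv4 header without options (assumption)
TCP_HDR_LEN = 20    # TCP header without options (assumption)
MSS_KIND = 2        # TCP option kind for Maximum Segment Size

def next_hop_mtu_from_icmp(icmp: bytes):
    """Return the Next-Hop MTU carried by an ICMP type 3 code 4
    (Destination Unreachable / Fragmentation Needed) message, else None.
    Layout: type(1) code(1) checksum(2) unused(2) next-hop MTU(2) ..."""
    if len(icmp) < 8 or icmp[0] != 3 or icmp[1] != 4:
        return None
    return struct.unpack("!H", icmp[6:8])[0]

def clamp_mss_to_pmtu(tcp_opts: bytes, pmtu: int):
    """Mimic what --clamp-mss-to-pmtu does to a SYN: walk the TCP options
    and, if the MSS option advertises more than pmtu - 40, rewrite it in
    place. Returns (new_options, effective_mss); effective_mss is None
    when the SYN carried no MSS option at all."""
    max_mss = pmtu - IPV4_HDR_LEN - TCP_HDR_LEN
    buf = bytearray(tcp_opts)
    i = 0
    while i < len(buf):
        kind = buf[i]
        if kind == 0:            # End of option list
            break
        if kind == 1:            # NOP padding, one byte, no length
            i += 1
            continue
        if i + 1 >= len(buf):
            raise ValueError("truncated TCP option")
        length = buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError("bad TCP option length")
        if kind == MSS_KIND and length == 4:
            mss = struct.unpack("!H", buf[i + 2:i + 4])[0]
            if mss > max_mss:
                buf[i + 2:i + 4] = struct.pack("!H", max_mss)
            return bytes(buf), min(mss, max_mss)
        i += length
    return bytes(buf), None

if __name__ == "__main__":
    # Constructed SYN options: MSS=1460, NOP, WScale=7, SACK-permitted
    syn_opts = bytes.fromhex("020405b4010303070402")
    # Constructed ICMP 3:4 from the upstream router: next-hop MTU 1492 (PPPoE)
    icmp = bytes([3, 4, 0, 0, 0, 0]) + struct.pack("!H", 1492) + bytes(28)
    pmtu = next_hop_mtu_from_icmp(icmp)
    new_opts, mss = clamp_mss_to_pmtu(syn_opts, pmtu)
    print(f"PMTU {pmtu}: MSS 1460 clamped to {mss}; options now {new_opts.hex()}")
```

If the ICMP 3:4 never arrives (the blocked case the HOWTO describes), no PMTU is learned; clamping on the masquerading box at SYN time is what sidesteps that dependency.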
 