#1 2014-06-07 10:52:57

slaykovsky
Member
From: Russia, Irkutsk
Registered: 2014-06-07
Posts: 3

[SOLVED] NAT problems

Hi guys!
I'm a newbie in Arch (since yesterday :)). I have a network problem. Some sites (and IP addresses), such as http://typesafe.com, are not available on my laptop and desktop, which are connected to the Internet through NAT. There is a PC sitting in the living room that is connected to the Internet over PPPoE - it's the "server". Here is /etc/netctl/pppoe:

Description='TTK PPPoE connection'
Interface=enp2s6
Connection=pppoe
User='secret'
Password='secret'

# Always keep a connection established
ConnectionMode='persist'

# Use default route provided by the peer (default: true)
DefaultRoute=true
# Use DNS provided by the peer (default: true)
UsePeerDNS=true

Then, /etc/netctl/bridge:

Description="Home Bridge connection"
Interface=br0
Connection=bridge
BindsToInterfaces=(enp1s0 wlp2s7)
IP=static

Address=('192.168.0.1/24')
DNS=('141.105.32.88' '141.105.32.89')
## Ignore (R)STP and immediately activate the bridge
SkipForwardingDelay=yes

/etc/dnsmasq.conf

port=53
log-async=5
domain-needed
interface=br0
listen-address=192.168.0.1
bind-interfaces
domain=home.local
dhcp-range=192.168.0.10,192.168.0.150,12h

/etc/resolv.conf

# Generated by resolvconf
nameserver 141.105.32.88
nameserver 141.105.32.89

/etc/hostapd/hostapd.conf

ssid=HomeGroup
wpa_passphrase=password
interface=wlp2s7
bridge=br0
auth_algs=3
channel=7
driver=nl80211
hw_mode=g
logger_stdout=-1
logger_stdout_level=2
max_num_sta=5
rsn_pairwise=CCMP
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
beacon_int=1000
dtim_period=2
max_num_sta=255
rts_threshold=2347
fragm_threshold=2346
wmm_enabled=1
wmm_ac_bk_cwmin=4
wmm_ac_bk_cwmax=10
wmm_ac_bk_aifs=7
wmm_ac_bk_txop_limit=0
wmm_ac_bk_acm=0
wmm_ac_be_aifs=3
wmm_ac_be_cwmin=4
wmm_ac_be_cwmax=10
wmm_ac_be_txop_limit=0
wmm_ac_be_acm=0
wmm_ac_vi_aifs=2
wmm_ac_vi_cwmin=3
wmm_ac_vi_cwmax=4
wmm_ac_vi_txop_limit=94
wmm_ac_vi_acm=0
wmm_ac_vo_txop_limit=47
wmm_ac_vo_acm=0
ieee80211n=1
ht_capab=[HT40+][SHORT-GI-40][TX-STBC][RX-STBC2][DSSS_CK-40]
own_ip_addr=127.0.0.1

/etc/iptables/iptables.rules

# Generated by iptables-save v1.4.21 on Sat Jun  7 18:24:09 2014
*mangle
:PREROUTING ACCEPT [1:382]
:INPUT ACCEPT [1:382]
:FORWARD ACCEPT [1:382]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [1:382]
COMMIT
# Completed on Sat Jun  7 18:24:09 2014
# Generated by iptables-save v1.4.21 on Sat Jun  7 18:24:09 2014
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
:fw-interfaces - [0:0]
:fw-open - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j fw-interfaces
-A FORWARD -j fw-open
-A FORWARD -j REJECT --reject-with icmp-host-unreachable
-A fw-interfaces -i br0 -j ACCEPT
COMMIT
# Completed on Sat Jun  7 18:24:09 2014
# Generated by iptables-save v1.4.21 on Sat Jun  7 18:24:09 2014
*nat
:PREROUTING ACCEPT [1:382]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [1:382]
-A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE
COMMIT
# Completed on Sat Jun  7 18:24:09 2014

Maybe someone can help me? On the "server" it's all OK. Every IP or site works well. And the DNS server works well, I guess.
I don't know how I can fix it by myself. Maybe my iptables rules suck? Maybe something different sucks ;(

If you need some logs, ask me to show them, because I don't know which ones you need. ;)

P.S. Sorry for my English.

UPD. Chrome gives me this when I try to open the site:

Unable to load the webpage because the server sent no data.
Error code: ERR_EMPTY_RESPONSE

UPD 2. With only

# Generated by iptables-save v1.4.21 on Sat Jun  7 21:35:41 2014
*nat
:PREROUTING ACCEPT [7:541]
:INPUT ACCEPT [7:541]
:OUTPUT ACCEPT [24:1306]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Sat Jun  7 21:35:41 2014
# Generated by iptables-save v1.4.21 on Sat Jun  7 21:35:41 2014
*filter
:INPUT ACCEPT [15528:21480359]
:FORWARD ACCEPT [83:4770]
:OUTPUT ACCEPT [8731:529281]
COMMIT
# Completed on Sat Jun  7 21:35:41 2014
# Generated by iptables-save v1.4.21 on Sat Jun  7 21:35:41 2014
*mangle
:PREROUTING ACCEPT [15612:21485161]
:INPUT ACCEPT [15528:21480359]
:FORWARD ACCEPT [83:4770]
:OUTPUT ACCEPT [8731:529281]
:POSTROUTING ACCEPT [8814:534051]
COMMIT
# Completed on Sat Jun  7 21:35:41 2014

in /etc/iptables/iptables.rules the situation is similar.

Last edited by slaykovsky (2014-06-08 12:16:35)


#2 2014-06-08 12:12:29

ValdikSS
Member
Registered: 2011-03-30
Posts: 31

Re: [SOLVED] NAT problems

Since it's PPPoE, try to clamp MSS to PMTU:

sudo iptables -I FORWARD -i br0 -o ppp0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

And please make sure to configure the firewall not to MASQUERADE traffic from enp1s0 to ppp0.
And don't forget about IPv6 (http://habrahabr.ru/post/225539/)

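To show why the clamp rule above fixes the "server sent no data" symptom, here is an added model (not from the thread) of a LAN client behind a PPPoE NAT: the remote server fills segments up to the MSS it saw in the SYN, and a 1500-byte segment cannot cross the 1492-byte ppp0 link. Link MTUs are the standard Ethernet and PPPoE values; the hosts, path and segment sizes are constructed for illustration.

```python
"""Model of TCP MSS clamping on a PPPoE NAT router (added example)."""

IPV4_HDR = 20
TCP_HDR = 20
ETH_MTU = 1500
PPPOE_MTU = 1492   # Ethernet MTU minus the 8-byte PPPoE + PPP header


def mss_for_mtu(mtu: int) -> int:
    """MSS that fits one link: MTU minus IPv4 and TCP headers."""
    return mtu - IPV4_HDR - TCP_HDR


def clamp_syn_mss(advertised_mss: int, egress_mtu: int) -> int:
    """What `-p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu`
    does to a forwarded SYN: lower the MSS option to fit the outgoing link,
    never raise it."""
    return min(advertised_mss, mss_for_mtu(egress_mtu))


def segment_traverses(payload: int, path_mtus: list, icmp_allowed: bool) -> str:
    """Fate of one TCP segment (DF set) carrying `payload` bytes across links
    with the given MTUs:
      'delivered' - fits every link
      'pmtud'     - too big, but ICMP Fragmentation Needed reaches the sender
      'blackhole' - too big and ICMP is filtered: silently dropped, the
                    connection stalls (SYN/ACK and small replies still work,
                    which is exactly a browser's empty-response error)."""
    size = payload + IPV4_HDR + TCP_HDR
    if all(size <= mtu for mtu in path_mtus):
        return "delivered"
    return "pmtud" if icmp_allowed else "blackhole"


def fetch_outcome(client_mss: int, clamp: bool, icmp_allowed: bool) -> str:
    """LAN client -> br0 -> ppp0 -> remote web server, then the server's
    full-size response segments travel back over the same links."""
    path = [ETH_MTU, PPPOE_MTU, ETH_MTU]   # client LAN, PPPoE uplink, server LAN
    mss = clamp_syn_mss(client_mss, PPPOE_MTU) if clamp else client_mss
    return segment_traverses(mss, path, icmp_allowed)


if __name__ == "__main__":
    # A stock Ethernet client advertises 1460; unclamped it stalls when ICMP is lost.
    print("unclamped:", fetch_outcome(1460, clamp=False, icmp_allowed=False))
    print("clamped:  ", fetch_outcome(1460, clamp=True, icmp_allowed=False))
```

Note that clamping only rewrites the SYN; a path whose ICMP is filtered still black-holes large packets for non-TCP traffic.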

#3 2014-06-08 12:16:14

slaykovsky
Member
From: Russia, Irkutsk
Registered: 2014-06-07
Posts: 3

Re: [SOLVED] NAT problems

Awesome! Thank you :)
Solved.
