I've recently repurposed an old computer to run Arch as a router by following this guide. I have two NICs on this computer, one connected to the modem, and one connected to a switch which also provides wifi. The problem is that certain services simply can't be used by the devices connected on the switch, be it over wifi or ethernet. For instance, from my android phone, I can't send or receive messages on Kik (I'm not sure how Kik delivers messages though), and on my desktop computer (connected by ethernet) I can't visit Stack Overflow or http://archlinux.org, but I have no problem using Google, Yahoo, Facebook, or Github, and my phone has no trouble going on Stack Overflow.
In order to post this message I've had to set up a little proxy with ssh via the router, which suggests that the connections aren't being blocked by the ISP.
Here's the output of iptables -L -n -v:
```
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- enp0s4 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
1435 93902 ACCEPT udp -- enp0s4 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- enp0s4 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
6 1968 ACCEPT udp -- enp0s4 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
45359 31M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 41 -- * * 0.0.0.0/0 0.0.0.0/0
95 3920 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
151 21384 UDP udp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
134 6536 TCP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 ctstate NEW
151 21384 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
34 1748 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-proto-unreachable

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1533K 1215M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
1971 192K fw-interfaces all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 fw-open all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-unreachable

Chain OUTPUT (policy ACCEPT 49839 packets, 32M bytes)
pkts bytes target prot opt in out source destination

Chain TCP (1 references)
pkts bytes target prot opt in out source destination
100 4788 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22

Chain UDP (1 references)
pkts bytes target prot opt in out source destination

Chain fw-interfaces (1 references)
pkts bytes target prot opt in out source destination
1971 192K ACCEPT all -- enp0s4 * 0.0.0.0/0 0.0.0.0/0

Chain fw-open (1 references)
pkts bytes target prot opt in out source destination
```
enp0s4 is the NIC facing the switch.
And here's the same command, but for the NAT table:
```
Chain PREROUTING (policy ACCEPT 2528 packets, 204K bytes)
pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 934 packets, 59267 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 1976 packets, 132K bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 2011 packets, 133K bytes)
pkts bytes target prot opt in out source destination
1382 120K MASQUERADE all -- * ppp0 10.0.0.0/24 0.0.0.0/0
```
I've only just started learning about iptables, so it very well could be a problem with the above configuration, but it seems to me that the symptoms of the problem can't be explained by a misconfiguration in the iptables. If the tables were misconfigured, wouldn't pretty much all traffic fail?
And it turns out that it's not just a question of whether the device is connected by wifi or by ethernet: I've tried using a laptop wirelessly and it is unable to connect to Stack Overflow, but it is able to connect to Google. Weirder still is that it's not just a matter of "being able to connect"... If I run
telnet stackoverflow.com 80
the connection succeeds, and if I type a bad HTTP request, e.g. "hi", I do get an HTTP error 400 page in return. If I run
wget stackoverflow.com
though, it just hangs on
HTTP request send, awaiting response...
Any advice on how to proceed in tracking down the source of this problem is appreciated!
Thanks
Last edited by tsani (2014-08-18 04:54:15)
What kind of internet connection are you provided with through the modem? ADSL? Cable?
ppp0 kind of makes me feel it's either ADSL or Cable using PPPoE to deliver connectivity wholesale over another provider's network.
So there could be MTU or MSS issues that need fixing, by either lowering the MTU or clamping the MSS.
Also I see you've got iptables rules for UDP and TCP pointing their targets at a UDP or TCP chain?
How do those UDP and TCP chains look? Or is it a typo or argument mishap with the -j *TARGET* part of those?
Last edited by revellion (2014-08-18 06:44:25)
The modem provides VDSL, and it's using PPPoE passthrough to let the router initiate the connection. I can't put it in a true bridge mode as those features are removed from the firmware by my ISP. The modem is a Sagemcom F@st 2864.
I set up the TCP and UDP chains to allow connections on certain ports to be accepted by the router itself. I should probably move those rules from the INPUT chain concerning ports 53 and 67 into the TCP and UDP chains. The contents of the TCP and UDP chains are shown in the first code block; they're pretty much empty except for a rule in the TCP chain to allow connections on port 22 coming from the internal network.
I tried lowering the MTU to some arbitrarily lower value with
ip link set mtu 800 dev ppp0
but it doesn't seem to make a difference: I still can't access most sites. The MTU prior to me changing it was 1492. Back when the modem was also serving as a router, its MTU was set to 1492 as well.
Could it be that it has to do with the size of the pages?
I've run wget through a proxy on some test web sites, and checked the size of the downloaded pages with du:
```
$ du -h google.html stackoverflow.html facebook.html gmail.html
20K google.html
224K stackoverflow.html
24K facebook.html
4.0K gmail.html
```
Of the above, only stackoverflow fails to load without the proxy. Really, it seems that the size of the downloaded page is relevant, but how can I resolve this in the router? What kind of traffic accounting tools can I use to verify that this is really the problem?
Edit: scratch that. I can load the main page of English Wikipedia without the proxy, and that's 72Kb, whereas I can't load archlinux.org, which is 36Kb.
Last edited by tsani (2014-08-18 23:52:32)
revellion, you were right about the MTU, clamping was needed. I thought that you just meant lowering the MTU, since I didn't know that MSS clamping was a thing. Asking around in IRC provided me with this link:
https://wiki.archlinux.org/index.php/pp … n.27t_work.
which describes how to get MSS clamping to work.
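A check for the condition the thread ends on, added here and not part of the thread or the Arch wiki: it derives the MSS a 1492-byte PPPoE link can carry (the MTU reported above, minus 40 bytes of IPv4 and TCP headers) and scans `iptables -t mangle -L FORWARD -n -v` output for a TCPMSS clamp rule on the uplink's SYN segments, so you can confirm the fix is actually installed on ppp0. The mangle-table sample is constructed; the parser assumes the same column layout as the `-L -n -v` output quoted in the first post.

```python
from __future__ import annotations
import re

# Constructed sample of `iptables -t mangle -L FORWARD -n -v` from a router
# that already clamps MSS on its PPPoE uplink (ppp0). Not real output.
SAMPLE_MANGLE_FORWARD = """\
Chain FORWARD (policy ACCEPT 4021 packets, 3102K bytes)
 pkts bytes target     prot opt in     out     source               destination
   37  2220 TCPMSS     tcp  --  *      ppp0    0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 TCPMSS clamp to PMTU
"""

# One rule line of `-L -n -v`: counters, target, proto, opt, in, out, src, dst, extras.
RULE_RE = re.compile(
    r"^\s*(?P<pkts>\d+[KMG]?)\s+(?P<bytes>\d+[KMG]?)\s+(?P<target>\S+)\s+"
    r"(?P<prot>\S+)\s+(?P<opt>\S+)\s+(?P<in>\S+)\s+(?P<out>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<extra>.*)$"
)

def expected_mss(mtu: int) -> int:
    """Largest IPv4 TCP payload per segment: MTU minus 20-byte IP and
    20-byte TCP headers. The 1492-byte PPPoE link above gives 1452."""
    return mtu - 40

def parse_rules(text: str) -> list[dict]:
    """Turn the rule lines of `iptables -L -n -v` output into dicts,
    skipping the 'Chain ...' and column-header lines."""
    rules = []
    for line in text.splitlines():
        if line.startswith("Chain") or line.lstrip().startswith("pkts"):
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append(m.groupdict())
    return rules

def find_mss_clamp(rules: list[dict], wan_if: str) -> dict | None:
    """Return how MSS is clamped for TCP SYNs leaving wan_if, or None.
    The rule must target TCPMSS, match tcp with a SYN-only flag test
    (compare value 0x02, as in 'flags:0x06/0x02' or 'flags:0x17/0x02'),
    and either clamp to PMTU or set an explicit value."""
    for r in rules:
        if r["target"] != "TCPMSS" or r["prot"] != "tcp" or r["out"] != wan_if:
            continue
        if "/0x02" not in r["extra"]:      # not restricted to SYN segments
            continue
        if "clamp to PMTU" in r["extra"]:
            return {"mode": "pmtu", "mss": None}
        m = re.search(r"TCPMSS set (\d+)", r["extra"])
        if m:
            return {"mode": "fixed", "mss": int(m.group(1))}
    return None
```

Running `find_mss_clamp` over the filter-table FORWARD chain quoted in the first post returns None, which is the state the thread started in.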