[plug] users cannot access internet
James Elliott
James.Elliott at wn.com.au
Mon May 12 12:00:28 WST 2003
I had a similar problem using a gateway (good LAN connection but no
Internet) and fixed it by changing the Maximum Transmission Unit packet
size. Microsoft have a large default packet size which dial-up modems and
Telstra don't particularly like (the default packet size is fine for
Ethernet LANs and broadband connections like ADSL).
The fact that you cannot ping past the modem is a worry - usually, even if
the MTU is too big you can still ping your ISP.
I know how to alter the MTU in Windoze:
http://www.winguides.com/registry/display.php/30/
but not in Linux, if, indeed, MTU exists in Linux.
Regards, James Elliott
----- Original Message -----
From: "Craig Ringer" <craig at postnewspapers.com.au>
To: <plug at plug.linux.org.au>
Sent: Friday, May 09, 2003 11:43 PM
Subject: Re: [plug] users cannot access internet
> Jon Miller wrote:
> > Set up a box with all the normal stuff running, postfix, named, cucipop,
> > etc. Routing table looks good. It's a dialup box, from the box that is
> > dialing to the ISP we can access the internet no problem. However, we
> > cannot ping anything past the modem. Can anyone point me in the right
> > direction?
> > All users are using W2Kp workstations and have a default gateway of the
> > server.
>
> run:
>
> iptables -L -n -v
> iptables -L -t nat -n -v
>
> and browse the results to make sure they make sense. In particular check
> that you're using the right interfaces. Make sure you're not blocking
> ICMP - though I presume "can't ping" in this case implies "can't get dns
> replies or other traffic through either".
>
> Also, for _temporary_ _testing_ _purposes_ _only_ (for security
> reasons), try:
>
> iptables -F
> iptables -X
>
> (clears tables)
>
> iptables -P INPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -P OUTPUT ACCEPT
>
> (opens up defaults)
>
> iptables -L -t nat -n -v
>
> (make sure NAT table looks sensible still. Here's mine from my firewall,
> trimmed of some site-specific forwards and other rules - and mangled by
> my mailer):
>
> Chain POSTROUTING (policy ACCEPT 264K packets, 16M bytes)
> pkts bytes target prot opt in out source
> destination
> 62207 3889K MASQUERADE all -- * * 192.168.0.0/24
> 0.0.0.0/0
>
>
>
> (the OUTPUT chain was empty, and the PREROUTING chain doesn't have
> anything you'll need in it, you can leave it empty too).
>
> Try adding these rules to the top of your normal ruleset (that is,
> after running your firewall script)
>
> iptables -I INPUT 1 -i ppp0 -j LOG --log-prefix "[PPPIN]"
> iptables -I OUTPUT 1 -o ppp0 -j LOG --log-prefix "[PPPOUT]"
> iptables -I INPUT 1 -i eth0 -j LOG --log-prefix "[ETHIN]"
> iptables -I OUTPUT 1 -o eth0 -j LOG --log-prefix "[ETHOUT]"
>
> so you can see where packets are hitting iptables and what's happening.
> Come to think of it, that'd be a /lot/ easier with tcpdump (run 2
> tcpdumps on different consoles):
>
> tcpdump -i ppp0
> tcpdump -i eth0
>
> and watch.
>
> Generally with networking issues, getting enough info kind of tells you
> what the problem is. You just have to systematically troubleshoot and
> collect info 'till you figure it out.
>
> Craig
>
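
Added example, not part of the original thread: a shell function that audits an `iptables-save` dump for the two things the quoted reply checks by eye, namely a MASQUERADE rule on the outbound interface and a filter table left in the temporary flush-and-ACCEPT test state. The function name, the sample dump and the `ppp0` argument are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Audits an `iptables-save` dump on stdin.
# Usage on a live gateway (as root): iptables-save | audit_ruleset ppp0
audit_ruleset() {
    awk -v wan="$1" '
        /^\*/ { table = substr($1, 2); next }   # table marker: *filter, *nat
        # Built-in chain header, e.g. ":FORWARD ACCEPT [0:0]"
        table == "filter" && /^:(INPUT|FORWARD|OUTPUT) / {
            if ($2 == "ACCEPT") accept++
            next
        }
        table == "filter" && /^-A / { rules++ }
        table == "nat" && /^-A POSTROUTING / && /-j MASQUERADE/ {
            masq++; out = ""
            for (i = 1; i < NF; i++) if ($i == "-o") out = $(i + 1)
            if (out == "") print "NOTE masquerade rule matches any out-interface"
            else if (out != wan) print "WARN masquerade on " out ", expected " wan
            else print "OK masquerade on " wan
        }
        END {
            if (!masq) print "FAIL no MASQUERADE rule in nat POSTROUTING"
            if (accept == 3 && !rules)
                print "FAIL filter table is empty with ACCEPT policies (test state)"
        }
    '
}

# Constructed sample: ruleset as left by the temporary flush-and-ACCEPT test.
sample_test_state() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE
COMMIT
EOF
}

sample_test_state | audit_ruleset ppp0
```

Running the audit again after the normal firewall script has been reloaded confirms the open test state did not stay in place.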