| 1 |
the wrote: |
| 2 |
> -----BEGIN PGP SIGNED MESSAGE----- |
| 3 |
> Hash: SHA1 |
| 4 |
> |
| 5 |
> Hello. This is the the first time I'm dealing with wifi and the second |
| 6 |
> time with NAT. |
| 7 |
> I have a server (access point) with a ppp0 interface (internet), eth0, |
| 8 |
> wlan0, tun0 and sit0. A dhcp server is listening on wlan0 and provides |
| 9 |
> local ip addresses, dns (= my isp dns) and router (= server wlan0 ip |
| 10 |
> address). Nat is configured on the server like this: |
| 11 |
> # Generated by iptables-save v1.4.20 on Fri Jan 10 21:34:26 2014 |
| 12 |
> *raw |
| 13 |
> :PREROUTING ACCEPT [1000941:974106726] |
| 14 |
> :OUTPUT ACCEPT [775261:165606146] |
| 15 |
> COMMIT |
| 16 |
> # Completed on Fri Jan 10 21:34:26 2014 |
| 17 |
> # Generated by iptables-save v1.4.20 on Fri Jan 10 21:34:26 2014 |
| 18 |
> *nat |
| 19 |
> :PREROUTING ACCEPT [888:45008] |
| 20 |
> :INPUT ACCEPT [63:9590] |
| 21 |
> :OUTPUT ACCEPT [442:27137] |
| 22 |
> :POSTROUTING ACCEPT [36:1728] |
| 23 |
> - -A POSTROUTING -o ppp0 -j MASQUERADE |
| 24 |
> COMMIT |
| 25 |
> # Completed on Fri Jan 10 21:34:26 2014 |
| 26 |
> # Generated by iptables-save v1.4.20 on Fri Jan 10 21:34:26 2014 |
| 27 |
> *mangle |
| 28 |
> :PREROUTING ACCEPT [1000941:974106726] |
| 29 |
> :INPUT ACCEPT [951658:947497602] |
| 30 |
> :FORWARD ACCEPT [39262:26279024] |
| 31 |
> :OUTPUT ACCEPT [775261:165606146] |
| 32 |
> :POSTROUTING ACCEPT [814621:191890787] |
| 33 |
> COMMIT |
| 34 |
> # Completed on Fri Jan 10 21:34:26 2014 |
| 35 |
> # Generated by iptables-save v1.4.20 on Fri Jan 10 21:34:26 2014 |
| 36 |
> *filter |
| 37 |
> :INPUT ACCEPT [371:35432] |
| 38 |
> :FORWARD ACCEPT [0:0] |
| 39 |
> :OUTPUT ACCEPT [33994:3725352] |
| 40 |
> - -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT |
| 41 |
> - -A FORWARD -i wlan0 -o ppp0 -j ACCEPT |
| 42 |
> - -A FORWARD -i ppp0 -o wlan0 -j ACCEPT |
| 43 |
> - -A FORWARD -i eth0 -j DROP |
| 44 |
> - -A FORWARD -i tun0 -j DROP |
| 45 |
> COMMIT |
| 46 |
> # Completed on Fri Jan 10 21:34:26 2014 |
| 47 |
> I have a client that connects to my wifi, obtains an address via dhcp |
| 48 |
> and ... can't acces almost all of internet sites. |
| 49 |
> I was able to ping any web service I could think of, but I was able to |
| 50 |
> use only google/youtube. I can do text/ image serches on google and |
| 51 |
> can open youtube(but videos aren't loading). On other services wget |
| 52 |
> says connection established, but it can't retrieve anything. if I ssh |
| 53 |
> to an external server (not my nat server) I can ls, but if I try to ls |
| 54 |
> - -alh I receive only a half of the files list and the terminal hangs |
| 55 |
> after that. |
| 56 |
> If I do $python -m http.server on my server I can do file transfers |
| 57 |
> and open html pages on my client. I have tried this |
| 58 |
> https://wiki.archlinux.org/index.php/Software_Access_Point#WLAN_is_very_slow |
| 59 |
> |
| 60 |
> Also I have tried to insert LOG target in FORWARD of filter. |
| 61 |
> It showed that I send way more pakets(>10) to a http server than I |
| 62 |
> receive(~2-4). |
| 63 |
> The client is fine and behaves normally with wifi, used it many times. |
| 64 |
> Thanks for your time. |
| 65 |
|
| 66 |
It's probable that you need to make use of MSS clamping. Try the |
| 67 |
following rule: |
| 68 |
|
| 69 |
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j |
| 70 |
TCPMSS --clamp-mss-to-pmtu |
| 71 |
|
| 72 |
--Kerin |
Archives