the wrote:
> Hello. This is the first time I'm dealing with wifi and the second
> time with NAT.
> I have a server (access point) with a ppp0 interface (internet), eth0,
> wlan0, tun0 and sit0. A dhcp server is listening on wlan0 and provides
> local ip addresses, dns (= my isp dns) and router (= server wlan0 ip
> address). Nat is configured on the server like this:
> # Generated by iptables-save v1.4.20 on Fri Jan 10 21:34:26 2014
> *raw
> :PREROUTING ACCEPT [1000941:974106726]
> :OUTPUT ACCEPT [775261:165606146]
> COMMIT
> # Completed on Fri Jan 10 21:34:26 2014
> # Generated by iptables-save v1.4.20 on Fri Jan 10 21:34:26 2014
> *nat
> :PREROUTING ACCEPT [888:45008]
> :INPUT ACCEPT [63:9590]
> :OUTPUT ACCEPT [442:27137]
> :POSTROUTING ACCEPT [36:1728]
> -A POSTROUTING -o ppp0 -j MASQUERADE
> COMMIT
> # Completed on Fri Jan 10 21:34:26 2014
> # Generated by iptables-save v1.4.20 on Fri Jan 10 21:34:26 2014
> *mangle
> :PREROUTING ACCEPT [1000941:974106726]
> :INPUT ACCEPT [951658:947497602]
> :FORWARD ACCEPT [39262:26279024]
> :OUTPUT ACCEPT [775261:165606146]
> :POSTROUTING ACCEPT [814621:191890787]
> COMMIT
> # Completed on Fri Jan 10 21:34:26 2014
> # Generated by iptables-save v1.4.20 on Fri Jan 10 21:34:26 2014
> *filter
> :INPUT ACCEPT [371:35432]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [33994:3725352]
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i wlan0 -o ppp0 -j ACCEPT
> -A FORWARD -i ppp0 -o wlan0 -j ACCEPT
> -A FORWARD -i eth0 -j DROP
> -A FORWARD -i tun0 -j DROP
> COMMIT
> # Completed on Fri Jan 10 21:34:26 2014
> I have a client that connects to my wifi, obtains an address via dhcp
> and ... can't access almost all of internet sites.
> I was able to ping any web service I could think of, but I was able to
> use only google/youtube. I can do text/image searches on google and
> can open youtube (but videos aren't loading). On other services wget
> says connection established, but it can't retrieve anything. If I ssh
> to an external server (not my nat server) I can ls, but if I try to ls
> -alh I receive only a half of the files list and the terminal hangs
> after that.
> If I do $python -m http.server on my server I can do file transfers
> and open html pages on my client. I have tried this
> https://wiki.archlinux.org/index.php/Software_Access_Point#WLAN_is_very_slow
>
> Also I have tried to insert LOG target in FORWARD of filter.
> It showed that I send way more packets (>10) to a http server than I
> receive (~2-4).
> The client is fine and behaves normally with wifi, used it many times.
> Thanks for your time.

It's probable that you need to make use of MSS clamping. Try the
following rule:

iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

--Kerin
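As an added illustration of what the suggested rule does (this is not code from the thread or from netfilter), the Python below models the TCPMSS --clamp-mss-to-pmtu target on a single IPv4 SYN: it walks the TCP options, lowers an advertised MSS that exceeds the path MTU minus the 40 bytes of IPv4 and TCP headers, never raises it, and recomputes the TCP checksum. The addresses and the 1492-byte PPP MTU are constructed sample values.

```python
import socket
import struct

IPV4_HDR_LEN, TCP_HDR_LEN = 20, 20     # header sizes without options
OPT_EOL, OPT_NOP, OPT_MSS = 0, 1, 2    # TCP option kinds (RFC 793)
SRC_IP, DST_IP = "192.168.1.10", "198.51.100.7"   # constructed sample addresses
PPP_MTU = 1492                         # constructed sample path MTU (PPPoE-style link)

def checksum(data):  # Internet checksum (RFC 1071): ones' complement sum of 16-bit words
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF
def tcp_checksum(src_ip, dst_ip, segment):  # TCP checksum over IPv4 pseudo-header + segment
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
    pseudo += struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment))
    return checksum(pseudo + segment)
def build_syn(src_ip, dst_ip, mss, sport=40000, dport=80):  # constructed SYN, one MSS option
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 6 << 4, 0x02, 65535, 0, 0)
    seg = bytearray(hdr + struct.pack("!BBH", OPT_MSS, 4, mss))   # data offset = 6 words
    struct.pack_into("!H", seg, 16, tcp_checksum(src_ip, dst_ip, bytes(seg)))
    return bytes(seg)
def find_mss(segment):  # returns (offset of the MSS value, mss) or (None, None)
    end, i = min((segment[12] >> 4) * 4, len(segment)), TCP_HDR_LEN
    while i < end:
        kind = segment[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= end or segment[i + 1] < 2:
            break                                  # truncated or malformed option
        if kind == OPT_MSS and segment[i + 1] == 4:
            return i + 2, struct.unpack_from("!H", segment, i + 2)[0]
        i += segment[i + 1]
    return None, None
def clamp_mss_to_pmtu(src_ip, dst_ip, segment, pmtu):
    # Model of `-j TCPMSS --clamp-mss-to-pmtu`: MSS lowered to pmtu - 40, never raised.
    if not segment[13] & 0x02 or segment[13] & 0x04:  # --tcp-flags SYN,RST SYN
        return segment
    off, mss = find_mss(segment)
    max_mss = pmtu - IPV4_HDR_LEN - TCP_HDR_LEN
    if off is None or mss <= max_mss:
        return segment
    seg = bytearray(segment)
    struct.pack_into("!H", seg, off, max_mss)
    struct.pack_into("!H", seg, 16, 0)                 # zero the field, then refill
    struct.pack_into("!H", seg, 16, tcp_checksum(src_ip, dst_ip, bytes(seg)))
    return bytes(seg)
```

With the MSS lowered at the SYN, the remote host never sends full 1500-byte segments into the smaller PPP link, which is what the rule in the reply achieves inside the kernel.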