[CLUE-Tech] IPTABLES and connection stalls?

[Joe 'Zonker' Brockmeier]

On Thu, 14 Jun 2001, ian wrote:

> Clue-Techies,
> 
> I recently upgraded to RedHat 7.1 and in process upgraded from IPCHAINS to IPTABLES due to 
> "changed working environment of IPCHAINS".
> 
> First the question:
> Has anyone had any connection time out problems using IPTABLES with NAT?
> 
> Background:

*snip*

> Any suggestions?

It'd be helpful if we could see what your configuration is. Can you run
"iptables -L" or "iptables -L nat" and send the output? You might also
want to include the rules that you're loading. If you've got a script
with all of those, it'd be helpful.

I'm guessing that there's a misconfiguration somewhere. You might also
try the iptables mailing list here: http://lists.samba.org/pipermail/netfilter/

Also, if I recall correctly, there was a problem that wasn't directly
related to Netfilter/iptables - if you have enabled "TCP Explicit 
Congestion Notification support" in your kernel you may have problems
connecting to some sites. If you're finding that the problem is hard
to reproduce - ie, sometimes you can reach sites and sometimes you can't -
then this might be the issue. A lot of folks enabled this because it 
sounded like a Good Thing(TM) and then found it munged things up. Not
because the kernel was broken, but because many routers couldn't handle
it. A quick way to check:

echo 0 > /proc/sys/net/ipv4/tcp_ecn

If that solves the problem, it's probably the ECN. Otherwise please
post your config and someone should be able to tell you what's wrong
there.

Take care,

Zonker
--
Joe 'Zonker' Brockmeier -=- jbrockmeier at earthlink.net
http://www.ZonkerBooks.net/
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
"Human beings, who are almost unique in having the ability 
to learn from the experience of others, are also remarkable 
for their apparent disinclination to do so." -- Douglas Adams