iptables MASQUERADE not working?

Time: 2014-09-17 12:06:13

Tags: routing iptables

My iptables-save looks like this:

# Generated by iptables-save v1.4.21 on Wed Sep 17 16:42:32 2014
*nat
:PREROUTING ACCEPT [489:32439]
:INPUT ACCEPT [459:30062]
:OUTPUT ACCEPT [569:39257]
:POSTROUTING ACCEPT [26:1755]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Wed Sep 17 16:42:32 2014
# Generated by iptables-save v1.4.21 on Wed Sep 17 16:42:32 2014
*filter
:INPUT ACCEPT [14662:3083395]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [15653:7915049]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth2 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth2 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth2 -p udp -m udp --dport 67 -j ACCEPT
-A FORWARD -i lo -o lo -j ACCEPT
-A FORWARD -i eth2 -o eth2 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i eth2 -o ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth2 -o ppp0 -m state --state NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Sep 17 16:42:32 2014

The other three tables (security, mangle and raw) are empty.

The router is Ubuntu: Linux ubuntu 3.13.0-30-generic #54-Ubuntu SMP Mon Jun 9 22:45:01 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

root@router:/# lsmod | grep table
iptable_security       12705  0 
ip6table_raw           12683  0 
ip6table_mangle        12700  0 
ip6table_filter        12815  0 
ip6_tables             27025  3 ip6table_filter,ip6table_mangle,ip6table_raw
iptable_raw            12678  0 
iptable_mangle         12695  1 
iptable_nat            13011  1 
nf_nat_ipv4            13263  1 iptable_nat
nf_nat                 21798  4 ipt_MASQUERADE,nf_nat_ipv4,xt_REDIRECT,iptable_nat
nf_conntrack           96976  6 ipt_MASQUERADE,nf_nat,nf_nat_ipv4,xt_conntrack,iptable_nat,nf_conntrack_ipv4
iptable_filter         12810  1 
ip_tables              27239  5 iptable_security,iptable_filter,iptable_mangle,iptable_nat,iptable_raw
x_tables               34059  17 iptable_security,ip6table_filter,ip6table_mangle,xt_CHECKSUM,ip_tables,xt_tcpudp,ipt_MASQUERADE,xt_owner,xt_conntrack,iptable_filter,ip6table_raw,xt_CLASSIFY,ipt_REJECT,xt_REDIRECT,iptable_mangle,ip6_tables,iptable_raw

I am trying to browse the Internet from a client on eth2, and it works, but only partially. I can access the Google search engine and it works. But some parts of the web do not; not every website opens the way Google's does.

For example, I can wget www.google.com but not www.speedtest.net.

The hang looks like this:

root@client:/# wget -O - www.speedtest.net
--2014-09-17 09:43:09--  http://www.speedtest.net/
Resolving www.speedtest.net (www.speedtest.net)... 93.184.219.82
Connecting to www.speedtest.net (www.speedtest.net)|93.184.219.82|:80... connected.
HTTP request sent, awaiting response... Read error (Connection timed out) in headers.
Retrying.

--2014-09-17 10:09:56--  (try: 2)  http://www.speedtest.net/
Connecting to www.speedtest.net (www.speedtest.net)|93.184.219.82|:80... connected.
HTTP request sent, awaiting response... 
...
...

However, I can ping www.speedtest.net:

root@client:/# ping  www.speedtest.net
PING cs62.adn.edgecastcdn.net (93.184.219.82) 56(84) bytes of data.
64 bytes from 93.184.219.82: icmp_req=1 ttl=57 time=93.0 ms
64 bytes from 93.184.219.82: icmp_req=2 ttl=57 time=93.0 ms
64 bytes from 93.184.219.82: icmp_req=3 ttl=57 time=93.3 ms
64 bytes from 93.184.219.82: icmp_req=4 ttl=57 time=93.0 ms
64 bytes from 93.184.219.82: icmp_req=5 ttl=57 time=93.1 ms

www.google.com is reachable:

root@client:/# wget -O - www.google.com
--2014-09-17 09:48:05--  http://www.google.com/
Resolving www.google.com (www.google.com)... 173.194.32.18, 173.194.32.16, 173.194.32.20, ...
Connecting to www.google.com (www.google.com)|173.194.32.18|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.google.ru/?gfe_rd=cr&ei=1VgZVPTqNOfJ8ge20oCQDg [following]
--2014-09-17 09:48:05--  http://www.google.ru/?gfe_rd=cr&ei=1VgZVPTqNOfJ8ge20oCQDg
Resolving www.google.ru (www.google.ru)... 173.194.32.23, 173.194.32.15, 173.194.32.24, ...
Connecting to www.google.ru (www.google.ru)|173.194.32.23|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: `STDOUT'

The client's iptables is empty.

Where am I going wrong?

1 answer:

Answer 0 (score: 0)

Probably this is Microsoft-specific, since my VPN is designed for that OS. I just added one command to iptables and now everything works:

iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
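The symptom pattern in the question (ping succeeds, a short HTTP response such as Google's 302 redirect arrives, larger pages time out after the TCP handshake) is the classic sign of an MTU problem on a PPP uplink: full-size segments from the Internet cannot fit the smaller PPP MTU, and if path-MTU discovery fails they are silently lost, while small packets get through. The TCPMSS rule in the answer fixes this by rewriting the MSS option in forwarded SYN packets so peers never send segments larger than the path can carry. The following script is an added example, not part of the original question or answer: it audits an iptables-save dump for a MASQUERADE rule on a ppp* interface that has no matching TCPMSS clamp in FORWARD, so a router build or a configuration review can catch the omission before users report hanging downloads. The two dumps embedded in it are constructed from the rules on this page (before and after the answer's fix); the function itself reads any iptables-save text on stdin.

```shell
#!/bin/sh
# Added example, not from the original post.
# check_mss_clamp audits an iptables-save dump for MASQUERADE on a PPP
# interface without a TCPMSS --clamp-mss-to-pmtu rule in the filter table.

# Constructed sample: the relevant rules from the question, before the fix.
RULES_BEFORE='*nat
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
*filter
-A FORWARD -i eth2 -o ppp0 -m state --state NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# Constructed sample: the same rules plus the clamp from the answer.
RULES_AFTER="$RULES_BEFORE
*filter
-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT"

# check_mss_clamp: reads an iptables-save dump on stdin.
# Returns 0 when no ppp* interface is masqueraded, or when a TCPMSS clamp
# rule is present; returns 1 when a ppp* masquerade has no clamp.
check_mss_clamp() {
    dump=$(cat)
    # Count POSTROUTING masquerade rules whose out-interface is ppp<N>.
    ppp_masq=$(printf '%s\n' "$dump" \
        | grep -c -- '-o ppp[0-9]* .*-j MASQUERADE' || true)
    # Count TCPMSS clamp rules anywhere in the dump.
    clamp=$(printf '%s\n' "$dump" \
        | grep -c -- '-j TCPMSS --clamp-mss-to-pmtu' || true)
    if [ "$ppp_masq" -gt 0 ] && [ "$clamp" -eq 0 ]; then
        echo "WARNING: MASQUERADE on a PPP link without TCPMSS clamping"
        return 1
    fi
    echo "OK: no unclamped PPP masquerade found"
    return 0
}

# Stand-alone run: the first dump should warn, the second should pass.
printf '%s\n' "$RULES_BEFORE" | check_mss_clamp
printf '%s\n' "$RULES_AFTER" | check_mss_clamp
```

On a live router the same check is `iptables-save | check_mss_clamp`; it only inspects the dump text and makes no changes to the firewall.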