
We have a LAN and a Linux Box is used as an Internet gateway. On this gateway, we have installed intranet mail server (sendmail), fetchmail, proxy and DNS. A leased line is connected to this gateway and static IP is configured on this box.

For the last 10-15 days, it has been noticed that a few of the websites are not working at all. If I configure this same connection and IP on a standalone Windows PC, all these websites can be accessed without any problem.

I cannot browse a few sites and cannot ping them, but I can resolve their addresses using nslookup.

My LAN configuration is as follows:

ifconfig:

enp2s0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet 192.168.1.41  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::52e5:49ff:fe1b:daa8  prefixlen 64  scopeid 0x20<link>
        ether 00:00:00:00:00:00  txqueuelen 1000  (Ethernet)
        RX packets 67331121  bytes 8458827280 (7.8 GiB)
        RX errors 0  dropped 2138  overruns 0  frame 0
        TX packets 66307928  bytes 58607952676 (54.5 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 1  collisions 0

enp4s1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet XX.XXX.XXXX.XX  netmask 255.0.0.0  broadcast 49.255.255.255
        ether 00:00:00:00:00:00  txqueuelen 1000  (Ethernet)
        RX packets 66015747  bytes 58276418282 (54.2 GiB)
        RX errors 0  dropped 100  overruns 0  frame 0
        TX packets 53457822  bytes 7049917031 (6.5 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

/etc/resolve.conf

nameserver 8.8.8.8
nameserver 192.168.1.41

iptables

# Generated by iptables-save v1.4.21 on Fri Aug 12 10:18:54 2016
*filter
:INPUT ACCEPT [6409479:525988637]
:FORWARD ACCEPT [26036553:16397355271]
:OUTPUT ACCEPT [6914932:970229461]
-A INPUT -i eth0 -j LOG --log-prefix "BANDWIDTH_IN:" --log-level 7
-A FORWARD -o eth0 -j LOG --log-prefix "BANDWIDTH_OUT:" --log-level 7
-A FORWARD -i eth0 -j LOG --log-prefix "BANDWIDTH_IN:" --log-level 7
-A OUTPUT -o eth0 -j LOG --log-prefix "BANDWIDTH_OUT:" --log-level 7
COMMIT
# Completed on Fri Aug 12 10:18:54 2016
# Generated by iptables-save v1.4.21 on Fri Aug 12 10:18:54 2016
*nat
:PREROUTING ACCEPT [1480942:133895346]
:INPUT ACCEPT [179896:21387703]
:OUTPUT ACCEPT [82634:5613521]
:POSTROUTING ACCEPT [231368:13257122]
-A PREROUTING -d XX.XXX.XXX.XX/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.250
-A POSTROUTING -s 192.168.1.132/32 -j MASQUERADE
-A POSTROUTING -s 192.168.1.127/32 -j MASQUERADE
-A POSTROUTING -s 192.168.1.188/32 -j MASQUERADE
-A POSTROUTING -s 192.168.1.199/32 -j MASQUERADE
-A POSTROUTING -s 192.168.1.20/32 -j MASQUERADE
-A POSTROUTING -s 192.168.1.181/32 -j MASQUERADE
-A POSTROUTING -s 192.168.1.233/32 -j MASQUERADE
-A POSTROUTING -s 192.168.1.77/32 -j MASQUERADE
-A POSTROUTING -s 192.168.1.134/32 -j MASQUERADE
-A POSTROUTING -s 192.168.1.113/32 -j MASQUERADE
-A POSTROUTING -s 192.168.1.19/32 -j MASQUERADE
-A POSTROUTING -s 192.168.1.20/32 -j MASQUERADE
-A POSTROUTING -s 192.168.1.197/32 -j MASQUERADE
-A POSTROUTING -s 192.168.1.198/32 -j MASQUERADE
-A POSTROUTING -s 192.168.1.9/32 -j MASQUERADE
-A POSTROUTING -s 192.168.1.5/32 -j MASQUERADE
-A POSTROUTING -s 192.168.1.119/32 -j MASQUERADE
-A POSTROUTING -s 192.168.1.1/32 -j MASQUERADE
-A POSTROUTING -s 192.168.1.98/32 -j MASQUERADE
-A POSTROUTING -s 192.168.1.182/32 -j MASQUERADE
-A POSTROUTING -s 192.168.1.40/32 -p tcp -m tcp --dport 21 -j MASQUERADE
-A POSTROUTING -s 192.168.1.134/32 -p tcp -m tcp --dport 21 -j MASQUERADE
-A POSTROUTING -s 192.168.1.181/32 -p tcp -m tcp --dport 21 -j MASQUERADE
-A POSTROUTING -s 192.168.1.181/32 -p tcp -m tcp --dport 21 -j MASQUERADE
-A POSTROUTING -s 192.168.1.98/32 -p tcp -m tcp --dport 21 -j MASQUERADE
-A POSTROUTING -s 192.168.1.177/32 -p tcp -m tcp --dport 443 -j MASQUERADE
-A POSTROUTING -s 192.168.1.89/32 -p tcp -m tcp --dport 443 -j MASQUERADE
-A POSTROUTING -s 192.168.1.129/32 -p tcp -m tcp --dport 21 -j MASQUERADE
-A POSTROUTING -s 192.168.1.66/32 -j MASQUERADE
-A POSTROUTING -s 192.168.1.250/32 -j MASQUERADE
COMMIT
# Completed on Fri Aug 12 10:18:54 2016
# Generated by iptables-save v1.4.21 on Fri Aug 12 10:18:54 2016
*mangle
:PREROUTING ACCEPT [33387672:17017857834]
:INPUT ACCEPT [6409479:525988637]
:FORWARD ACCEPT [26036554:16397355355]
:OUTPUT ACCEPT [6914932:970229461]
:POSTROUTING ACCEPT [32955572:17367734827]
COMMIT
# Completed on Fri Aug 12 10:18:54 2016

How should I find what is blocking these connections? What else should I check on the Linux box? Can somebody give a hint to resolve the issue? Is there anything else I should mention here? Thanks in advance.

Silkograph
  • For future readers, if the answer below doesn't apply you may want to check if your MTU is correct. I've had a similar issue with a too large MTU on a PPPoE link, and some sites worked just fine (Google) while others constantly timed out. Lowering the MTU fixed it. – André Borie Aug 12 '16 at 17:46

1 Answer


The netmask is wrong on the enp4s1 (WAN) interface.

This system has configured an IP address of 49.x.x.x and a netmask of 255.0.0.0 (prefix /8). But this is not the netmask that your ISP gave you.

As a result, you will be unable to access almost all websites whose IP addresses also start with 49.

To resolve the problem, fix the netmask or prefix declaration in your network configuration. I would expect the correct prefix to be somewhere in the vicinity of 27, 28 or 29, depending on the ISP.

Michael Hampton
  • Great, you have saved my life. I did not know what PREFIX0 means in the network card configuration file. This line was commented out by me unknowingly. After reading your answer I tried to change NETMASK to 255.255.255.0 in the config. I could not see any change with the NETMASK=255.255.255.0 line; I had to uncomment the PREFIX0=24 line. I am doing this in CentOS 7. Can we set the netmask with the NETMASK setting in CentOS 7? Do I need to know the NETMASK setting of the service provider if the PREFIX0 setting works for me? – Silkograph Aug 12 '16 at 11:32
  • You really should use the correct netmask assigned by your ISP, otherwise you're just shrinking the problem or overcorrecting. You could try temporarily using DHCP to see if it automatically assigns an address and netmask to the WAN interface, and using those numbers, but there's no guarantee that there is a DHCP server. – GuitarPicker Aug 12 '16 at 15:12
  • @Silkograph You can set either `NETMASK` or `PREFIX` in `/etc/sysconfig/network-scripts/ifcfg-enp4s1`. Though using `PREFIX` is preferred. Your ISP should have given you the correct prefix to use. If you use the wrong prefix/netmask, there will simply be a smaller number of websites you can't access. – Michael Hampton Aug 12 '16 at 15:29
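To make the accepted answer's point concrete, here is an added Python example (not from the original question or answer) that computes which destinations a host with an oversized netmask treats as directly attached, i.e. ARPs for on the WAN segment instead of sending to the upstream router. The WAN address 49.1.2.3, the candidate /29, and the destination addresses are constructed placeholders, since the page masks the real ones.

```python
import ipaddress
from typing import Iterable, List


def is_onlink(host_ip: str, prefix: int, dest: str) -> bool:
    """True if a host configured as host_ip/prefix treats dest as on-link:
    it will ARP for dest on the local segment instead of handing the
    packet to the default gateway."""
    iface = ipaddress.ip_interface(f"{host_ip}/{prefix}")
    return ipaddress.ip_address(dest) in iface.network


def wrongly_onlink(host_ip: str, configured_prefix: int, correct_prefix: int,
                   dests: Iterable[str]) -> List[str]:
    """Destinations that the misconfigured mask puts on-link although the
    ISP's real prefix does not. Packets to these never reach the upstream
    router, so the sites time out while DNS still resolves (the symptom
    described in the question)."""
    return [d for d in dests
            if is_onlink(host_ip, configured_prefix, d)
            and not is_onlink(host_ip, correct_prefix, d)]


def misrouted_address_count(configured_prefix: int, correct_prefix: int) -> int:
    """Number of IPv4 addresses the oversized mask wrongly claims as local."""
    return 2 ** (32 - configured_prefix) - 2 ** (32 - correct_prefix)


# Constructed sample data (placeholders, not the poster's real addresses):
# a WAN address in 49/8, one site elsewhere in 49/8, one site inside the
# assumed real /29, and one site outside 49/8 entirely.
WAN_IP = "49.1.2.3"
SAMPLE_SITES = ["49.44.100.7", "49.1.2.5", "203.0.113.10"]

if __name__ == "__main__":
    broken = wrongly_onlink(WAN_IP, 8, 29, SAMPLE_SITES)
    print("unreachable with /8 but fine with /29:", broken)
    print("addresses wrongly treated as on-link:",
          misrouted_address_count(8, 29))
```

Run on the real WAN address and a list of the sites that fail, every failing site should land in the returned list; a site that does not is a separate problem (for example the MTU issue raised in the comments).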