[Fwbuilder-discussion] Clamp MSS to MTU
From: Nicolás L. <nic...@gm...> - 2008-04-11 20:09:17
Hello Vadim
I think I've found a little mistake in the order rules are placed in when
using the options Accept ESTABLISHED and RELATED packets before the first
rule _and_ Clamp MSS to MTU.
When using those options, the following rules are placed in this order:
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
In 99% of the cases this rule order will not be of any trouble but, for
packets going through the _forward_ chain (i.e. NATed and/or routed) which
have a _RELATED_ connection (i.e. an FTP file transfer session) the 4th rule
will never apply, so the TCP SYN or SYN/ACK packet will go out with the wrong
MSS value, causing the connection to freeze.
To resolve this there are a couple of workarounds or corrections to be
made:
1. When the option Clamp MSS to MTU is enabled, then place
the 4th rule _always_ before the 3rd one.
2. If you don't want to change the order rules are placed in, then
you can write it as:
$IPTABLES -t mangle -A POSTROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
Hope I've been clear enough.
Regards,
Nicolas.
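An added audit check, not from the post or from fwbuilder: a shell function that scans an iptables-save style dump for the ordering the post describes (filter/FORWARD ESTABLISHED,RELATED accept placed before the TCPMSS clamp) and accepts either corrected form. The dumps below are constructed for the example; on a live host you would feed it `iptables-save` output.

```shell
#!/bin/sh
# check_mss_order DUMP
# Prints one word: misordered (accept precedes the clamp, so RELATED SYN
# packets are never clamped), missing (no clamp rule at all) or ok (clamp
# precedes the accept, or the clamp lives in mangle/POSTROUTING, which every
# forwarded packet still traverses after filter/FORWARD accepted it).
check_mss_order() {
  printf '%s\n' "$1" | awk '
    /^\*/ { table = substr($0, 2); next }   # "*filter" -> current table
    table == "filter" && $2 == "FORWARD" && /--state [A-Z,]*RELATED/ && /-j ACCEPT/ {
      if (!accept_at) accept_at = NR        # first blanket state accept
    }
    /-j TCPMSS/ {
      if (table == "mangle" && $2 == "POSTROUTING") mangle = 1
      if (table == "filter" && $2 == "FORWARD" && !clamp_at) clamp_at = NR
    }
    END {
      if (mangle)                            { print "ok"; exit }
      if (!clamp_at)                         { print "missing"; exit }
      if (accept_at && accept_at < clamp_at) { print "misordered"; exit }
      print "ok"
    }'
}

# Constructed dumps (not fwbuilder output): the order the post reports,
# the corrected filter order, and the mangle/POSTROUTING workaround.
BAD='*filter
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT'
FIXED='*filter
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT'
MANGLE='*mangle
-A POSTROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
*filter
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# Live usage would be: check_mss_order "$(iptables-save)"
check_mss_order "$BAD"     # misordered
check_mss_order "$FIXED"   # ok
check_mss_order "$MANGLE"  # ok
```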