Re: [Fwbuilder-discussion] Clamp MSS to MTU
From: Nicole H. <nic...@gm...> - 2008-06-10 10:54:22
Hi, how can I add this rule in fwbuilder?

    iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

Do I have to make a custom service?

Thanks!
Nicole

Nicolás López schrieb:
> Hello Vadim
>
> I think I've found a little mistake in the order rules are placed when
> using the options "Accept ESTABLISHED and RELATED packets before the
> first rule" _and_ "Clamp MSS to MTU".
>
> When using those options, the following rules are placed in this order:
>
> $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>
> In 99% of the cases this rule order will not be of any trouble but,
> for packets going through the _forward_ chain (i.e. NATed and/or
> routed) which have a _RELATED_ connection (i.e. an ftp file transfer
> session) the 4th rule will never apply so the tcp SYN or SYN/ACK
> packet will go out with the wrong MSS value causing the connection to
> freeze.
>
> To resolve this there are a couple of workarounds or corrections to be
> made:
>
> 1 – When the option "Clamp MSS to MTU" is enabled, then place the 4th
> rule _always_ before the 3rd one.
>
> 2 – If you don't want to change the order rules are placed, then you
> can write it "$IPTABLES -t mangle -A POSTROUTING -p tcp -m tcp
> --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"
>
> Hope I've been clear enough.
>
> Regards,
>
> Nicolas.
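As an added illustration (not code from fwbuilder or from either poster), here is a small Python model of iptables first-match chain traversal that reproduces the ordering problem Nicolás describes and checks both of his workarounds. The packet fields, the 1460-byte MSS and the 1400-byte path MTU are constructed assumptions; the model treats ACCEPT as terminating and TCPMSS as a non-terminating target, which is how iptables behaves.

```python
"""Model of iptables first-match traversal for the FORWARD/TCPMSS ordering issue."""
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str
    flags: frozenset   # TCP flags set on the packet
    state: str         # conntrack state: NEW, ESTABLISHED or RELATED
    mss: int = 1460    # MSS option as sent by the end host (constructed value)


def m_state_est_rel(p):    # -m state --state ESTABLISHED,RELATED
    return p.state in ("ESTABLISHED", "RELATED")


def m_tcp_syn(p):          # -p tcp --tcp-flags SYN,RST SYN
    return p.proto == "tcp" and "SYN" in p.flags and "RST" not in p.flags


def walk(p, chain, pmtu=1400):
    """First-match traversal: ACCEPT/DROP end the chain, TCPMSS edits and continues.
    Returns (verdict, mss); verdict None means no terminating rule matched."""
    for match, target in chain:
        if not match(p):
            continue
        if target == "TCPMSS":
            p.mss = min(p.mss, pmtu - 40)  # --clamp-mss-to-pmtu: PMTU minus 40 bytes IPv4+TCP headers
            continue
        return target, p.mss
    return None, p.mss


ACCEPT_EST_REL = (m_state_est_rel, "ACCEPT")
CLAMP = (m_tcp_syn, "TCPMSS")
GENERATED_FORWARD = [ACCEPT_EST_REL, CLAMP]   # order fwbuilder emits (from the quoted mail)
REORDERED_FORWARD = [CLAMP, ACCEPT_EST_REL]   # workaround 1: clamp before the ESTABLISHED,RELATED accept
MANGLE_POSTROUTING = [CLAMP]                  # workaround 2: forwarded packets traverse it after filter FORWARD


def forward(p, filter_chain, mangle_chain=()):
    """Run filter FORWARD, then mangle POSTROUTING for packets that were accepted."""
    verdict, _ = walk(p, filter_chain)
    if verdict == "ACCEPT" and mangle_chain:
        walk(p, mangle_chain)
    return verdict, p.mss


def related_syn():   # constructed: SYN of an FTP data connection, marked RELATED by the ftp helper
    return Packet("tcp", frozenset({"SYN"}), "RELATED")


if __name__ == "__main__":
    print("generated:", forward(related_syn(), GENERATED_FORWARD))   # ('ACCEPT', 1460): never clamped
    print("reordered:", forward(related_syn(), REORDERED_FORWARD))   # ('ACCEPT', 1360)
    print("mangle   :", forward(related_syn(), GENERATED_FORWARD, MANGLE_POSTROUTING))  # ('ACCEPT', 1360)
```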