Re: [Fwbuilder-discussion] Clamp MSS to MTU
From: Nicole H. <nic...@gm...> - 2008-06-10 11:09:11
I found it.

Nicole Hähnel wrote:
> Hi,
>
> how can I add this rule in fwbuilder?
> iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
> Do I have to make a custom service?
>
> Thanks!
>
> Nicole
>
>
> Nicolás López wrote:
>> Hello Vadim
>>
>> I think I've found a little mistake in the order rules are placed when
>> using the options "Accept ESTABLISHED and RELATED packets before the
>> first rule" and "Clamp MSS to MTU".
>>
>> When using those options, the following rules are placed in this order:
>>
>> $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>> $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>> $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>> $IPTABLES -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>>
>> In 99% of the cases this rule order will not be any trouble but, for
>> packets going through the FORWARD chain (i.e. NATed and/or routed) which
>> have a RELATED connection (i.e. an FTP file transfer session), the 4th
>> rule will never apply, so the TCP SYN or SYN/ACK packet will go out with
>> the wrong MSS value, causing the connection to freeze.
>>
>> To resolve this there are a couple of workarounds or corrections to be
>> made:
>>
>> 1 - When the option "Clamp MSS to MTU" is enabled, then place the 4th
>> rule always before the 3rd one.
>>
>> 2 - If you don't want to change the order rules are placed, then you
>> can write it "$IPTABLES -t mangle -A POSTROUTING -p tcp -m tcp
>> --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"
>>
>> Hope I've been clear enough.
>>
>> Regards,
>>
>> Nicolas.
>>
>> _______________________________________________
>> Fwbuilder-discussion mailing list
>> Fwb...@li...
>> https://lists.sourceforge.net/lists/listinfo/fwbuilder-discussion
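The ordering problem Nicolás describes, and why both workarounds cure it, can be seen by stepping a packet through a toy model of iptables first-match traversal. This is an added example written for this page, not code from the thread or from fwbuilder; it assumes a PPPoE-style path MTU of 1492 (so --clamp-mss-to-pmtu yields 1492 - 40 = 1452, using the IPv4 20-byte IP + 20-byte TCP header approximation), and it adds a hypothetical ACCEPT rule for NEW TCP connections further down FORWARD so that the "99% case" can be compared with the RELATED FTP data SYN.

```python
"""Toy model of iptables first-match chain traversal. Shows why a RELATED SYN
(e.g. the SYN of an FTP data connection) never reaches a TCPMSS rule placed
*after* the ESTABLISHED,RELATED ACCEPT in filter FORWARD, and why moving the
TCPMSS rule above it, or into mangle POSTROUTING, fixes it. Not netfilter."""
from dataclasses import dataclass, replace
from typing import FrozenSet, Optional, Sequence, Tuple


@dataclass
class Packet:
    proto: str
    flags: FrozenSet[str]      # TCP flags set on the segment
    state: str                 # conntrack state: NEW, ESTABLISHED or RELATED
    mss: Optional[int] = None  # MSS option carried in a SYN, None if absent


@dataclass
class Rule:
    target: str
    proto: Optional[str] = None
    tcp_mask: FrozenSet[str] = frozenset()  # --tcp-flags MASK ...
    tcp_comp: FrozenSet[str] = frozenset()  # --tcp-flags ... COMP
    states: FrozenSet[str] = frozenset()    # -m state --state ...

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.tcp_mask and (pkt.flags & self.tcp_mask) != self.tcp_comp:
            return False
        if self.states and pkt.state not in self.states:
            return False
        return True


def run_chain(rules: Sequence[Rule], pkt: Packet, pmtu: int) -> Optional[str]:
    """First match wins. TCPMSS is non-terminating: it rewrites the MSS option
    and traversal continues; ACCEPT/DROP end the chain. None = fell through."""
    for rule in rules:
        if not rule.matches(pkt):
            continue
        if rule.target == "TCPMSS":
            # --clamp-mss-to-pmtu: MSS = PMTU - 40 (IPv4 + TCP header, assumed),
            # and the option is only ever lowered, never raised.
            if pkt.mss is not None:
                pkt.mss = min(pkt.mss, pmtu - 40)
            continue
        return rule.target
    return None


def forward(pkt: Packet, filter_forward: Sequence[Rule],
            mangle_postrouting: Sequence[Rule] = (), pmtu: int = 1492,
            policy: str = "DROP") -> Tuple[str, Optional[int]]:
    """Run a routed/NATed packet through filter FORWARD and then, if it was
    accepted, through mangle POSTROUTING, which the kernel traverses later."""
    pkt = replace(pkt)  # work on a copy so callers can reuse the sample
    verdict = run_chain(filter_forward, pkt, pmtu) or policy
    if verdict == "ACCEPT":
        run_chain(mangle_postrouting, pkt, pmtu)
    return verdict, pkt.mss


# The two FORWARD rules quoted in the post (without the $IPTABLES prefix)
ACCEPT_EST = Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"}))
CLAMP_MSS = Rule("TCPMSS", proto="tcp", tcp_mask=frozenset({"SYN", "RST"}),
                 tcp_comp=frozenset({"SYN"}))
# Assumed (not in the post): a policy rule further down admitting new TCP flows
ACCEPT_NEW_TCP = Rule("ACCEPT", proto="tcp", states=frozenset({"NEW"}))

FORWARD_AS_GENERATED = [ACCEPT_EST, CLAMP_MSS, ACCEPT_NEW_TCP]  # order in the post
FORWARD_REORDERED = [CLAMP_MSS, ACCEPT_EST, ACCEPT_NEW_TCP]     # workaround 1
MANGLE_POSTROUTING = [CLAMP_MSS]                                # workaround 2


def new_syn(mss: int = 1460) -> Packet:
    """Constructed sample: SYN of a fresh connection (the 99% case)."""
    return Packet("tcp", frozenset({"SYN"}), "NEW", mss)


def ftp_data_syn(mss: int = 1460) -> Packet:
    """Constructed sample: SYN of an FTP data connection, which the conntrack
    ftp helper classifies as RELATED rather than NEW."""
    return Packet("tcp", frozenset({"SYN"}), "RELATED", mss)


if __name__ == "__main__":
    for name, fwd, mangle in [("as generated", FORWARD_AS_GENERATED, []),
                              ("reordered", FORWARD_REORDERED, []),
                              ("mangle POSTROUTING", FORWARD_AS_GENERATED,
                               MANGLE_POSTROUTING)]:
        print(f"{name:>19}: NEW SYN -> {forward(new_syn(), fwd, mangle)}, "
              f"RELATED SYN -> {forward(ftp_data_syn(), fwd, mangle)}")
```

Running it prints the NEW SYN clamped to 1452 in all three layouts, while the RELATED SYN leaves with the unclamped 1460 only in the generated order: the ACCEPT on ESTABLISHED,RELATED terminates the FORWARD chain before the TCPMSS rule is consulted. Because mangle POSTROUTING is a separate table walked after filter FORWARD regardless of which rule accepted the packet, workaround 2 clamps every outgoing SYN without touching the policy order, which is why it is the usual place for this rule.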