
Re: dsl masquerading over linux 2.4.0-test[78]pre...

To: jamal <hadi@xxxxxxxxxx>, netdev@xxxxxxxxxxx, mostrows@xxxxxxxxxxxxxxxxx, hgfelger@xxxxxxxxxxx, rusty@xxxxxxxxxxxxxxxx, netfilter-devel@xxxxxxxxxxxxx
Subject: Re: dsl masquerading over linux 2.4.0-test[78]pre...
From: Marc Boucher <marc@xxxxxxx>
Date: Thu, 07 Sep 2000 15:06:04 -0400
In-reply-to: Your message of "Thu, 07 Sep 2000 14:14:40 EDT." <200009071814.e87IEfA06978@opium.mbsi.ca>
References: <Pine.GSO.4.20.0009070803220.949-100000@shell.cyberus.ca> <200009071814.e87IEfA06978@opium.mbsi.ca>
Sender: owner-netdev@xxxxxxxxxxx

Earlier I wrote:
> 
> As Jamal says, mssclampfw can do the trick but since you already have
> iptables installed I would recommend its TCPMSS match & target
> modules instead. These are in the tcp-MSS patch which can be found under
> netfilter/userspace/patch-o-matic/ (in the CVS repository, or next
> upcoming iptables release > 1.1.1). Use the ./runme script in that same
> directory to apply it, then recompile iptables and reconfigure/rebuild
> your kernel with CONFIG_IP_NF_MATCH_TCPMSS and
> CONFIG_IP_NF_TARGET_TCPMSS enabled.
> 
> Then you need a rule like:
> 
> iptables -t nat -A POSTROUTING -o pppoe_interface \
>     -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss mtuofpppoeintf-40+1: \
>     -j TCPMSS --set-mss mtuofpppoeintf-40
> 
> so for example if the outgoing PPPoE interface is ppp0 with an mtu of 
> 1492, you would have:
> 
> iptables -t nat -A POSTROUTING -o ppp0 \
>     -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1453: \
>     -j TCPMSS --set-mss 1452
> 
> Replacing "-t nat -A POSTROUTING" with "-A FORWARD" should also work.

Actually it will work better with "-A FORWARD", since the nat table
apparently doesn't "see" SYN ACK packets, whose MSS also needs to be
adjusted in the case of incoming connections relayed to hosts behind the
firewall with DNAT.

Marc
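The clamp Marc describes, put into a small POSIX shell script as an added example (this is not a script from the thread or from the netfilter project). It derives the MSS from the link MTU the way his rule does (MTU minus 40 bytes, i.e. a 20-byte IPv4 header plus a 20-byte option-less TCP header), emits the rule in the FORWARD chain as he recommends, and goes one step further than his message by also emitting the mirror rule for SYNs arriving on the PPPoE interface, so an external client's MSS is clamped for DNATed servers too. It assumes an iptables build with the TCPMSS match and target (the patch-o-matic tcp-MSS patch and the two kernel options named above); the interface name and MTU are parameters, and the script only prints the commands so you can review them before running them as root.

```bash
#!/bin/sh
# Added example, not the poster's own script. Assumes iptables with the
# TCPMSS match/target (CONFIG_IP_NF_MATCH_TCPMSS, CONFIG_IP_NF_TARGET_TCPMSS).

# MSS to advertise on a link with the given MTU: MTU minus 20 (IPv4 header)
# minus 20 (TCP header without options). Fails on MTUs that leave no payload.
mss_for_mtu() {
    mtu=$1
    [ "$mtu" -gt 40 ] || { echo "mtu too small: $mtu" >&2; return 1; }
    echo $((mtu - 40))
}

# Print the FORWARD-chain clamp rules for an interface and its MTU.
# The match fires only on SYN segments that are not RST and whose MSS option
# is already above the clamp (--mss N: means "N or more"), so segments
# advertising a smaller MSS are left untouched. The FORWARD chain, unlike
# nat/POSTROUTING, sees every packet, so the SYN/ACK of a DNATed inbound
# connection is clamped as well. The second rule (SYNs coming in on the
# link) is an extension of the thread's rule, not part of it.
clamp_rules() {
    ifname=$1
    mss=$(mss_for_mtu "$2") || return 1
    min=$((mss + 1))
    printf 'iptables -A FORWARD -o %s -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss %s: -j TCPMSS --set-mss %s\n' \
        "$ifname" "$min" "$mss"
    printf 'iptables -A FORWARD -i %s -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss %s: -j TCPMSS --set-mss %s\n' \
        "$ifname" "$min" "$mss"
}

# Usage: sh clamp.sh ppp0 1492   (prints the two rules; pipe to sh as root to apply)
if [ $# -eq 2 ]; then
    clamp_rules "$1" "$2"
fi
```

For the ppp0/1492 case this prints the 1453:/1452 pair from the quoted message, relocated to FORWARD. Remember that the rule belongs before any earlier FORWARD rule that already accepts the traffic, since an ACCEPT terminates traversal and the TCPMSS target would never be reached.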
