Salut Marc,
Thanks a lot. Your solution seems to work for me!!!! OK, I did not test it
very extensively... I hope it is OK with you that I published this
solution on my web page: www.hgfelger.de/mss/mss.html
On Thu, 7 Sep 2000, Marc Boucher wrote:
> Earlier I wrote:
> >
> > As Jamal says, mssclampfw can do the trick, but since you already have
> > iptables installed I would recommend its TCPMSS match&target
> > modules instead. These are in the tcp-MSS patch which can be found under
> > netfilter/userspace/patch-o-matic/ (in the CVS repository, or next
> > upcoming iptables release > 1.1.1). Use the ./runme script in that same
> > directory to apply it, then recompile iptables and reconfigure/rebuild
> > your kernel with CONFIG_IP_NF_MATCH_TCPMSS and
> > CONFIG_IP_NF_TARGET_TCPMSS enabled.
> >
> > Then you need a rule like:
> >
> > iptables -t nat -A POSTROUTING -o pppoe_interface \
> > -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss mtuofpppoeintf-40+1: \
> > -j TCPMSS --set-mss mtuofpppoeintf-40
> >
> > so for example if the outgoing PPPoE interface is ppp0 with an mtu of
> > 1492, you would have:
> >
> > iptables -t nat -A POSTROUTING -o ppp0 \
> > -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1453: \
> > -j TCPMSS --set-mss 1452
> >
> > Replacing "-t nat -A POSTROUTING" with "-A FORWARD" should also work.
>
> Actually it will work better with "-A FORWARD", since the nat table
> apparently doesn't "see" SYN ACK packets, whose MSS also needs to be
> adjusted in the case of incoming connections relayed to hosts behind the
> firewall with DNAT.
>
> Marc
--
1024D/339FD693 Hartwig Felger <hgfelger@xxxxxxxxxxx>
Key fingerprint = FB2F 3EE9 345A D55B 6FF2 0EC1 F5B0 684F 339F D693
For the public keys, please visit my page.
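The rule Marc gives is derived from the interface MTU (MSS = MTU minus 20 bytes IPv4 header minus 20 bytes TCP header). The following POSIX sh script, added here and not part of the original thread or of iptables, builds that rule from an MTU, reading the live value from sysfs when the interface exists, and applies Marc's follow-up of using the FORWARD chain. The function names, the sysfs lookup and the 1492 fallback are assumptions for illustration.

```shell
#!/bin/sh
# Added example: generate the TCPMSS clamping rule from a PPPoE MTU.
# Assumes the tcpmss match and TCPMSS target are built into kernel/iptables.

# MSS = MTU - 20 (IPv4 header) - 20 (TCP header).
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# Lower bound for the tcpmss match: only SYNs advertising an MSS larger than
# the link can carry are rewritten ("N:" in --mss means "N or greater").
clamp_threshold() {
    echo $(( $(mss_for_mtu "$1") + 1 ))
}

# Emit the rule. Per Marc's follow-up, FORWARD is used instead of
# nat/POSTROUTING so SYN/ACKs of DNATed inbound connections are clamped too.
mss_clamp_rule() {
    iface=$1
    mtu=$2
    printf 'iptables -A FORWARD -o %s -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss %s: -j TCPMSS --set-mss %s\n' \
        "$iface" "$(clamp_threshold "$mtu")" "$(mss_for_mtu "$mtu")"
}

# Read the interface's current MTU from sysfs (Linux); fall back to the
# given default when the interface is absent (e.g. on a build box).
iface_mtu() {
    if [ -r "/sys/class/net/$1/mtu" ]; then
        cat "/sys/class/net/$1/mtu"
    else
        echo "$2"
    fi
}

# Print the rule for ppp0, defaulting to the usual PPPoE MTU of 1492.
mss_clamp_rule ppp0 "$(iface_mtu ppp0 1492)"
```

Pipe the printed rule into a shell only after checking it against `iptables -L FORWARD -v` on the box, since the script only emits the command and does not run it.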