Re: need iptables rule to turn off ecn on a firewall

[Hanasaki JiJi <hanasaki@hanaden.com>]

I have used -t nat -j MASQ quite a bit and have read ALOT on the -t 
mangle without gaining as much comprehension as I would like, and need.

Is the -t mangle used as a replacement for -t nat -j MASQ? in 
conjunction with it? ... What would need to be done to augment/replace 
my current rule that does iptables -t nat -A postrouting -j MASQ... ?

Thank you

Tarragon Allen wrote:
> On Fri, 2 May 2003 03:23 pm, Hanasaki JiJi wrote:
>
> > The internal network has ECN on.  A few ports are NATed going out.  Is
> > there an iptables rule that will turn off ECN as ports are going out
> > through the firewall?
>
>
> Haven't actually done this myself, but it's definitely possible according to 
> the iptables man page :
> ===
>    ECN
>        This target allows to selectively work around known ECN blackholes.  It 
> can only be used in the mangle  table.
>
>        --ecn-tcp-remove
>               Remove all ECN bits from the TCP header.  Of course, it can only 
> be used in conjunction with -p tcp.
> ===
> Something like:
>
> iptables -t mangle -I FORWARD -o $EXTERNAL_INTERFACE -p tcp --ecn-tcp-remove
>
> (untested, but looks right to me)
>
> t

--
=================================================================
= Management is doing things right; leadership is doing the     =
=       right things.    - Peter Drucker                        =
=_______________________________________________________________=
=     http://www.sun.com/service/sunps/jdc/javacenter.pdf       =
=  www.sun.com | www.javasoft.com | http://wwws.sun.com/sunone  =
=================================================================