
Re: need iptables rule to turn off ecn on a firewall

I have used -t nat -j MASQ quite a bit and have read a lot on the -t mangle without gaining as much comprehension as I would like, and need.

Is the -t mangle used as a replacement for -t nat -j MASQ? in conjunction with it? ... What would need to be done to augment/replace my current rule that does iptables -t nat -A postrouting -j MASQ... ?

Thank you

Tarragon Allen wrote:
On Fri, 2 May 2003 03:23 pm, Hanasaki JiJi wrote:

The internal network has ECN on.  A few ports are NATed going out.  Is
there an iptables rule that will turn off ECN as ports are going out
through the firewall?

Haven't actually done this myself, but it's definitely possible according to the iptables man page:
This target allows to selectively work around known ECN blackholes. It can only be used in the mangle table.

Remove all ECN bits from the TCP header. Of course, it can only be used in conjunction with -p tcp.
Something like:

iptables -t mangle -I FORWARD -o $EXTERNAL_INTERFACE -p tcp -j ECN --ecn-tcp-remove

(untested, but looks right to me)


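As an added example that is not part of this thread or of the iptables project, the fragment below shows how the mangle-table ECN workaround sits beside the existing nat-table MASQUERADE rule rather than replacing it: the two tables do different jobs (mangle alters packet headers, nat rewrites addresses once per connection), so both rules stay. The interface name EXT_IF and the IPT variable (set to echo for a dry run) are assumptions, and --ecn-tcp-remove is written as an option of the ECN target, which is what the man page excerpt above requires.

```shell
#!/bin/sh
# Added example (not from the thread): keep the NAT rule and add the ECN
# workaround next to it. IPT and EXT_IF are placeholders; run with IPT=echo
# to print the commands instead of applying them.

IPT="${IPT:-iptables}"
EXT_IF="${EXT_IF:-eth0}"   # constructed placeholder for the external interface

# Emits (or applies) the two rules. The mangle/FORWARD rule is consulted
# before nat/POSTROUTING for a forwarded packet, so it is listed first here.
apply_rules() {
    # 1. mangle/FORWARD: strip ECN bits from TCP packets leaving via EXT_IF.
    #    --ecn-tcp-remove belongs to the ECN target, hence "-j ECN" before it.
    "$IPT" -t mangle -A FORWARD -o "$EXT_IF" -p tcp -j ECN --ecn-tcp-remove
    # 2. nat/POSTROUTING: masquerade connections leaving via EXT_IF (unchanged).
    "$IPT" -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
}

# Pre-flight check on a rule string: --ecn-tcp-remove without "-j ECN" is the
# mistake iptables rejects, so refuse such a rule before trying to load it.
rule_is_well_formed() {
    case "$1" in
        *"-j ECN"*--ecn-tcp-remove*) return 0 ;;   # option attached to its target
        *--ecn-tcp-remove*)          return 1 ;;   # option without the ECN target
        *)                           return 0 ;;   # no ECN option involved
    esac
}

# Stand-alone usage: dry run by default so the script never touches a live
# firewall unless IPT is left at its iptables default by the caller.
if [ "${IPT}" = "iptables" ] && [ -z "${APPLY:-}" ]; then
    IPT=echo
fi
apply_rules
```

The dry-run output is the pair of commands to load; the order matters only in that both must exist, not that one replaces the other.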