Re: Change MTU for forwarded packets
Martin Schuster wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> George Borisov wrote:
>> Hello,
>>
>> Is there a way of forcing an MTU size for forwarded traffic on
>> the firewall?
>> I have tried playing with TCPMSS in iptables, but I haven't
>> managed to get it to work.
>>
> This should work automatically afaik.
> Is your firewall blocking some important ICMP messages like "fragmentation
> needed"?
> See man iptables (the section on TCPMSS)
All ICMP is allowed.
Here are TCPMSS rules:
---
# Mark LAN-to-LAN traffic on the way in (mangle/PREROUTING runs before routing).
$IPTABLES -t mangle -A PREROUTING -s $UK_LAN -d $SA_LAN \
-j MARK --set-mark 2
# Clamp the MSS of marked SYNs (SYN set, RST clear) to the path MTU.
$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -m mark \
--mark 2 -j TCPMSS --clamp-mss-to-pmtu
---
The mark bit is there because I'm paranoid (probably without any
good reason whatsoever) that IPSec will do funny things to packet
source/destination addresses.
There are lots of packets hitting this rule, but the problem is
still there on machines that haven't had their MTU changed. :-(
The added complication is that TCPMSS needs to catch the packets
before IPSec wraps them up for transmission. I'm not sure if
those rules are doing it right.
--
George Borisov
DXSolutions Ltd
> hth,
> - --
> Martin Schuster <Martin.Schuster@centerpoint.eu.com>
> CenterPoint http://www.centerpoint.eu.com/
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFE5ZZZ8/HiHhT8phIRAtUdAJ4nd/ilrpEvEcxobYJwaR93izAH6QCfWMaO
> U5+jKmFGCigCfTwrJtFvEEw=
> =D7ba
> -----END PGP SIGNATURE-----
>
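Added example, not code from George's or Martin's messages: one way to clamp the MSS of forwarded connections that the kernel will wrap in IPsec, plus the ICMP rule that PMTU discovery depends on. It assumes kernel-native IPsec (xfrm), where the FORWARD chain sees the packet before ESP encapsulation, and an iptables build with the `policy` and `tcpmss` matches; the network ranges, link MTU and ESP overhead figure are placeholders I chose, not values from the thread. With the default DRY_RUN=1 the script prints the commands instead of running them, so it can be inspected on any host.

```shell
#!/bin/sh
# Added example (not from the thread): MSS clamping for IPsec-bound forwarded
# traffic. Assumptions: kernel-native IPsec (xfrm), iptables with the 'policy'
# and 'tcpmss' matches. All network values below are constructed placeholders.
# DRY_RUN=1 (default) prints the iptables commands instead of executing them.

IPTABLES="${IPTABLES:-iptables}"
DRY_RUN="${DRY_RUN:-1}"
UK_LAN="${UK_LAN:-192.0.2.0/24}"        # placeholder (RFC 5737 documentation range)
SA_LAN="${SA_LAN:-198.51.100.0/24}"     # placeholder (RFC 5737 documentation range)
LINK_MTU="${LINK_MTU:-1500}"
# Assumed per-packet cost of ESP tunnel mode (outer IP header, SPI/sequence,
# IV, trailer and ICV); the real figure depends on the cipher/auth pair and
# block padding, so measure it on the actual tunnel before relying on it.
ESP_OVERHEAD="${ESP_OVERHEAD:-58}"

# Print or execute one iptables invocation, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s %s\n' "$IPTABLES" "$*"
    else
        "$IPTABLES" "$@"
    fi
}

# Largest IPv4 packet that still fits the link after ESP encapsulation.
tunnel_mtu() {
    echo $(( $1 - ESP_OVERHEAD ))
}

# TCP MSS for a given MTU: subtract the 20-byte IPv4 and 20-byte TCP headers.
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

install_rules() {
    target_mss=$(mss_for_mtu "$(tunnel_mtu "$LINK_MTU")")

    # 1. PMTU discovery only works if "fragmentation needed" reaches the hosts.
    run -A FORWARD -p icmp --icmp-type fragmentation-needed -j ACCEPT

    # 2. Clamp the MSS of SYNs in FORWARD. With xfrm, FORWARD runs before the
    #    packet is encapsulated, and the policy match selects only traffic an
    #    outbound IPsec policy applies to, so no mark is needed to find it.
    run -A FORWARD -s "$UK_LAN" -d "$SA_LAN" -p tcp --tcp-flags SYN,RST SYN \
        -m policy --dir out --pol ipsec -j TCPMSS --clamp-mss-to-pmtu

    # 3. Belt and braces: if the route MTU does not reflect the tunnel
    #    overhead, the PMTU clamp can still leave the MSS too large. Lower
    #    any MSS that exceeds the explicit figure derived from the link MTU
    #    (TCPMSS is non-terminating, so both rules apply to the same SYN).
    run -A FORWARD -s "$UK_LAN" -d "$SA_LAN" -p tcp --tcp-flags SYN,RST SYN \
        -m policy --dir out --pol ipsec \
        -m tcpmss --mss "$(( target_mss + 1 )):65535" \
        -j TCPMSS --set-mss "$target_mss"
}

install_rules
```

Run it as-is to review the generated commands; set DRY_RUN=0 (as root) to apply them. The explicit `--set-mss` rule is the one to keep if clamping to the PMTU alone still leaves connections stalling, since it does not depend on the kernel's view of the tunnel route MTU.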