pptp tunnel mss clamping

John Horne john.horne at plymouth.ac.uk
Thu Jul 17 17:43:28 UTC 2008


On Sun, 2008-06-29 at 21:41 +0100, William Murray wrote:
> Hi all,
>         I am having big trouble with a pptp tunnel from a home network to
> work. I need to prevent large frames coming back through the tunnel.
> For years I used this in the firewall/nat iptables setup:
> 
> iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1100
> 
> but something, (upgrading F7 to F9, I think) has stopped it working. I 
> have been trying lots of examples off the WWW and have no luck. Does anyone know what
> changed - or even which table I should be applying this to?
> 
> Also, it is hard to debug as wireshark does not receive the large frame 
> which brings down the tunnel.  Is there an easy way to generate arbitrary 
> sized frames?
> 
> Thanks for any help.
> PS: My rules (rather guessed at...):
> [root at base sbin]# /sbin/iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination        
> ACCEPT     all  --  anywhere             anywhere           
> ACCEPT     all  --  anywhere             anywhere           
> REJECT     udp  --  anywhere             anywhere            udp dpt:bootps reject-with icmp-port-unreachable
> REJECT     udp  --  anywhere             anywhere            udp dpt:domain reject-with icmp-port-unreachable
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
> DROP       tcp  --  anywhere             anywhere            tcp dpts:spr-itunes:1023
> DROP       udp  --  anywhere             anywhere            udp dpts:0:1023
> 
> Chain FORWARD (policy DROP)
> target     prot opt source               destination        
> DROP       all  --  anywhere             168.254.0.0/16     
> ACCEPT     all  --  168.254.0.0/16       anywhere           
> ACCEPT     all  --  anywhere             168.254.0.0/16     
> 
Your iptables output doesn't show TCPMSS at all. Using F9, I added your
command (-A FORWARD ...) to iptables and it shows:

  Chain FORWARD (policy ACCEPT)
  target     prot opt source               destination
  TCPMSS     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS set 1100
  REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

iptables version iptables-1.4.1.1-1.fc9.x86_64.

Since it doesn't appear in the iptables output is anything about it
logged in /var/log/messages?



John.

-- 
---------------------------------------------------------------
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 587287
E-mail: John.Horne at plymouth.ac.uk       Fax: +44 (0)1752 587001
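
As an added check for threads like this one (my own code, not from either poster), the script below reads an iptables-save dump, which lists every table rather than only the filter table that a plain `iptables -L` shows, and reports whether a TCPMSS rule is actually loaded, in which table and chain, whether it matches SYNs only, and whether a `--set-mss` value fits the tunnel MTU. The sample dump and the 1400-byte ppp MTU are constructed for the example.

```python
import re

def find_tcpmss_rules(dump):
    """Return every rule in an iptables-save dump that jumps to TCPMSS.
    mss is an int for --set-mss N, "pmtu" for --clamp-mss-to-pmtu, else None."""
    rules, table = [], None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):            # "*mangle", "*filter": start of a table
            table = line[1:]
        elif line.startswith("-A") and "-j TCPMSS" in line:
            m = re.search(r"--set-mss (\d+)", line)
            mss = int(m.group(1)) if m else ("pmtu" if "--clamp-mss-to-pmtu" in line else None)
            rules.append({
                "table": table, "chain": line.split()[1], "mss": mss,
                # MSS is only carried in SYN, so the match must single out SYN-without-RST
                "syn_only": re.search(r"--tcp-flags (?:SYN,RST|RST,SYN) SYN(?=\s|$)", line) is not None,
            })
    return rules

def audit_mss_clamp(dump, tunnel_mtu):
    """Return a list of problems; an empty list means the clamp looks right.
    tunnel_mtu is the ppp interface MTU; IPv4 + TCP headers use 40 bytes of it."""
    max_mss = tunnel_mtu - 40
    rules = find_tcpmss_rules(dump)
    if not rules:
        return ["no TCPMSS rule in any table: it was never loaded or has been flushed"]
    problems = []
    for r in rules:
        where = f"{r['table']}/{r['chain']}"
        if r["mss"] == "pmtu" and r["chain"] not in ("FORWARD", "OUTPUT", "POSTROUTING"):
            problems.append(f"{where}: --clamp-mss-to-pmtu is only accepted in FORWARD, OUTPUT, POSTROUTING")
        if not r["syn_only"]:
            problems.append(f"{where}: missing --tcp-flags SYN,RST SYN, so non-SYN segments are touched")
        if isinstance(r["mss"], int) and r["mss"] > max_mss:
            problems.append(f"{where}: --set-mss {r['mss']} exceeds {max_mss} (MTU {tunnel_mtu} - 40)")
    return problems

# Constructed iptables-save excerpt: the poster's rule placed in the mangle table
SAMPLE_DUMP = """\
*mangle
:FORWARD ACCEPT [0:0]
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1100
COMMIT
*filter
-A FORWARD -d 168.254.0.0/16 -j DROP
COMMIT
"""
```

Feed it the output of `iptables-save` on the gateway; an empty result from `audit_mss_clamp` means the rule is loaded and sized for the tunnel, and the first line it prints otherwise is where to look next.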