
William Murray 06-29-2008 08:41 PM

pptp tunnel mss clamping
 
Hi all,
I am having big trouble with a pptp tunnel from a home network to
work. I need to prevent large frames coming back through the tunnel.
For years I used this in the firewall/nat iptables setup:

iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1100

but something (upgrading F7 to F9, I think) has stopped it working. I
have been trying lots of examples off the WWW and have no luck. Does anyone know what
changed - or even which table I should be applying this to?

Also, it is hard to debug as wireshark does not receive the large frame
which brings down the tunnel. Is there an easy way to generate arbitrary
sized frames?


Thanks for any help.
Ps: My rules. Rather guessed at...
[root@base sbin]# /sbin/iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
REJECT udp -- anywhere anywhere udp dpt:bootps reject-with icmp-port-unreachable
REJECT udp -- anywhere anywhere udp dpt:domain reject-with icmp-port-unreachable
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
DROP tcp -- anywhere anywhere tcp dpts:spr-itunes:1023
DROP udp -- anywhere anywhere udp dpts:0:1023

Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- anywhere 168.254.0.0/16
ACCEPT all -- 168.254.0.0/16 anywhere
ACCEPT all -- anywhere 168.254.0.0/16

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (0 references)
target prot opt source destination

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
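What the `TCPMSS --set-mss 1100` rule in the post actually does to a forwarded SYN, as an added Python example that is not part of the thread: it walks the TCP option list, lowers an MSS option that is larger than the clamp value, and recomputes the TCP checksum so the rewritten segment stays valid. The addresses, ports and segment bytes are constructed test input, and the function names are the example's own.

```python
import socket
import struct

IPV4_HDR_LEN = 20
TCP_HDR_MIN = 20
TCP_OPT_EOL, TCP_OPT_NOP, TCP_OPT_MSS = 0, 1, 2
FLAG_SYN, FLAG_RST = 0x02, 0x04


def mss_for_mtu(mtu: int) -> int:
    """Largest IPv4 TCP payload that fits a link with the given MTU
    (MTU minus the 20-byte IP header and 20-byte TCP header); this is the
    value --clamp-mss-to-pmtu derives from the outgoing interface."""
    return mtu - IPV4_HDR_LEN - TCP_HDR_MIN


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """RFC 793 checksum over the IPv4 pseudo-header and the TCP segment.
    Fed a segment whose checksum field is already correct, it returns 0."""
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
    pseudo += struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment))
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_segment(src_ip, dst_ip, sport, dport, mss, flags=FLAG_SYN) -> bytes:
    """Construct a minimal TCP segment (no payload) carrying one MSS option.
    Constructed test input, not a captured packet."""
    options = struct.pack("!BBH", TCP_OPT_MSS, 4, mss)           # kind, len, MSS
    data_offset = (TCP_HDR_MIN + len(options)) // 4              # in 32-bit words
    header = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                         data_offset << 4, flags, 65535, 0, 0)  # checksum = 0
    seg = header + options
    csum = tcp_checksum(src_ip, dst_ip, seg)
    return seg[:16] + struct.pack("!H", csum) + seg[18:]


def find_mss_option(segment: bytes):
    """Walk the TCP option list. Return (offset of the 16-bit MSS value, MSS)
    or None if there is no MSS option or the option list is malformed."""
    data_offset = (segment[12] >> 4) * 4
    i = TCP_HDR_MIN
    while i < data_offset:
        kind = segment[i]
        if kind == TCP_OPT_EOL:
            return None
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= data_offset:
            return None
        length = segment[i + 1]
        if length < 2 or i + length > data_offset:
            return None                      # malformed: leave the segment alone
        if kind == TCP_OPT_MSS and length == 4:
            return i + 2, struct.unpack_from("!H", segment, i + 2)[0]
        i += length
    return None


def clamp_mss(src_ip, dst_ip, segment: bytes, max_mss: int):
    """Same logic as '--tcp-flags SYN,RST SYN -j TCPMSS --set-mss N': on a SYN
    (SYN/ACK included) that is not a RST, lower an MSS option larger than
    max_mss and fix the checksum. Returns (segment, original_mss); original_mss
    is None when nothing was changed. Unlike the kernel target, this example
    does not insert an MSS option into a SYN that carries none."""
    flags = segment[13]
    if not (flags & FLAG_SYN) or (flags & FLAG_RST):
        return segment, None
    found = find_mss_option(segment)
    if found is None:
        return segment, None
    offset, current = found
    if current <= max_mss:
        return segment, None
    seg = bytearray(segment)
    struct.pack_into("!H", seg, offset, max_mss)
    struct.pack_into("!H", seg, 16, 0)                 # zero the checksum field
    struct.pack_into("!H", seg, 16, tcp_checksum(src_ip, dst_ip, bytes(seg)))
    return bytes(seg), current


if __name__ == "__main__":
    syn = build_segment("192.168.1.10", "10.0.0.1", 40000, 22, 1460)
    clamped, before = clamp_mss("192.168.1.10", "10.0.0.1", syn, 1100)
    print("MSS %s -> %s, checksum ok: %s" % (
        before, find_mss_option(clamped)[1],
        tcp_checksum("192.168.1.10", "10.0.0.1", clamped) == 0))
```

Because the match is "SYN set, RST clear", it covers the SYN/ACK as well as the SYN, so a single FORWARD rule lowers the MSS that both ends advertise; the peer at work then sends segments no larger than 1100 bytes, which is exactly the returning large frames the post wants to prevent.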

John Horne 07-17-2008 05:43 PM

pptp tunnel mss clamping
 
On Sun, 2008-06-29 at 21:41 +0100, William Murray wrote:
> Hi all,
> I am having big trouble with a pptp tunnel from a home network to
> work. I need to prevent large frames coming back through the tunnel.
> For years I used this in the firewall/nat iptables setup:
>
> iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1100
>
> but something, (upgrading F7 to F9, I think) has stopped it working. I
> have been trying lots of examples of the WWW and have no luck. Does anyone know what
> changed - or even which table I should be applying this to?
>
> Also, it is hard to debug as wireshark does not receive the large frame
> which brings down the tunnel. Is there an easy way to generate arbitrary
> sized frames?
>
> Thanks for any help.
> Ps: My rules:. Rather guessed at...
> [root@base sbin]# /sbin/iptables -L
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
> ACCEPT all -- anywhere anywhere
> REJECT udp -- anywhere anywhere udp
> dpt:bootps reject-with icmp-port-unreachable
> REJECT udp -- anywhere anywhere udp
> dpt:domain reject-with icmp-port-unreachable
> ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
> DROP tcp -- anywhere anywhere tcp
> dpts:spr-itunes:1023
> DROP udp -- anywhere anywhere udp
> dpts:0:1023
>
> Chain FORWARD (policy DROP)
> target prot opt source destination
> DROP all -- anywhere 168.254.0.0/16
> ACCEPT all -- 168.254.0.0/16 anywhere
> ACCEPT all -- anywhere 168.254.0.0/16
>
Your iptables output doesn't show TCPMSS at all. Using F9, I added your
command (-A FORWARD ...) to iptables and it shows:

Chain FORWARD (policy ACCEPT)
target prot opt source destination
TCPMSS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS set 1100
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

iptables version iptables-1.4.1.1-1.fc9.x86_64.

Since it doesn't appear in the iptables output, is anything about it
logged in /var/log/messages?



John.

--
---------------------------------------------------------------
John Horne, University of Plymouth, UK Tel: +44 (0)1752 587287
E-mail: John.Horne@plymouth.ac.uk Fax: +44 (0)1752 587001

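A check over `iptables -L` output, added here as an example and not code from the thread: it parses listings like the ones posted (rejoining rule lines a mail client wrapped), reports whether a TCPMSS rule is present in FORWARD, and lists the terminating rules in front of it, since a rule appended with `-A` behind an ACCEPT never sees the traffic that ACCEPT already matched. The first two listings are taken from the posts; the third is constructed to show the appended case, and the function names are the example's own.

```python
import re

PROTOCOLS = {"all", "tcp", "udp", "icmp", "udplite", "esp", "ah", "sctp"}
TERMINATING = {"ACCEPT", "DROP", "REJECT", "RETURN"}
CHAIN_RE = re.compile(r"Chain (\S+) \((?:policy (\w+)|\d+ references)\)")

# FORWARD chain from the F9 test in the reply, wrapped across lines the way
# a mail client does it, so the parser has to rejoin continuation lines.
F9_LISTING = """\
Chain FORWARD (policy ACCEPT)
target prot opt source destination
TCPMSS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
flags:0x06/0x02 TCPMSS set 1100
REJECT all -- 0.0.0.0/0 0.0.0.0/0
reject-with icmp-host-prohibited
"""

# FORWARD chain from the original post: no TCPMSS rule at all.
POSTED_LISTING = """\
Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- anywhere 168.254.0.0/16
ACCEPT all -- 168.254.0.0/16 anywhere
ACCEPT all -- anywhere 168.254.0.0/16
"""

# Constructed: the posted chain with the TCPMSS rule appended (-A) after the
# existing ACCEPT rules, which is where -A puts it.
APPENDED_LISTING = POSTED_LISTING + \
    "TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS set 1100\n"


def parse_listing(text: str) -> dict:
    """Parse `iptables -L` text into {chain: {"policy": ..., "rules": [...]}}.
    A line whose second token is a protocol starts a rule; any other
    non-header line is treated as the continuation of the previous rule."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = {"policy": m.group(2), "rules": []}
            chains[m.group(1)] = current
            continue
        if current is None or line.startswith("target "):
            continue
        tokens = line.split()
        if len(tokens) >= 5 and tokens[1] in PROTOCOLS:
            current["rules"].append({
                "target": tokens[0], "prot": tokens[1], "opt": tokens[2],
                "source": tokens[3], "destination": tokens[4],
                "extra": " ".join(tokens[5:]),
            })
        elif current["rules"]:
            prev = current["rules"][-1]
            prev["extra"] = (prev["extra"] + " " + line).strip()
    return chains


def check_mss_clamp(chains: dict, chain: str = "FORWARD") -> dict:
    """Report the first TCPMSS rule in `chain`: its position, its action
    ('set N' or 'clamp to PMTU') and the terminating targets ahead of it."""
    rules = chains.get(chain, {}).get("rules", [])
    for idx, rule in enumerate(rules):
        if rule["target"] == "TCPMSS":
            m = re.search(r"TCPMSS (set \d+|clamp to PMTU)", rule["extra"])
            ahead = [r["target"] for r in rules[:idx] if r["target"] in TERMINATING]
            return {"present": True, "index": idx,
                    "action": m.group(1) if m else rule["extra"],
                    "preceding_terminating": ahead}
    return {"present": False, "index": None, "action": None,
            "preceding_terminating": []}


if __name__ == "__main__":
    for name, text in (("F9", F9_LISTING), ("posted", POSTED_LISTING),
                       ("appended", APPENDED_LISTING)):
        print(name, check_mss_clamp(parse_listing(text)))
```

The appended case is the one to watch for when the rule does load: with FORWARD rules that ACCEPT the tunnel traffic already in place, a TCPMSS rule appended after them is never reached, so it has to be inserted ahead of them (or kept in a chain with no earlier terminating match) to have any effect.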
