Re: DNAT + ADSL... to reduce MTU of the network
On Tue, Jul 11, 2006 at 05:10:59PM -0300, ronan lopes wrote:
> I am having problems using DNAT on a gateway with
> external interface ppp0 and internal interface eth1. I have
> already set the MTU of eth0 very low, to 890; but ppp0
> only connects with MTU 1492. I would like to reduce this
> MTU, so when I use the rule:

You may set the mtu for ppp0 in /etc/ppp/options:

,----[/etc/ppp/options]
| # Set the MTU [Maximum Transmit Unit] value to <n>. Unless the peer
| # requests a smaller value via MRU negotiation, pppd will request that
| # the kernel networking code send data packets of no more than n bytes
| # through the PPP network interface.
| #mtu <n>
| mtu 1411
`----

-- 
Whoever says A need not say B. He can also recognize that A was wrong.
Bertolt Brecht
Re: DNAT + ADSL... to reduce MTU of the network
ronan lopes wrote:
> I am having problems using DNAT on a gateway with external interface ppp0
> and internal interface eth1. I have already set the MTU of eth0 very low,
> to 890; but ppp0 only connects with MTU 1492. I would like to reduce this
> MTU, so when I use the rule:
>
> iptables -A FORWARD -p tcp -m tcp --tcp-flags \
>   SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>
> and
>
> iptables -t nat -I PREROUTING -p tcp --dport 3389 \
>   -j DNAT --to 10.0.0.7
>
> it does not function!
>
> New at Yahoo! Mail: receive alerts of new messages on your mobile phone.
> Register your device now!

Hi

I think, if I remember, you don't need to touch the MTU of eth0... only ppp0 needs to be set to 1492 or less if using any type of VPN...

I also think, if I remember, that you don't need the iptables rule with clamp-mss-to-pmtu if you change the MTU manually!

For the DNAT, after the DNAT rule, you need to allow the traffic in the table "filter" with a rule like this:

iptables -t filter -A FORWARD -m state --state NEW \
  -i -o eth1 -p tcp -d 10.0.0.7 --dport 3389 -j ACCEPT

I'm sure about this point: after a DNAT, you MUST allow the traffic in table "filter"

Regards
Guillaume

-- 
Guillaume
E-mail: silencer__free-4ever__net
Blog: http://guillaume.free-4ever.net
Site: http://www.free-4ever.net

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Problem DNAT using ppp0 ADSL
I am having problems using DNAT on a gateway with external interface ppp0 and internal interface eth1. I have already set the MTU of eth0 very low, to 890; but ppp0 only connects with MTU 1492. I would like to reduce this MTU, so when I use the rule:

iptables -A FORWARD -p tcp -m tcp --tcp-flags \
  SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

and

iptables -t nat -I PREROUTING -p tcp --dport 3389 \
  -j DNAT --to 10.0.0.7

it does not function!

___
Open your account at Yahoo! Mail: 1GB of space, e-mail alerts on your mobile phone and truly effective anti-spam. http://mail.yahoo.com.br/
DNAT + ADSL... to reduce MTU of the network
I am having problems using DNAT on a gateway with external interface ppp0 and internal interface eth1. I have already set the MTU of eth0 very low, to 890; but ppp0 only connects with MTU 1492. I would like to reduce this MTU, so when I use the rule:

iptables -A FORWARD -p tcp -m tcp --tcp-flags \
  SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

and

iptables -t nat -I PREROUTING -p tcp --dport 3389 \
  -j DNAT --to 10.0.0.7

it does not function!
Re: ssh connection survives reboot of stateful iptables router
Hi All!

On Tue, 2006-07-04 at 09:56 +0200, martin f krafft wrote:
>
> Many people have rules like
>
> -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
>
> I've done research and found that
>
> -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -m conntrack --ctstate INVALID -j DROP
> -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
>
> is the same, meaning that the INVALID state matches all non-SYN
> packets at this point.

For the same, you must replace the second line with this:

-A INPUT -p tcp -m conntrack --ctstate NEW ! --syn -j DROP

Or, to be sure, use both lines.
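A small Python model, added here as an illustration and not code from the thread, of why the two INPUT rulesets behave differently once the router's conntrack table is empty (as after a reboot). It assumes, as labelled in the code, that the kernel's default nf_conntrack_tcp_loose=1 (ip_conntrack_tcp_loose on 2006-era kernels) makes conntrack pick up a mid-stream ACK as NEW rather than INVALID, so only the NEW-but-not-SYN rule drops it.

```python
# Simplified model of netfilter's TCP conntrack classification for packets
# that arrive with no state-table entry, plus the two INPUT chains above.
# Assumption (labelled): with tcp_loose=1 (the default) a bare ACK with no
# entry is "picked up" mid-stream and classified NEW, not INVALID.

def ct_state(flags, has_entry, tcp_loose=True):
    """Conntrack state a packet would match. flags: set of TCP flag names."""
    if has_entry:
        return "ESTABLISHED"
    if flags == {"SYN"}:
        return "NEW"          # normal handshake start
    if flags == {"ACK"} and tcp_loose:
        return "NEW"          # mid-stream pickup: NEW, so INVALID never matches
    return "INVALID"          # SYN/ACK, FIN, RST, or ACK with tcp_loose=0

# Matches for the rules; a ruleset is a list of (match, target) pairs.
def established(state, pkt):
    return state in ("ESTABLISHED", "RELATED")

def invalid(state, pkt):
    return state == "INVALID"

def new_without_syn(state, pkt):
    return state == "NEW" and "SYN" not in pkt["flags"]

def ssh(state, pkt):
    return pkt["dport"] == 22

# Martin's chain: drop INVALID, then accept port 22.
RULESET_INVALID = [(established, "ACCEPT"), (invalid, "DROP"), (ssh, "ACCEPT")]
# The reply's chain: drop NEW packets that are not SYN, then accept port 22.
RULESET_NOSYN = [(established, "ACCEPT"), (new_without_syn, "DROP"),
                 (ssh, "ACCEPT")]

def verdict(ruleset, pkt, tcp_loose=True):
    """Walk the chain first-match-wins; the chain policy is assumed DROP."""
    state = ct_state(pkt["flags"], pkt["has_entry"], tcp_loose)
    for match, target in ruleset:
        if match(state, pkt):
            return target
    return "DROP"

if __name__ == "__main__":
    # Constructed packet: an ssh client's ACK segment reaching the router
    # after a reboot wiped the conntrack table.
    midstream = {"flags": {"ACK"}, "dport": 22, "has_entry": False}
    print("INVALID-drop, tcp_loose=1:", verdict(RULESET_INVALID, midstream))        # ACCEPT
    print("INVALID-drop, tcp_loose=0:", verdict(RULESET_INVALID, midstream, False)) # DROP
    print("NEW-!syn-drop, tcp_loose=1:", verdict(RULESET_NOSYN, midstream))         # DROP
```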