On Sun, 2008-06-29 at 21:41 +0100, William Murray wrote:
> Hi all,
> I am having big trouble with a pptp tunnel from a home network to
> work. I need to prevent large frames coming back through the tunnel.
> For years I used this in the firewall/nat iptables setup:
>
> iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1100
>
> but something (upgrading F7 to F9, I think) has stopped it working. I
> have been trying lots of examples off the WWW and have had no luck. Does
> anyone know what changed - or even which table I should be applying this
> to?
>
> Also, it is hard to debug as wireshark does not receive the large frame
> which brings down the tunnel. Is there an easy way to generate arbitrary
> sized frames?
>
> Thanks for any help.
> PS: My rules (rather guessed at...):
>
> [EMAIL PROTECTED] sbin]# /sbin/iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source           destination
> ACCEPT     all  --  anywhere         anywhere
> ACCEPT     all  --  anywhere         anywhere
> REJECT     udp  --  anywhere         anywhere         udp dpt:bootps reject-with icmp-port-unreachable
> REJECT     udp  --  anywhere         anywhere         udp dpt:domain reject-with icmp-port-unreachable
> ACCEPT     tcp  --  anywhere         anywhere         tcp dpt:ssh
> DROP       tcp  --  anywhere         anywhere         tcp dpts:spr-itunes:1023
> DROP       udp  --  anywhere         anywhere         udp dpts:0:1023
>
> Chain FORWARD (policy DROP)
> target     prot opt source           destination
> DROP       all  --  anywhere         168.254.0.0/16
> ACCEPT     all  --  168.254.0.0/16   anywhere
> ACCEPT     all  --  anywhere         168.254.0.0/16
>
>
Your iptables output doesn't show TCPMSS at all. Using F9, I added your
command (-A FORWARD ...) to iptables and it shows:

Chain FORWARD (policy ACCEPT)
target     prot opt source           destination
TCPMSS     tcp  --  0.0.0.0/0        0.0.0.0/0        tcp flags:0x06/0x02 TCPMSS set 1100
REJECT     all  --  0.0.0.0/0        0.0.0.0/0        reject-with icmp-host-prohibited

iptables version: iptables-1.4.1.1-1.fc9.x86_64.

Since it doesn't appear in the iptables output, is anything about it
logged in /var/log/messages?
John.
--
---
John Horne, University of Plymouth, UK Tel: +44 (0)1752 587287
E-mail: [EMAIL PROTECTED] Fax: +44 (0)1752 587001
--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
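As an added example (not code from this thread, and not netfilter's own implementation), the following Python shows what the rule under discussion actually does to a packet: it matches `-p tcp --tcp-flags SYN,RST SYN` (the `flags:0x06/0x02` mask/value pair in the listing above, i.e. SYN set and RST clear) and rewrites the TCP MSS option down to a ceiling, the way `-j TCPMSS --set-mss 1100` does, recomputing the TCP checksum. The packet builder, addresses and ports are constructed test data. It only rewrites an existing MSS option; the kernel target can also insert one when the SYN carries none, which this example deliberately does not attempt.

```python
"""Clamp the TCP MSS option in a SYN, like iptables '-j TCPMSS --set-mss N'.

Added example; raw IPv4+TCP packets are built and parsed here with struct only.
"""
import struct

TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MSS = 0, 1, 2
TH_SYN, TH_RST = 0x02, 0x04
IPPROTO_TCP = 6


def checksum(data):
    """RFC 1071 ones'-complement sum, used for both the IPv4 and TCP checksums."""
    data = bytes(data)
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ip_addr(dotted):
    return bytes(int(x) for x in dotted.split("."))


def tcp_checksum(src, dst, segment):
    """TCP checksum over the IPv4 pseudo-header plus the segment (checksum field zeroed)."""
    pseudo = src + dst + struct.pack("!BBH", 0, IPPROTO_TCP, len(segment))
    return checksum(pseudo + segment[:16] + b"\x00\x00" + segment[18:])


def build_syn(src, dst, sport, dport, mss=1460, flags=TH_SYN):
    """Construct an IPv4/TCP SYN test packet (constructed data); mss=None omits the option."""
    opts = b"" if mss is None else struct.pack("!BBH", TCPOPT_MSS, 4, mss)
    opts += bytes([TCPOPT_NOP]) * (-len(opts) % 4)          # pad to a 32-bit boundary
    doff = (20 + len(opts)) // 4
    s, d = _ip_addr(src), _ip_addr(dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, doff << 4, flags, 65535, 0, 0) + opts
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(s, d, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, IPPROTO_TCP, 0, s, d)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def mss_option(pkt):
    """Walk the TCP options; return (offset, value) of the MSS option, or None."""
    ihl = (pkt[0] & 0x0F) * 4
    doff = (pkt[ihl + 12] >> 4) * 4
    i, end = ihl + 20, ihl + doff
    while i < end:
        kind = pkt[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= end:
            break                                           # truncated option
        length = pkt[i + 1]
        if length < 2 or i + length > end:
            break                                           # malformed option list
        if kind == TCPOPT_MSS and length == 4:
            return i, struct.unpack("!H", pkt[i + 2:i + 4])[0]
        i += length
    return None


def clamp_mss(pkt, max_mss):
    """Equivalent of '-p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss max_mss'.

    Non-TCP packets, non-SYN segments, SYN+RST, SYNs without an MSS option and
    SYNs whose MSS is already <= max_mss are returned unchanged.
    """
    if pkt[9] != IPPROTO_TCP:
        return pkt
    ihl = (pkt[0] & 0x0F) * 4
    flags = pkt[ihl + 13]
    if (flags & (TH_SYN | TH_RST)) != TH_SYN:               # mask 0x06, value 0x02
        return pkt
    found = mss_option(pkt)
    if found is None or found[1] <= max_mss:
        return pkt
    off, _ = found
    buf = bytearray(pkt)
    buf[off + 2:off + 4] = struct.pack("!H", max_mss)
    # the IP header is untouched, so only the TCP checksum needs recomputing
    csum = tcp_checksum(pkt[12:16], pkt[16:20], bytes(buf[ihl:]))
    buf[ihl + 16:ihl + 18] = struct.pack("!H", csum)
    return bytes(buf)


def checksums_ok(pkt):
    """True if both the IPv4 header checksum and the TCP checksum verify."""
    ihl = (pkt[0] & 0x0F) * 4
    seg = pkt[ihl:]
    pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, IPPROTO_TCP, len(seg))
    return checksum(pkt[:ihl]) == 0 and checksum(pseudo + seg) == 0


if __name__ == "__main__":
    syn = build_syn("192.168.1.10", "10.0.0.5", 40000, 80, mss=1460)   # constructed
    out = clamp_mss(syn, 1100)
    print("MSS before:", mss_option(syn)[1], "after:", mss_option(out)[1],
          "checksums ok:", checksums_ok(out))
```

Note that the rule only ever touches SYN segments: the MSS is negotiated once per connection, so a rule in FORWARD clamps both directions as long as the SYN and SYN/ACK both traverse that chain, which is why the rule must sit before any ACCEPT or REJECT that would stop rule traversal, as it does in the F9 listing above.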