pptp tunnel mss clamping

2008-06-29 Thread William Murray

  Hi all,
   I am having big trouble with a pptp tunnel from a home network to
work. I need to prevent large frames coming back through the tunnel.
For years I used this in the firewall/nat iptables setup:

iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1100

but something (upgrading F7 to F9, I think) has stopped it working. I have been
trying lots of examples off the WWW and have had no luck. Does anyone know what
changed - or even which table I should be applying this to?

Also, it is hard to debug as wireshark does not receive the large frame which
brings down the tunnel. Is there an easy way to generate arbitrary sized frames?


Thanks for any help.
PS: My rules. Rather guessed at...
[EMAIL PROTECTED] sbin]# /sbin/iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     udp  --  anywhere             anywhere             udp dpt:bootps reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere             udp dpt:domain reject-with icmp-port-unreachable
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
DROP       tcp  --  anywhere             anywhere             tcp dpts:spr-itunes:1023
DROP       udp  --  anywhere             anywhere             udp dpts:0:1023

Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             168.254.0.0/16
ACCEPT     all  --  168.254.0.0/16       anywhere
ACCEPT     all  --  anywhere             168.254.0.0/16

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (0 references)
target     prot opt source               destination


--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list


Re: pptp tunnel mss clamping

2008-07-17 Thread John Horne
On Sun, 2008-06-29 at 21:41 +0100, William Murray wrote:
> Hi all,
> I am having big trouble with a pptp tunnel from a home network to
> work. I need to prevent large frames coming back through the tunnel.
> For years I used this in the firewall/nat iptables setup:
> 
> iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1100
> 
> but something, (upgrading F7 to F9, I think) has stopped it working. I 
> have been trying lots of examples of the WWW and have no luck. Does anyone 
> know what
> changed - or even which table I should be applying this to?
> 
> Also, it is hard to debug as wireshark does not receive the large frame 
> which brings down the tunnel.  Is there an easy way to generate arbitrary 
> sized frames?
> 
> Thanks for any help.
> PS: My rules. Rather guessed at...
> [EMAIL PROTECTED] sbin]# /sbin/iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere
> REJECT     udp  --  anywhere             anywhere             udp dpt:bootps reject-with icmp-port-unreachable
> REJECT     udp  --  anywhere             anywhere             udp dpt:domain reject-with icmp-port-unreachable
> ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
> DROP       tcp  --  anywhere             anywhere             tcp dpts:spr-itunes:1023
> DROP       udp  --  anywhere             anywhere             udp dpts:0:1023
> 
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
> DROP       all  --  anywhere             168.254.0.0/16
> ACCEPT     all  --  168.254.0.0/16       anywhere
> ACCEPT     all  --  anywhere             168.254.0.0/16
> 
Your iptables output doesn't show TCPMSS at all. Using F9, I added your
command (-A FORWARD ...) to iptables and it shows:

  Chain FORWARD (policy ACCEPT)
  target     prot opt source               destination
  TCPMSS     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 TCPMSS set 1100
  REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

iptables version iptables-1.4.1.1-1.fc9.x86_64.

Since it doesn't appear in the iptables output, is anything about it
logged in /var/log/messages?



John.

-- 
---
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 587287
E-mail: [EMAIL PROTECTED]   Fax: +44 (0)1752 587001

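Following up John's point that the TCPMSS rule has to actually show up in the listing, here is an added example (not from either post) that parses iptables-save output, which unlike a bare `iptables -L` shows every table, and reports where a TCPMSS rule is loaded and what it sets. The set of chains that accept the target, the `ppp+` interface name and the sample rule text are assumptions for the example.

```python
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Chains whose hooks accept the TCPMSS target (assumed here: forward,
# output, postrouting); the reply above shows filter FORWARD working on F9.
CLAMP_CHAINS = {"FORWARD", "OUTPUT", "POSTROUTING"}

@dataclass
class MssRule:
    table: str
    chain: str
    out_iface: Optional[str]   # value of -o (e.g. "ppp+"), if present
    mss: Optional[int]         # None means --clamp-mss-to-pmtu

def find_tcpmss_rules(save_text: str) -> List[MssRule]:
    """Return every TCPMSS rule in iptables-save text, tagged with its table."""
    rules, table = [], None
    for raw in save_text.splitlines():
        line = raw.strip()
        if line.startswith("*"):              # "*mangle" opens a table block
            table = line[1:]
        elif line == "COMMIT":
            table = None
        elif line.startswith("-A ") and "-j TCPMSS" in line:
            argv = shlex.split(line)
            rule = MssRule(table or "?", argv[1], None, None)
            for i, tok in enumerate(argv[:-1]):
                if tok == "-o":
                    rule.out_iface = argv[i + 1]
                elif tok == "--set-mss":
                    rule.mss = int(argv[i + 1])
            rules.append(rule)
    return rules

def clamp_in_place(save_text: str, tunnel_iface: str = "ppp+") -> bool:
    """True if a TCPMSS rule sits in a chain forwarded tunnel traffic passes
    through and is not pinned to some other output interface."""
    return any(r.chain in CLAMP_CHAINS and r.out_iface in (None, tunnel_iface)
               for r in find_tcpmss_rules(save_text))

# Constructed sample: the clamp in the mangle table, tied to the ppp link.
SAMPLE = """\
*mangle
:FORWARD ACCEPT [0:0]
-A FORWARD -o ppp+ -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1100
COMMIT
"""
```

Run it against `iptables-save` output from the failing box; an empty result means the rule never made it into any table, which matches the symptom in the thread.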