* TCP MSS control over OUTPUT chain
@ 2003-05-03  2:36 Hwang, Byoung Woo
  2003-05-03  5:31 ` Julian Gomez
  0 siblings, 1 reply; 5+ messages in thread
From: Hwang, Byoung Woo @ 2003-05-03  2:36 UTC (permalink / raw)
  To: netfilter

Hi, all
I tried to control the size of the TCP MSS but failed with the
following command. I have a reason to control the TCP MSS size on the OUTPUT
chain, not the FORWARD chain.

iptables -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1400

I potentially conclude that the above command has no effect.

How can I control the TCP MSS on the OUTPUT chain?

Regards,
Hwang, Byoung Woo





* Re: TCP MSS control over OUTPUT chain
  2003-05-03  2:36 TCP MSS control over OUTPUT chain Hwang, Byoung Woo
@ 2003-05-03  5:31 ` Julian Gomez
  2003-05-03 11:18   ` Hwang, Byoung Woo
  0 siblings, 1 reply; 5+ messages in thread
From: Julian Gomez @ 2003-05-03  5:31 UTC (permalink / raw)
  To: netfilter

On Sat, May 03, 2003 at 11:36:53AM +0900, Hwang, Byoung Woo spoke thusly:
>Hi, all
>I tried to control the size of the TCP MSS but failed with the
>following command. I have a reason to control the TCP MSS size on the OUTPUT
>chain, not the FORWARD chain.
>
>iptables -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1400

Works fine for me, on a RH errata 2.4.18-27.8.0 kernel, all patched up.

iptables -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
--set-mss 700

wget http://www.kernel.org/pub/linux/kernel/v2.4/linux-2.4.0.tar.gz

[root@floyd sysconfig]# tcpdump -i ppp0 -n -vvv port 80 and host www.kernel.org
tcpdump: listening on ppp0

13:19:38.943278 219.94.59.140.33071 > 204.152.189.116.http: S [tcp sum ok]
3437729883:3437729883(0) win 5808 <mss 700,sackOK,timestamp 919615
0,nop,wscale 0> (DF) (ttl 64, id 36964, len 60)

13:19:39.183301 204.152.189.116.http > 219.94.59.140.33071: S [tcp sum ok]
3432899063:3432899063(0) ack 3437729884 win 5792 <mss 1412,sackOK,timestamp
141630295 919615,nop,wscale 0> (DF) (ttl 53, id 0, len 60)

[ snip the rest of 3-way handshake output gibberish ]

13:19:39.499854 204.152.189.116.http > 219.94.59.140.33071: . 689:1377(688)
ack 142 win 5792 <nop,nop,timestamp 141630322 919639> (DF) (ttl 53, id
64152, len 740)

The above is return traffic from kernel.org -> my PPPoE connection. Based
on another tcpdump trace from another webserver download, I am presuming
the 12 bytes difference (700-688 bytes) is actually overhead (PPPoE ?).

References : Section 18.4 Maximum Segment Size; TCP/IP Illustrated, Volume
             1, Richard Stevens.


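Added example, not code from Julian's message or from the netfilter project: a Python script that does by hand what `-p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss N` does to a SYN. It builds a SYN with the same option layout as the trace above (mss, sackOK, timestamp, nop, wscale 0: 20 option bytes, 60 bytes on the wire), rewrites the MSS option, recomputes the TCP checksum, and leaves SYN/RST and non-SYN packets alone. The addresses, ports and option values are taken from the trace; the packet bytes are constructed here. The last function is the MSS-to-payload arithmetic: the data segments in the trace carry a 12-byte `nop,nop,timestamp` option, which is what separates the 700-byte MSS from the 688-byte payload.

```python
"""Hand-rolled equivalent of the iptables TCPMSS --set-mss target (added example)."""
import socket
import struct

TCP_SYN, TCP_RST = 0x02, 0x04
OPT_EOL, OPT_NOP, OPT_MSS = 0, 1, 2


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over data (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """TCP checksum: pseudo-header (src, dst, zero, proto 6, length) + segment."""
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(segment))
    return ones_complement_sum(pseudo + segment)


def build_syn(src, dst, sport, dport, mss, flags=TCP_SYN) -> bytes:
    """Constructed IPv4+TCP packet with the option layout from the trace:
    <mss N,sackOK,timestamp,nop,wscale 0> = 20 option bytes, 60 bytes total."""
    opts = struct.pack("!BBH", OPT_MSS, 4, mss)            # mss
    opts += bytes([4, 2])                                   # sackOK
    opts += struct.pack("!BBII", 8, 10, 919615, 0)          # timestamp
    opts += bytes([OPT_NOP])                                # nop
    opts += bytes([3, 3, 0])                                # wscale 0
    doff = (20 + len(opts)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 3437729883, 0,
                      doff << 4, flags, 5808, 0, 0) + opts
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 36964, 0x4000,
                     64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return ip + tcp


def tcp_options(pkt: bytes):
    """Yield (offset, kind, length) for every option in the TCP header."""
    ihl = (pkt[0] & 0x0F) * 4
    off, end = ihl + 20, ihl + (pkt[ihl + 12] >> 4) * 4
    while off < end:
        kind = pkt[off]
        if kind == OPT_EOL:
            return
        if kind == OPT_NOP:
            yield off, kind, 1
            off += 1
            continue
        length = pkt[off + 1] if off + 1 < end else 0
        if length < 2 or off + length > end:
            raise ValueError("malformed TCP option at offset %d" % off)
        yield off, kind, length
        off += length


def get_mss(pkt: bytes):
    """MSS advertised in the packet's options, or None if there is no MSS option."""
    for off, kind, length in tcp_options(pkt):
        if kind == OPT_MSS and length == 4:
            return struct.unpack_from("!H", pkt, off + 2)[0]
    return None


def set_mss(pkt: bytes, new_mss: int) -> bytes:
    """Equivalent of '-p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss N':
    rewrite the MSS option of a SYN (not SYN/RST) and fix the TCP checksum.
    A SYN without an MSS option is returned unchanged here (the real target
    inserts one when there is room); the IP header is not touched."""
    ihl = (pkt[0] & 0x0F) * 4
    flags = pkt[ihl + 13]
    if not (flags & TCP_SYN) or (flags & TCP_RST):
        return pkt
    out = bytearray(pkt)
    for off, kind, length in tcp_options(pkt):
        if kind == OPT_MSS and length == 4:
            struct.pack_into("!H", out, off + 2, new_mss)
            break
    else:
        return pkt
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    out[ihl + 16:ihl + 18] = b"\x00\x00"                    # zero before recomputing
    struct.pack_into("!H", out, ihl + 16, tcp_checksum(src, dst, bytes(out[ihl:])))
    return bytes(out)


def tcp_checksum_ok(pkt: bytes) -> bool:
    """A correct TCP checksum makes the checksum over pseudo-header + segment come out 0."""
    ihl = (pkt[0] & 0x0F) * 4
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    return tcp_checksum(src, dst, pkt[ihl:]) == 0


def max_payload(mss: int, option_bytes: int) -> int:
    """MSS bounds TCP payload plus TCP options: a 700-byte MSS with the
    12-byte <nop,nop,timestamp> option leaves 688 bytes of data per segment."""
    return mss - option_bytes
```

Run `set_mss(build_syn("219.94.59.140", "204.152.189.116", 33071, 80, 1460), 700)` and `get_mss` on the result reads 700 while `tcp_checksum_ok` still holds; feeding the same packet with `flags=TCP_SYN | TCP_RST` returns it untouched, which is what the `SYN,RST SYN` flag mask is for.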

* RE: TCP MSS control over OUTPUT chain
  2003-05-03  5:31 ` Julian Gomez
@ 2003-05-03 11:18   ` Hwang, Byoung Woo
  2003-05-03 11:36     ` Cedric Blancher
  2003-05-03 12:07     ` leolistas
  0 siblings, 2 replies; 5+ messages in thread
From: Hwang, Byoung Woo @ 2003-05-03 11:18 UTC (permalink / raw)
  To: netfilter

Hi,
The machine where I want to try to control the size of the TCP MSS
is a gateway. eth0 is connected to the internal LAN, which uses
virtual IPs, and eth1 is connected to an ADSL modem and uses PPPoE.
After the command "iptables -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1400",
packets from the gateway itself to the outside are controlled on TCP MSS size, but
packets from the internal LAN to the Internet which are NATed by masquerading are
not controlled on TCP MSS size.
I have a reason why I cannot control it on the FORWARD chain.

Please, help

Regards,

Hwang, Byoung Woo.

* RE: TCP MSS control over OUTPUT chain
  2003-05-03 11:18   ` Hwang, Byoung Woo
@ 2003-05-03 11:36     ` Cedric Blancher
  2003-05-03 12:07     ` leolistas
  1 sibling, 0 replies; 5+ messages in thread
From: Cedric Blancher @ 2003-05-03 11:36 UTC (permalink / raw)
  To: Hwang, Byoung Woo; +Cc: netfilter

On Sat 03/05/2003 at 13:18, Hwang, Byoung Woo wrote:
[...]
> but
> packets from the internal LAN to the Internet which are NATed by masquerading are
> not controlled on TCP MSS size.
> I have a reason why I cannot control it on the FORWARD chain.

The problem is that packets forwarded by your gateway do not cross the OUTPUT
chain, just the FORWARD chain. Maybe you can try applying this kind of rule in the
mangle table's* POSTROUTING chain?

* Should the TCPMSS target only be available in the mangle table?

-- 
Cédric Blancher  <blancher@cartel-securite.fr>
IT systems and networks security - Cartel Sécurité
Phone : +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE  FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE



* RE: TCP MSS control over OUTPUT chain
  2003-05-03 11:18   ` Hwang, Byoung Woo
  2003-05-03 11:36     ` Cedric Blancher
@ 2003-05-03 12:07     ` leolistas
  1 sibling, 0 replies; 5+ messages in thread
From: leolistas @ 2003-05-03 12:07 UTC (permalink / raw)
  To: netfilter, bwh



   Houston, we have a problem! Forwarded packets will NEVER reach the OUTPUT
chain. OUTPUT is only reached by locally generated packets and INPUT will
only be reached by locally destined packets. If the machine is 'routing'
that packet, no matter if it will be NATed or not, it will never reach
OUTPUT.

   Why can't you do this in the FORWARD chain? You should notice that MSS is
not a final rule; I mean, you can use this as the very first rule in the
FORWARD chain. The MSS will be mangled and the other rules WILL be parsed. TCPMSS
is different from ACCEPT/DROP/REJECT, which are final rules, meaning that no
further rule processing will occur.

   I have this kind of configuration running on SEVERAL machines which act
as gateways for their networks and it works just fine!

iptables -A FORWARD -i eth0 -o eth1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1400


   Sincerely,
   Leonardo Rodrigues


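Added example, not code from Leonardo's or Cédric's messages: a small Python model of which chains a packet crosses on a masquerading gateway, and of how a TCPMSS rule behaves in each. It reproduces the two points both replies make (forwarded packets never see OUTPUT; TCPMSS is non-terminal, so rules after it still run) and adds two checks a practitioner would want before copying the FORWARD rule. First, on a PPPoE gateway the routed packets leave through the ppp interface (ppp0 in Julian's trace), not the Ethernet interface underneath it, so an `-o` match must name the ppp interface. Second, `--tcp-flags SYN,RST SYN` also matches the SYN/ACK coming back from the Internet, which carries the remote side's MSS option; a rule restricted to `-i LAN -o uplink` clamps only what the LAN hosts advertise (the size the remote side may send), while an unrestricted FORWARD rule, or Cédric's POSTROUTING placement, clamps both halves of the handshake. The interface names (eth0 = LAN, ppp0 = uplink) are assumptions taken from the thread; tables are collapsed into chain names and the nat table is left out.

```python
"""Netfilter chain-traversal model for the TCPMSS placement question (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Packet:
    in_iface: Optional[str]          # None: generated by the gateway itself
    out_iface: Optional[str]         # None: delivered to the gateway itself
    syn: bool = True
    ack: bool = False                # descriptive only; --tcp-flags SYN,RST SYN ignores ACK
    rst: bool = False
    mss: int = 1460
    log: List[str] = field(default_factory=list)   # "CHAIN:TARGET" for each rule that fired


@dataclass
class Rule:
    """One '-p tcp --tcp-flags SYN,RST SYN' rule; tables collapsed into the chain name."""
    chain: str                       # PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
    target: str                      # "TCPMSS", "ACCEPT", "DROP", "REJECT"
    set_mss: Optional[int] = None    # --set-mss N
    in_iface: Optional[str] = None   # -i
    out_iface: Optional[str] = None  # -o


TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def chain_path(pkt: Packet) -> List[str]:
    """Chains crossed, in order: locally generated, locally destined, or routed."""
    if pkt.in_iface is None:
        return ["OUTPUT", "POSTROUTING"]
    if pkt.out_iface is None:
        return ["PREROUTING", "INPUT"]
    return ["PREROUTING", "FORWARD", "POSTROUTING"]   # forwarded: never OUTPUT or INPUT


def walk(pkt: Packet, rules: List[Rule]) -> str:
    """Apply the rules along the packet's path and return the verdict (default policy ACCEPT)."""
    for chain in chain_path(pkt):
        for rule in (r for r in rules if r.chain == chain):
            if rule.in_iface and rule.in_iface != pkt.in_iface:
                continue
            if rule.out_iface and rule.out_iface != pkt.out_iface:
                continue
            if not (pkt.syn and not pkt.rst):       # --tcp-flags SYN,RST SYN
                continue
            pkt.log.append(f"{chain}:{rule.target}")
            if rule.target == "TCPMSS":
                pkt.mss = rule.set_mss              # --set-mss overwrites unconditionally
                continue                            # non-terminal: keep walking the chain
            if rule.target in TERMINAL:
                return rule.target
    return "ACCEPT"


def lan_syn() -> Packet:             # LAN host -> Internet, masqueraded, routed out ppp0
    return Packet(in_iface="eth0", out_iface="ppp0")


def returning_synack() -> Packet:    # Internet -> LAN host, second half of the handshake
    return Packet(in_iface="ppp0", out_iface="eth0", ack=True)


def gateway_syn() -> Packet:         # the gateway's own outbound connection
    return Packet(in_iface=None, out_iface="ppp0")


def demo(rules: List[Rule]) -> dict:
    """Run the three sample packets; return {name: (verdict, final mss, rules fired)}."""
    result = {}
    for name, make in (("lan_syn", lan_syn), ("returning_synack", returning_synack),
                       ("gateway_syn", gateway_syn)):
        pkt = make()
        verdict = walk(pkt, rules)
        result[name] = (verdict, pkt.mss, pkt.log)
    return result


# The rule sets discussed in the thread, plus the two placement pitfalls.
OUTPUT_ONLY = [Rule("OUTPUT", "TCPMSS", 1400)]                       # the original poster's rule
FORWARD_THEN_ACCEPT = [Rule("FORWARD", "TCPMSS", 1400), Rule("FORWARD", "ACCEPT")]
FORWARD_LAN_TO_PPP = [Rule("FORWARD", "TCPMSS", 1400, in_iface="eth0", out_iface="ppp0")]
FORWARD_WRONG_OUT = [Rule("FORWARD", "TCPMSS", 1400, in_iface="eth0", out_iface="eth1")]
POSTROUTING_ALL = [Rule("POSTROUTING", "TCPMSS", 1400)]              # Cédric's suggestion
```

`demo(OUTPUT_ONLY)` leaves the LAN SYN at 1460 with no rule fired and clamps only the gateway's own SYN, which is exactly the symptom reported; `demo(FORWARD_THEN_ACCEPT)` logs both `FORWARD:TCPMSS` and `FORWARD:ACCEPT` for the same packet; `demo(FORWARD_WRONG_OUT)` fires nothing because the routed packet leaves via ppp0, not eth1.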
