* TCP MSS control over OUTPUT chain
From: Hwang, Byoung Woo @ 2003-05-03 2:36 UTC
To: netfilter

Hi, all

I tried to control the size of the TCP MSS but failed with the following command. I have a reason to control the TCP MSS size on the OUTPUT chain, not the FORWARD chain.

iptables -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1400

I potentially conclude that the above command has no effect. How can I control the TCP MSS on the OUTPUT chain?

Regards,
Hwang, Byoung Woo
* Re: TCP MSS control over OUTPUT chain
From: Julian Gomez @ 2003-05-03 5:31 UTC
To: netfilter

On Sat, May 03, 2003 at 11:36:53AM +0900, Hwang, Byoung Woo spoke thusly:
> Hi, all
> I tried to control the size of the TCP MSS but failed with the
> following command. I have a reason to control the TCP MSS size on the OUTPUT
> chain, not the FORWARD chain.
>
> iptables -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss
> 1400

Works fine for me, on a RH errata 2.4.18-27.8.0 kernel, all patched up.

iptables -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
    --set-mss 700
wget http://www.kernel.org/pub/linux/kernel/v2.4/linux-2.4.0.tar.gz

[root@floyd sysconfig]# tcpdump -i ppp0 -n -vvv port 80 and host www.kernel.org
tcpdump: listening on ppp0
13:19:38.943278 219.94.59.140.33071 > 204.152.189.116.http: S [tcp sum ok] 3437729883:3437729883(0) win 5808 <mss 700,sackOK,timestamp 919615 0,nop,wscale 0> (DF) (ttl 64, id 36964, len 60)
13:19:39.183301 204.152.189.116.http > 219.94.59.140.33071: S [tcp sum ok] 3432899063:3432899063(0) ack 3437729884 win 5792 <mss 1412,sackOK,timestamp 141630295 919615,nop,wscale 0> (DF) (ttl 53, id 0, len 60)
[ snip the rest of 3-way handshake output gibberish ]
13:19:39.499854 204.152.189.116.http > 219.94.59.140.33071: . 689:1377(688) ack 142 win 5792 <nop,nop,timestamp 141630322 919639> (DF) (ttl 53, id 64152, len 740)

The above is return traffic from kernel.org -> my PPPoE connection. Based on another tcpdump trace from another webserver download, I am presuming the 12 bytes difference (700-688 bytes) is actually overhead (PPPoE ?).

References: Section 18.4 Maximum Segment Size; TCP/IP Illustrated, Volume 1, Richard Stevens.
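An added check, not part of Julian Gomez's message or of the netfilter project: the three packets from the trace above are embedded as constructed offline input and parsed to confirm that every SYN the host sent carried the clamped MSS and that the peer's data segments are consistent with it. The 12-byte gap between the advertised 700 and the 688-byte segments equals the nop,nop,timestamp option bytes printed on the same line: 20 (IP) + 20 (TCP) + 12 (options) + 688 = 740, the IP total length tcpdump shows. Treating 219.94.59.140 as the local address and assuming a 20-byte IP header (no IP options) are assumptions taken from the trace.

```python
import re

# Constructed offline input: the three packets quoted from the tcpdump trace
# in the message above (tcpdump 3.x "-vvv" formatting).
CAPTURE = """\
13:19:38.943278 219.94.59.140.33071 > 204.152.189.116.http: S [tcp sum ok] 3437729883:3437729883(0) win 5808 <mss 700,sackOK,timestamp 919615 0,nop,wscale 0> (DF) (ttl 64, id 36964, len 60)
13:19:39.183301 204.152.189.116.http > 219.94.59.140.33071: S [tcp sum ok] 3432899063:3432899063(0) ack 3437729884 win 5792 <mss 1412,sackOK,timestamp 141630295 919615,nop,wscale 0> (DF) (ttl 53, id 0, len 60)
13:19:39.499854 204.152.189.116.http > 219.94.59.140.33071: . 689:1377(688) ack 142 win 5792 <nop,nop,timestamp 141630322 919639> (DF) (ttl 53, id 64152, len 740)
"""

LOCAL_IP = "219.94.59.140"  # assumption: the PPPoE side of the trace above

# Wire size of each TCP option as tcpdump names it (RFC 793, RFC 2018, RFC 7323).
OPTION_SIZES = {"mss": 4, "sackOK": 2, "timestamp": 10, "nop": 1, "wscale": 3, "eol": 1}

_ENDPOINTS = re.compile(r"(\d+(?:\.\d+){3})\.\S+ > (\d+(?:\.\d+){3})\.\S+: (\S+) ")
_PAYLOAD = re.compile(r"\((\d+)\) ")        # "(688)" after the sequence range
_OPTIONS = re.compile(r"<([^>]*)>")
_IPLEN = re.compile(r"len (\d+)\)")         # IP total length printed by -vvv


def option_bytes(opts: str) -> int:
    """Total wire size of the TCP options tcpdump printed between < and >."""
    total = 0
    for item in filter(None, (o.strip() for o in opts.split(","))):
        name = item.split()[0]
        if name == "sack":
            total += 2 + 8 * item.count("{")   # 2-byte header plus 8 bytes per block
        elif name in OPTION_SIZES:
            total += OPTION_SIZES[name]
        else:
            raise ValueError("unknown TCP option in trace: %r" % item)
    return total


def parse_line(line: str) -> dict:
    """Pull endpoints, flags, options, payload length and IP length from one line."""
    src, dst, flags = _ENDPOINTS.search(line).groups()
    opts = _OPTIONS.search(line)
    paylen = _PAYLOAD.search(line)
    return {
        "src": src, "dst": dst,
        "syn": "S" in flags,
        "opts": opts.group(1) if opts else "",
        "payload": int(paylen.group(1)) if paylen else 0,
        "iplen": int(_IPLEN.search(line).group(1)),
    }


def advertised_mss(pkt: dict):
    m = re.search(r"\bmss (\d+)", pkt["opts"])
    return int(m.group(1)) if m else None


def syn_mss_by_direction(capture: str, local_ip: str) -> dict:
    """MSS values seen in SYNs, split by whether the SYN left the local host."""
    seen = {"outbound": [], "inbound": []}
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt["syn"]:
            key = "outbound" if pkt["src"] == local_ip else "inbound"
            seen[key].append(advertised_mss(pkt))
    return seen


def clamp_applied(capture: str, local_ip: str, target: int) -> bool:
    """True when every SYN this host sent carried an MSS no larger than target."""
    out = syn_mss_by_direction(capture, local_ip)["outbound"]
    return bool(out) and all(m is not None and m <= target for m in out)


def segment_budget(mss: int, opt_bytes: int) -> int:
    """Payload a peer may put in one segment: the MSS we advertised minus the
    TCP options it sends in that segment (RFC 6691). nop,nop,timestamp is 12
    bytes, which is the gap between 700 and 688 in the trace."""
    return mss - opt_bytes


def inbound_segments_consistent(capture: str, local_ip: str, target: int, ip_hdr: int = 20) -> bool:
    """Every data segment from the peer fits the advertised MSS and its IP total
    length equals IP header + 20-byte TCP header + options + payload.
    ip_hdr=20 assumes no IP options, which the trace's 'len 60' SYNs confirm."""
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt["dst"] != local_ip or pkt["payload"] == 0:
            continue
        ob = option_bytes(pkt["opts"])
        if pkt["payload"] > segment_budget(target, ob):
            return False
        if ip_hdr + 20 + ob + pkt["payload"] != pkt["iplen"]:
            return False
    return True


if __name__ == "__main__":
    print("SYN MSS by direction:", syn_mss_by_direction(CAPTURE, LOCAL_IP))
    print("clamp to 700 applied:", clamp_applied(CAPTURE, LOCAL_IP, 700))
    print("peer segments consistent:", inbound_segments_consistent(CAPTURE, LOCAL_IP, 700))
```

Run it against a fresh `tcpdump -n -vvv` capture of your own SYNs instead of CAPTURE to confirm a clamp took effect; an outbound SYN whose MSS exceeds the target means the rule did not see that packet, which is exactly the symptom the rest of this thread explains.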
* RE: TCP MSS control over OUTPUT chain
From: Hwang, Byoung Woo @ 2003-05-03 11:18 UTC
To: netfilter

Hi,

The machine where I want to control the size of the TCP MSS is a gateway. eth0 is connected to the internal LAN, which uses virtual IPs, and eth1 is connected to an ADSL modem and uses PPPoE.

After the command "iptables -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1400", packets from the gateway itself to the outside are controlled on TCP MSS size, but packets from the internal LAN to the Internet, which are NATed by masquerading, are not controlled on TCP MSS size.

I have a reason why I cannot control it on the FORWARD chain.

Please, help

Regards,
Hwang, Byoung Woo.

-----Original Message-----
From: netfilter-admin@lists.netfilter.org [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Julian Gomez
Sent: Saturday, May 03, 2003 2:32 PM
To: netfilter@lists.netfilter.org
Subject: Re: TCP MSS control over OUTPUT chain

[ quoted message snipped: identical to Julian Gomez's reply above ]
* RE: TCP MSS control over OUTPUT chain
From: Cedric Blancher @ 2003-05-03 11:36 UTC
To: Hwang, Byoung Woo; Cc: netfilter

On Sat 03/05/2003 at 13:18, Hwang, Byoung Woo wrote:
[...]
> but
> packets from the internal LAN to the Internet, which are NATed by masquerading,
> are
> not controlled on TCP MSS size.
> I have a reason why I cannot control it on the FORWARD chain.

The problem is that packets forwarded by your gateway do not cross the OUTPUT chain, just the FORWARD chain. Maybe you can try applying this kind of rule in the mangle table's* POSTROUTING chain?

* Should the TCPMSS target only be available in the mangle table?

-- 
Cédric Blancher <blancher@cartel-securite.fr>
IT systems and networks security - Cartel Sécurité
Phone : +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
* RE: TCP MSS control over OUTPUT chain
From: leolistas @ 2003-05-03 12:07 UTC
To: netfilter, bwh

Houston, we have a problem !!

Forwarded packets will NEVER reach the OUTPUT chain. OUTPUT is only reached by locally generated packets, and INPUT will only be reached by locally destined packets. If the machine is 'routing' that packet, no matter whether it will be NATed or not, it will never reach OUTPUT.

Why can't you do this in the FORWARD chain? You should notice that MSS is not a final rule, I mean, you can use this as the very first rule in the FORWARD chain. The MSS will be mangled and the other rules WILL be parsed. TCPMSS is different from ACCEPT/DROP/REJECT, which are final rules, that is, no further rule processing will occur.

I have this kind of configuration running on SEVERAL machines which act as gateways for their networks and it works just fine!

iptables -A FORWARD -i eth0 -o eth1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1400

Sincerely,
Leonardo Rodrigues

Quoting "Hwang, Byoung Woo" <bwh@net-safe.co.kr>:
> Hi,
> The machine where I want to control the size of the TCP MSS
> is a gateway. eth0 is connected to the internal LAN, which uses
> virtual IPs, and eth1 is connected to an ADSL modem and uses PPPoE.
> After the command "iptables -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j
> TCPMSS --set-mss 1400"
> packets from the gateway itself to the outside are controlled on TCP MSS size
> but
> packets from the internal LAN to the Internet, which are NATed by masquerading,
> are
> not controlled on TCP MSS size.
> I have a reason why I cannot control it on the FORWARD chain.
>
> Please, help
>
> Regards,
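As an added example of what the TCPMSS target does to a packet that does reach its rule, whether in FORWARD as Leonardo Rodrigues suggests or in OUTPUT for locally generated traffic: this is not code from any message in the thread and not netfilter code. It builds an IPv4/TCP SYN with the same 20-byte option layout as the SYNs in Julian Gomez's trace, rewrites the MSS option in place, recomputes the TCP checksum, and leaves alone non-SYN segments and SYNs whose MSS is already at or below the target (the kernel target never raises an MSS). Addresses, ports and timestamp values are constructed; a SYN that carries no MSS option at all is returned unchanged here, while the real target also handles that case.

```python
import socket
import struct

TCP_SYN, TCP_ACK = 0x02, 0x10
OPT_EOL, OPT_NOP, OPT_MSS = 0, 1, 2
IP_HDR_LEN = 20  # assumption: no IP options, as in every packet of the trace


def _fold(data: bytes) -> int:
    """One's-complement sum of 16-bit words, folded to 16 bits."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src: str, dst: str, tcp: bytes) -> int:
    """RFC 793 checksum over the IPv4 pseudo-header (src, dst, zero, proto 6,
    TCP length) followed by TCP header, options and payload."""
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(tcp))
    return (~_fold(pseudo + tcp)) & 0xFFFF


def syn_options(mss: int) -> bytes:
    """Same 20-byte layout as the SYNs in the trace: mss,sackOK,timestamp,nop,wscale."""
    return (struct.pack("!BBH", OPT_MSS, 4, mss)       # MSS
            + bytes([4, 2])                            # SACK permitted
            + struct.pack("!BBII", 8, 10, 919615, 0)   # timestamps (constructed values)
            + bytes([OPT_NOP])
            + struct.pack("!BBB", 3, 3, 0))            # window scale 0


def build_ipv4_tcp(src, dst, sport, dport, flags, options=b"", payload=b"") -> bytes:
    """Constructed IPv4/TCP packet with valid IP and TCP checksums."""
    assert len(options) % 4 == 0, "TCP options must pad to 32-bit words"
    doff = (20 + len(options)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, doff << 4, flags, 5808, 0, 0) + options + payload
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + len(tcp), 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", (~_fold(ip)) & 0xFFFF) + ip[12:]
    return ip + tcp


def _find_mss(tcp: bytes):
    """Offset of the MSS option's value field inside the TCP header, or None.
    Walks kind/length options, stops at EOL, rejects lengths that would run
    past the header (a malformed SYN must not be trusted)."""
    doff = (tcp[12] >> 4) * 4
    i = 20
    while i + 1 < doff:
        kind = tcp[i]
        if kind == OPT_EOL:
            return None
        if kind == OPT_NOP:
            i += 1
            continue
        length = tcp[i + 1]
        if length < 2 or i + length > doff:
            raise ValueError("malformed TCP option at offset %d" % i)
        if kind == OPT_MSS and length == 4:
            return i + 2
        i += length
    return None


def read_mss(packet: bytes):
    tcp = packet[IP_HDR_LEN:]
    off = _find_mss(tcp)
    return None if off is None else struct.unpack("!H", tcp[off:off + 2])[0]


def clamp_mss(packet: bytes, new_mss: int) -> bytes:
    """Model of `-j TCPMSS --set-mss new_mss` on one packet: only SYNs are
    touched, the MSS option is rewritten in place when larger than new_mss
    (never raised), and the TCP checksum is recomputed."""
    tcp = bytearray(packet[IP_HDR_LEN:])
    if not tcp[13] & TCP_SYN:
        return packet
    off = _find_mss(bytes(tcp))
    if off is None or struct.unpack("!H", tcp[off:off + 2])[0] <= new_mss:
        return packet
    tcp[off:off + 2] = struct.pack("!H", new_mss)
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    tcp[16:18] = b"\x00\x00"
    tcp[16:18] = struct.pack("!H", tcp_checksum(src, dst, bytes(tcp)))
    return packet[:IP_HDR_LEN] + bytes(tcp)


def tcp_checksum_ok(packet: bytes) -> bool:
    """With a correct checksum in place the pseudo-header plus segment sums to
    0xFFFF, so recomputing over it (checksum field included) yields 0."""
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    return tcp_checksum(src, dst, packet[IP_HDR_LEN:]) == 0


if __name__ == "__main__":
    syn = build_ipv4_tcp("192.0.2.10", "198.51.100.20", 33071, 80, TCP_SYN, syn_options(1460))
    clamped = clamp_mss(syn, 1400)
    print("mss before/after:", read_mss(syn), read_mss(clamped), "checksum ok:", tcp_checksum_ok(clamped))
```

The rewrite is the same whichever chain the rule sits in; the thread's point is that a forwarded SYN is only ever presented to rules in PREROUTING, FORWARD and POSTROUTING, so a rule in OUTPUT never gets the chance to apply it.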