From: Jonathan Kamens
Date: Wed, 04 Jun 2003 10:36:50 +0000
Subject: Re: [jik@kamens.brookline.ma.us: [LARTC] MSS clamping doesn't work with masquerading through VPN?]
To: lartc@vger.kernel.org

> From: "Peter E. Fry"
> Date: Tue, 03 Jun 2003 22:33:08 -0500
>
> In that case I'll take a wild stab. I'd guess that the traffic
> passing through the clamper is not TCP at that point -- it's either
> UDP or ESP, and therefore unaffected by TCP MSS clamping. Use
> IPTables to log the packets passing to your remote, and see what they
> are.

Your guess about the cause of the problem was wrong, but your
suggestion for debugging it helped me find the solution!

I was specifying the MSS clamping with "-A FORWARD", but apparently the
packets in question were never going through the FORWARD chain because
they were being NATed. So I added a rule to my nat table, and now the
MTU clamping works. In other words, in addition to this:

  iptables -t filter -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

I now have this as well:

  iptables -t nat -A POSTROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

I guess the problem I had is what comes from trying to apply a cookbook
without fully understanding it.

Question: Is it worth mentioning this in the LARTC guide in the section
that talks about MSS clamping, so that other naifs like me can avoid
this problem?

Thanks,

Jonathan Kamens

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
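What the TCPMSS target does to a SYN that actually reaches it is easier to see in code. The following is an added Python example, not code from the list post or from netfilter: it constructs a sample IPv4 SYN carrying an MSS option, rewrites the MSS down to the path MTU minus the 40 bytes of IPv4 and TCP headers (the --clamp-mss-to-pmtu behaviour), and recomputes the TCP checksum so the packet stays valid. The addresses, ports and the 1400-byte path MTU are constructed assumptions; a SYN whose MSS is already small enough, or a packet that is not a SYN, is returned untouched, just as the target leaves it alone.

```python
"""Model of iptables' TCPMSS --clamp-mss-to-pmtu rewrite on a TCP SYN.

Added example, not code from the LARTC post or from netfilter. All packet
field values below are constructed sample data.
"""
import struct

MSS_KIND = 2         # TCP option kind for Maximum Segment Size
IP_HDR_LEN = 20      # IPv4 header without options
TCP_HDR_LEN = 20     # TCP header without options
PROTO_TCP = 6


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip: bytes, dst_ip: bytes, tcp: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the TCP segment."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, PROTO_TCP, len(tcp))
    return checksum(pseudo + tcp)


def build_syn(src: str, dst: str, mss: int) -> bytes:
    """Construct an IPv4 SYN with a single 4-byte MSS option (sample input)."""
    src_ip = bytes(int(x) for x in src.split("."))
    dst_ip = bytes(int(x) for x in dst.split("."))
    options = struct.pack("!BBH", MSS_KIND, 4, mss)
    # data offset 6 words = 20-byte header + 4 bytes of options; flags = SYN
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 6 << 4, 0x02, 65535, 0, 0) + options
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + len(tcp), 1, 0x4000,
                     64, PROTO_TCP, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def read_mss(packet: bytes):
    """Return the MSS option value of a TCP packet, or None if absent."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    data_off = (tcp[12] >> 4) * 4
    i = TCP_HDR_LEN
    while i < data_off:
        kind = tcp[i]
        if kind == 0:            # end of option list
            break
        if kind == 1:            # NOP padding
            i += 1
            continue
        length = tcp[i + 1]
        if kind == MSS_KIND and length == 4:
            return struct.unpack("!H", tcp[i + 2:i + 4])[0]
        i += length
    return None


def clamp_mss_to_pmtu(packet: bytes, pmtu: int) -> bytes:
    """Return `packet` with its MSS option clamped to pmtu - 40.

    Only TCP SYN packets carrying an MSS option larger than the limit are
    rewritten; everything else is returned unchanged, as TCPMSS does.
    """
    ihl = (packet[0] & 0x0F) * 4
    ip, tcp = packet[:ihl], bytearray(packet[ihl:])
    if packet[9] != PROTO_TCP or not (tcp[13] & 0x02):
        return packet
    limit = pmtu - IP_HDR_LEN - TCP_HDR_LEN
    data_off = (tcp[12] >> 4) * 4
    i = TCP_HDR_LEN
    while i < data_off:
        kind = tcp[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        length = tcp[i + 1]
        if kind == MSS_KIND and length == 4:
            if struct.unpack("!H", tcp[i + 2:i + 4])[0] <= limit:
                return packet                      # already small enough
            tcp[i + 2:i + 4] = struct.pack("!H", limit)
            tcp[16:18] = b"\x00\x00"               # zero before recomputing
            tcp[16:18] = struct.pack("!H", tcp_checksum(ip[12:16], ip[16:20], bytes(tcp)))
            return ip + bytes(tcp)
        i += length
    return packet


def tcp_checksum_ok(packet: bytes) -> bool:
    """A segment with a valid checksum sums to zero over the pseudo-header."""
    ihl = (packet[0] & 0x0F) * 4
    return tcp_checksum(packet[12:16], packet[16:20], packet[ihl:]) == 0


if __name__ == "__main__":
    syn = build_syn("192.0.2.10", "198.51.100.20", 1460)   # constructed sample
    clamped = clamp_mss_to_pmtu(syn, 1400)
    print("MSS before:", read_mss(syn), "after:", read_mss(clamped),
          "checksum ok:", tcp_checksum_ok(clamped))
```

The rewrite happens only on packets that traverse the chain the rule is attached to, which is why where the rule sits matters as much as what it says; the `--tcp-flags SYN,RST SYN` match in the post's rules is the same SYN-only condition the function above applies before touching the option.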