[Dnsmasq-discuss] dnsmasq + nat(solved)
Jan Seiffert
kaffeemonster at googlemail.com
Mon Jan 10 18:53:16 GMT 2011
2011/1/10 andu novac <novac.andu at gmail.com>:
>> You're welcome. However you would not say "nice crystal ball" if you saw
>> the scratch marks it leaves on the furniture ;)
>
> Furniture is replaceable, I'd say it's worth it :)
>
But since your furniture may be of value...
Someone already solved this quite nicely, look at the iptables manpage:
TCPMSS
    This target allows to alter the MSS value of TCP SYN packets,
    to control the maximum size for that connection (usually
    limiting it to your outgoing interface's MTU minus 40 for IPv4
    or 60 for IPv6, respectively). Of course, it can only be used
    in conjunction with -p tcp. It is only valid in the mangle table.
    This target is used to overcome criminally braindead ISPs or
    servers which block "ICMP Fragmentation Needed" or "ICMPv6
    Packet Too Big" packets. The symptoms of this problem are
    that everything works fine from your Linux firewall/router, but
    machines behind it can never exchange large packets:
      1) Web browsers connect, then hang with no data received.
      2) Small mail works fine, but large emails hang.
      3) ssh works fine, but scp hangs after initial handshaking.
    Workaround: activate this option and add a rule to your
    firewall configuration like:

      iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
               -j TCPMSS --clamp-mss-to-pmtu

    --set-mss value
        Explicitly sets MSS option to specified value. If the
        MSS of the packet is already lower than value, it will not be
        increased (from Linux 2.6.25 onwards) to avoid more
        problems with hosts relying on a proper MSS.

    --clamp-mss-to-pmtu
        Automatically clamp MSS value to (path_MTU - 40 for
        IPv4; -60 for IPv6). This may not function as desired where
        asymmetric routes with differing path MTU exist — the
        kernel uses the path MTU which it would use to send packets
        from itself to the source and destination IP
        addresses. Prior to Linux 2.6.25, only the path MTU to the destination
        IP address was considered by this option; subsequent
        kernels also consider the path MTU to the source IP address.

    These options are mutually exclusive.
Greetings
Jan
--
Murphy's Law of Combat
Rule #3: "Never forget that your weapon was manufactured by the
lowest bidder"
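The following script is an added example, not part of Jan's message or the iptables manpage. It models what the TCPMSS target does to a forwarded SYN: it parses the TCP option list, finds the MSS option (kind 2), and lowers it to path MTU minus 40 (IPv4) or 60 (IPv6), leaving segments that are not SYN, or that have RST set, untouched, which is what the `--tcp-flags SYN,RST SYN` match does. The SYN segment is constructed inline (no real capture), the TCP checksum is left at zero because the kernel recomputes it after mangling, and `tcpmss_rule()` only renders the rule text; it does not call iptables.

```python
"""Model of the TCPMSS target: clamp the MSS option of a TCP SYN segment.

Added example. The segment bytes are constructed here, not captured, and
the TCP checksum is not computed (the kernel recomputes it after mangling).
"""
import struct

IPV4_OVERHEAD = 40  # 20-byte IPv4 header + 20-byte TCP header
IPV6_OVERHEAD = 60  # 40-byte IPv6 header + 20-byte TCP header

TCP_SYN = 0x02
TCP_RST = 0x04


def build_syn(src_port, dst_port, mss):
    """Build a minimal TCP SYN segment (no payload) that carries an MSS option."""
    options = struct.pack("!BBH", 2, 4, mss)  # kind=2 (MSS), length=4, value
    data_offset = (20 + len(options)) // 4    # header length in 32-bit words
    header = struct.pack(
        "!HHIIBBHHH",
        src_port, dst_port,
        0,                 # sequence number
        0,                 # acknowledgement number
        data_offset << 4,  # data offset (upper nibble), reserved bits zero
        TCP_SYN,           # flags
        65535,             # window
        0,                 # checksum: left zero, see module docstring
        0,                 # urgent pointer
    )
    return header + options


def _mss_offset(segment):
    """Walk the TCP option list; return the byte offset of the MSS value or None."""
    header_len = (segment[12] >> 4) * 4
    i = 20
    while i < header_len:
        kind = segment[i]
        if kind == 0:            # End of Option List
            return None
        if kind == 1:            # NOP (single byte, no length field)
            i += 1
            continue
        length = segment[i + 1]
        if length < 2:           # malformed option: stop rather than loop forever
            return None
        if kind == 2 and length == 4:
            return i + 2
        i += length
    return None


def read_mss(segment):
    """Return the MSS option value of a segment, or None if it carries none."""
    off = _mss_offset(segment)
    return None if off is None else struct.unpack_from("!H", segment, off)[0]


def clamp_mss(segment, path_mtu, ipv6=False):
    """Apply --clamp-mss-to-pmtu semantics: MSS becomes min(MSS, path_mtu - overhead).

    Only segments with SYN set and RST clear are rewritten (the manpage rule's
    --tcp-flags SYN,RST SYN match). Returns (segment_after, effective_mss).
    """
    flags = segment[13]
    if not (flags & TCP_SYN) or (flags & TCP_RST):
        return segment, read_mss(segment)
    target = path_mtu - (IPV6_OVERHEAD if ipv6 else IPV4_OVERHEAD)
    off = _mss_offset(segment)
    if off is None:
        return segment, None
    current = struct.unpack_from("!H", segment, off)[0]
    if current <= target:        # never raise an MSS that is already lower
        return segment, current
    out = bytearray(segment)
    struct.pack_into("!H", out, off, target)
    return bytes(out), target


def tcpmss_rule(path_mtu=None, ipv6=False):
    """Render the mangle-table rule from the manpage; --set-mss when an MTU is given."""
    tool = "ip6tables" if ipv6 else "iptables"
    if path_mtu is None:
        action = "--clamp-mss-to-pmtu"
    else:
        action = "--set-mss %d" % (path_mtu - (IPV6_OVERHEAD if ipv6 else IPV4_OVERHEAD))
    return "%s -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS %s" % (tool, action)


if __name__ == "__main__":
    syn = build_syn(40000, 443, 1460)          # typical MSS for a 1500-byte MTU
    clamped, mss = clamp_mss(syn, 1492)        # e.g. a PPPoE uplink
    print("MSS %d -> %d" % (read_mss(syn), mss))
    print(tcpmss_rule())
    print(tcpmss_rule(1492))
```

Running it shows the MSS dropping from 1460 to 1452 for a 1492-byte path MTU, and the two equivalent rule forms. The clamp only ever lowers the value, matching the manpage note that an MSS already below the target is not increased.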