[Dnsmasq-discuss] dnsmasq + nat(solved)

Jan Seiffert kaffeemonster at googlemail.com
Mon Jan 10 18:53:16 GMT 2011


2011/1/10 andu novac <novac.andu at gmail.com>:
>> You're welcome.  However you would not say "nice crystal ball" if you saw
>> the scratch marks it leaves on the furniture ;)
>
> Furniture is replaceable, I'd say it's worth it :)
>

But since your furniture may be of value...
Someone already solved this quite nicely, look at the iptables manpage:

TCPMSS
    This target allows to alter the MSS value of TCP SYN packets, to control
    the maximum size for that connection (usually limiting it to your
    outgoing interface's MTU minus 40 for IPv4 or 60 for IPv6,
    respectively). Of course, it can only be used in conjunction with -p tcp.
    It is only valid in the mangle table.
    This target is used to overcome criminally braindead ISPs or servers
    which block "ICMP Fragmentation Needed" or "ICMPv6 Packet Too Big"
    packets. The symptoms of this problem are that everything works fine
    from your Linux firewall/router, but machines behind it can never
    exchange large packets:
     1) Web browsers connect, then hang with no data received.
     2) Small mail works fine, but large emails hang.
     3) ssh works fine, but scp hangs after initial handshaking.
    Workaround: activate this option and add a rule to your firewall
    configuration like:

        iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
                    -j TCPMSS --clamp-mss-to-pmtu

    --set-mss value
        Explicitly sets MSS option to specified value. If the MSS of the
        packet is already lower than value, it will not be increased (from
        Linux 2.6.25 onwards) to avoid more problems with hosts relying on
        a proper MSS.

    --clamp-mss-to-pmtu
        Automatically clamp MSS value to (path_MTU - 40 for IPv4; -60 for
        IPv6). This may not function as desired where asymmetric routes with
        differing path MTU exist — the kernel uses the path MTU which it
        would use to send packets from itself to the source and destination
        IP addresses. Prior to Linux 2.6.25, only the path MTU to the
        destination IP address was considered by this option; subsequent
        kernels also consider the path MTU to the source IP address.

    These options are mutually exclusive.


Greetings
Jan

-- 
Murphy's Law of Combat
Rule #3: "Never forget that your weapon was manufactured by the
lowest bidder"
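The MSS rewriting that the TCPMSS target performs on a forwarded SYN, modelled in user space as an added example (not code from the post, the iptables manpage or the kernel): it walks the TCP options field, finds the MSS option (kind 2), and applies the manpage's two rules, clamp to path MTU minus 40/60 bytes of headers, and never raise an MSS that is already lower. The sample option bytes and the path MTU values are constructed; real SYNs without an MSS option are simply left untouched by this model.

```python
import struct
from typing import Optional, Tuple

# Header overhead subtracted from the path MTU, as the manpage states:
# MTU minus 40 for IPv4 (20 IP + 20 TCP) or 60 for IPv6 (40 IPv6 + 20 TCP).
OVERHEAD = {4: 40, 6: 60}

TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MSS = 0, 1, 2

# Constructed sample: options of a typical SYN, MSS=1460, NOP, window scale 7.
SYN_OPTIONS = bytes.fromhex("020405b401030307")


def rewrite_mss(options: bytes, target: int) -> Tuple[bytes, Optional[int]]:
    """Lower the MSS option to `target` when it is larger; never raise it
    (the post-2.6.25 rule from the manpage). Returns (new options, resulting
    MSS), or (options, None) when the SYN carries no MSS option, which this
    user-space model leaves untouched."""
    buf = bytearray(options)
    i = 0
    while i < len(buf):
        kind = buf[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(buf) or buf[i + 1] < 2 or i + buf[i + 1] > len(buf):
            raise ValueError("malformed TCP options at offset %d" % i)
        length = buf[i + 1]
        if kind == TCPOPT_MSS and length == 4:
            (current,) = struct.unpack_from("!H", buf, i + 2)
            new = min(current, target)          # clamp down, never up
            struct.pack_into("!H", buf, i + 2, new)
            return bytes(buf), new
        i += length
    return bytes(buf), None


def clamp_mss_to_pmtu(options: bytes, path_mtu: int, ip_version: int = 4):
    """Model of --clamp-mss-to-pmtu: target = path MTU minus header overhead."""
    return rewrite_mss(options, path_mtu - OVERHEAD[ip_version])


def set_mss(options: bytes, value: int):
    """Model of --set-mss VALUE: explicit target, still never raised."""
    return rewrite_mss(options, value)


if __name__ == "__main__":
    # A PPPoE-style 1492-byte path: MSS 1460 is rewritten to 1452.
    print(clamp_mss_to_pmtu(SYN_OPTIONS, 1492))
```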
