[Dnsmasq-discuss] dnsmasq + nat(solved)

richardvoigt at gmail.com richardvoigt at gmail.com
Mon Jan 10 19:03:39 GMT 2011


On Mon, Jan 10, 2011 at 1:01 PM, richardvoigt at gmail.com <
richardvoigt at gmail.com> wrote:

>
>
> On Mon, Jan 10, 2011 at 12:53 PM, Jan Seiffert <
> kaffeemonster at googlemail.com> wrote:
>
>> 2011/1/10 andu novac <novac.andu at gmail.com>:
>> >> You're welcome.  However you would not say "nice crystal ball" if you
>> >> saw the scratch marks it leaves on the furniture ;)
>> >
>> > Furniture is replaceable, I'd say it's worth it :)
>> >
>>
>> But since your furniture may be of value...
>> Someone already solved this quite nicely, look at the iptables manpage:
>>
>
> This is fantastic if you must control stuff centrally.  But it will result
> in every outgoing packet getting fragmented.  Reducing the mtu on the client
> avoids that.
>

Oh, never mind, it affects the TCP option negotiation, so it causes the client
to send smaller packets.  So it is a general solution for TCP (and only
TCP).  For UDP, the MTU still needs to be reduced at the client.


>
>
>>
>> TCPMSS
>>        This target allows to alter the MSS value of TCP SYN packets,
>>        to control the maximum size for that connection (usually
>>        limiting it to your outgoing interface's MTU minus 40 for IPv4
>>        or 60 for IPv6, respectively).  Of course, it can only be used
>>        in conjunction with -p tcp.  It is only valid in the mangle table.
>>        This target is used to overcome criminally braindead ISPs or
>>        servers which block "ICMP Fragmentation Needed" or "ICMPv6
>>        Packet Too Big" packets.  The symptoms of this problem are
>>        that everything works fine from your Linux firewall/router, but
>>        machines behind it can never exchange large packets:
>>         1) Web browsers connect, then hang with no data received.
>>         2) Small mail works fine, but large emails hang.
>>         3) ssh works fine, but scp hangs after initial handshaking.
>>        Workaround: activate this option and add a rule to your
>>        firewall configuration like:
>>
>>                iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN
>>                            -j TCPMSS --clamp-mss-to-pmtu
>>
>>        --set-mss value
>>               Explicitly sets MSS option to specified value.  If the
>>               MSS of the packet is already lower than value, it will not be
>>               increased (from Linux 2.6.25 onwards) to avoid more
>>               problems with hosts relying on a proper MSS.
>>
>>        --clamp-mss-to-pmtu
>>               Automatically clamp MSS value to (path_MTU - 40 for
>>               IPv4; -60 for IPv6).  This may not function as desired where
>>               asymmetric routes with differing path MTU exist — the
>>               kernel uses the path MTU which it would use to send packets
>>               from itself to the source and destination IP
>>               addresses.  Prior to Linux 2.6.25, only the path MTU to the
>>               destination IP address was considered by this option;
>>               subsequent kernels also consider the path MTU to the source
>>               IP address.
>>
>>        These options are mutually exclusive.
>>
>>
>> Greetings
>> Jan
>>
>> --
>> Murphy's Law of Combat
>> Rule #3: "Never forget that your weapon was manufactured by the
>> lowest bidder"
>>
>> _______________________________________________
>> Dnsmasq-discuss mailing list
>> Dnsmasq-discuss at lists.thekelleys.org.uk
>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>>
>
>
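As an added illustration of what the quoted TCPMSS text describes (this is not code from the thread, from iptables or from dnsmasq), the clamping rule modelled in pure Python over a constructed TCP SYN segment: only SYN (and not RST) segments carrying an MSS option are rewritten, the value is limited to path MTU minus 40 for IPv4 or 60 for IPv6, an MSS already below the limit is left alone, and anything that is not TCP is by construction never touched, which is why UDP still needs the client-side MTU change. The TCP checksum is deliberately not recomputed here.

```python
"""MSS clamping as the iptables TCPMSS target does it, modelled in pure Python.
Added example; not code from the thread, from iptables or from dnsmasq."""
import struct

IPV4_OVERHEAD = 40   # 20-byte IPv4 header + 20-byte TCP header
IPV6_OVERHEAD = 60   # 40-byte IPv6 header + 20-byte TCP header
TCP_SYN = 0x02
TCP_RST = 0x04

def parse_mss(tcp: bytes):
    """Return (offset of the MSS value, mss) for the MSS option (kind 2), or None."""
    data_off = (tcp[12] >> 4) * 4          # TCP header length incl. options
    i = 20
    while i < data_off:
        kind = tcp[i]
        if kind == 0:                      # End of option list
            break
        if kind == 1:                      # NOP, single byte
            i += 1
            continue
        length = tcp[i + 1]
        if kind == 2 and length == 4:
            return i + 2, struct.unpack_from("!H", tcp, i + 2)[0]
        i += length
    return None

def clamp_mss(tcp: bytes, path_mtu: int, ipv6: bool = False) -> bytes:
    """Rewrite the MSS option of a SYN to min(old, path_mtu - header overhead).
    Mirrors '--tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu': non-SYN or
    RST segments and segments without an MSS option pass through unchanged, and
    an MSS that is already lower is never raised (Linux >= 2.6.25 behaviour).
    The checksum in bytes 16..17 is NOT recomputed here; the real target does."""
    flags = tcp[13]
    if not (flags & TCP_SYN) or (flags & TCP_RST):
        return tcp
    found = parse_mss(tcp)
    if found is None:
        return tcp
    off, old = found
    limit = path_mtu - (IPV6_OVERHEAD if ipv6 else IPV4_OVERHEAD)
    if old <= limit:
        return tcp
    out = bytearray(tcp)
    struct.pack_into("!H", out, off, limit)
    return bytes(out)

def build_syn(mss: int) -> bytes:
    """Constructed sample: 24-byte TCP SYN (sport 40000, dport 80) with an MSS option."""
    hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, (6 << 4), TCP_SYN, 65535, 0, 0)
    return hdr + struct.pack("!BBH", 2, 4, mss)
```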