[Dnsmasq-discuss] dnsmasq + nat(solved)
richardvoigt at gmail.com
Mon Jan 10 19:03:39 GMT 2011
On Mon, Jan 10, 2011 at 1:01 PM, richardvoigt at gmail.com <
richardvoigt at gmail.com> wrote:
>
>
> On Mon, Jan 10, 2011 at 12:53 PM, Jan Seiffert <
> kaffeemonster at googlemail.com> wrote:
>
>> 2011/1/10 andu novac <novac.andu at gmail.com>:
>> >> You're welcome. However you would not say "nice crystal ball" if you saw
>> >> the scratch marks it leaves on the furniture ;)
>> >
>> > Furniture is replaceable, I'd say it's worth it :)
>> >
>>
>> But since your furniture may be of value...
>> Someone already solved this quite nicely, look at the iptables manpage:
>>
>
> This is fantastic if you must control stuff centrally. But it will result
> in every outgoing packet getting fragmented. Reducing the mtu on the client
> avoids that.
>
Oh, never mind, it affects the TCP option negotiation, so it causes the client
to send smaller packets. So it is a general solution for TCP (and only
TCP). For UDP, the MTU still needs to be reduced at the client.
>
>
>>
>> TCPMSS
>> This target allows to alter the MSS value of TCP SYN packets,
>> to control the maximum size for that connection (usually limiting
>> it to your outgoing interface's MTU minus 40 for IPv4
>> or 60 for IPv6, respectively). Of course, it can only be used
>> in conjunction with -p tcp. It is only valid in the mangle table.
>> This target is used to overcome criminally braindead ISPs or
>> servers which block "ICMP Fragmentation Needed" or "ICMPv6
>> Packet Too Big" packets. The symptoms of this problem are
>> that everything works fine from your Linux firewall/router, but
>> machines behind it can never exchange large packets:
>> 1) Web browsers connect, then hang with no data received.
>> 2) Small mail works fine, but large emails hang.
>> 3) ssh works fine, but scp hangs after initial handshaking.
>> Workaround: activate this option and add a rule to your
>> firewall configuration like:
>>
>> iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN
>> -j TCPMSS --clamp-mss-to-pmtu
>>
>> --set-mss value
>> Explicitly sets MSS option to specified value. If the
>> MSS of the packet is already lower than value, it will not be
>> increased (from Linux 2.6.25 onwards) to avoid more
>> problems with hosts relying on a proper MSS.
>>
>> --clamp-mss-to-pmtu
>> Automatically clamp MSS value to (path_MTU - 40 for
>> IPv4; -60 for IPv6). This may not function as desired where
>> asymmetric routes with differing path MTU exist — the
>> kernel uses the path MTU which it would use to send packets
>> from itself to the source and destination IP
>> addresses. Prior to Linux 2.6.25, only the path MTU to the destination
>> IP address was considered by this option; subsequent
>> kernels also consider the path MTU to the source IP address.
>>
>> These options are mutually exclusive
>>
>>
>> Greetings
>> Jan
>>
>> --
>> Murphy's Law of Combat
>> Rule #3: "Never forget that your weapon was manufactured by the
>> lowest bidder"
>>
>> _______________________________________________
>> Dnsmasq-discuss mailing list
>> Dnsmasq-discuss at lists.thekelleys.org.uk
>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>>
>
>
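As an added illustration that is not part of this thread (and not dnsmasq or netfilter code): a small Python model of what the `TCPMSS --clamp-mss-to-pmtu` rule Jan quoted does to a single segment. It builds a constructed TCP SYN with an MSS option, applies the same match as `--tcp-flags SYN,RST SYN` (SYN set, RST clear), lowers the MSS to path MTU minus 40 (IPv4) only when it is higher, never raises it, and recomputes the TCP checksum over an IPv4 pseudo-header. The sample ports, addresses and sequence number are made up for the example; the point it makes is Richard's: the rewrite only ever touches TCP SYN segments, so UDP is unaffected and still needs the client MTU lowered.

```python
import struct

# Flag bits and option kinds from the TCP header (RFC 793 / RFC 9293).
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10
OPT_EOL, OPT_NOP, OPT_MSS, OPT_SACKOK = 0, 1, 2, 4

# Constructed sample addresses: a private client behind the router, a documentation-range server.
SRC_IP = bytes([192, 168, 1, 10])
DST_IP = bytes([203, 0, 113, 5])


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the TCP checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the segment (checksum field must be zero)."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF


def tcp_checksum_valid(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """A segment with a correct checksum sums to 0xFFFF together with its pseudo-header."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    return ones_complement_sum(pseudo + segment) == 0xFFFF


def build_segment(mss: int, flags: int = TCP_SYN, src_ip=SRC_IP, dst_ip=DST_IP) -> bytes:
    """Constructed TCP header (no payload) carrying MSS, NOP, NOP, SACK-permitted options."""
    options = struct.pack("!BBH", OPT_MSS, 4, mss) + bytes([OPT_NOP, OPT_NOP, OPT_SACKOK, 2])
    data_offset = (20 + len(options)) // 4          # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH", 40000, 443, 1000, 0,
                         data_offset << 4, flags, 65535, 0, 0)
    segment = header + options
    csum = tcp_checksum(src_ip, dst_ip, segment)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


def iter_options(segment: bytes):
    """Yield (kind, offset_of_value, value) per option; stop at EOL or a malformed length."""
    end = (segment[12] >> 4) * 4
    i = 20
    while i < end:
        kind = segment[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= end:
            break
        length = segment[i + 1]
        if length < 2 or i + length > end:
            break
        yield kind, i + 2, segment[i + 2:i + length]
        i += length


def get_mss(segment: bytes):
    for kind, _, value in iter_options(segment):
        if kind == OPT_MSS and len(value) == 2:
            return struct.unpack("!H", value)[0]
    return None


def clamp_mss_to_pmtu(segment: bytes, path_mtu: int, src_ip=SRC_IP, dst_ip=DST_IP):
    """Emulate `--tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu` on one IPv4 segment.

    Returns (segment, (old_mss, new_mss)), or (segment, None) when the rule does not apply.
    """
    flags = segment[13]
    if flags & (TCP_SYN | TCP_RST) != TCP_SYN:     # SYN set and RST clear (SYN/ACK matches too)
        return segment, None
    limit = path_mtu - 40                          # minus IPv4 + TCP header size (60 for IPv6)
    for kind, off, value in iter_options(segment):
        if kind == OPT_MSS and len(value) == 2:
            old = struct.unpack("!H", value)[0]
            if old <= limit:                       # never raise an MSS that is already lower
                return segment, (old, old)
            new = bytearray(segment)
            new[off:off + 2] = struct.pack("!H", limit)
            new[16:18] = b"\x00\x00"               # recompute the checksum after the rewrite
            new[16:18] = struct.pack("!H", tcp_checksum(src_ip, dst_ip, bytes(new)))
            return bytes(new), (old, limit)
    return segment, None   # SYN without an MSS option: the kernel target inserts one, not modeled here


if __name__ == "__main__":
    syn = build_segment(1460)
    out, change = clamp_mss_to_pmtu(syn, 1492)    # PPPoE-sized path MTU
    print(change, get_mss(out), tcp_checksum_valid(SRC_IP, DST_IP, out))
```

With a 1492-byte path MTU the constructed SYN's MSS of 1460 is rewritten to 1452 and the checksum is fixed up; at a 1500-byte path MTU it is left alone, and a plain ACK segment is not matched at all.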