[Dnsmasq-discuss] dnsmasq + nat(solved)

SamLT samuel.lethiec at intelunix.fr
Tue Jan 11 05:50:01 GMT 2011


On Mon, Jan 10, 2011 at 01:03:39PM -0600, richardvoigt at gmail.com wrote:
> On Mon, Jan 10, 2011 at 1:01 PM, richardvoigt at gmail.com <
> richardvoigt at gmail.com> wrote:
> 
> >
> >
> > On Mon, Jan 10, 2011 at 12:53 PM, Jan Seiffert <
> > kaffeemonster at googlemail.com> wrote:
> >
> >> 2011/1/10 andu novac <novac.andu at gmail.com>:
> >> >> You're welcome.  However you would not say "nice crystal ball" if you
> >> saw
> >> >> the scratch marks it leaves on the furniture ;)
> >> >
> >> > Furniture is replaceable, I'd say it's worth it :)
> >> >
> >>
> >> But since your furniture may be of value...
> >> Someone already solved this quite nicely, look at the iptables manpage:
> >>
> >
> > This is fantastic if you must control stuff centrally.  But it will result
> > in every outgoing packet getting fragmented.  Reducing the mtu on the client
> > avoids that.
> >
> 
> Oh nevermind, it affect the TCP option negotiation, so it causes the client
> to send smaller packets.  So it is a general solution for TCP (and only
> TCP).  For UDP, the mtu still needs to be reduced at the client.
> 


Reducing the mtu on the client side will also mean they'll use this mtu
for local traffic which isn't usually a good idea (performance wise:
lower speed, higher cpu usage).


> 
> >
> >
> >>
> >> TCPMSS
> >>       This target allows to alter the MSS value of TCP SYN packets,
> >> to control the maximum size for that connection (usually  lim‐
> >>       iting  it  to your outgoing interface's MTU minus 40 for IPv4
> >> or 60 for IPv6, respectively).  Of course, it can only be used
> >>       in conjunction with -p tcp.  It is only valid in the mangle table.
> >>       This target is used to overcome criminally braindead ISPs or
> >> servers which block  "ICMP  Fragmentation  Needed"  or  "ICMPv6
> >>       Packet  Too  Big" packets.  The symptoms of this problem are
> >> that everything works fine from your Linux firewall/router, but
> >>       machines behind it can never exchange large packets:
> >>        1) Web browsers connect, then hang with no data received.
> >>        2) Small mail works fine, but large emails hang.
> >>        3) ssh works fine, but scp hangs after initial handshaking.
> >>       Workaround: activate this option and add a rule to your
> >> firewall configuration like:
> >>
> >>               iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN
> >>                           -j TCPMSS --clamp-mss-to-pmtu
> >>
> >>       --set-mss value
> >>              Explicitly sets MSS option to specified value. If the
> >> MSS of the packet is already lower than value, it will  not  be
> >>              increased (from Linux 2.6.25 onwards) to avoid more
> >> problems with hosts relying on a proper MSS.
> >>
> >>       --clamp-mss-to-pmtu
> >>              Automatically  clamp  MSS  value  to  (path_MTU - 40 for
> >> IPv4; -60 for IPv6).  This may not function as desired where
> >>              asymmetric routes with differing path MTU exist — the
> >> kernel uses the path MTU which it would  use  to  send  packets
> >>              from  itself  to the source and destination IP
> >> addresses. Prior to Linux 2.6.25, only the path MTU to the destination
> >>              IP address was considered by this option; subsequent
> >> kernels also consider the path MTU to the source IP address.
> >>
> >>       These options are mutually exclusive
> >>
> >>
> >> Greetings
> >> Jan
> >>
> >> --
> >> Murphy's Law of Combat
> >> Rule #3: "Never forget that your weapon was manufactured by the
> >> lowest bidder"
> >>
> >> _______________________________________________
> >> Dnsmasq-discuss mailing list
> >> Dnsmasq-discuss at lists.thekelleys.org.uk
> >> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> >>
> >
> >

> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss




More information about the Dnsmasq-discuss mailing list