pptp tunnel mss clamping



Hi all,
I am having big trouble with a pptp tunnel from a home network to
work. I need to prevent large frames coming back through the tunnel.
For years I used this in the firewall/nat iptables setup:

iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1100

but something (upgrading F7 to F9, I think) has stopped it working. I have been
trying lots of examples from the WWW with no luck. Does anyone know what
changed, or even which table I should be applying this to?

Also, it is hard to debug as wireshark does not receive the large frame which
brings down the tunnel. Is there an easy way to generate arbitrary sized frames?

Thanks for any help.
PS: My rules (rather guessed at)...
[root@base sbin]# /sbin/iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     udp  --  anywhere             anywhere            udp dpt:bootps reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere            udp dpt:domain reject-with icmp-port-unreachable
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
DROP       tcp  --  anywhere             anywhere            tcp dpts:spr-itunes:1023
DROP       udp  --  anywhere             anywhere            udp dpts:0:1023

Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             168.254.0.0/16
ACCEPT     all  --  168.254.0.0/16       anywhere
ACCEPT     all  --  anywhere             168.254.0.0/16

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (0 references)
target     prot opt source               destination




--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
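
The rule quoted in the post uses the TCPMSS target's --set-mss form; as an added illustration that is not part of the original message, the Python below models what that target does to a TCP SYN segment, for both --set-mss and the --clamp-mss-to-pmtu variant (MSS = path MTU minus the 40 bytes of IPv4 and TCP headers). The segment and its RFC 5737 addresses are constructed here, and the checksum handling is a plain reimplementation, not the kernel's code.

```python
import struct
SRC, DST = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])  # constructed RFC 5737 addresses
def inet_checksum(data: bytes) -> int:
    """Ones-complement checksum as used by IP and TCP."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF
def pseudo_header(tcp: bytes) -> bytes:
    return SRC + DST + struct.pack("!BBH", 0, 6, len(tcp))  # zero, proto TCP, length

def with_checksum(tcp: bytes) -> bytes:
    """Recompute the TCP checksum (bytes 16-17) over the IPv4 pseudo-header."""
    zeroed = tcp[:16] + b"\0\0" + tcp[18:]
    return tcp[:16] + struct.pack("!H", inet_checksum(pseudo_header(tcp) + zeroed)) + tcp[18:]

def build_syn(mss: int, flags: int = 0x02) -> bytes:
    """Constructed TCP segment (no IP header): 20-byte header plus one 4-byte MSS option."""
    header = struct.pack("!HHIIBBHHH", 40000, 1723, 1, 0, 6 << 4, flags, 65535, 0, 0)
    return with_checksum(header + struct.pack("!BBH", 2, 4, mss))

def find_mss(tcp: bytes):
    """Walk the TCP options; return (offset of value, value) for MSS (kind 2) or None."""
    doff, i = (tcp[12] >> 4) * 4, 20
    while i < doff:
        kind = tcp[i]
        if kind == 0:                       # end of option list
            break
        if kind == 1:                       # NOP padding
            i += 1
            continue
        if kind == 2 and tcp[i + 1] == 4:
            return i + 2, struct.unpack("!H", tcp[i + 2:i + 4])[0]
        i += tcp[i + 1]
    return None

def clamp_mss(tcp: bytes, set_mss: int = None, pmtu: int = None) -> bytes:
    """Model of the TCPMSS target: set_mss mirrors --set-mss N, pmtu mirrors
    --clamp-mss-to-pmtu (MSS = path MTU - 40 for the IPv4 and TCP headers)."""
    flags = tcp[13]
    if not flags & 0x02 or flags & 0x04:    # SYN and not RST: --tcp-flags SYN,RST SYN
        return tcp
    limit = set_mss if set_mss is not None else pmtu - 40
    found = find_mss(tcp)
    if found is None or found[1] <= limit:  # no MSS option, or already small enough
        return tcp
    return with_checksum(tcp[:found[0]] + struct.pack("!H", limit) + tcp[found[0] + 2:])
```

Only SYNs carry the MSS option, which is why the rule matches --tcp-flags SYN,RST SYN; any other segment passes through untouched.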