The TCPMSS target can be used to alter the MSS (Maximum
Segment Size) value of TCP SYN packets that the firewall sees. The MSS value is
used to control the maximum size of packets for specific connections. Under
normal circumstances, this means the size of the MTU (Maximum Transfer Unit)
value, minus 40 bytes. This is used to overcome some ISP's and servers that
block ICMP fragmentation needed packets, which can result in really weird
problems which can mainly be described such that everything works perfectly from
your firewall/router, but your local hosts behind the firewall can't exchange
large packets. This could mean such things as mail servers being able to send
small mails, but not large ones, web browsers that connect but then hang with no
data received, and ssh connecting properly, but scp hangs after the initial
handshake. In other words, everything that uses any large packets will be unable
to work.
The TCPMSS target is able to solve these problems, by changing the size of the
packets going out through a connection. Please note that we only need to set
the MSS on the SYN packet since the hosts take care of the MSS after that. The
target takes two arguments.
Table 11-13. TCPMSS target options
Option | --set-mss |
Example | iptables -t mangle -A POSTROUTING -p tcp --tcp-flags
SYN,RST SYN -o eth0 -j TCPMSS --set-mss 1460
|
Explanation | The --set-mss argument explicitly sets a specific MSS value
of all outgoing packets. In the example above, we set the MSS of all SYN packets
going out over the eth0 interface to 1460 bytes -- normal MTU for ethernet is
1500 bytes, minus 40 bytes is 1460 bytes. MSS only has to be set properly in the
SYN packet, and then the peer hosts take care of the MSS automatically.
|
Option | --clamp-mss-to-pmtu |
Example | iptables -t mangle -A POSTROUTING -p tcp --tcp-flags
SYN,RST SYN -o eth0 -j TCPMSS --clamp-mss-to-pmtu
|
Explanation | The --clamp-mss-to-pmtu automatically sets the MSS to the
proper value, hence you don't need to explicitly set it. It is automatically
set to PMTU (Path Maximum Transfer Unit) minus 40 bytes, which should be a
reasonable value for most applications.
|
| Works under Linux kernel 2.5 and 2.6.
|