Hi,

What's the problem with SuSEfirewall? AFAIK using more than one internal interface shouldn't be a problem. Another solution would be running a proxy (maybe in transparent mode).

Regards,
Holger

On Sunday, 21 December 2003 01:49, Andreas Paulick wrote:
Hi there!
I have a problem with MSS clamping in iptables. Here is a SuSE 8.2 box with an ADSL connection (T-DSL from Deutsche Telekom AG, Germany) that serves internet access for some Windows clients. Like many others in this situation, I ran into the MSS problem ("some websites aren't accessible from the Windows clients"), and on other boxes I solved it by using SuSEfirewall. But this time I have a router with 3 internal ethernet devices, so I couldn't use SuSEfirewall. With someone's help (who I can't ask now), I put an iptables script together. This script runs fine for dialup connections, so I reused it and inserted the TCPMSS line in the forward rules. It simply doesn't do what it should: some websites aren't reachable ("waiting for de.search.yahoo.com" in Mozilla) but are reachable with lynx on the Linux router box.
Does anyone have an idea how to solve this? My knowledge of iptables is very limited, because other networking stuff is more important for me. Unfortunately, this problem came up suddenly and I have no time for "trial & error" learning, so I can only "learn by example" this time. As usual, I have searched the internet and read the two HOWTOs that come with the iptables RPM in SuSE - no luck :(.
Does someone know, where I have to look at?
Thanks in advance
Andreas
Here is the script:
----snip---
#!/bin/sh
# Enable IPv4 forwarding and start with an empty filter table
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables --flush

######################################################
# ROUTING
######################################################
# Masquerade everything leaving via the DSL interface
iptables -t nat -F
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

######################################################
# FORWARD
######################################################
# Accept forwarded traffic to and from each internal network
iptables -F FORWARD
iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -d 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -s 192.168.2.0/24 -j ACCEPT
iptables -A FORWARD -d 192.168.2.0/24 -j ACCEPT
iptables -A FORWARD -s 192.168.4.0/24 -j ACCEPT
iptables -A FORWARD -d 192.168.4.0/24 -j ACCEPT
# MSS clamping for new connections, appended after the ACCEPT rules above
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

######################################################
# INPUT
######################################################
# Local traffic and traffic from the internal networks may reach the router
iptables -A INPUT -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -s 192.168.2.0/24 -j ACCEPT
iptables -A INPUT -s 192.168.4.0/24 -j ACCEPT
# SSH is allowed from everywhere
iptables -A INPUT -p tcp --destination-port 22 -j ACCEPT

#####################################################
# Create chain which blocks new connections, except if coming from inside
####################################################
iptables -N block
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
iptables -A block -j DROP

######################################################
# Jump to that chain from INPUT and FORWARD chains.
######################################################
iptables -A INPUT -j block
iptables -A FORWARD -j block

######################################################
# OUTPUT
######################################################
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT

######################################################
echo "iptables set"
----snap----
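The FORWARD chain is evaluated top to bottom and the first matching terminating target wins, so a TCPMSS rule appended after per-network ACCEPT rules is never reached by forwarded packets. The following is an added example, not part of the thread, that rebuilds the FORWARD section with the clamp placed first and adds a check on the packet counters from `iptables -L FORWARD -v -n`; the `IPT` variable (print by default, `IPT=iptables` to apply), the `tcpmss_position` and `clamp_hits` helpers, and the counter sample are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): FORWARD rules with the
# MSS clamp ahead of the ACCEPT rules, plus a counter check.
WAN_IF=ppp0                                           # DSL interface from the post
LANS="192.168.1.0/24 192.168.2.0/24 192.168.4.0/24"   # internal networks from the post

# Every rule goes through $IPT. Default is to print the commands so the
# order can be reviewed on any machine; run with IPT=iptables to apply.
IPT="${IPT:-echo iptables}"

forward_rules() {
    $IPT -F FORWARD
    # Clamp first: only SYN packets match, and they must hit this rule
    # before any ACCEPT ends traversal of the chain.
    $IPT -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    for net in $LANS; do
        $IPT -A FORWARD -s "$net" -j ACCEPT
        $IPT -A FORWARD -d "$net" -j ACCEPT
    done
    $IPT -A FORWARD -o "$WAN_IF" -m state --state NEW -j ACCEPT
}

# Position (1-based) of the TCPMSS rule among the generated -A FORWARD
# rules; anything other than 1 means ACCEPT rules shadow the clamp.
tcpmss_position() {
    forward_rules | grep -- '-A FORWARD' | grep -n -- '-j TCPMSS' \
        | cut -d: -f1 | head -n 1
}

# Packet counter of the TCPMSS row in `iptables -L FORWARD -v -n` output
# ($1). After browsing from a client this must be non-zero; a counter that
# stays at 0 means the clamp is never reached.
clamp_hits() {
    printf '%s\n' "$1" | awk '$3 == "TCPMSS" { print $1; exit }'
}

# Constructed sample of `iptables -L FORWARD -v -n` output (not real data)
SAMPLE_COUNTERS='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   720 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 TCPMSS clamp to PMTU
 4211 3010K ACCEPT     all  --  *      *       192.168.1.0/24       0.0.0.0/0'

forward_rules
```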