iptables and MSS-clamp
Hi there! I have a problem with MSS clamping in iptables. Here is a SuSE 8.2 box with an ADSL connection (T-DSL from Deutsche Telekom AG, Germany) that serves internet access for some Windows clients. As many others in this situation, I ran into the MSS problem: "some websites aren't accessible with the Windows clients", and I solved this on other boxes by using SuSEfirewall. But this time I have a router with 3 internal ethernet devices, so I couldn't use SuSEfirewall. With someone's help (who I can't ask now), I put an iptables script together. This script runs fine for dialup connections, so I reused it and inserted the TCPMSS line in the forward rules. It simply doesn't do what it should: some websites aren't reachable ("waiting for de.search.yahoo.com" in Mozilla) but are reachable by lynx on the Linux router box.

Does anyone have an idea how to solve this? My knowledge of iptables is very limited, because other networking stuff is more important for me. Unfortunately, this problem came up suddenly and I have no time for "trial & error" learning, so I can only "learn by example" this time. As usual, I have searched the internet and read the two HOWTOs coming with the iptables RPM in SuSE, no luck :(. Does someone know where I have to look?
Thanks in advance, Andreas

Here is the script:

----snip---
#!/bin/sh
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables --flush

######################################################
# ROUTING
######################################################
iptables -t nat -F
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

######################################################
# FORWARD
######################################################
iptables -F FORWARD
iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -d 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -s 192.168.2.0/24 -j ACCEPT
iptables -A FORWARD -d 192.168.2.0/24 -j ACCEPT
iptables -A FORWARD -s 192.168.4.0/24 -j ACCEPT
iptables -A FORWARD -d 192.168.4.0/24 -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

######################################################
# INPUT
######################################################
iptables -A INPUT -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -s 192.168.2.0/24 -j ACCEPT
iptables -A INPUT -s 192.168.4.0/24 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 22 -j ACCEPT

#####################################################
# Create chain which blocks new connections, except if coming from inside
####################################################
iptables -N block
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
iptables -A block -j DROP

######################################################
# Jump to that chain from INPUT and FORWARD chains.
######################################################
iptables -A INPUT -j block
iptables -A FORWARD -j block

######################################################
# OUTPUT
######################################################
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT

######################################################
echo "iptables set"
----snap----
Hi Andreas, On Sun, 2003-12-21 at 00:49, Andreas Paulick wrote:
> Hi there!
> I have a problem with mss-clamping in iptables. Here is a Suse 8.2-box with an ADSL-Connection (TDSL from Deutsche Telekom AG; Germany) that
The order of iptables rules *does* matter:
> iptables -F FORWARD
> iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT
> iptables -A FORWARD -d 192.168.1.0/24 -j ACCEPT
> iptables -A FORWARD -s 192.168.2.0/24 -j ACCEPT
> iptables -A FORWARD -d 192.168.2.0/24 -j ACCEPT
> iptables -A FORWARD -s 192.168.4.0/24 -j ACCEPT
> iptables -A FORWARD -d 192.168.4.0/24 -j ACCEPT
> iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
You ACCEPT packets before you clamp-mss-to-pmtu, so: just put the last line *first* (after that -F line), and it should work.
> iptables -A INPUT -p tcp --destination-port 22 -j ACCEPT
Sorry, but bad idea: you probably don't want SSH access to your machine open to everybody in this world :-)

And another sorry: your block rules won't work this way either :-(

This is my suggested script for you:

#!/bin/sh
EXT_IF="ppp+"
INT_IF="eth+"

# init
# DROP everything, except what we allow explicitly
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -t filter -F
iptables -t nat -F

# lo
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# stateful
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# forward: mss (must come before any ACCEPT so every SYN passes through it)
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# forward: accept all to outside
iptables -A FORWARD -m state --state NEW -i $INT_IF -o $EXT_IF -j ACCEPT

# forward: !proofme: accept all between ethernet interfaces?!
iptables -A FORWARD -m state --state NEW -i $INT_IF -o $INT_IF -j ACCEPT

# input: from inside accept all
iptables -A INPUT -m state --state NEW -i $INT_IF -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -m state --state NEW -i $INT_IF -s 192.168.2.0/24 -j ACCEPT
iptables -A INPUT -m state --state NEW -i $INT_IF -s 192.168.4.0/24 -j ACCEPT

# output !proofme: does your firewall need permission to talk to the world?!
# iptables -A OUTPUT -j ACCEPT

# nat
iptables -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE

# log the remaining rubbish?
# iptables -A FORWARD -j LOG --log-prefix "FWD-log: "
# iptables -A INPUT -j LOG --log-prefix "INPUT-log: "

# and go
echo 1 > /proc/sys/net/ipv4/ip_forward

Best regards, Sandro Littke.
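Added example (not code from the thread or from any of its participants): a small Python model of how netfilter walks the FORWARD chain, loaded with the two rule sets above. It shows the two points Sandro makes: in the posted ordering a SYN from 192.168.1.x hits `-s 192.168.1.0/24 -j ACCEPT` first and never reaches the TCPMSS rule, and an unsolicited SYN arriving on ppp0 for an internal host is accepted by the `-d 192.168.x.0/24` rule before the `block` chain is ever consulted. The model assumes a ppp0 path MTU of 1492 (typical for PPPoE; an assumption, not stated in the thread), so `--clamp-mss-to-pmtu` lowers a 1460-byte MSS to 1492 - 40 = 1452. The addresses and packets are constructed for the example.

```python
"""Model of iptables first-match traversal of the FORWARD chain.

Added example, not code from the thread. Assumption: the ppp0 (PPPoE/ADSL)
link has an MTU of 1492, so --clamp-mss-to-pmtu lowers a larger MSS to
1492 - 40 = 1452 (20-byte IPv4 header + 20-byte TCP header).
All addresses are constructed (RFC 5737 ranges for the outside).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional

PPP_MTU = 1492          # assumed path MTU of the ppp0 link
IPV4_TCP_HEADERS = 40   # 20-byte IPv4 header + 20-byte TCP header
TERMINATING = {"ACCEPT", "DROP", "REJECT"}

@dataclass
class Packet:
    src: str
    dst: str
    in_if: str
    out_if: str
    state: str = "NEW"          # conntrack state as -m state sees it
    syn: bool = False
    rst: bool = False
    mss: Optional[int] = None   # TCP MSS option, only present on SYNs

@dataclass
class Rule:
    target: str                 # ACCEPT, DROP, TCPMSS or a user chain name
    match: Callable[[Packet], bool] = lambda p: True

# match helpers, each standing in for one iptables match expression
def src(net):
    n = ip_network(net)
    return lambda p: ip_address(p.src) in n
def dst(net):
    n = ip_network(net)
    return lambda p: ip_address(p.dst) in n
def syn_only():                 # -p tcp --tcp-flags SYN,RST SYN
    return lambda p: p.syn and not p.rst
def state(*states):             # -m state --state A,B
    return lambda p: p.state in states
def not_in(iface):              # -i ! ppp0
    return lambda p: p.in_if != iface
def ifaces(in_prefix, out_prefix):   # -i eth+ -o ppp+
    return lambda p: p.in_if.startswith(in_prefix) and p.out_if.startswith(out_prefix)
def both(*fs):
    return lambda p: all(f(p) for f in fs)

def tcpmss_clamp(pkt, pmtu=PPP_MTU):
    """-j TCPMSS --clamp-mss-to-pmtu: rewrite the MSS option, downward only."""
    new_mss = pmtu - IPV4_TCP_HEADERS
    if pkt.mss is not None and pkt.mss > new_mss:
        pkt.mss = new_mss

def run_chain(name, pkt, chains, policy):
    """First matching terminating rule wins. TCPMSS is non-terminating: it
    rewrites the packet and traversal continues. A user chain that runs off
    its end returns to the calling chain (policy=None)."""
    for rule in chains[name]:
        if not rule.match(pkt):
            continue
        if rule.target == "TCPMSS":
            tcpmss_clamp(pkt)
        elif rule.target in TERMINATING:
            return rule.target
        elif rule.target in chains:            # -j <user chain>
            verdict = run_chain(rule.target, pkt, chains, policy=None)
            if verdict is not None:
                return verdict
    return policy

def andreas_chains():
    """FORWARD as posted: per-net ACCEPTs, then TCPMSS, then -j block."""
    forward = []
    for net in ("192.168.1.0/24", "192.168.2.0/24", "192.168.4.0/24"):
        forward += [Rule("ACCEPT", src(net)), Rule("ACCEPT", dst(net))]
    forward += [Rule("TCPMSS", syn_only()), Rule("block")]
    block = [Rule("ACCEPT", state("ESTABLISHED", "RELATED")),
             Rule("ACCEPT", both(state("NEW"), not_in("ppp0"))),
             Rule("DROP")]
    return {"FORWARD": forward, "block": block}, "ACCEPT"   # default policy

def sandro_chains():
    """FORWARD as suggested: stateful ACCEPT, TCPMSS, then NEW only from eth+."""
    forward = [Rule("ACCEPT", state("ESTABLISHED", "RELATED")),
               Rule("TCPMSS", syn_only()),
               Rule("ACCEPT", both(state("NEW"), ifaces("eth", "ppp"))),
               Rule("ACCEPT", both(state("NEW"), ifaces("eth", "eth")))]
    return {"FORWARD": forward}, "DROP"                      # -P FORWARD DROP

def outbound_syn():          # constructed: Windows client opening a web connection
    return Packet("192.168.1.10", "198.51.100.7", "eth0", "ppp0", syn=True, mss=1460)
def unsolicited_inbound():   # constructed: Internet host probing an internal client
    return Packet("203.0.113.5", "192.168.1.10", "ppp0", "eth0", syn=True, mss=1460)

def forward(build, pkt):
    """Return (verdict, MSS after traversal) for one packet through FORWARD."""
    chains, policy = build()
    return run_chain("FORWARD", pkt, chains, policy), pkt.mss

if __name__ == "__main__":
    for build in (andreas_chains, sandro_chains):
        print(build.__name__, "outbound:", forward(build, outbound_syn()),
              "inbound:", forward(build, unsolicited_inbound()))
```

With the posted chain the outbound SYN leaves with its MSS still at 1460 and the unsolicited inbound SYN is accepted; with the suggested ordering the outbound SYN is clamped to 1452 and the inbound one falls through to the DROP policy. The model ignores the nat table and conntrack bookkeeping, which do not affect these two outcomes.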
Hi, what's the problem with SuSEfirewall? AFAIK using more than one internal interface shouldn't be a problem. Another solution would be running a proxy (maybe in transparent mode). Regards, Holger

On Sunday, 21 December 2003 at 01:49, Andreas Paulick wrote:
Participants (3): Andreas Paulick, Holger Schletz, Sandro Littke