Hi Andreas,

On Sun, 2003-12-21 at 00:49, Andreas Paulick wrote:
> Hi there!
> I have a problem with MSS clamping in iptables. Here is a SuSE 8.2 box with an ADSL connection (TDSL from Deutsche Telekom AG; Germany) that
The order of iptables rules *does* matter:

> iptables -F FORWARD
> iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT
> iptables -A FORWARD -d 192.168.1.0/24 -j ACCEPT
> iptables -A FORWARD -s 192.168.2.0/24 -j ACCEPT
> iptables -A FORWARD -d 192.168.2.0/24 -j ACCEPT
> iptables -A FORWARD -s 192.168.4.0/24 -j ACCEPT
> iptables -A FORWARD -d 192.168.4.0/24 -j ACCEPT
> iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
You ACCEPT packets before you clamp-mss-to-pmtu, so: just put the last line *first* (after that -F line), and it should work.
> iptables -A INPUT -p tcp --destination-port 22 -j ACCEPT
  ^^^^^^^^^^^^ sorry, but bad idea: you probably don't want ssh access to your machine for everybody in this world :-)

And another sorry: your block rules won't work this way either :-(

This is my suggested script for you:

#!/bin/sh
EXT_IF="ppp+"
INT_IF="eth+"

# init
# DROP everything, except what we allow explicitly
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -t filter -F
iptables -t nat -F

# lo
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# stateful
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# forward: mss
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# forward: accept all to outside
iptables -A FORWARD -m state --state NEW -i $INT_IF -o $EXT_IF -j ACCEPT

# forward: !proofme: accept all between ethernet interfaces?!
iptables -A FORWARD -m state --state NEW -i $INT_IF -o $INT_IF -j ACCEPT

# input: from inside accept all
iptables -A INPUT -m state --state NEW -i $INT_IF -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -m state --state NEW -i $INT_IF -s 192.168.2.0/24 -j ACCEPT
iptables -A INPUT -m state --state NEW -i $INT_IF -s 192.168.4.0/24 -j ACCEPT

# output !proofme: does your firewall need permission to talk to the world?!
# iptables -A OUTPUT -j ACCEPT

# nat
iptables -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE

# log the remaining rubbish ?
# iptables -A FORWARD -j LOG --log-prefix "FWD-log: "
# iptables -A INPUT -j LOG --log-prefix "INPUT-log: "

# and go
echo 1 > /proc/sys/net/ipv4/ip_forward

Best regards,
Sandro Littke.
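An added check for the rule-ordering problem discussed in this thread (example code, not part of the original mails): it walks FORWARD rules in iptables-save syntax in chain order and reports whether an ACCEPT that can match a new SYN is hit before the TCPMSS clamp. The two rule sets are constructed inline (one with Andreas' ordering, one with the clamp placed as in Sandro's script) and the helper name clamp_ok is my own.

```shell
#!/bin/sh
# Constructed sample: the FORWARD chain as in Andreas' original script,
# where the ACCEPT rules are reached before the clamp.
BROKEN_FORWARD='-A FORWARD -s 192.168.1.0/24 -j ACCEPT
-A FORWARD -d 192.168.1.0/24 -j ACCEPT
-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu'

# Constructed sample with the ordering Sandro's script uses: the stateful
# ACCEPT comes first but only matches ESTABLISHED,RELATED, so a new SYN
# still reaches the clamp before the NEW-state ACCEPT.
FIXED_FORWARD='-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m state --state NEW -i eth+ -o ppp+ -j ACCEPT'

# clamp_ok RULES
# Returns 0 when the TCPMSS clamp is reached before any ACCEPT that can match
# a new SYN, 1 when such an ACCEPT precedes it or no clamp rule exists.
clamp_ok() {
    printf '%s\n' "$1" | awk '
        # An ACCEPT restricted to a state list without NEW never sees a new
        # SYN; any other ACCEPT is conservatively assumed able to match it
        # (protocol and address matches are not modelled).
        function catches_syn(line,   s) {
            if (match(line, /--(ct)?state [A-Z,]+/)) {
                s = substr(line, RSTART, RLENGTH); sub(/.* /, "", s)
                return s ~ /NEW/
            }
            return 1
        }
        /^-A FORWARD / { n++ }
        /^-A FORWARD / && /-j TCPMSS/ && !clamp { clamp = n }
        /^-A FORWARD / && /-j ACCEPT/ && !acc && catches_syn($0) { acc = n }
        END {
            if (!clamp) { print "no TCPMSS clamp rule in FORWARD"; exit 1 }
            if (acc && acc < clamp) {
                printf "FORWARD rule %d ACCEPTs new SYNs before the TCPMSS clamp at rule %d\n", acc, clamp
                exit 1
            }
            printf "TCPMSS clamp at FORWARD rule %d is reached before any ACCEPT of new SYNs\n", clamp
            exit 0
        }'
}

# Stand-alone demo; on a live box use: clamp_ok "$(iptables-save -t filter)"
for rules in "$BROKEN_FORWARD" "$FIXED_FORWARD"; do
    clamp_ok "$rules" && echo "  -> ok" || echo "  -> fix the ordering"
done
```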