On Wednesday 14 January 2009, Mick wrote:
> On Monday 12 January 2009, Walter Dnes wrote:

> > The only suggestion I've found via Google is iptables "mangle". Does
> > it manage to change MSS without changing MTU? If so, what is the
> > invocation in the "mangle" table?

> It would probably be something like:
>
> iptables --insert OUTPUT --jump TCPMSS --protocol tcp --set-mss 1408

Oops! I just checked the manual:
===========================================================
TCPMSS
This target allows to alter the MSS value of TCP SYN packets, to control
the maximum size for that connection (usually limiting it to your outgoing
interface's MTU minus 40). Of course, it can only be used in conjunction
with -p tcp. It is only valid in the *mangle* table.
===========================================================

Then the rule can be set as follows:
===========================================================
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
-j TCPMSS --set-mss 1408
===========================================================

If you have forwarding disabled on your box I would try the OUTPUT chain
instead of FORWARD and see what this gets you.

> I think you can also set the advertised (by your machine) MSS for a network
> using ip route:
>
> ip route add 192.168.1.0/24 dev eth0 advmss 1408
>
> PS. I am not sure if the above will break your connection because of
> dropped packets, or how it will interact with the MTU set at 1492. In my
> case I have just set my MTU at 1492 to cater for the PPP authentication on
> my ISP's ADSL network. I leave the MSS to be at what the kernel wants it
> to be - typically MSS = MTU - 40.

Hope this helps.
--
Regards,
Mick
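As an added illustration of what the TCPMSS rule in the message above does on the wire (this is example code, not part of the thread and not the kernel's implementation): it walks the TCP option list of a SYN segment, finds the MSS option (kind 2, length 4) and lowers it to the requested value, leaving SYN+RST and non-SYN segments alone, which is what `--tcp-flags SYN,RST SYN` selects. Like the kernel target, it never raises an MSS that is already lower. The SYN header below is constructed inline; `mss_for_mtu` applies the thread's "MTU minus 40" rule of thumb (20 bytes IPv4 header plus 20 bytes TCP header). Checksum recomputation, which the real target also performs, is omitted here because only the TCP header is modelled.

```python
import struct

IP_HDR_LEN = 20   # IPv4 header without options
TCP_HDR_LEN = 20  # TCP header without options
TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MSS = 0, 1, 2
TCPOLEN_MSS = 4
FLAG_SYN, FLAG_RST = 0x02, 0x04


def mss_for_mtu(mtu):
    """The thread's rule of thumb: MSS = MTU - 40 (IPv4 + TCP headers)."""
    return mtu - IP_HDR_LEN - TCP_HDR_LEN


def tcp_options(tcp):
    """Yield (offset, kind, length) for each option in a TCP header.

    `tcp` is the header only (no payload). Malformed option lists raise
    ValueError rather than being silently skipped.
    """
    data_off = (tcp[12] >> 4) * 4
    i = TCP_HDR_LEN
    while i < data_off:
        kind = tcp[i]
        if kind == TCPOPT_EOL:
            return
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= data_off:
            raise ValueError("truncated TCP option")
        length = tcp[i + 1]
        if length < 2 or i + length > data_off:
            raise ValueError("bad TCP option length")
        yield i, kind, length
        i += length


def read_mss(tcp):
    """Return the advertised MSS, or None if the segment carries no MSS option."""
    for off, kind, length in tcp_options(tcp):
        if kind == TCPOPT_MSS and length == TCPOLEN_MSS:
            return struct.unpack_from("!H", tcp, off + 2)[0]
    return None


def clamp_mss(tcp, new_mss):
    """Return a copy of `tcp` with its MSS lowered to `new_mss`.

    Only pure SYN segments (SYN set, RST clear) are touched, mirroring
    `--tcp-flags SYN,RST SYN`; an MSS already at or below `new_mss` is kept.
    """
    flags = tcp[13]
    if not (flags & FLAG_SYN) or (flags & FLAG_RST):
        return bytes(tcp)
    out = bytearray(tcp)
    for off, kind, length in tcp_options(tcp):
        if kind == TCPOPT_MSS and length == TCPOLEN_MSS:
            old = struct.unpack_from("!H", tcp, off + 2)[0]
            if old > new_mss:  # never raise an MSS, only lower it
                struct.pack_into("!H", out, off + 2, new_mss)
            break
    return bytes(out)


def make_syn(mss, flags=FLAG_SYN):
    """Constructed sample: 20-byte TCP header + one 4-byte MSS option (data offset 6)."""
    hdr = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 6 << 4, flags, 65535, 0, 0)
    return hdr + bytes([TCPOPT_MSS, TCPOLEN_MSS]) + struct.pack("!H", mss)


# Constructed SYN advertising the Ethernet-typical MSS of 1460.
SAMPLE_SYN = make_syn(1460)

if __name__ == "__main__":
    target = mss_for_mtu(1448)  # 1408, the value used in the thread
    print("before:", read_mss(SAMPLE_SYN), "after:", read_mss(clamp_mss(SAMPLE_SYN, target)))
```

Running it prints the MSS before and after clamping; the function returns a new byte string so the original segment is left untouched, which is convenient when the same logic is used for inspection only (for instance when checking captured SYNs to confirm a rule is taking effect).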