
February 17, 2009

Fixing bad MSS discovery across iptables based firewalls

If you have an iptables based firewall with differing MTUs on its public and private interfaces, you may need to use the iptables TCPMSS target to force proper MSS discovery.

First, check to see if you have differing MTUs using ip link show [interface]. If they have the same MTU (generally 1500 for ethernet) or your external MTU is the larger value, then you most likely don't need MSS correction. If you're having trouble with MSS, you'll see symptoms like web browsers that connect but then hang with no data received, or ssh sessions that connect properly while scp hangs after the initial handshake.

    spiffed:~$ ip link sh eth0
    2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 576 qdisc pfifo_fast qlen 1000
        link/ether 00:0c:41:87:82:9b brd ff:ff:ff:ff:ff:ff
    spiffed:~$ ip link sh eth1
    3: eth1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
        link/ether 00:b0:d0:96:6a:c9 brd ff:ff:ff:ff:ff:ff

Here you can see that my external interface (eth0) has a much smaller MTU of 576. Use a rule like the following to magically clamp the MSS of forwarded TCP SYNs to 40 bytes below the path MTU (the 20-byte IP header plus the 20-byte TCP header).

    sudo iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o eth1 -j TCPMSS --clamp-mss-to-pmtu
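To confirm the rule is doing its job, capture a SYN on the internal side (tcpdump shows the option as "mss N") and compare its MSS with what --clamp-mss-to-pmtu writes for the path MTU: PMTU minus 40, so 536 for the 576-byte interface above. The following Python check is an added example, not part of the original post; the SYN segment bytes and port numbers are constructed inline.

```python
import struct

IP_HDR = 20     # IPv4 header without options
TCP_HDR = 20    # TCP header without options
END_KIND, NOP_KIND, MSS_KIND = 0, 1, 2

def clamped_mss(path_mtu: int) -> int:
    """MSS that --clamp-mss-to-pmtu writes into a SYN: PMTU minus IPv4 and TCP headers."""
    return path_mtu - IP_HDR - TCP_HDR

def build_syn(mss: int) -> bytes:
    """Construct a minimal TCP SYN segment (no IP header) carrying an MSS option.
    Constructed test data, not a real capture; ports 40000 -> 22 are arbitrary."""
    options = struct.pack("!BBH", MSS_KIND, 4, mss)      # MSS option: kind 2, length 4
    options += bytes([NOP_KIND, NOP_KIND, 4, 2])          # padding + SACK-permitted
    data_offset = (TCP_HDR + len(options)) // 4           # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH",
                         40000, 22,          # source port, destination port
                         1, 0,               # sequence, acknowledgement
                         data_offset << 4,   # data offset in the high nibble
                         0x02,               # flags: SYN only
                         65535, 0, 0)        # window, checksum (left zero), urgent pointer
    return header + options

def syn_mss(segment: bytes):
    """Walk the TCP option list and return the advertised MSS, or None if absent."""
    data_offset = (segment[12] >> 4) * 4
    opts = segment[TCP_HDR:data_offset]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == END_KIND:
            break
        if kind == NOP_KIND:          # single-byte option, no length field
            i += 1
            continue
        length = opts[i + 1]
        if kind == MSS_KIND and length == 4:
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return None

def mss_fits_path(segment: bytes, path_mtu: int) -> bool:
    """True if the SYN's MSS would not force fragmentation on a path with this MTU."""
    mss = syn_mss(segment)
    return mss is not None and mss <= clamped_mss(path_mtu)
```

An unclamped SYN from a 1500-byte LAN advertises 1460 and fails the check against a 576-byte path; after the rule takes effect the captured value should be 536 or lower.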

Largely based on the "Linux Packet Filtering and iptables" guide.

Posted by spiffed at February 17, 2009 9:16 PM
