> From: "Peter E. Fry" <pfry-lists@xxxxxxxxxxxx>
> Date: Tue, 03 Jun 2003 22:33:08 -0500
>
> In that case I'll take a wild stab. I'd guess that the traffic
> passing through the clamper is not TCP at that point -- it's either
> UDP or ESP, and therefore unaffected by TCP MSS clamping. Use
> IPTables to log the packets passing to your remote, and see what they
> are.

Your guess about the cause of the problem was wrong, but your suggestion for debugging it helped me find the solution!

I was specifying the MSS clamping with "-A FORWARD", but apparently the packets in question were never going through the FORWARD chain because they were being NATed. So I added a rule to my nat table, and now the MTU clamping works. In other words, in addition to this:

    iptables -t filter -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

I now have this as well:

    iptables -t nat -A POSTROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

I guess the problem I had is what comes from trying to apply a cookbook without fully understanding it.

Question: Is it worth mentioning this in the LARTC guide in the section that talks about MSS clamping, so that other naifs like me can avoid this problem?

Thanks,

Jonathan Kamens
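
Added example (not part of the original message, and not netfilter's own code): a Python model of what a rule matching `-p tcp --tcp-flags SYN,RST SYN` with `-j TCPMSS --clamp-mss-to-pmtu` does to a single IPv4 packet, showing why non-TCP traffic such as UDP or ESP passes through unchanged. It assumes IPv4, so the clamp is the path MTU minus 40; the function names, the `pmtu` parameter and the sample packet are constructed for the illustration.

```python
import struct

def tcp_checksum(src, dst, segment):
    """TCP checksum over the IPv4 pseudo-header plus the segment."""
    data = src + dst + struct.pack("!BBH", 0, 6, len(segment)) + segment
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def clamp_mss(packet, pmtu):
    """Return (packet, old_mss, new_mss). Only an IPv4 TCP segment with SYN set
    and RST clear is rewritten, and the MSS is only ever lowered."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6:                      # -p tcp: UDP (17), ESP (50) pass untouched
        return packet, None, None
    seg = bytearray(packet[ihl:])
    if seg[13] & 0x06 != 0x02:              # --tcp-flags SYN,RST SYN
        return packet, None, None
    i, end = 20, (seg[12] >> 4) * 4         # options run from byte 20 to data offset
    while i < end and seg[i] != 0:          # kind 0 ends the option list
        if seg[i] == 1:                     # kind 1 is a one-byte NOP
            i += 1
            continue
        if i + 1 >= end or seg[i + 1] < 2 or i + seg[i + 1] > end:
            break                           # malformed option: leave packet alone
        if seg[i] == 2 and seg[i + 1] == 4: # MSS option
            old = struct.unpack_from("!H", seg, i + 2)[0]
            new = min(old, pmtu - 40)       # 20 bytes IPv4 + 20 bytes TCP header
            if new == old:
                return packet, old, old
            struct.pack_into("!H", seg, i + 2, new)
            seg[16:18] = b"\x00\x00"        # zero checksum field, then recompute
            struct.pack_into("!H", seg, 16,
                             tcp_checksum(packet[12:16], packet[16:20], bytes(seg)))
            return packet[:ihl] + bytes(seg), old, new
        i += seg[i + 1]
    return packet, None, None

def sample_packet(proto=6, flags=0x02, mss=1460):
    """Constructed test packet, 192.0.2.1:40000 -> 198.51.100.2:80."""
    src, dst = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2])
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 6 << 4, flags, 65535, 0, 0)
    tcp += struct.pack("!BBH", 2, 4, mss)
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, proto, 0)
    return ip + src + dst + tcp             # IP checksum left 0; never modified here
```

Calling `clamp_mss(sample_packet(), pmtu=1400)` lowers the advertised MSS from 1460 to 1360, while a packet built with `proto=17` or with only the ACK flag set comes back byte-for-byte identical.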