On Sun, Mar 19, 2006 at 01:37:39AM +0100, Krzysztof Oledzki wrote:
>
> On Fri, 17 Mar 2006, Alexander Samad wrote:
>
> >Hi
> >
> >I was recently setting up my new firewall using openwrt on a linksys.
> >
> >I got around to setting up my adsl connection and added into my iptables
> >these commands
> >
> >$IPT -t filter -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> >$IPT -t filter -A FORWARD -o $WANADSL -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
> >$IPT -t nat -A POSTROUTING -o $WANADSL -j MASQUERADE
> >
> >which is what I have normally done.
> >
> >http traffic worked well, but ftp of large files timed out, a sign of an
> >mtu problem. It worked when I ftp'ed from the firewall, but not when I
> >did it from behind the firewall.
> >
> >When I did some tcpdumps, I noticed that the second connection created
> >by the client wasn't being clamped.
> >
> >The way I figure it was that the second connection was related to the
> >first one, and thus being consumed by the first line in iptables (above).
> >
> >Once I changed the order of lines 1 and 2, everything worked fine.
> >
> >Now openwrt uses 2.4.30, and my previous firewall used 2.6 and I believe
> >it was set up as shown above and it worked fine.
> >
> >The other difference is that conntrack_ftp is compiled into the kernel.
> >
> >Is this a known feature/bug? Why has it worked in 2.6 and not in 2.4, or
> >is the problem compiled in vs. as a module?
>
> The solution is simple: TCPMSS should be used only in mangle table.
> Anyway, if you didn't change the configuration I have no idea why it
> worked in 2.6 and does not work in 2.4.

makes sense, ran foul of the man page

Workaround: activate this option and add a rule to your firewall configuration like:

iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
-j TCPMSS --clamp-mss-to-pmtu

>
> Best regards,
>
> Krzysztof Olędzki
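The ordering problem in the thread, shown side by side with the mangle-table fix Krzysztof suggests, as an added example that is not part of the original posts. The script below is my own; it assumes the variable names $IPT and $WANADSL from Alexander's post, defaults $WANADSL to ppp0 (an assumption), and by default only prints the rules (DRY_RUN=1) so the ordering can be inspected without root. The check function encodes why the original rule set misses the FTP data connection: the FTP conntrack helper marks the data connection's first SYN as RELATED, so in the original ordering the filter-table ACCEPT consumes it before the TCPMSS rule is ever reached, whereas a TCPMSS rule in mangle FORWARD is traversed before filter FORWARD and sees every forwarded SYN.

```shell
#!/bin/sh
# Added example, not from the netfilter thread. IPT and WANADSL are the
# variable names used in the original post; ppp0 is an assumed interface.
IPT="${IPT:-iptables}"
WANADSL="${WANADSL:-ppp0}"

# In dry-run mode (the default) print the rule instead of loading it,
# so the ordering can be reviewed on any machine.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Ordering from the original post. The RELATED,ESTABLISHED ACCEPT comes first,
# so the SYN of an FTP data connection (RELATED via the ftp conntrack helper)
# is accepted before the TCPMSS rule and is never clamped.
rules_broken() {
    run "$IPT" -t filter -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    run "$IPT" -t filter -A FORWARD -o "$WANADSL" -p tcp --tcp-flags SYN,RST SYN \
        -j TCPMSS --clamp-mss-to-pmtu
    run "$IPT" -t nat -A POSTROUTING -o "$WANADSL" -j MASQUERADE
}

# Fix from the thread: clamp in the mangle table. mangle FORWARD is traversed
# before filter FORWARD, so every forwarded SYN is clamped regardless of how
# the filter rules are ordered.
rules_fixed() {
    run "$IPT" -t mangle -A FORWARD -o "$WANADSL" -p tcp --tcp-flags SYN,RST SYN \
        -j TCPMSS --clamp-mss-to-pmtu
    run "$IPT" -t filter -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    run "$IPT" -t nat -A POSTROUTING -o "$WANADSL" -j MASQUERADE
}

# Review helper: given a rule-set function, returns 0 when a forwarded SYN of a
# RELATED connection would still be clamped, i.e. the TCPMSS rule is either in
# the mangle table or precedes the RELATED,ESTABLISHED ACCEPT in filter FORWARD.
clamp_precedes_accept() {
    DRY_RUN=1 "$1" | awk '
        /-t mangle/ && /TCPMSS/ { found = 1; exit }
        /-t filter/ && /FORWARD/ && /TCPMSS/ && !accept { found = 1; exit }
        /-t filter/ && /FORWARD/ && /RELATED,ESTABLISHED/ { accept = 1 }
        END { exit found ? 0 : 1 }'
}

# Usage (dry run): ./mss-order.sh ; set DRY_RUN=0 to actually load rules_fixed.
if [ "${DRY_RUN:-1}" = 1 ]; then
    echo "# original ordering (data connection not clamped):"
    rules_broken
    echo "# mangle-table ordering (every SYN clamped):"
    rules_fixed
fi
```

Running it prints both rule sets; clamp_precedes_accept rules_broken fails and clamp_precedes_accept rules_fixed succeeds, which is exactly the tcpdump observation in the thread expressed as a check you can keep next to the firewall script.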