[suse-security] iptables and MSS-clamp
From: Andreas Paulick (a-paulick@t-online.de)
Date: Sat Dec 20 2003 - 18:49:12 CST
Hi there!

I have a problem with mss-clamping in iptables. Here is a Suse 8.2-box
with an ADSL-Connection (TDSL from Deutsche Telekom AG; Germany) that
serves internet access for some win-clients. As many others in this
situation, I ran into the mss-problem: "some websites aren't accessible
with the win-clients" and I solve this on other boxes by using
SuSE-Firewall. But this time I have a router with 3 internal
ethernet-devices, so I couldn't use SuSeFirewall.

With someone's help (who I can't ask now), I put an iptables-script
together. This script runs fine for dialup-connections so I reused this
and inserted the TCPMSS-line in the forward-rules. It simply doesn't do
what it should do: some websites aren't reachable ("waiting for
de.search.yahoo.com" in Mozilla) but are reachable by lynx on the
Linux-router-box.

Has anyone an idea how to solve this? My knowledge in iptables is very
limited, because other networking stuff is more important for me.
Unfortunately, this problem came up suddenly and I have no time for
"trial & error - learning" so I can only "learn by example" this time.
As usual, I have searched the internet and read the two HOWTOs coming
with the iptables.rpm in SuSE - no luck :(.

Does someone know where I have to look?

Thanks in advance
Andreas

Here is the script:
----snip---
#!/bin/sh
# Enable IPv4 forwarding between the internal ethernet devices and ppp0.
echo "1" > /proc/sys/net/ipv4/ip_forward
# --flush without -t only empties the filter table; nat is flushed below.
iptables --flush
######################################################
#ROUTING
######################################################
iptables -t nat -F
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
######################################################
#FORWARD
######################################################
iptables -F FORWARD
# The MSS clamp has to be the FIRST rule in FORWARD. ACCEPT is a
# terminating target: with the subnet ACCEPT rules in front of it, every
# SYN from or to the internal networks is accepted before the TCPMSS rule
# is ever consulted, so nothing gets clamped. Matching SYN without RST
# catches both the outgoing SYN and the incoming SYN/ACK, so the MSS is
# clamped in both directions. (Keep the rule on one line; the mail
# client had wrapped --clamp-mss-to-pmtu onto a line of its own, which
# would make the shell run it as a separate, failing command.)
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -d 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -s 192.168.2.0/24 -j ACCEPT
iptables -A FORWARD -d 192.168.2.0/24 -j ACCEPT
iptables -A FORWARD -s 192.168.4.0/24 -j ACCEPT
iptables -A FORWARD -d 192.168.4.0/24 -j ACCEPT
######################################################
#INPUT
######################################################
iptables -A INPUT -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -s 192.168.2.0/24 -j ACCEPT
iptables -A INPUT -s 192.168.4.0/24 -j ACCEPT
# SSH is accepted from anywhere, including ppp0, before the block chain.
iptables -A INPUT -p tcp --destination-port 22 -j ACCEPT
#####################################################
#Create chain which blocks new connections, except if coming from inside
####################################################
iptables -N block
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
# "-i ! ppp0" is the pre-1.2.9 negation syntax (newer iptables: "! -i ppp0").
iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
iptables -A block -j DROP
######################################################
#Jump to that chain from INPUT and FORWARD chains.
######################################################
iptables -A INPUT -j block
iptables -A FORWARD -j block
######################################################
#OUTPUT
######################################################
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
######################################################
echo "iptables set"
----snap----
--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
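What the TCPMSS target in the script above actually does to a packet is easy to lose sight of behind the rule syntax. The following is an added example, not code from the post or from netfilter: a plain Python walk over the TCP option list of a SYN that rewrites the MSS option to PMTU - 40 (the IPv4 + TCP header overhead the kernel target assumes), plus the RFC 1624 incremental checksum update a packet rewriter applies afterwards. The SYN option bytes are constructed, and the PPPoE MTU of 1492 is an assumption; the post does not state the link MTU.

```python
"""Added example (not from the post): what TCPMSS --clamp-mss-to-pmtu does
to a TCP SYN, in plain Python so it can be run offline.

It walks the TCP option list and, if the MSS option announces more than
PMTU - 40 bytes (20 bytes IPv4 header + 20 bytes TCP header, the overhead
the kernel target assumes), rewrites it to PMTU - 40.
"""
import struct
from typing import Optional, Tuple

TCPOPT_EOL = 0        # end of option list
TCPOPT_NOP = 1        # one-byte padding
TCPOPT_MSS = 2        # maximum segment size, always 4 bytes long
HEADER_OVERHEAD = 40  # minimal IPv4 + TCP headers


def clamp_mss_options(options: bytes, pmtu: int) -> Tuple[bytes, Optional[int]]:
    """Return (rewritten option bytes, new MSS) or (unchanged bytes, None)."""
    max_mss = pmtu - HEADER_OVERHEAD
    out = bytearray(options)
    i = 0
    while i < len(out):
        kind = out[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(out):
            raise ValueError("truncated TCP option at offset %d" % i)
        length = out[i + 1]
        if length < 2 or i + length > len(out):
            raise ValueError("bad TCP option length at offset %d" % i)
        if kind == TCPOPT_MSS and length == 4:
            (mss,) = struct.unpack_from("!H", out, i + 2)
            if mss > max_mss:
                struct.pack_into("!H", out, i + 2, max_mss)
                return bytes(out), max_mss
            return bytes(out), None   # already small enough: leave it alone
        i += length
    return bytes(out), None           # no MSS option present


def ones_complement_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over data, zero-padded to an even length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def update_checksum(old_csum: int, old_word: int, new_word: int) -> int:
    """RFC 1624 incremental update after one 16-bit word changed.

    A packet-rewriting target uses this to fix the TCP checksum without
    re-summing the whole segment after patching the MSS value.
    """
    total = (~old_csum & 0xFFFF) + (~old_word & 0xFFFF) + new_word
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


# Constructed SYN option list, as a typical client sends it:
# MSS 1460, NOP, NOP, SACK-permitted, NOP, window scale 7.
SYN_OPTIONS = bytes.fromhex("020405b40101040201030307")
PPPOE_MTU = 1492  # assumption: usual MTU of a PPPoE link; not stated in the post

if __name__ == "__main__":
    clamped, new_mss = clamp_mss_options(SYN_OPTIONS, PPPOE_MTU)
    print("MSS rewritten to", new_mss, "->", clamped.hex())
```

With a 1492-byte PPPoE MTU the advertised MSS of 1460 is rewritten to 1452; on a plain 1500-byte Ethernet path the same SYN passes untouched, which is exactly the decision the `--clamp-mss-to-pmtu` rule makes per SYN, and why that rule has to be reached before an ACCEPT ends rule traversal.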