
[suse-security] iptables and MSS-clamp



Hi there!

I have a problem with mss-clamping in iptables. Here is a Suse 8.2-box with an ADSL-Connection (TDSL from Deutsche Telekom AG; Germany) that serves internet access for some win-clients. As many others in this situation, I ran into the mss-problem: "some websites aren't accessible with the win-clients" and I solved this on other boxes by using SuSE-Firewall. But this time I have a router with 3 internal ethernet-devices, so I couldn't use SuSeFirewall. With someone's help (who I can't ask now), I put an iptables-script together. This script runs fine for dialup-connections, so I reused this and inserted the TCPMSS-line in the forward-rules. It simply doesn't do what it should: some websites aren't reachable ("waiting for de.search.yahoo.com" in Mozilla) but are reachable by lynx on the Linux-router-box.

Does anyone have an idea how to solve this? My knowledge of iptables is very limited, because other networking stuff is more important for me. Unfortunately, this problem came up suddenly and I have no time for "trial & error - learning", so I can only do "learning by example" this time. As usual, I have searched the internet and read the two HOWTOs coming with the iptables.rpm in SuSE - no luck :(.

Does someone know where I have to look?

Thanks in advance
Andreas


Here is the script:
----snip---
#!/bin/sh
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables --flush
# Also delete the user-defined chain, so "iptables -N block" below does not
# fail (and the chain does not accumulate duplicate rules) when the script is re-run
iptables -X block 2>/dev/null
######################################################
#ROUTING
######################################################

iptables -t nat -F;
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

######################################################
#FORWARD
######################################################

iptables -F FORWARD
# The MSS clamp must come BEFORE the ACCEPT rules: ACCEPT is a terminating
# target, so a TCPMSS rule appended after them is never reached for the
# LAN traffic they accept. TCPMSS itself is non-terminating, so the SYN
# continues down the chain and is still accepted by the rules below.
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -d 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -s 192.168.2.0/24 -j ACCEPT
iptables -A FORWARD -d 192.168.2.0/24 -j ACCEPT
iptables -A FORWARD -s 192.168.4.0/24 -j ACCEPT
iptables -A FORWARD -d 192.168.4.0/24 -j ACCEPT

######################################################
#INPUT
######################################################

iptables -A INPUT -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -s 192.168.2.0/24 -j ACCEPT
iptables -A INPUT -s 192.168.4.0/24 -j ACCEPT

iptables -A INPUT -p tcp --destination-port 22 -j ACCEPT

#####################################################
#Create chain which blocks new connections, except if coming from inside
####################################################

iptables -N block
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
# "! -i ppp0" is the current negation syntax; the older "-i ! ppp0" form is deprecated
iptables -A block -m state --state NEW ! -i ppp0 -j ACCEPT
iptables -A block -j DROP

######################################################
#Jump to that chain from INPUT and FORWARD chains.
######################################################

iptables -A INPUT -j block
iptables -A FORWARD -j block

######################################################
#OUTPUT
######################################################

iptables -P OUTPUT ACCEPT
iptables -F OUTPUT

######################################################
echo "iptables set"
----snap----
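The rule-order problem in the posted FORWARD chain can be made visible without a router: the following is an added example (not part of Andreas's mail or of SuSE's scripts) that models iptables first-match traversal for the exact rules above and shows what MSS a LAN client's SYN leaves with. The packet, the PMTU of 1492 (typical for PPPoE) and the "PMTU minus 40" approximation of --clamp-mss-to-pmtu are constructed assumptions for the model, not measured values.

```python
# Added example (not from the original post): a small model of iptables
# first-match chain traversal, used to show why a TCPMSS rule appended
# after ACCEPT rules in FORWARD never fires. The packet and PMTU values are
# constructed; "pmtu - 40" approximates --clamp-mss-to-pmtu for IPv4/TCP.
import ipaddress

# The FORWARD rules from the posted script, in the posted order.
POSTED_FORWARD = [
    "-s 192.168.1.0/24 -j ACCEPT",
    "-d 192.168.1.0/24 -j ACCEPT",
    "-s 192.168.2.0/24 -j ACCEPT",
    "-d 192.168.2.0/24 -j ACCEPT",
    "-s 192.168.4.0/24 -j ACCEPT",
    "-d 192.168.4.0/24 -j ACCEPT",
    "-p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu",
]

# Same rules with the clamp moved in front of the terminating ACCEPTs.
FIXED_FORWARD = [POSTED_FORWARD[-1]] + POSTED_FORWARD[:-1]

# Constructed sample: a SYN from a LAN client (Ethernet MSS 1460) to a web
# server, leaving over a PPPoE link whose MTU is 1492.
SAMPLE_SYN = {"src": "192.168.1.10", "dst": "198.51.100.10",
              "proto": "tcp", "flags": {"SYN"}, "mss": 1460}
PPPOE_PMTU = 1492

TERMINATING = {"ACCEPT", "DROP", "REJECT"}


def parse_rule(text):
    """Parse the subset of iptables options the script uses into a dict."""
    toks = text.split()
    rule = {"src": None, "dst": None, "proto": None, "flags": None, "target": None}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "-s":
            rule["src"] = ipaddress.ip_network(toks[i + 1])
            i += 2
        elif t == "-d":
            rule["dst"] = ipaddress.ip_network(toks[i + 1])
            i += 2
        elif t == "-p":
            rule["proto"] = toks[i + 1]
            i += 2
        elif t == "--tcp-flags":
            # "--tcp-flags MASK COMP": of the flags in MASK, exactly COMP must be set
            mask = set(toks[i + 1].split(","))
            comp = set(toks[i + 2].split(","))
            rule["flags"] = (mask, comp)
            i += 3
        elif t == "-j":
            rule["target"] = toks[i + 1]
            i += 2
        else:
            i += 1  # target options such as --clamp-mss-to-pmtu are not modelled
    return rule


def matches(rule, pkt):
    """Return True if every match the rule specifies holds for the packet."""
    if rule["src"] and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["dst"] and ipaddress.ip_address(pkt["dst"]) not in rule["dst"]:
        return False
    if rule["proto"] and rule["proto"] != pkt["proto"]:
        return False
    if rule["flags"]:
        mask, comp = rule["flags"]
        if (pkt["flags"] & mask) != comp:
            return False
    return True


def traverse(rules, pkt, pmtu):
    """Walk a chain in order. Returns (verdict, effective MSS, index of the
    rule that gave the verdict). TCPMSS is non-terminating: it rewrites the
    MSS option and traversal continues; ACCEPT/DROP/REJECT end traversal.
    No rule matching means the chain's policy decides (modelled as "POLICY")."""
    mss = pkt["mss"]
    for idx, text in enumerate(rules):
        rule = parse_rule(text)
        if not matches(rule, pkt):
            continue
        if rule["target"] == "TCPMSS":
            mss = min(mss, pmtu - 40)  # 20-byte IPv4 header + 20-byte TCP header
            continue
        if rule["target"] in TERMINATING:
            return rule["target"], mss, idx
    return "POLICY", mss, None


if __name__ == "__main__":
    for name, chain in (("posted order", POSTED_FORWARD), ("clamp first", FIXED_FORWARD)):
        verdict, mss, idx = traverse(chain, SAMPLE_SYN, PPPOE_PMTU)
        print(f"{name}: verdict={verdict} by rule {idx}, MSS on the wire={mss}")
```

In the posted order the SYN is accepted by rule 0 (the "-s 192.168.1.0/24" ACCEPT) and leaves with MSS 1460, so the clamp never happened; with the TCPMSS rule first the same SYN is clamped to 1452 and then accepted by the following rule. On a real box the equivalent check is `iptables -L FORWARD -v -n` (the packet counter on the TCPMSS rule stays at zero in the posted order) and, for traffic on the wire, looking at the MSS option of outgoing SYNs on ppp0 with tcpdump.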


