2010-05-15 17:07:40 +00:00 · 2010-05-15 17:07:40 +00:00 · 3f0c737fd8
parent caacd92bc9
commit 3f0c737fd8
3 changed files with 38 additions and 6 deletions
--- a/1
+++ b/1
@ -1,4 +1,5 @@
 0.7 - Brielle Bruns <bruns@2mbit.com>
+	- MSS Clamp on IPv6 as well
 	- Beginning support for bogons filtering and updater
 	  script.

--- a/options.default
+++ b/options.default
@ -20,7 +20,8 @@ FORWARD=1
 BLOCKINCOMING=1

 # Clamp MSS, useful on DSL/VPN links
-#CLAMPMSS=ppp0
+# Space separated list of interfaces to apply this on
+#CLAMPMSS="ppp0 eth0"

 # Do we run a LAN DHCP server?
 #LANDHCPSERVER=1
@ -74,6 +75,11 @@ IPV6BLOCKINCOMING=1
 # Useful if clients do not have proper ipv6 firewalls.
 #IPV6ROUTEDCLIENTBLOCK=1

+# Clamp MSS, useful on DSL/VPN links
+# Space separated list of interfaces to apply this on
+# it may be used eventually.
+#CLAMPMSSIPV6="he-ipv6"
+
 # Interface IPv6 comes in on (either tunnel or real network interface)
 #IPV6INT=he-ipv6

--- a/rc.firewall
+++ b/rc.firewall
@ -46,11 +46,21 @@ fi

 if [ $CLAMPMSS ]; then
 	echo "Clamping MSS to PMTU..."
-	iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
-		--clamp-mss-to-pmtu
-	iptables -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
-		--clamp-mss-to-pmtu
-
+	for i in $CLAMPMSS; do
+		$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
+			--clamp-mss-to-pmtu -o $i --mss 1400:1536
+		$IPTABLES -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
+			--clamp-mss-to-pmtu -o $i --mss 1400:1536
+		# This is necessary to make sure that PMTU works
+		$IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded \
+			-o $i -j ACCEPT
+		$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded \
+			-i $i -j ACCEPT
+		$IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed \
+			-o $i -j ACCEPT
+		$IPTABLES -A INPUT -p icmp --icmp-type fragmentation-needed \
+			-i $i -j ACCEPT
+	done
 	#$IPTABLES -t mangle -o $CLAMPMSS -A FORWARD -p tcp \
        #	--tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 \
        #	-j TCPMSS --clamp-mss-to-pmtu
@ -152,10 +162,17 @@ fi



+
+
 if [ $NAT ]; then
 	for i in $NATRANGE; do
 		$IPTABLES -A POSTROUTING -t nat -s $i -o $NATEXTIF -j SNAT --to-source $NATEXTIP
 	done
+	# This is necessary to make sure that PMTU works
+	$IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded -o $NATEXTIF \
+			-j ACCEPT
+	$IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed \
+			-o $NATEXTIF -j ACCEPT
 fi

 $IPTABLES --policy INPUT ACCEPT
@ -187,6 +204,14 @@ if [ $IPV6 ]; then
 	done
 	echo -ne "\n"

+
+	if [ $CLAMPMSSIPV6 ]; then
+        	echo "Clamping IPv6 MSS to PMTU..."
+        	ip6tables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
+                	--clamp-mss-to-pmtu
+        	ip6tables -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
+                --clamp-mss-to-pmtu
+	fi
 	echo -n "Adding allowed IPv6 port: "

 	for i in $IPV6TCP; do