# SOLVED Incorrect MTU Value

## JasonX

I have a server with the following installed: hardened-sources-2.6.20-r2

ppp-2.4.4-r4

pptpd-1.3.4

iptables-1.3.5

I want to share internet access by means of pptpd with my home network.

PPTP is working, because I can access google.com and ping any host on the internet by connecting to the pptpd server from my home computer. But I can't access some other sites.

iptables does masquerading like this:

```
# Generated by iptables-save v1.3.5 on Mon Jun 11 12:25:27 2007
*nat
:PREROUTING ACCEPT [3222421:375165346]
:POSTROUTING ACCEPT [2403:316023]
:OUTPUT ACCEPT [3705:411018]
# masquerade everything leaving the external card
-A POSTROUTING -o $external_lan_card -j MASQUERADE
COMMIT
# Completed on Mon Jun 11 12:25:27 2007
# Generated by iptables-save v1.3.5 on Mon Jun 11 12:25:27 2007
*mangle
:PREROUTING ACCEPT [13788077:9064935440]
:INPUT ACCEPT [10695153:8710372630]
:FORWARD ACCEPT [22593:7430284]
:OUTPUT ACCEPT [9658031:8993421075]
:POSTROUTING ACCEPT [9682300:9001223727]
COMMIT
# Completed on Mon Jun 11 12:25:27 2007
# Generated by iptables-save v1.3.5 on Mon Jun 11 12:25:27 2007
*filter
:INPUT ACCEPT [10695157:8710372733]
:FORWARD ACCEPT [22266:7380952]
:OUTPUT ACCEPT [9658037:8993421895]
# clamp the MSS of forwarded SYNs to the path MTU
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Mon Jun 11 12:25:27 2007
```

Where $external_lan_card is the LAN card connected to the cable modem on a dedicated line.

Referring to the Home Router Guide, I added to the iptables ruleset (as you can see above):

```
iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
```

But with no result.

```
tcpdump -i ppp0
12:24:27.537852 IP 172.27.0.20.1560 > focus.tutby.com.http: S 1287278607:1287278607(0) win 16384 <mss 1360,nop,nop,sackOK>
12:24:27.544684 IP 172.27.0.20.1561 > sitecheck.opera.com.http: S 2195706936:2195706936(0) win 16384 <mss 1360,nop,nop,sackOK>
12:24:27.550930 IP focus.tutby.com.http > 172.27.0.20.1560: S 808044345:808044345(0) ack 1287278608 win 5840 <mss 1356,nop,nop,sackOK>
```

Please help.

Last edited by JasonX on Fri Jun 15, 2007 8:02 am; edited 2 times in total
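
An added example, not from JasonX's post or from anyone else in the thread: a POSIX sh script that reads the mss option out of tcpdump SYN lines like the ones above and relates it to an interface MTU the way --clamp-mss-to-pmtu does (MSS = MTU minus 40 bytes of IPv4 and TCP headers, assuming no IP options). The sample lines are the three from the capture above; the MTU values 1396 and 1400 are the ones that come up later in the thread. Run on those lines, it shows that the client's mss 1360 corresponds to a 1400-byte MTU, and that the SYN-ACK's mss 1356 is exactly 1396 minus 40, which is what a clamp to a 1396-byte ppp0 MTU produces on the reply path.

```shell
#!/bin/sh
# Added example (not posted in the thread): relate the mss option seen in
# tcpdump SYN lines to an interface MTU, the way --clamp-mss-to-pmtu does.
# Assumes plain IPv4 + TCP with no IP options: 20 + 20 = 40 header bytes.

# Largest MSS that still fits one packet of the given MTU.
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# MTU implied by an advertised MSS (the inverse).
mtu_for_mss() {
    echo $(( $1 + 40 ))
}

# Extract the advertised MSS from one tcpdump line, e.g. "<mss 1360,nop,nop,sackOK>".
# Prints nothing when the line carries no mss option.
syn_mss() {
    printf '%s\n' "$1" | sed -n 's/.*<mss \([0-9][0-9]*\).*/\1/p'
}

# Exit status:
#   0  the MSS fits the MTU (the clamp would leave it alone)
#   1  the MSS is too big (the clamp would lower it to mss_for_mtu)
#   2  the line has no mss option (not a SYN, or options not shown)
check_syn_mss() {
    _line=$1 _mtu=$2
    _mss=$(syn_mss "$_line")
    [ -n "$_mss" ] || return 2
    [ "$_mss" -le "$(mss_for_mtu "$_mtu")" ] && return 0
    return 1
}

# Constructed sample: the three SYN lines from the capture quoted in the post above.
SAMPLE='12:24:27.537852 IP 172.27.0.20.1560 > focus.tutby.com.http: S 1287278607:1287278607(0) win 16384 <mss 1360,nop,nop,sackOK>
12:24:27.544684 IP 172.27.0.20.1561 > sitecheck.opera.com.http: S 2195706936:2195706936(0) win 16384 <mss 1360,nop,nop,sackOK>
12:24:27.550930 IP focus.tutby.com.http > 172.27.0.20.1560: S 808044345:808044345(0) ack 1287278608 win 5840 <mss 1356,nop,nop,sackOK>'

# Check every sample line against one MTU and print a verdict per line.
report() {
    printf '%s\n' "$SAMPLE" | while IFS= read -r l; do
        m=$(syn_mss "$l")
        rc=0; check_syn_mss "$l" "$1" || rc=$?
        case $rc in
            0) printf 'mtu=%s mss=%s (peer MTU %s): fits\n' "$1" "$m" "$(mtu_for_mss "$m")" ;;
            1) printf 'mtu=%s mss=%s (peer MTU %s): clamp lowers it to %s\n' "$1" "$m" "$(mtu_for_mss "$m")" "$(mss_for_mtu "$1")" ;;
            *) printf 'mtu=%s: no mss option on this line\n' "$1" ;;
        esac
    done
}

# The ppp0 MTU the thread found by default (1396) and the one that fixed it (1400).
report 1396
report 1400
```

The clamp acts on the interface a packet leaves on, so in the real capture the client's SYNs (leaving on the external card, MTU 1500) were untouched, while the SYN-ACK (leaving on ppp0) was lowered to 1356; the script's "report 1396" line for the client SYNs shows what would happen if they had to leave on a 1396-byte link.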

----------

## Kvetch

Okay, I have no clue exactly, but I don't believe TCPMSS --clamp-mss-to-pmtu is actually a real fix, just a kludgey patch for some network issues, not guaranteed to work. I ran across this:

http://lists.netfilter.org/pipermail/netfilter/2004-July/054802.html

I am not the best at packet reading, but are those packets fragmented, or does it not show that option if it isn't set? If you toss in the -vv switch I think it should show the fragment/DF option no matter what.

Nick

----------

## JasonX

 *Kvetch wrote:*   

> I am not the best at packet reading but are those packets fragmented or does it not show that option if it isn't set?  If you toss the -vv switch I think it should show the fragment/DF option no matter what.
> 
> Nick

 

```
tcpdump -i ppp0
12:24:27.537852 IP 172.27.0.20.1560 > focus.tutby.com.http: S 1287278607:1287278607(0) win 16384 <mss 1360,nop,nop,sackOK>
12:24:27.544684 IP 172.27.0.20.1561 > sitecheck.opera.com.http: S 2195706936:2195706936(0) win 16384 <mss 1360,nop,nop,sackOK>
12:24:27.550930 IP focus.tutby.com.http > 172.27.0.20.1560: S 808044345:808044345(0) ack 1287278608 win 5840 <mss 1356,nop,nop,sackOK>
```

These are the packets after the --clamp-mss-to-pmtu option was set.

----------

## Kvetch

I don't have anything to test on, but wouldn't you need to do it in POSTROUTING and on the ppp0 interface?

```
-A POSTROUTING -o ppp0 -p tcp --tcp-flags SYN,RST SYN -m tcp -j TCPMSS --clamp-mss-to-pmtu

-A POSTROUTING -o ppp0 -j MASQUERADE
```

----------

## JasonX

 *Kvetch wrote:*   

> I don't have anything to test on but wouldn't you need to do it in postrouting and on the ppp0 interface?
> 
> ```
> -A POSTROUTING -o ppp0 -p tcp --tcp-flags SYN,RST SYN -m tcp -j TCPMSS --clamp-mss-to-pmtu
> 
> ...

 

Please be precise about which table I must add each rule to.

The strange thing is that on usual Gentoo, with Gentoo Base System release 1.12.9, 2.6.12-gentoo-r10, ppp-2.4.4-r4, pptpd-1.3.3, iptables-1.3.4, everything works well with

```
iptables -t nat -A POSTROUTING -o $ext_lan_card -j MASQUERADE
```

without any additional rule like

```
-A POSTROUTING -o ppp0 -p tcp --tcp-flags SYN,RST SYN -m tcp -j TCPMSS --clamp-mss-to-pmtu
```

Any proposal about the above?

And about your advice, the article "DF reset / MSS clamp pmtu": in iptables 1.3.5, --clear is an unknown argument. Or do you advise me to apply the patch by Dmitry Labutcky?
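
An added example, not posted by anyone in the thread: a small sh firewall fragment showing the table and chain each of the two rules belongs in. MASQUERADE is a nat-table target and is only accepted in POSTROUTING; the kernel accepts TCPMSS --clamp-mss-to-pmtu only in the FORWARD, OUTPUT and POSTROUTING hooks, and the mangle table is its documented home (the Netfilter NAT HOWTO puts it in mangle FORWARD). The interface name eth1 and the IPT and print_cmd names are assumptions; IPT defaults to iptables and the show_rules function points it at print_cmd so the commands can be inspected without touching the kernel.

```shell
#!/bin/sh
# Added example (not posted in the thread): the table and chain each rule belongs in.
# EXT_IF is an assumed name; IPT defaults to iptables and can be pointed at
# print_cmd (below) to see the commands without touching the kernel.
IPT=${IPT:-iptables}
EXT_IF=${EXT_IF:-eth1}   # assumed: the card toward the cable modem

# Dry-run stand-in for iptables: print the arguments as one line.
print_cmd() { printf '%s\n' "$*"; }

# Masquerading is a nat-table target and is only accepted in POSTROUTING.
nat_rules() {
    $IPT -t nat -A POSTROUTING -o "$1" -j MASQUERADE
}

# MSS clamping: --clamp-mss-to-pmtu is accepted only in the FORWARD, OUTPUT and
# POSTROUTING hooks, and the mangle table is its documented home (NAT HOWTO:
# mangle FORWARD). With no -i/-o it rewrites SYNs in both directions, so the
# SYN-ACK heading back toward the ppp link is clamped to that link's MTU too.
clamp_rules() {
    $IPT -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
}

apply_rules() {
    nat_rules "$1"
    clamp_rules
}

# Dry run: print what apply_rules would execute, one command per line.
show_rules() {
    ( IPT=print_cmd; apply_rules "$1" )
}

# Usage:  sh fw.sh apply   (runs iptables)    sh fw.sh show   (prints the commands)
case "${1:-}" in
    apply) apply_rules "$EXT_IF" ;;
    show)  show_rules "$EXT_IF" ;;
esac
```

Nothing is placed in the filter table: the thread's ruleset had the clamp rule in filter FORWARD, which the kernel did accept, but keeping it in mangle alongside the nat rule makes the table split explicit when reading an iptables-save dump.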

----------

## Kvetch

 *JasonX wrote:*   

> The strange thing is that on usuall gentoo with Gentoo Base System release 1.12.9, 2.6.12-gentoo-r10, ppp-2.4.4-r4, pptpd-1.3.3, iptables-1.3.4 all works well 
> 
> ```
> iptables -t nat -A POSTROUTING -o $ext_lan_card -j MASQUERADE
> ```
> ...

 

Oh sorry, I didn't know that. I have no clue why hardened would cause these issues. Maybe the hardened kernel configuration has something that messes with network traffic, but I really thought Hardened only handles file-level, memory-level ASLR and IPC junk; I have only played with it a few times.

 *JasonX wrote:*   

> And about your advice. Article DF reset / MSS clamp pmtu. In iptables 1.3.5 --clear is unknown argument. Or you advice me to apply patch of Dmitry Labutcky?

 

I am not saying use it, because I am not qualified enough to really know, but it might be worth a shot. Make a copy of your kernel sources, try patching it and see what happens.

Sorry I can't be of any more help.

----------

## JasonX

The problem was in the ppp interface. By default its MTU was set to 1396. I set in the ip-up script

```
# /etc/ppp/ip-up: pppd passes the interface name (e.g. ppp0) as $1
ifconfig $1 mtu 1400
```

and then came elation. For Russian-speaking users there is an additional link: pptpd+mtu problem

One question appeared. If I try to set

```
mtu 1400
```

in options.pptpd, this is useless: the MTU in ifconfig stays 1396. Why? Isn't this supported by pptpd?

Thanks Kvetch for the help.

----------

