Linux-2.4 iptables, masquerading and tunnels, like PPPoE

I started to set up a server to use T-DSL (ADSL, provided by Deutsche Telekom AG). As I need mirroring, which does not work well with Linux-2.2 for me, I am forced to use Linux-2.4 (test versions). Using DSL (which is connected by PPPoE) on the server does not cause any problem (after the provider fixed its installation). But masquerading, which I have used for years to share ISDN and modem PPP connections, did not work properly with the DSL. Traceroute and ping did work, but as soon as a TCP connection tried to get established, the communication got stuck.

After trying to get it to work, I asked some developers: Jamal Hadi and Marc Boucher answered my question. Marc Boucher's solution did work for me:


  1. Skip to 4., as current versions of iptables do not need to be patched.
  2. Get iptables of a version > 1.1.1. At the time I write this, you need to get the CVS version - but it works for me!
  3. In the iptables source tree (or netfilter/userspace/), do
    1. `make patch-o-matic`, then apply the TCPMSS patch,
    2. recompile the kernel,
    3. build the iptables binary, install it and
    4. restart.
  4. Add to your working iptables masquerading setup the following command (one line!):

iptables  -I FORWARD  -p tcp  --tcp-flags SYN,RST SYN   -j TCPMSS   --clamp-mss-to-pmtu
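What that TCPMSS rule does to a passing SYN, as an added example in Python (not the kernel's or iptables' code): with PPPoE's 1492-byte MTU, an MSS option of 1460 is rewritten to 1452 (MTU minus 20-byte IPv4 and 20-byte TCP headers) and the TCP checksum is recomputed. The IP addresses and the SYN segment are constructed here for the example; nothing is sent on the wire.

```python
import struct

HEADERS = 40  # minimal IPv4 (20) + TCP (20) header bytes, no options
SRC_IP, DST_IP = bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1])  # constructed

def mss_for_pmtu(pmtu: int) -> int:
    """Largest MSS that fits the path MTU: 1492 (PPPoE) -> 1452."""
    return pmtu - HEADERS

def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Ones-complement sum over the IPv4 pseudo-header and the TCP segment."""
    data = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment)) + segment
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_syn(mss: int) -> bytes:
    """Constructed SYN segment (port 40000 -> 80) carrying an MSS option."""
    hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 6 << 4, 0x02, 8192, 0, 0)
    seg = hdr + struct.pack("!BBH", 2, 4, mss)  # option kind 2, length 4, value
    return seg[:16] + struct.pack("!H", tcp_checksum(SRC_IP, DST_IP, seg)) + seg[18:]

def clamp_mss(segment: bytes, pmtu: int) -> bytes:
    """Rewrite an MSS option larger than mss_for_pmtu(pmtu), fixing the checksum."""
    if not segment[13] & 0x02:  # only SYN segments carry an MSS option
        return segment
    seg = bytearray(segment)
    i, end = 20, (seg[12] >> 4) * 4  # options sit between byte 20 and the data offset
    while i < end:
        kind = seg[i]
        if kind == 0:  # end of option list
            break
        if kind == 1:  # NOP, one byte
            i += 1
            continue
        length = seg[i + 1]
        if length < 2:  # malformed option: stop rather than loop forever
            break
        if kind == 2 and length == 4:
            if struct.unpack("!H", seg[i + 2:i + 4])[0] > mss_for_pmtu(pmtu):
                seg[i + 2:i + 4] = struct.pack("!H", mss_for_pmtu(pmtu))
            break
        i += length
    seg[16:18] = b"\x00\x00"  # checksum field is zero while recomputing
    seg[16:18] = struct.pack("!H", tcp_checksum(SRC_IP, DST_IP, bytes(seg)))
    return bytes(seg)
```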

I use this setup with a Linux-2.4.0-test11 kernel. For the explanation, see the mail I got from the two developers. But it is to be read with care: the solution described above is some days younger than this mail, so things that are described there as being in the future are now implemented.

I first made the mistake of applying one patch too many from those accompanying iptables, which broke the FTP masquerading.

