Router TCPMSS target

Source: Internet   Editor: 程序博客网   Time: 2024/06/05 08:12

TCPMSS target

The TCPMSS target can be used to alter the MSS (Maximum Segment Size) value of TCP SYN packets that the firewall sees. The MSS announced in a SYN tells the peer the largest TCP payload this host is willing to receive in one segment, and so bounds the packet size of that connection. Under normal circumstances it is the interface MTU (Maximum Transmission Unit) minus 40 bytes: 20 bytes of IPv4 header plus 20 bytes of TCP header (with IPv6 the overhead is 60 bytes). The target is used to work around ISPs and servers that drop ICMP "Fragmentation Needed" messages (ICMP type 3, code 4). Dropping them breaks Path MTU Discovery and produces a so-called PMTU black hole, which shows up as really weird problems: everything works perfectly from the firewall/router itself, but the local hosts behind it cannot exchange large packets. Typical symptoms are mail servers that can send small mails but not large ones, web browsers that connect but then hang with no data received, and ssh that connects properly while scp hangs right after the initial handshake. In other words, anything that needs full-size packets stops working, while small exchanges still succeed.

The TCPMSS target solves these problems by lowering the MSS in the SYN of each connection that passes through the router, so that neither end ever sends a segment larger than the narrowest link on the path can carry without fragmentation. Only the SYN (and SYN/ACK) needs to be rewritten: each host records the MSS its peer announced during the handshake and honours it for the rest of the connection. That is why the examples below match with --tcp-flags SYN,RST SYN (look at the SYN and RST bits, require SYN set and RST clear), and why iptables rejects the target on a rule that does not restrict itself to SYN packets. The target takes one of two arguments.

Table 11-13. TCPMSS target options

Option: --set-mss

Example: iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o eth0 -j TCPMSS --set-mss 1460

Explanation: --set-mss writes the given MSS value into every matched SYN packet. In the example above, the SYN packets going out over the eth0 interface get an MSS of 1460 bytes, the usual value for Ethernet: the normal MTU of 1500 bytes minus 40 bytes of IPv4 and TCP headers. The kernel never raises an MSS with this option: a SYN that already carries a smaller value (for example 1380 from a host behind a VPN) is left as it is, so --set-mss acts as a cap rather than an override. MSS only has to be set properly in the SYN packet; the peer hosts take care of it for the rest of the connection. Use an explicit value when the bottleneck MTU is known and is not the MTU of the outgoing interface, for example 1452 on an IPv4 PPPoE link with an MTU of 1492.

Option: --clamp-mss-to-pmtu

Example: iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o eth0 -j TCPMSS --clamp-mss-to-pmtu

Explanation: --clamp-mss-to-pmtu sets the MSS automatically, hence you don't need to work out the value yourself. The target takes the smaller of the MTU the kernel holds for the packet's route (the Path MTU, PMTU) and the MTU of the interface the packet arrived on, and lowers the MSS to that minus 40 bytes for IPv4 or 60 bytes for IPv6, which is a reasonable value for most setups. It is only accepted in the FORWARD, OUTPUT and POSTROUTING chains, because the route, and therefore the PMTU, is known only after routing. On a router with a PPPoE or tunnel uplink the usual placement is the FORWARD chain of the mangle table with -o set to the uplink interface, which clamps the SYNs of every host on the LAN. To confirm the rule is effective, capture SYN packets on the uplink interface and check that the mss option they carry is the clamped value rather than 1460.
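To make concrete what the two options do to a SYN, here is an added example in Python written for this page; it is not the kernel's xt_TCPMSS code and not part of the iptables tutorial. It builds a constructed TCP SYN segment (the addresses, ports and sequence number are sample values, not captured traffic), finds the MSS option (kind 2, length 4), and rewrites it the way the target does: --set-mss N writes N, --clamp-mss-to-pmtu writes the path MTU minus 40 bytes for IPv4 or 60 for IPv6, and in both modes the MSS is only ever lowered, never raised. Because it runs offline, the path MTU the kernel would look up is passed in as the hypothetical pmtu parameter; all function names here are this example's own. The TCP checksum is repaired incrementally (RFC 1624), as the kernel does, and the result is checked against a full recomputation over the pseudo-header.

```python
"""Added example: MSS rewriting on a TCP SYN, as iptables' TCPMSS target does it.
Illustration code for this page, not the kernel implementation."""
import struct

TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MSS = 0, 1, 2
TCPOLEN_MSS = 4
# Bytes the kernel subtracts from the MTU: IP header plus a 20-byte TCP header.
HEADER_OVERHEAD = {4: 20 + 20, 6: 40 + 20}


def ones_complement_sum(data):
    """Fold a byte string into a 16-bit ones'-complement sum (RFC 1071)."""
    if len(data) % 2:
        data = data + b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s


def pseudo_header(ip_version, src, dst, tcp_len):
    """TCP pseudo-header for the checksum; src/dst are raw address bytes."""
    if ip_version == 4:
        return src + dst + struct.pack("!BBH", 0, 6, tcp_len)
    return src + dst + struct.pack("!IBBBB", tcp_len, 0, 0, 0, 6)


def tcp_checksum(ip_version, src, dst, seg):
    """Full TCP checksum, computed with the checksum field zeroed."""
    zeroed = seg[:16] + b"\x00\x00" + seg[18:]
    return ~ones_complement_sum(pseudo_header(ip_version, src, dst, len(seg)) + zeroed) & 0xFFFF


def verify_checksum(ip_version, src, dst, seg):
    """A valid segment sums to 0xFFFF when the stored checksum is included."""
    return ones_complement_sum(pseudo_header(ip_version, src, dst, len(seg)) + seg) == 0xFFFF


def checksum_replace16(old_csum, old_val, new_val):
    """RFC 1624 incremental update after one 16-bit word changes; this is what
    the kernel's inet_proto_csum_replace2() does for the target."""
    s = (~old_csum & 0xFFFF) + (~old_val & 0xFFFF) + new_val
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def tcp_options(seg):
    """Yield (offset, kind, length) for each option in the TCP header."""
    end = (seg[12] >> 4) * 4          # data offset = header length in bytes
    i = 20
    while i < end:
        kind = seg[i]
        if kind == TCPOPT_EOL:
            return
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= end or seg[i + 1] < 2 or i + seg[i + 1] > end:
            return                    # truncated or malformed option list
        yield i, kind, seg[i + 1]
        i += seg[i + 1]


def read_mss(seg):
    """The MSS a segment announces, or None if it carries no MSS option."""
    for off, kind, length in tcp_options(seg):
        if kind == TCPOPT_MSS and length == TCPOLEN_MSS:
            return struct.unpack_from("!H", seg, off + 2)[0]
    return None


def clamp_mss(seg, *, set_mss=None, pmtu=None, ip_version=4):
    """Rewrite a SYN's MSS option. Exactly one of set_mss (--set-mss N) or pmtu
    (--clamp-mss-to-pmtu; the path MTU the kernel would look up, passed in here
    because this runs offline) must be given. Returns (segment, mss). Like the
    kernel target, the MSS is never increased. A SYN without an MSS option is
    returned unchanged (the kernel inserts one; this illustration does not)."""
    flags = seg[13]
    if not flags & 0x02 or flags & 0x04:
        raise ValueError("only SYN (not RST) segments: --tcp-flags SYN,RST SYN")
    if (set_mss is None) == (pmtu is None):
        raise ValueError("give exactly one of set_mss or pmtu")
    newmss = set_mss if set_mss is not None else pmtu - HEADER_OVERHEAD[ip_version]
    out = bytearray(seg)
    for off, kind, length in tcp_options(out):
        if kind != TCPOPT_MSS or length != TCPOLEN_MSS:
            continue
        oldmss = struct.unpack_from("!H", out, off + 2)[0]
        if oldmss <= newmss:          # never raise the host's own value
            return bytes(out), oldmss
        struct.pack_into("!H", out, off + 2, newmss)
        old_csum = struct.unpack_from("!H", out, 16)[0]
        struct.pack_into("!H", out, 16, checksum_replace16(old_csum, oldmss, newmss))
        return bytes(out), newmss
    return bytes(out), None


def build_syn(ip_version, src, dst, sport, dport, mss):
    """Constructed sample SYN (not captured traffic): a 20-byte header plus one
    MSS option, with a correct checksum for the given endpoints."""
    opts = struct.pack("!BBH", TCPOPT_MSS, TCPOLEN_MSS, mss)
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0x12345678, 0,
                      ((20 + len(opts)) // 4) << 4, 0x02, 65535, 0, 0)
    seg = hdr + opts
    return seg[:16] + struct.pack("!H", tcp_checksum(ip_version, src, dst, seg)) + seg[18:]


if __name__ == "__main__":
    # Sample addresses: a LAN host talking to a documentation-range server.
    src, dst = bytes([192, 168, 1, 10]), bytes([198, 51, 100, 1])
    syn = build_syn(4, src, dst, 40000, 443, 1460)
    for label, kw in (("--set-mss 1400", {"set_mss": 1400}),
                      ("--clamp-mss-to-pmtu, PPPoE MTU 1492", {"pmtu": 1492}),
                      ("--set-mss 1500 (not raised)", {"set_mss": 1500})):
        out, mss = clamp_mss(syn, **kw)
        print(f"{label}: mss {read_mss(syn)} -> {mss}, checksum ok: {verify_checksum(4, src, dst, out)}")
```

Running it shows the three behaviours side by side: an explicit value lowers 1460 to 1400, clamping to a PPPoE path MTU of 1492 yields 1452, and asking for 1500 leaves 1460 in place. The same segment parsed with Wireshark or tcpdump would display the rewritten mss option and a valid checksum, which is exactly the check to run on the uplink interface after installing the rule.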


MSS (Maximum Segment Size) is a TCP concept: the largest amount of data TCP will put into a single segment. To get the best throughput, TCP negotiates the MSS when the connection is established, and implementations usually derive the value from the MTU: MTU minus the 20-byte IPv4 header minus the 20-byte TCP header, which is why 1460 is the value seen so often. Each side announces in its SYN the MSS it is willing to receive, and each side then limits its own segments to what the peer announced, so the smaller of the two announced values governs the connection in practice. Note that the MSS does not include TCP options: with timestamps enabled, a segment carries 12 bytes less payload than the MSS.
