[Bug 554] Packet illegally bypassing SNAT

bugzilla-daemon at bugzilla.netfilter.org bugzilla-daemon at bugzilla.netfilter.org
Tue Apr 17 05:04:00 CEST 2007


------- Additional Comments From fhagur at gmail.com  2007-04-17 05:04 MET -------
I have been wondering about this bug and had similar problems myself here in my
Debian system, linux-kernel 2.6.18 iptables 1.3.6.

I too saw that some packets became transmitted illegally through the ppp0
interface, when they just shouldn't.
What I did was to clamp the MSS - Max Segment Size.

It's a known thing and since the adoption of the newest internet routers the
acceptance of long packets is ok and they do transmit them. Actually the
packets are not illegal for the newest routers and servers (like apache), but
the oldest and not so featured ones (IIS, old Cisco routers, etc) don't like it and
don't reply to your requests correctly, trying strange behaviours like checking arp
addresses on the Internet for your internal NAT'ed NICs.

So, go to your ppp/eth device connected to the Internet and clamp MSS to a value
such as 1412. In Debian (and maybe other *nix'es) you can do it this way:
pty pppoe -I eth0 -T80 -m 1412
Since eth0 is your _internal_ network, you should clamp their packets.

Flavio H. A. Gurgel
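As an added example (not part of the bug report or of netfilter's own code), a small POSIX shell helper that derives a TCP MSS from a link MTU and prints the iptables TCPMSS rules that clamp forwarded SYNs on the uplink, the netfilter-side equivalent of the pppoe -m option above. The interface name ppp0, the 1452-byte PPPoE MTU and the dry-run printing (rules are echoed, not applied) are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report: compute an MSS from the link MTU and
# emit the mangle-table rules that clamp the MSS of SYN packets crossing ppp0.
# Assumption: rules are only printed so they can be reviewed before applying.

# PPPoE carries a 6-byte PPPoE header plus a 2-byte PPP protocol field,
# so an Ethernet MTU of 1500 leaves 1492 bytes for the IP packet.
pppoe_mtu() {
    echo $(( $1 - 8 ))
}

# MSS = MTU minus 20-byte IPv4 header minus 20-byte TCP header (no options).
# Refuse MTUs below the IPv4 minimum of 576 so a typo cannot yield a tiny MSS.
mss_for_mtu() {
    mtu="$1"
    [ "$mtu" -ge 576 ] 2>/dev/null || return 1
    echo $(( mtu - 40 ))
}

# Print the two rules (one per direction) that rewrite the MSS option of
# forwarded SYNs on the given interface. --tcp-flags SYN,RST SYN matches SYNs
# that are not resets, which is where the MSS option is negotiated.
clamp_rules() {
    iface="$1"; mss="$2"
    printf 'iptables -t mangle -A FORWARD -o %s -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss %s\n' "$iface" "$mss"
    printf 'iptables -t mangle -A FORWARD -i %s -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss %s\n' "$iface" "$mss"
}

# Usage: derive the MSS for a PPPoE link over a standard Ethernet MTU and
# print the clamp rules for ppp0 (constructed values, printed only).
clamp_rules ppp0 "$(mss_for_mtu "$(pppoe_mtu 1500)")"
```

Using --clamp-mss-to-pmtu instead of --set-mss lets TCPMSS take the value from the outgoing interface's MTU; the fixed value is shown here because that is what the comment above does.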
