pptp tunnel mss clamping

William Murray w.j.murray at rl.ac.uk
Sun Jun 29 20:41:41 UTC 2008

   Hi all,
        I am having big trouble with a pptp tunnel from a home network to
work. I need to prevent large frames coming back through the tunnel.
For years I used this in the firewall/nat iptables setup:

iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1100

but something (upgrading F7 to F9, I think) has stopped it working. I have been
trying lots of examples off the WWW and have had no luck. Does anyone know what
changed - or even which table I should be applying this to?

Also, it is hard to debug, as wireshark does not receive the large frame that
brings down the tunnel. Is there an easy way to generate arbitrarily
sized frames?

Thanks for any help.
PS: My rules (rather guessed at...):
[root at base sbin]# /sbin/iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere           
REJECT     udp  --  anywhere             anywhere            udp dpt:bootps reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere            udp dpt:domain reject-with icmp-port-unreachable
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
DROP       tcp  --  anywhere             anywhere            tcp 
DROP       udp  --  anywhere             anywhere            udp 

Chain FORWARD (policy DROP)
target     prot opt source               destination        
DROP       all  --  anywhere        
ACCEPT     all  --       anywhere           
ACCEPT     all  --  anywhere        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

Chain RH-Firewall-1-INPUT (0 references)
target     prot opt source               destination


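The following is an added example, not part of the original post, showing how the MSS clamp described above is usually placed and checked, and how the "arbitrarily sized frame" question is normally answered with a DF-flagged ping. It assumes a Linux router with iptables and the TCPMSS target, and a PPTP tunnel whose PPP interface is named ppp0 (both are assumptions; the interface name and the MSS value are parameters). The rule goes in the mangle table, where packet-altering targets conventionally live; it is applied to SYNs leaving through the tunnel (-o ppp0), because the MSS we advertise in our own SYN is what limits the segment size the far side sends back, which is the direction the post is worried about.

```sh
#!/bin/sh
# Added example; not from the original post. Assumes Linux iptables with the
# TCPMSS target and a PPTP tunnel on interface ppp0 (assumption).

# IPv4 TCP MSS = link MTU minus 20-byte IPv4 header minus 20-byte TCP header.
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# ICMP echo payload (-s) that produces an IPv4 packet of the given total size:
# 20-byte IPv4 header + 8-byte ICMP header are added by the stack.
ping_payload_for_packet() {
    echo $(( $1 - 28 ))
}

# Argument list for a fixed-value clamp. $1 = -o or -i, $2 = interface, $3 = MSS.
# --tcp-flags SYN,RST SYN matches SYN and SYN/ACK, which are the only segments
# that carry the MSS option.
mss_clamp_args() {
    echo "-t mangle -A FORWARD $1 $2 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $3"
}

# Variant that derives the clamp from the tunnel interface's own MTU.
pmtu_clamp_args() {
    echo "-t mangle -A FORWARD -o $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"
}

# Probe command for a packet of a chosen total size with DF set (-M do):
# sizes above the path MTU are refused locally or dropped, which locates the
# ceiling without waiting for a real large frame to knock the tunnel over.
probe_cmd() {
    # $1 = target host, $2 = total IPv4 packet size in bytes
    echo "ping -c 1 -M do -s $(ping_payload_for_packet "$2") $1"
}

# Install the clamp in both directions and print the mangle FORWARD chain with
# counters; a rule whose pkts column stays at 0 is not seeing the SYNs, which
# usually means the traffic takes OUTPUT/INPUT (tunnel endpoint is this host)
# rather than FORWARD, or the interface name is wrong.
install_clamp() {
    ifc=${1:-ppp0}
    mss=${2:-1100}
    # shellcheck disable=SC2046  # word splitting is intended here
    iptables $(mss_clamp_args -o "$ifc" "$mss")   # limits what the far side sends to us
    iptables $(mss_clamp_args -i "$ifc" "$mss")   # limits what our side sends out
    iptables -t mangle -L FORWARD -v -n
}

# Usage (as root): sh mss_clamp.sh install ppp0 1100
# Probe example:   $(probe_cmd 192.0.2.1 1400)   (192.0.2.1 is a documentation address)
if [ "${1:-}" = install ]; then
    install_clamp "$2" "$3"
fi
```

The two helper functions make the arithmetic explicit: an MSS of 1100 corresponds to a 1140-byte MTU, and a 1400-byte probe needs `-s 1372`. Walking the probe size up until `ping -M do` starts failing gives the largest packet the tunnel path carries, and `mss_for_mtu` of that size is the clamp value to use.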