Problem :
What does this iptables rule mean: tcp flags:0x06/0x02 TCPMSS clamp to PMTU?
Doing iptables -vnL on my DD-WRT router shows the following rule in the FORWARD chain: TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU.
Instead of the common actions of ACCEPT or DROP it is TCPMSS. What does this mean?
Solution :
It’s a pretty standard iptables rule to prevent PMTU discovery issues.
From this:
… Path MTU Discovery doesn’t work as well as it should anymore. If you know for a fact that a hop somewhere in your
network has a limited (<1500) MTU, you cannot rely on PMTU Discovery
finding this out.Besides MTU, there is yet another way to set the maximum packet size,
the so called Maximum Segment Size. This is a field in the TCP Options
part of a SYN packet.Recent Linux kernels, and a few PPPoE drivers (notably, the excellent
Roaring Penguin one), feature the possibility to ‘clamp the MSS’.The good thing about this is that by setting the MSS value, you are
telling the remote side unequivocally ‘do not ever try to send me
packets bigger than this value’. No ICMP traffic is needed to get this
to work.The bad thing is that it’s an obvious hack – it breaks ‘end to end’ by
modifying packets. Having said that, we use this trick in many places
and it works like a charm.In order for this to work you need at least iptables-1.2.1a and Linux
2.4.3 or higher. The basic command line is:
# iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu