The MTU is low because the PPPoE<->PPPoA modem uses 8 bytes from the
ethernet frame size limit, and Demon has a tendency to be useless
about breaking path-MTU discovery; so apply TCP MSS clamping.
iface eth1 dmz unsafe safe untrusted vpn sgo colobdry default
iface eth2 dmz unsafe safe untrusted vpn sgo colobdry
iface eth3 untrusted vpn default
iface t6-he default
iface vpn-precision colobdry vpn sgo
iface vpn-chiark sgo
run iptables -t nat -X
run iptables -t nat -N outbound
-run iptables -t nat -A outbound -j RETURN ! -o eth0
+run iptables -t nat -A outbound -j RETURN ! -o ppp0
run iptables -t nat -A outbound -j RETURN ! -s 172.29.198.0/23
run iptables -t nat -A outbound -j RETURN -d 62.49.204.144/28
run iptables -t nat -A outbound -j RETURN -d 172.29.198.0/23
run iptables -t nat -A outbound -j SNAT --to-source 62.49.204.158
run iptables -t nat -A POSTROUTING -j outbound
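Review bot: the early `-j RETURN ! -o ppp0` now makes the whole SNAT decision hinge on the literal PPP unit name, and ppp0 does not appear anywhere in the iface declarations shown above (neither did eth0), so it is worth confirming that pppd always allocates unit 0 on this box (pppd's `unit` option pins it) and that the PPP link is covered by the same filter zones the old eth0 uplink had; otherwise a second PPP session, or a rename, silently leaves 172.29.198.0/23 traffic un-NATed on the upstream link. The rest of the chain is unchanged and still correct in order: hosts outside 172.29.198.0/23 and destinations inside 62.49.204.144/28 or 172.29.198.0/23 return before the `--to-source 62.49.204.158` rewrite.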
+## TCP MSS clamping to help given Demon's sluggish approach to fragmentation-
+## needed errors.
+run ip46tables -t mangle -A FORWARD -o ppp0 -p tcp --tcp-flags SYN,RST SYN \
+ -j TCPMSS --clamp-mss-to-pmtu
+
## Set up NAT protocol helpers. In particular, SIP needs some special
## twiddling.
run modprobe nf_conntrack_sip \
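Review bot: the clamp lives in the mangle FORWARD chain, so it only rewrites MSS on forwarded SYN/SYN-ACK segments; connections the firewall host itself opens over ppp0 (and anything in the `sgo` or vpn paths that terminates locally) keep their default MSS and still hit the broken path-MTU discovery the commit message describes. Putting the same rule in mangle POSTROUTING (`-A POSTROUTING -o ppp0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu`) covers both forwarded and locally generated traffic. Also, since this goes through ip46tables, note that the ip6tables copy will almost never match: IPv6 leaves via the t6-he tunnel interface, not ppp0, so the v6 path needs its own `-o t6-he` rule if the tunnel MTU is to be honoured in the same way.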