From: Mark Wooding
Date: Sun, 14 Oct 2012 16:25:25 +0000 (+0100)
Subject: local.m4, radius.m4: radius is now the host gateway to the net.
X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/commitdiff_plain/8506ff83e7ea0db6fc8f7d56d702730d75f38fb6
local.m4, radius.m4: radius is now the host gateway to the net. The MTU is low because the PPPoE<->PPPoA modem uses 8 bytes from the ethernet frame size limit, and Demon has a tendency to be useless about breaking path-MTU discovery; so apply TCP MSS clamping.
---
diff --git a/local.m4 b/local.m4
index 324265c..523c11a 100644
--- a/local.m4
+++ b/local.m4
@@ -76,6 +76,7 @@ defhost radius
 iface eth1 dmz unsafe safe untrusted vpn sgo colobdry default
 iface eth2 dmz unsafe safe untrusted vpn sgo colobdry
 iface eth3 untrusted vpn default
+ iface ppp0 default
 iface t6-he default
 iface vpn-precision colobdry vpn sgo
 iface vpn-chiark sgo
diff --git a/radius.m4 b/radius.m4
index 180b8ac..2d5f8aa 100644
--- a/radius.m4
+++ b/radius.m4
@@ -66,13 +66,18 @@ run iptables -t nat -F
 run iptables -t nat -X
 run iptables -t nat -N outbound
-run iptables -t nat -A outbound -j RETURN ! -o eth0
+run iptables -t nat -A outbound -j RETURN ! -o ppp0
 run iptables -t nat -A outbound -j RETURN ! -s 172.29.198.0/23
 run iptables -t nat -A outbound -j RETURN -d 62.49.204.144/28
 run iptables -t nat -A outbound -j RETURN -d 172.29.198.0/23
 run iptables -t nat -A outbound -j SNAT --to-source 62.49.204.158
 run iptables -t nat -A POSTROUTING -j outbound
+## TCP MSS clamping to help given Demon's sluggish approach to fragmentation-
 ## needed errors.
 run ip46tables -t mangle -A FORWARD -o ppp0 -p tcp --tcp-flags SYN,RST SYN \
 -j TCPMSS --clamp-mss-to-pmtu
 ## Set up NAT protocol helpers. In particular, SIP needs some special
 ## twiddling.
 run modprobe nf_conntrack_sip \
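Review bot: The added `iface ppp0 default` line carries no comment, and since the radius.m4 hunk in the same commit makes ppp0 the NAT egress (`RETURN ! -o ppp0`) this is the host's new untrusted uplink, so the intent should be recorded next to it: `## ppp0: PPPoE uplink to Demon; NAT egress and MSS clamp are in radius.m4`. The old egress interface eth0 does not appear in this hunk, so if an `iface eth0 ...` entry for this host exists above, its classes presumably still reflect its former role and should be revisited in the same change. The `defhost radius` block starts before the hunk and may continue after it.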