Change MSS in iptables
I have two setups where I want to change the MSS on packets flowing through a system. In the first I have enp2s0 and enp3s0 set up as a bridge. Is there any way to have iptables modify the MSS on the inbound packet before it passes it back out?
[root@localhost network-scripts]# ip a s
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp1s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN qlen 1000
link/ether 00:60:e0:6f:8c:62 brd ff:ff:ff:ff:ff:ff
3: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br0 state UP qlen 1000
link/ether 00:60:e0:6f:8c:63 brd ff:ff:ff:ff:ff:ff
4: enp0s31f6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:60:e0:6f:8c:61 brd ff:ff:ff:ff:ff:ff
inet 192.168.5.248/24 brd 192.168.5.255 scope global enp0s31f6
valid_lft forever preferred_lft forever
inet6 fe80::1842:306e:fb55:fe3/64 scope link
valid_lft forever preferred_lft forever
5: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br0 state UP qlen 1000
link/ether 00:60:e0:6f:8c:64 brd ff:ff:ff:ff:ff:ff
7: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
link/ether 00:60:e0:6f:8c:63 brd ff:ff:ff:ff:ff:ff
inet6 fe80::260:e0ff:fe6f:8c63/64 scope link
valid_lft forever preferred_lft forever
[root@localhost network-scripts]#
In my second case I have all traffic set to go to a fictitious tun0, which sends the traffic to queue 0, where Snort-like software analyzes the packets.
root@pink:~/blue# iptables-save
# Generated by iptables-save v1.6.0 on Sun Jan 14 13:22:07 2018
*raw
:PREROUTING ACCEPT [84:6848]
:OUTPUT ACCEPT [21:2348]
-A PREROUTING -i tun0 -j NFQUEUE --queue-num 0
COMMIT
# Completed on Sun Jan 14 13:22:07 2018
# Generated by iptables-save v1.6.0 on Sun Jan 14 13:22:07 2018
*filter
:INPUT ACCEPT [110838:165446612]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [87556:6202390]
COMMIT
# Completed on Sun Jan 14 13:22:07 2018
root@pink:~/blue#
I tried this https://www.frozentux.net/iptables-tutorial/chunkyhtml/x4721.html but it did not seem to work.
You can use the TCPMSS iptables target to modify the TCP MSS value, i.e. perform MSS clamping.
To force a specific MSS (here: 800) use:
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 800
Note that this gets a little bit tricky if you are using conntrack. This rule has to come before the conntrack rule. Otherwise it will only work for SYN packets but not for SYN-ACKs, which will get accepted by conntrack before they hit the TCPMSS rule.
Also note that MSS clamping is a hack and is only needed if you have broken end-user applications.
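To make the effect of the TCPMSS rule concrete, here is an added example (not from the question or the answer above) that performs the same rewrite on the raw bytes of one IPv4/TCP packet: it matches only segments with SYN set and RST clear (the `--tcp-flags SYN,RST SYN` selector), lowers the MSS option to the requested value and recomputes the TCP checksum. Like the kernel target, it never raises an MSS that is already smaller. The packets and addresses are constructed for the example; no real interface or netfilter hook is involved.

```python
"""Rewrite the TCP MSS option of a SYN/SYN-ACK, the way TCPMSS --set-mss does.

Added example; the sample packets below are constructed, not captured.
"""
import struct

IPPROTO_TCP = 6
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the segment with its checksum zeroed."""
    pseudo = src + dst + struct.pack("!BBH", 0, IPPROTO_TCP, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return checksum(pseudo + zeroed)


def build_packet(src: str, dst: str, sport: int, dport: int, mss: int,
                 flags: int = TCP_SYN) -> bytes:
    """Constructed sample: IPv4 header + TCP header with MSS, NOP and window-scale options."""
    options = struct.pack("!BBH", 2, 4, mss) + b"\x01" + struct.pack("!BBB", 3, 3, 7)
    doff = (20 + len(options)) // 4                      # header length in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, doff << 4, flags,
                      65535, 0, 0) + options
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src_b, dst_b, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64,
                     IPPROTO_TCP, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def _mss_option_offset(pkt: bytes):
    """Offset of the MSS option (kind 2, len 4) in a SYN with RST clear, else None."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != IPPROTO_TCP:
        return None
    flags = pkt[ihl + 13]
    if not (flags & TCP_SYN) or (flags & TCP_RST):       # --tcp-flags SYN,RST SYN
        return None
    doff = (pkt[ihl + 12] >> 4) * 4
    i, end = ihl + 20, ihl + doff
    while i < end:
        kind = pkt[i]
        if kind == 0:                                    # end of option list
            return None
        if kind == 1:                                    # NOP padding
            i += 1
            continue
        if i + 1 >= end or pkt[i + 1] < 2:               # truncated or malformed option
            return None
        if kind == 2 and pkt[i + 1] == 4 and i + 4 <= end:
            return i
        i += pkt[i + 1]
    return None


def read_mss(pkt: bytes):
    """MSS advertised by a SYN/SYN-ACK, or None when absent or not applicable."""
    off = _mss_option_offset(pkt)
    return None if off is None else struct.unpack("!H", pkt[off + 2:off + 4])[0]


def clamp_mss(pkt: bytes, new_mss: int):
    """Return (packet, old_mss). Lowers the MSS to new_mss and fixes the TCP
    checksum; packets without a matching MSS option come back unchanged."""
    off = _mss_option_offset(pkt)
    if off is None:
        return pkt, None
    old = struct.unpack("!H", pkt[off + 2:off + 4])[0]
    if old <= new_mss:                                   # never raise an existing MSS
        return pkt, old
    buf = bytearray(pkt)
    buf[off + 2:off + 4] = struct.pack("!H", new_mss)
    ihl = (pkt[0] & 0x0F) * 4
    csum = tcp_checksum(bytes(buf[12:16]), bytes(buf[16:20]), bytes(buf[ihl:]))
    buf[ihl + 16:ihl + 18] = struct.pack("!H", csum)
    return bytes(buf), old


def tcp_checksum_ok(pkt: bytes) -> bool:
    """True when the TCP checksum of the packet verifies."""
    ihl = (pkt[0] & 0x0F) * 4
    seg = pkt[ihl:]
    pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, IPPROTO_TCP, len(seg))
    return checksum(pseudo + seg) == 0


if __name__ == "__main__":
    syn = build_packet("10.0.0.1", "10.0.0.2", 40000, 80, 1460)
    clamped, old = clamp_mss(syn, 800)
    print("MSS %s -> %s, checksum ok: %s" % (old, read_mss(clamped), tcp_checksum_ok(clamped)))
```

The SYN-ACK case from the conntrack note is covered by the same match: a segment with SYN and ACK set but RST clear is rewritten too, while a plain ACK or a RST passes through untouched. Only the TCP checksum needs recomputing, since the option lives in the TCP header and the IP header is unchanged.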