IPtables --- TCPMSS target

最新推荐文章于 2024-08-13 10:21:14 发布

转载最新推荐文章于 2024-08-13 10:21:14 发布 · 985 阅读

Linux iptables 专栏收录该内容

34 篇文章

订阅专栏

本文介绍TCPMSS（最大段尺寸）的概念及其在网络通信中的作用。TCPMSS用于控制TCP SYN包的最大段尺寸，以解决ISP或服务器阻塞大型ICMP包导致的数据交换问题。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

TCPMSS target

The TCPMSS target can be used to alter the MSS (Maximum Segment Size) value of TCP SYN packets that the firewall sees. The MSS value is used to control the maximum size of packets for specific connections. Under normal circumstances, this means the size of the MTU (Maximum Transfer Unit) value, minus 40 bytes. This is used to overcome some ISP's and servers that block ICMP fragmentation needed packets, which can result in really weird problems which can mainly be described such that everything works perfectly from your firewall/router, but your local hosts behind the firewall can't exchange large packets. This could mean such things as mail servers being able to send small mails, but not large ones, web browsers that connect but then hang with no data received, and ssh connecting properly, but scp hangs after the initial handshake. In other words, everything that uses any large packets will be unable to work.

TCPMSS 目标用来改变路由器防火墙能够识别的TCP syn 包中的MSS （最大分段长度）标示位值。MSS 值用来控制特定连接中包的长度。一般情况下，MSS 值等于MTU （最大传输单位）值减去40. TCPMSS 目标用来解决一些奇怪的问题：ISP （网络服务提供商）或服务器会阻塞大的ICMP 包，这样会导致路由器工作正常，而在路由器后面的本地主机工作异常，不能传输大的数据包。这可能意味着邮件服务器能够发送小邮件，不能发送大邮件；web 浏览器能够连接服务端却不能接收数据；ssh 能够连接上，但在初始化握手后的scp 却挂住了。换句话说，需要大数据包的操作都将不能正常操作。

The TCPMSS target is able to solve these problems, by changing the size of the packets going out through a connection. Please note that we only need to set the MSS on the SYN packet since the hosts take care of the MSS after that. The target takes two arguments.

TCPMSS 目标通过改变从一个连接出去的包的大小来剞劂这些问题。注意仅仅需要设置SYN 包中的MSS标记位，因为主机将会在收到SYN 包后检测MSS 。

Table 11-13. TCPMSS target options

Option	--set-mss
Example	iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o eth0 -j TCPMSS --set-mss 1460
Explanation	The --set-mss argument explicitly sets a specific MSS value of all outgoing packets. In the example above, we set the MSS of all SYN packets going out over the eth0 interface to 1460 bytes -- normal MTU for ethernet is 1500 bytes, minus 40 bytes is 1460 bytes. MSS only has to be set properly in the SYN packet, and then the peer hosts take care of the MSS automatically.
Option	--clamp-mss-to-pmtu
Example	iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o eth0 -j TCPMSS --clamp-mss-to-pmtu
Explanation	The --clamp-mss-to-pmtu automatically sets the MSS to the proper value, hence you don't need to explicitly set it. It is automatically set to PMTU (Path Maximum Transfer Unit) minus 40 bytes, which should be a reasonable value for most applications.

MSS （ Maxitum Segment Size ）最大传输大小的缩写，是 TCP 协议里面的一个概念。 MSS 就是 TCP数据包每次能够传输的最大数据分段。为了达到最佳的传输效能 TCP 协议在建立连接的时候通常要协商双方的 MSS 值，这个值 TCP 协议在实现的时候往往用 MTU 值代替（需要减去 IP 数据包包头的大小 20Bytes 和 TCP 数据段的包头 20Bytes ）所以往往 MSS 为 1460 。通讯双方会根据双方提供的MSS 值得最小值确定为这次连接的最大 MSS 值。