{"id":121,"date":"2014-11-18T19:16:22","date_gmt":"2014-11-18T11:16:22","guid":{"rendered":"http:\/\/blog.haostudio.net\/hwp\/?p=121"},"modified":"2017-07-25T00:17:25","modified_gmt":"2017-07-24T16:17:25","slug":"pppoe-%e5%9c%a8-iptables-%e4%b8%ad-tcpmss-%e8%a8%ad%e5%ae%9a%e5%95%8f%e9%a1%8c","status":"publish","type":"post","link":"https:\/\/blog.haostudio.net\/hwp\/pppoe-%e5%9c%a8-iptables-%e4%b8%ad-tcpmss-%e8%a8%ad%e5%ae%9a%e5%95%8f%e9%a1%8c\/","title":{"rendered":"PPPoE \u5728 iptables \u4e2d TCPMSS \u8a2d\u5b9a\u554f\u984c"},"content":{"rendered":"\n

PPPoE \u5728 iptables \u4e2d TCPMSS \u8a2d\u5b9a\u554f\u984c<\/h1>\n

\u524d\u8a00<\/h2>\n

\u524d\u4e00\u9663\u5b50, \u60f3\u8981\u62ff\u6211\u7684 CubieBoard \u4f86\u7576\u505a\u5bb6\u88e1\u7684firewall, \u65bc\u662f\u5b89\u88dd\u4e86Debian 7, \u4e26\u4f7f\u7528pppoe \u4f86\u9023\u63a5\u4e2d\u83ef\u96fb\u4fe1\u7684Router, \u4e26\u4e14\u5beb\u4e86\u4e00\u4e9biptables \u7684rules \u4f86\u7576\u4f5cfirewall \u53caNAT router.\n\u4f46\u662f\u7e3d\u662f\u89ba\u5f97\u6709\u554f\u984c, \u6709\u6642\u9023\u4e0d\u51fa\u53bb. \u73fe\u8c61\u662f\u9019\u6a23\u7684:<\/p>\n

\u9019\u53f0Cubieboard \u9023\u7dda\u90fd\u5f88ok, \u4f46\u662f\u5728NAT \u5f8c\u9762\u7684\u96fb\u8166, \u53ea\u8981\u78b0\u4e0ahttps \u7684\u9023\u7dda, \u6709\u6642\u5c31\u9023\u4e0d\u4e0a, \u4f46\u662f\u7528http \u5c31ok, ftp \u4e5fok.<\/p>\n

\u9019\u554f\u984c\u64fa\u4e86\u5f88\u4e45\u90fd\u6c92\u53bb\u7406\u6703. \u4eca\u5929\u7d42\u65bc\u6709\u7a7a\u597d\u597d\u7684\u4f86\u8ffd\u554f\u984c\u7684\u6e90\u982d. \u767c\u73fe\u597d\u50cf\u662f\u8ddfpppoe \u6709\u95dc.\n\u4e0a\u7db2\u67e5\u4e86\u4e00\u4e0b\u8cc7\u6599, \u4e5f\u9806\u4fbf\u5b78\u7fd2\u4e86\u8a31\u591a\u76f8\u95dc\u77e5\u8b58, \u7d42\u65bc\u89e3\u6c7a\u4e86\u554f\u984c.<\/p>\n

MTU<\/h2>\n

MTU (Maximum Transmission Unit) \u662f\u6307\u7db2\u8def\u4ecb\u9762\u5361\u4e0a\u6700\u5927\u50b3\u8f38\u55ae\u5143, \u5176\u55ae\u4f4d\u70babytes. \u5728\u5927\u591a\u6578\u7684Ehternet \u4e0a, \u9019\u500b\u503c\u901a\u5e38\u662f1500. \u56e0\u70ba\u5982\u6b64, \u5728PPPoE \u4e2d, \u56e0\u70ba\u9084\u6709header\u554f\u984c, \u6240\u4ee5\u9019\u500b\u503c\u5c31\u5f97\u8a2d\u7684\u6bd4\u8f03\u5c0f, \u901a\u5e38\u70ba1492 (= 1500 – 2\uff08PPP\uff09- 6\uff08PPPoE))<\/p>\n

MSS<\/h2>\n

MSS (Maximum segment size) \u662fTCP protocol \u4e2d\u7684\u4e00\u500b\u53c3\u6578, \u662f\u6307TCP \u6bcf\u6b21\u8cc7\u6599\u50b3\u8f38\u5206\u6bb5\u7684\u6700\u5927\u503c. \u7576TCP \u5728handshake \u6642, \u96d9\u65b9host \u6703\u67e5\u770bMSS \u9019\u500b\u6b04\u4f4d, \u4f86\u6c7a\u5b9a\u96d9\u65b9\u8cc7\u6599\u50b3\u8f38\u5206\u6bb5\u7684\u5927\u5c0f. \u5728Ethernet \u4e2dMSS \u503c\u6700\u5927\u70ba1460 bytes.\n\u539f\u56e0\u662f\u5728Ethernet \u4e2d MTU = IP Header + TCP Header + MSS + FCS.
\n(FCS \u662f\u6307Frame check sequence, \u901a\u5e38\u63a1\u7528CRC\u6f14\u7b97\u6cd5, \u5728Ethernet \u4e2d, \u5b83\u4f544 bytes.)\n\u4f46\u662f\u5728PPPoE \u4e2dMTU \u70ba1492, \u6240\u4ee5\u5176MSS \u53ea\u80fd\u8a2d\u70ba1452.<\/p>\n

\u554f\u984c\u6240\u5728<\/h2>\n

\u7576Debian \u5728\u958b\u6a5f\u5f8c, \u555f\u52d5\u4e86ppp0, \u5176\u5167\u5b9a\u5c07MTU \u8a2d\u70ba1492, \u4e26\u4e14\u6703\u81ea\u52d5\u8a2d\u5b9a\u4e00\u689diptable rule, \u67e5\u770b\/etc\/ppp\/ip-up.d\/0clampmss \u5f97\u77e5\u5982\u4e0b:<\/p>\n

# cat \/etc\/ppp\/ip-up.d\/0clampmss \n#!\/bin\/sh\n1. Enable MSS clamping (autogenerated by pppoeconf)\n\niptables -t mangle -o "$PPP_IFACE" --insert FORWARD 1 -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:65495 -j TCPMSS --clamp-mss-to-pmtu\n<\/code><\/pre>\n
\u56e0\u70ba\u5728NAT \u5f8c\u9762\u7684\u96fb\u8166, \u4e26\u4e0d\u77e5\u9053\u524d\u7aef\u7684router \u662f\u7528\u4ec0\u9ebc\u4ecb\u9762\u9023\u5230internet, \u6240\u4ee5\u5b83\u548c\u9060\u7aef\u7684\u96fb\u8166\u5efa\u7acbTCP \u9023\u7dda\u6642, \u6709\u53ef\u80fd\u6703\u5c07MSS \u8a2d\u70ba1460. \u4f46\u662f\u7531\u65bcfirewall \u6216router \u7aef\u4f7f\u7528PPPoE\u9023\u7dda, \u82e5MSS \u5927\u65bc1452\u6703\u9020\u6210\u8cc7\u6599\u7206\u6389, \u6240\u4ee5\u4e0a\u8ff0\u7684iptable rule \u5f37\u5236\u5077\u6539\u5176MSS\u503c(\u5728IPV4\u4e0b = PMTU – 40, \u5728IPV6\u4e0b = PMTU – 60). \u56e0\u6b64MSS \u5c31\u6703\u88ab\u6539\u62101452, \u9019\u6a23\u5b50\u5c31\u4e0d\u6703\u7206\u6389\u4e86.<\/p>\n
\u4f46\u662f\u6211\u81ea\u5df1\u5beb\u7684iptable rule script \u4e2d, \u4e00\u958b\u59cb\u5c31\u7528\u4e86\u4e0b\u5217\u8a2d\u5b9a, \u6e05\u9664\u4e86\u539f\u4f86\u7684\u6240\u6709\u8a2d\u5b9a<\/p>\n
# \u6e05\u9664\u6240\u6709\u898f\u5247\niptables -F -t filter\niptables -X -t filter\niptables -Z -t filter\niptables -F -t mangle\niptables -X -t mangle\niptables -Z -t mangle\niptables -F -t nat\niptables -X -t nat\niptables -Z -t nat\n<\/code><\/pre>\n
\u9020\u6210\/etc\/ppp\/ip-up.d\/0clampmss \u7684\u8a2d\u5b9a\u4e5f\u88ab\u6e05\u9664\u6389\u4e86, \u7136\u5f8cNAT \u5f8c\u9762\u7684\u96fb\u8166\u5c31\u5e38\u5e38\u7121\u6cd5\u9023\u7dda.<\/p>\n
\u89e3\u6c7a\u65b9\u5f0f<\/h2>\n
\u65e2\u7136\u77e5\u9053\u539f\u56e0, \u89e3\u6cd5\u5c31\u5f88\u7c21\u55ae, \u5c31\u662f\u5728\u6211\u81ea\u5df1\u7684iptable rule \u4e2d\u518d\u52a0\u4e0a<\/p>\n
iptables -t mangle -o ppp0 --insert FORWARD 1 -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:65495 -j TCPMSS --clamp-mss-to-pmtu\n<\/code><\/pre>\n
\u5c31\u641e\u5b9a\u4e86!!<\/p>\n
\n
\u53c3\u8003\u8cc7\u6599<\/h3>\n
    \n
  1. \u6700\u5927\u50b3\u8f38\u55ae\u5143<\/a><\/li>\n
  2. Maximum segment size<\/a><\/li>\n
  3. Can’t connect to certain HTTPS sites<\/a><\/li>\n
  4. Installing Debian from the start a PPPoE enabled system<\/a><\/li>\n
  5. pppoeconf not setting correct MTU<\/a><\/li>\n
  6. \u4fee\u6539 MSS \u89e3\u6c7a Linux PPPOE NAT \u5f8c\u90e8\u4efd\u7db2\u9801\u7121\u6cd5\u700f\u89bd\u554f\u984c<\/a><\/li>\n
  7. How to Setup a Linux Firewall with PPPoE\/NAT\/iptables<\/a><\/li>\n
  8. IP over IP tunnels & MTU problems<\/a><\/li>\n
  9. \u5c0f\u8b70TCP\u7684MSS(\u6700\u5927\u5206\u6bb5)\u4ee5\u53caMTU<\/a><\/li>\n
  10. TCP\u4e2d\u7684MSS\u89e3\u8bfb<\/a><\/li>\n
  11. MTU\u539f\u7406\u53ca\u76f8\u95dc\u554f\u984c\u5206\u6790<\/a><\/li>\n<\/ol>","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[12],"tags":[48,47,51,50,49],"class_list":["post-121","post","type-post","status-publish","format-standard","hentry","category-12","tag-firewall","tag-iptables","tag-mss","tag-mtu","tag-pppoe"],"_links":{"self":[{"href":"https:\/\/blog.haostudio.net\/hwp\/wp-json\/wp\/v2\/posts\/121","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.haostudio.net\/hwp\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.haostudio.net\/hwp\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.haostudio.net\/hwp\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.haostudio.net\/hwp\/wp-json\/wp\/v2\/comments?post=121"}],"version-history":[{"count":3,"href":"https:\/\/blog.haostudio.net\/hwp\/wp-json\/wp\/v2\/posts\/121\/revisions"}],"predecessor-version":[{"id":405,"href":"https:\/\/blog.haostudio.net\/hwp\/wp-json\/wp\/v2\/posts\/121\/revisions\/405"}],"wp:attachment":[{"href":"https:\/\/blog.haostudio.net\/hwp\/wp-json\/wp\/v2\/media?parent=121"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.haostudio.net\/hwp\/wp-json\/wp\/v2\/categories?post=121"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.haostudio.net\/hwp\/wp-json\/wp\/v2\/tags?post=121"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}