Mailing List Archive: iptables: User

How to remove TCP options when doing NAT?



Fabrice.Triboix at imgtec

Jun 27, 2007, 2:51 AM

Post #1 of 4 (1317 views)
How to remove TCP options when doing NAT?

Hi,

I have noticed that to handle masquerading, Linux adds some TCP
options to the output packets (for a TCP stream, of course).

I would like to know if there is a way to avoid that. Or, more
accurately: is it possible to tell the Linux kernel to do the
masquerading without adding these TCP options?

Thank you very much for any help,

Fabrice Triboix
-
This message is subject to Imagination Technologies' e-mail terms: http://www.imgtec.com/e-mail.htm
-


blancher at cartel-securite

Jun 27, 2007, 8:12 AM

Post #2 of 4 (1238 views)
Re: How to remove TCP options when doing NAT?

On Wednesday 27 June 2007 at 10:51 +0100, Fabrice Triboix wrote:
> I have noticed that to handle masquerading, linux adds some TCP
> options to the output packets (for a TCP stream, of course).

What kind of options? I just looked at a NATed (by a Linux box) TCP
stream between 2 Linux boxes, and I don't see any additional TCP option.


--
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!


blancher at cartel-securite

Jun 28, 2007, 4:32 AM

Post #3 of 4 (1251 views)
RE: How to remove TCP options when doing NAT?

On Thursday 28 June 2007 at 12:00 +0100, Fabrice Triboix wrote:
> From ethereal, I can see 20 bytes of options added to each TCP packet.
> These are TCP options that are added after the standard TCP header of 20
> bytes, thus the total TCP header size is 40 bytes.
> These 20 bytes of options are (dixit ethereal):
> - Maximum segment size: 1460 bytes (I can understand that: 1500 - 40)
> - SACK permitted
> - Timestamps: TSval 360225, TSecr 0
> - NOP
> - Window scale: 0 (multiply by 1)

What were the options that were not present _before_ the gateway ?

> Does anyone know how I can configure Linux not to do that?

I don't know of any mangling extension for TCP options, like
IPV4OPTSSTRIP for IP options.



PS: pls keep the list Cced...

--
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!


Fabrice.Triboix at imgtec

Jun 28, 2007, 6:26 AM

Post #4 of 4 (1230 views)
RE: How to remove TCP options when doing NAT?

Hi Cedric,

> What were the options that were not present _before_ the gateway ?

I have some difficulty understanding the question...
The TCP packets coming from the local network (before the gateway) do
not have extra options in their TCP headers. Their TCP headers are 20
bytes in size.


> I don't know of any mangling extension for TCP options, like
> IPV4OPTSSTRIP for IP options.

I guess it is part of the NAT mechanisms... I just would like to know
whether this is configurable or not...
I forgot to mention that I am using Linux 2.6.18, arch i686.


> PS: pls keep the list Cced...

Yes, my mistake!!


Cheers,

Fabrice

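The question Cedric raises (which options are present after the gateway but not before it) is easiest to settle by decoding the TCP header on both sides of the NAT box and diffing the option lists. The following is an added example, not code from the thread: a small Python parser for the TCP fixed header and option block, plus a helper that builds constructed SYN segments. The WAN-side option block reproduces the 20 bytes ethereal reported in the thread (MSS 1460, SACK permitted, Timestamps TSval 360225 / TSecr 0, NOP, Window scale 0); the ports, sequence number and window value are made-up sample values, not from any real capture.

```python
import struct

# TCP option kinds (RFC 793, RFC 2018, RFC 7323)
OPT_EOL, OPT_NOP, OPT_MSS, OPT_WSCALE = 0, 1, 2, 3
OPT_SACK_PERM, OPT_SACK, OPT_TIMESTAMP = 4, 5, 8


def parse_tcp_options(opts):
    """Decode a raw TCP option block into a list of (name, value) tuples.

    Single-byte kinds (EOL, NOP) carry no length; every other option is
    kind, length, body. Truncated or malformed lengths raise ValueError
    rather than being silently skipped."""
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:            # end of option list; rest is padding
            out.append(("EOL", None))
            break
        if kind == OPT_NOP:
            out.append(("NOP", None))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option at offset %d" % i)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length %d at offset %d" % (length, i))
        body = opts[i + 2:i + length]
        if kind == OPT_MSS and length == 4:
            out.append(("MSS", struct.unpack("!H", body)[0]))
        elif kind == OPT_WSCALE and length == 3:
            out.append(("WSCALE", body[0]))
        elif kind == OPT_SACK_PERM and length == 2:
            out.append(("SACK_PERM", True))
        elif kind == OPT_TIMESTAMP and length == 10:
            out.append(("TIMESTAMP", struct.unpack("!II", body)))
        else:                          # unknown kind: keep raw body for inspection
            out.append(("KIND%d" % kind, body))
        i += length
    return out


def parse_tcp_header(segment):
    """Parse the fixed 20-byte TCP header plus any options.

    Returns (fields, options, header_length). The data offset field is
    validated against the segment length before options are sliced."""
    if len(segment) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    sport, dport, seq, ack, off_flags, win, _csum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    hlen = (off_flags >> 12) * 4       # data offset is in 32-bit words
    if hlen < 20 or hlen > len(segment):
        raise ValueError("data offset %d bytes does not fit the segment" % hlen)
    fields = {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
              "flags": off_flags & 0x01FF, "window": win}
    return fields, parse_tcp_options(segment[20:hlen]), hlen


def build_syn(sport, dport, seq, options=b""):
    """Build a SYN segment (no payload) carrying the given option block.

    Options are padded with EOL (0x00) to a 4-byte boundary so the data
    offset field can express them. Constructed test data, not a capture."""
    options += b"\x00" * ((-len(options)) % 4)
    hlen_words = (20 + len(options)) // 4
    off_flags = (hlen_words << 12) | 0x002        # SYN flag only
    fixed = struct.pack("!HHIIHHHH", sport, dport, seq, 0, off_flags, 5840, 0, 0)
    return fixed + options


def options_added(before, after):
    """Names of options present in `after` but absent from `before`, in
    order of appearance: the before/after comparison asked for in the thread."""
    before_names = {name for name, _ in parse_tcp_header(before)[1]}
    return [name for name, _ in parse_tcp_header(after)[1] if name not in before_names]


# Constructed option block matching what ethereal showed in the thread:
# MSS 1460, SACK permitted, Timestamps TSval=360225 TSecr=0, NOP, Window scale 0.
WAN_OPTIONS = (
    bytes([OPT_MSS, 4]) + struct.pack("!H", 1460)
    + bytes([OPT_SACK_PERM, 2])
    + bytes([OPT_TIMESTAMP, 10]) + struct.pack("!II", 360225, 0)
    + bytes([OPT_NOP])
    + bytes([OPT_WSCALE, 3, 0])
)   # 4 + 2 + 10 + 1 + 3 = 20 bytes, so the header grows from 20 to 40 bytes

# Constructed segments: LAN side (bare 20-byte header) and WAN side (40 bytes).
# Ports and sequence number are arbitrary sample values.
SYN_LAN = build_syn(40000, 80, 0x11111111)
SYN_WAN = build_syn(40000, 80, 0x11111111, WAN_OPTIONS)

if __name__ == "__main__":
    for label, seg in (("LAN side", SYN_LAN), ("WAN side", SYN_WAN)):
        _fields, opts, hlen = parse_tcp_header(seg)
        print("%s: header %d bytes, options %s" % (label, hlen, opts))
    print("added between LAN and WAN:", options_added(SYN_LAN, SYN_WAN))
```

To use this on real traffic, feed `parse_tcp_header` the TCP portion of the same SYN captured on the inside and outside interfaces of the gateway; a non-empty `options_added` result is the concrete evidence the thread was missing, and the option list itself tells you whether the extra bytes are standard negotiation options (as in the ethereal output quoted above) or something the gateway inserted.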
