[RndTbl] double-natted ssh weirdness

Adam Thompson athompso at athompso.net
Fri Mar 15 02:05:47 CDT 2024


Also if you want to be sure of avoiding all MSS issues, aim low, like 1024, instead of "just low enough" like 1396.  You won't likely be able to measure the difference.
-Adam

________________________________
From: Roundtable <roundtable-bounces at muug.ca> on behalf of Trevor Cordes <trevor at tecnopolis.ca>
Sent: Friday, March 15, 2024 1:51:40 AM
To: MUUG RndTbl <roundtable at muug.ca>
Subject: [RndTbl] double-natted ssh weirdness

I have a double-natted setup on one side (don't ask).  I have
port-forwarding working all the way through into a linux box behind the
double-nat.  Can connect great.

But certain things seem to make the ssh connection "pause", for like 2-3
mins.  It usually recovers and I can continue like nothing ever happened.

What triggers it seems to be sudden medium-large output, like if I run an
ll or start top.  Commands with little output don't seem to affect it, but
sometimes they do, especially if the connection has been idle.  It'll show
me typing the command and then pause when I hit enter.

Rang bells, so I looked at mss/mtu in past firewall setups and got the
iptables magic to clamp the mss.  If I install the rule on the box then it
seems to make the pause problem go away, mostly.  But often after idling
the problem will return.

As always, I'm hazy on the mss/mtu, and usually solve these with trial and
error -- if indeed this is another mss/mtu problem.  (The gear involved is
all very old.)

Instead of just shooting random clamp mss rules in the dark, I thought I'd
hit up MUUG for ideas.  I'd love to know how you can tell what mss/mtu
has been chosen on a given connection.  Also, do I need to run a clamper
on both sides?  Or maybe other ideas that have nothing to do with mss/mtu?

What I've tried so far:
iptables -A INPUT -i eth1 -m tcpmss --mss 1397: -p tcp --dport ssh --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1396
_______________________________________________
Roundtable mailing list
Roundtable at muug.ca
https://muug.ca/mailman/listinfo/roundtable
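Added example (not from either poster) covering two points raised in the thread: Trevor's question of how to tell what MSS a connection ended up with, and Adam's point that the clamp value is just "MTU minus headers" with room to spare. On a live Linux box `ss -ti` prints the mss of each established socket; the code below shows where that number comes from, computing the MSS a host should advertise for a given MTU and reading the MSS option out of a raw TCP SYN header (a constructed one here; the header layout and option format are from RFC 793/9293). The effective MSS is the smaller of the two sides' advertisements, which is why a clamp on one side is enough for that direction only. Function names are my own.

```python
import struct

def mss_for_mtu(mtu: int, ipv6: bool = False, encap_overhead: int = 0) -> int:
    """MSS a host should advertise for a path MTU: subtract the IP and TCP
    headers (20+20 for IPv4, 40+20 for IPv6) plus any tunnel/PPPoE bytes."""
    return mtu - (60 if ipv6 else 40) - encap_overhead

def mss_from_tcp_header(tcp: bytes):
    """Return the MSS option (kind 2, length 4) found in a raw TCP header,
    or None if the header carries no MSS option. Options start after the
    20 fixed bytes; the data offset (in 32-bit words) sits in the high
    nibble of byte 12 and marks where the options end."""
    data_offset = (tcp[12] >> 4) * 4
    opts = tcp[20:data_offset]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # End-of-option-list
            break
        if kind == 1:                      # NOP: single byte of padding
            i += 1
            continue
        if i + 1 >= len(opts):             # truncated option header
            break
        length = opts[i + 1]
        if length < 2:                     # malformed, refuse to loop forever
            break
        if kind == 2 and length == 4:
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length                        # skip SACK-permitted, wscale, etc.
    return None

def negotiated_mss(local_advertised: int, peer_advertised: int) -> int:
    """Each side advertises what it can receive; a sender uses the smaller
    of its own limit and the peer's SYN, so the effective segment size on
    a connection is the minimum of the two advertisements."""
    return min(local_advertised, peer_advertised)

def build_syn(mss: int) -> bytes:
    """Constructed minimal SYN header for testing: 20 fixed bytes with a
    dummy source port, dst port 22 and SYN flag, then one 4-byte MSS option
    (data offset 6 words = 24 bytes). Checksum is left zero on purpose."""
    fixed = struct.pack("!HHIIBBHHH", 54321, 22, 1, 0, 6 << 4, 0x02, 65535, 0, 0)
    return fixed + bytes([2, 4]) + struct.pack("!H", mss)

if __name__ == "__main__":
    syn = build_syn(mss_for_mtu(1436))       # the clamp value from the thread
    print("advertised MSS:", mss_from_tcp_header(syn))
    print("effective MSS vs a 1500-MTU peer:",
          negotiated_mss(mss_from_tcp_header(syn), mss_for_mtu(1500)))
```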