1This target allows to alter the MSS value of TCP SYN packets, to control 2the maximum size for that connection (usually limiting it to your 3outgoing interface's MTU minus 40 for IPv4 or 60 for IPv6, respectively). 4Of course, it can only be used 5in conjunction with 6\fB\-p tcp\fP. 7.PP 8This target is used to overcome criminally braindead ISPs or servers 9which block "ICMP Fragmentation Needed" or "ICMPv6 Packet Too Big" 10packets. The symptoms of this 11problem are that everything works fine from your Linux 12firewall/router, but machines behind it can never exchange large 13packets: 14.IP 1. 4 15Web browsers connect, then hang with no data received. 16.IP 2. 4 17Small mail works fine, but large emails hang. 18.IP 3. 4 19ssh works fine, but scp hangs after initial handshaking. 20.PP 21Workaround: activate this option and add a rule to your firewall 22configuration like: 23.IP 24 iptables \-t mangle \-A FORWARD \-p tcp \-\-tcp\-flags SYN,RST SYN 25 \-j TCPMSS \-\-clamp\-mss\-to\-pmtu 26.TP 27\fB\-\-set\-mss\fP \fIvalue\fP 28Explicitly sets MSS option to specified value. If the MSS of the packet is 29already lower than \fIvalue\fP, it will \fBnot\fP be increased (from Linux 302.6.25 onwards) to avoid more problems with hosts relying on a proper MSS. 31.TP 32\fB\-\-clamp\-mss\-to\-pmtu\fP 33Automatically clamp MSS value to (path_MTU \- 40 for IPv4; \-60 for IPv6). 34This may not function as desired where asymmetric routes with differing 35path MTU exist \(em the kernel uses the path MTU which it would use to send 36packets from itself to the source and destination IP addresses. Prior to 37Linux 2.6.25, only the path MTU to the destination IP address was 38considered by this option; subsequent kernels also consider the path MTU 39to the source IP address. 40.PP 41These options are mutually exclusive. 42