1This target allows to alter the MSS value of TCP SYN packets, to control 2the maximum size for that connection (usually limiting it to your 3outgoing interface's MTU minus 40). Of course, it can only be used 4in conjunction with 5.BR "-p tcp" . 6It is only valid in the 7.BR mangle 8table. 9.br 10This target is used to overcome criminally braindead ISPs or servers 11which block ICMP Fragmentation Needed packets. The symptoms of this 12problem are that everything works fine from your Linux 13firewall/router, but machines behind it can never exchange large 14packets: 15.PD 0 16.RS 0.1i 17.TP 0.3i 181) 19Web browsers connect, then hang with no data received. 20.TP 212) 22Small mail works fine, but large emails hang. 23.TP 243) 25ssh works fine, but scp hangs after initial handshaking. 26.RE 27.PD 28Workaround: activate this option and add a rule to your firewall 29configuration like: 30.nf 31 iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \\ 32 -j TCPMSS --clamp-mss-to-pmtu 33.fi 34.TP 35.BI "--set-mss " "value" 36Explicitly set MSS option to specified value. 37.TP 38.B "--clamp-mss-to-pmtu" 39Automatically clamp MSS value to (path_MTU - 40). 40.TP 41These options are mutually exclusive. 42