Book: Iptables Tutorial 1.2.2
The tcpmss match is used to match a packet based on the Maximum Segment Size (MSS) option in TCP. This match is only valid for SYN and SYN/ACK packets, since those are the packets that carry the MSS option. For a more complete explanation of the MSS value, see the TCP options appendix, RFC 793 - Transmission Control Protocol and RFC 1122 - Requirements for Internet Hosts - Communication Layers. This match is loaded using -m tcpmss and takes only one option.
Table 10-29. Tcpmss match options
| Field | Value |
| --- | --- |
| Kernel | 2.3, 2.4, 2.5 and 2.6 |
| Example | `iptables -A INPUT -p tcp --tcp-flags SYN,ACK,RST SYN -m tcpmss --mss 2000:2500` |
| Explanation | The --mss option tells the tcpmss match which Maximum Segment Sizes to match. This can either be a single specific MSS value, or a range of MSS values separated by a `:`. The value may also be inverted as usual using the `!` sign, as in `-m tcpmss ! --mss 2000:2500`. This example will match all MSS values, except for values in the range 2000 through 2500. |
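To make the rule's semantics concrete, the following added model (not code from the tutorial) parses the MSS option out of a raw TCP header laid out per RFC 793 and applies the `--tcp-flags SYN,ACK,RST SYN` and `--mss 2000:2500` checks from Table 10-29, including the `!` inversion. The header builder and all sample packets are constructed here for illustration; port, sequence and window values are arbitrary.

```python
# Added model of: -p tcp --tcp-flags SYN,ACK,RST SYN -m tcpmss [!] --mss 2000:2500
# Not code from the tutorial. Headers below are constructed samples.
import struct

SYN, RST, ACK = 0x02, 0x04, 0x10                     # TCP flag bits (byte 13 of header)

def mss_option(mss: int) -> bytes:
    """TCP option bytes for MSS: kind 2, length 4, 16-bit value."""
    return struct.pack("!BBH", 2, 4, mss)

def build_tcp_header(flags: int, options: bytes = b"") -> bytes:
    """Constructed sample header; ports/seq/ack/window are arbitrary."""
    options += b"\x00" * (-len(options) % 4)         # pad options to 32-bit boundary
    doff = (20 + len(options)) // 4                   # header length in 32-bit words
    fixed = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, doff << 4, flags, 65535, 0, 0)
    return fixed + options

def tcp_mss(header: bytes):
    """Return the MSS option value, or None if the header carries no MSS option."""
    opts = header[20:(header[12] >> 4) * 4]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                 # End of Option List
            return None
        if kind == 1:                                 # No-Operation, single byte
            i += 1
            continue
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if kind == 2 and length == 4 and i + 4 <= len(opts):
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length or 1                              # zero length: step one byte, never loop forever
    return None

def tcpmss_match(header: bytes, spec: str, invert: bool = False) -> bool:
    """Model of -m tcpmss [!] --mss spec, spec being 'N' or 'LO:HI' (inclusive)."""
    lo, _, hi = spec.partition(":")
    lo, hi = int(lo), int(hi or lo)
    mss = tcp_mss(header)
    if mss is None:
        return invert  # xt_tcpmss returns the invert flag when no MSS option is present
    return (lo <= mss <= hi) != invert

def tcp_flags_match(header: bytes, mask: int, comp: int) -> bool:
    """Model of --tcp-flags mask comp: the flags selected by mask must equal comp."""
    return (header[13] & mask) == comp

def example_rule_matches(header: bytes, invert: bool = False) -> bool:
    """Table 10-29 rule: pure SYN (ACK and RST clear) with MSS in 2000..2500."""
    return tcp_flags_match(header, SYN | ACK | RST, SYN) and tcpmss_match(header, "2000:2500", invert)
```

Note that a negated rule (`! --mss 2000:2500`) also matches a SYN packet that carries no MSS option at all, because the absence of the option is treated as "not in range".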