How to edit TCP window size from iptables?

Question

There is TCPMSS target to edit MSS value of connections (including forwarded).

How to edit window size (for example, cap to some maximum value) by iptables rule?

Expecting something like

iptables -t mangle -A OUTPUT -p tcp --dport 1234 -j TCPWINDOW --tcpwindow-set 'min(val,100000)'

Have to admit, pretty curious as to why you would want to do this? — Kyle Brandt, Aug 01 '13 at 19:59
I'm playing with traffic shaping currently and looking for various ways to limit inbound TCP traffic. I think capping the receive window + adding some delay (`tc qdisc ... netem delay ...`) can more or less cleanly set the speed of receiving without crude things like intentionally dropping valid packets. — Vi., Aug 01 '13 at 20:24
Dropping packets is a valid way to inform about congestion. Other way is using ECN (rfc3168), if both ends support it. — Teftin, Aug 01 '13 at 23:03

score 3 · Accepted Answer · answered Aug 12 '15 at 16:37

To change TCP window from iptables you need to:

iptables -t mangle -I OUTPUT -p tcp --sport 80 --tcp-flags SYN,ACK SYN,ACK -j TCPWIN --tcpwin-set 1000

score 0 · Answer 2 · answered Aug 08 '13 at 17:39

0

Yes, you can use the option --set-mss to achieve this.

Example:

iptables -I FORWARD -o ppp0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1492

answered Aug 08 '13 at 17:39

Jens Bradler

1

MSS and TCP Window are similar but still different things. – Bratchley Mar 31 '15 at 14:50
MSS is akin to IP MTU, so instead of reducing the window size you'd get smaller messages than the path MTU allows for, but still the same window size. – Marcelo Pacheco Jan 02 '21 at 21:53

2 Answers2