
Remove IPtables entry Sophos XG

What are the best commands to list iptables rules on a Sophos Firewall and also remove an MTU rule?



This thread was automatically locked due to age.
  • Hello Ben,

    Thank you for contacting the Sophos Community.

    You can use:

    # ipset -L              (lists all ipset tables; ipset -L <set name> lists the details of a particular set)

    # ipset -L | more       (shows one page at a time)

    About the MTU rule, what is the command you used to set the MTU?

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support Videos  |  Product Documentation  |  @SophosSupport  |  Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • iptables -t mangle -I POSTROUTING -d 172.19.0.0/16 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 900

    is the command I am looking at removing.

  • Hello Ben,

    You can run 

    # iptables -t mangle -D POSTROUTING -d 172.19.0.0/16 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 900

    This will delete the entries matching 172.19.0.0/16 in the POSTROUTING chain, so if you have two entries, for example:

    Chain POSTROUTING (policy ACCEPT 4 packets, 240 bytes)
     pkts bytes target  prot opt in  out  source     destination    optimization
        0     0 TCPMSS  tcp  --  *   *    0.0.0.0/0  172.19.0.0/16  -  tcp flags:0x06/0x02 TCPMSS set 900
        0     0 TCPMSS  tcp  --  *   *    0.0.0.0/0  172.19.0.0/16  -  tcp flags:0x06/0x02 TCPMSS set 900

    Then this will delete both of them, since they are duplicates; you can then just re-run the command.

    # iptables -t mangle -I POSTROUTING -d 172.19.0.0/16 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 900

    Also check whether the entries are part of the startup script:

    # cat /scripts/system/clientpref/customization_application_startup.sh

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Thanks Emmanuel for the response, if I want to add it in the startup.sh, what is the best way to do that?

    Thanks,

    Ben

  • Hello Ben,

    Enable editing of the startup script:

    mount -no remount,rw /

    Use vi to edit /scripts/system/clientpref/customization_application_startup.sh and add the lines. This should then look like:

    #!/bin/sh
    iptables -t mangle -D POSTROUTING -d 172.19.0.0/16 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 900
    exit 0;

    Save the changes and exit vi.

    Write-protect the startup script again:

    mount -no remount,ro /

    Note:

    In High Availability clusters the above will need to be applied on both nodes.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
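An added example, written for this page and not taken from Emmanuel's posts or from Sophos: a small POSIX shell script that wraps the delete and insert commands from the thread so they can be called from customization_application_startup.sh and re-run safely at every boot. It removes every copy of the TCPMSS rule with a loop of `iptables -C` / `iptables -D`, inserts exactly one copy at the top of the chain, and counts copies in `iptables -S` output. It assumes it runs as root on the firewall shell with `iptables` on PATH; the function names (rule_present, remove_rule_copies, ensure_single_rule, count_rule_copies) and the `apply` argument are my choices.

```shell
#!/bin/sh
# Added example (not from the Sophos thread): idempotent management of the
# TCPMSS rule discussed above. Assumption: run as root on the firewall shell,
# with iptables on PATH.

TABLE="mangle"
CHAIN="POSTROUTING"
# Match and target part of the rule, exactly as posted in the thread.
SPEC="-d 172.19.0.0/16 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 900"

# rule_present: exit 0 if at least one copy of the rule is in the chain.
# iptables -C checks for an exact rule match and prints nothing.
# $SPEC is deliberately unquoted so it is split into separate arguments.
rule_present() {
    iptables -t "$TABLE" -C "$CHAIN" $SPEC 2>/dev/null
}

# remove_rule_copies: delete every copy of the rule, not just one.
# Each iptables -D removes a single matching rule, so keep deleting
# until -C no longer finds one. Prints the number of copies removed.
remove_rule_copies() {
    removed=0
    while rule_present; do
        iptables -t "$TABLE" -D "$CHAIN" $SPEC
        removed=$((removed + 1))
    done
    echo "$removed"
}

# ensure_single_rule: leave exactly one copy at the top of the chain.
# Safe to call on every boot, so duplicates never accumulate.
ensure_single_rule() {
    remove_rule_copies >/dev/null
    iptables -t "$TABLE" -I "$CHAIN" $SPEC
}

# count_rule_copies: count copies of the rule in `iptables -S` output read
# from stdin. iptables -S may print the rule in normalised form (for example
# with an extra "-m tcp"), so match on the chain and the distinctive target
# option rather than on the exact text of SPEC.
count_rule_copies() {
    grep -c -- "-A $CHAIN .*--set-mss 900" || true
}

# Usage from the startup script:  sh /path/to/this_script.sh apply
if [ "${1:-}" = "apply" ]; then
    ensure_single_rule
    printf 'TCPMSS rule copies now present: %s\n' \
        "$(iptables -t "$TABLE" -S "$CHAIN" | count_rule_copies)"
fi
```

Call `ensure_single_rule` (or the script with `apply`) from customization_application_startup.sh after the `mount -no remount,rw /` step described above; because it deletes all existing copies before inserting, re-running it, whether by hand or at each boot, always leaves a single rule. On an HA pair the script has to be placed on both nodes, as the note above says.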