Problem with getting reply packets

[Bart Kus <me@bartk.us>]

Hey everyone, I would greatly appreciate some help with the following 
problem.

Setup:  Inet -> Netgear -> WifiRouter -> CoreRouter
 
Connection comes from inet to Netgear's public IP.  DMZ on Netgear takes 
it to WifRouter's IP within the internal net of Netgear.  DMZ on 
WifiRouter takes it to CoreRouter's IP.  CoreRouter is running sshd and 
replies to WifiRouter.  WifiRouter does NOT forward the packet to 
Netgear.  A state is established in ip_conntrack but never matures 
beyond SYN_RECV status.  Here's the iptables of WifiRouter:

# Generated by iptables-save v1.3.5 on Wed Jan 28 19:08:14 2009
*filter
:INPUT ACCEPT [4336:476922]
:FORWARD ACCEPT [2565:152535]
:OUTPUT ACCEPT [4208:1526248]
:FIREWALL - [0:0]
-A INPUT -j FIREWALL
-A FORWARD -j FIREWALL
COMMIT
# Completed on Wed Jan 28 19:08:14 2009
# Generated by iptables-save v1.3.5 on Wed Jan 28 19:08:14 2009
*nat
:PREROUTING ACCEPT [266:57188]
:POSTROUTING ACCEPT [1378:65372]
:OUTPUT ACCEPT [54:4039]
-A PREROUTING -i ath0 -p tcp -m tcp --dport 443 -j ACCEPT
-A PREROUTING -i ath0 -j DNAT --to-destination 192.168.44.17
-A POSTROUTING -o ath0 -j MASQUERADE
COMMIT
# Completed on Wed Jan 28 19:08:14 2009
 
Here's the routing table on WifiRouter:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use 
Iface
192.168.44.16   0.0.0.0         255.255.255.240 U     0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 ath0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 ath0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 ath0

And here's the relevant ip_conntrack entry of WifiRouter after a SYN has 
been sent, and CoreRouter has properly transmitted a SYN+ACK back @ 
WifiRouter:
 
tcp      6 59 SYN_RECV src=98.233.248.36 dst=192.168.1.200 sport=50587 
dport=22 src=192.168.44.17 dst=98.233.248.36 sport=22 dport=50587 use=1

98.233.248.36 is the remote IP trying for an in bound connection.  
192.168.1.200 is the WifiRouter's IP on the private Netgear net.  
192.168.44.18 is the other WifiRouter IP but on the private net with 
CoreRouter.  192.168.44.17 is the CoreRouter's IP on the private net 
with WifiRouter.

Here's a packet capture on the CoreRouter interface to show the incoming 
and reply packets:

15:46:17.132370 IP (tos 0x20, ttl 48, id 16938, offset 0, flags [DF], 
proto TCP (6), length 64) 98.233.248.36.50587 > 192.168.44.17.22: S, 
cksum 0xedf4 (correct), 1412062838:1412062838(0) win 65535 <mss 
1460,nop,wscale 1,nop,nop,timestamp 406286523 0,sackOK,eol>
15:46:17.132502 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 
TCP (6), length 60) 192.168.44.17.22 > 98.233.248.36.50587: S, cksum 
0x61ec (correct), 817829122:817829122(0) ack 1412062839 win 5792 <mss 
1460,sackOK,timestamp 342830119 406286523,nop,wscale 6>

I verified that the MACs are also correct via WireShark.
 
Why is the reply (SYN+ACK) not being associated with this SYN_RECV state 
entry and being propagated back out to the internet?


--Bart