From mboxrd@z Thu Jan 1 00:00:00 1970
From: Bart Kus
Subject: Problem with getting reply packets
Date: Fri, 30 Jan 2009 15:55:39 -0800
Message-ID: <4983937B.4060200@bartk.us>
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Return-path:
Sender: netfilter-owner@vger.kernel.org
List-ID:
Content-Type: text/plain; charset="us-ascii"; format="flowed"
To: netfilter@vger.kernel.org

Hey everyone,

I would greatly appreciate some help with the following problem.

Setup:

Inet -> Netgear -> WifiRouter -> CoreRouter

Connection comes from inet to Netgear's public IP. DMZ on Netgear takes it
to WifiRouter's IP within the internal net of Netgear. DMZ on WifiRouter
takes it to CoreRouter's IP. CoreRouter is running sshd and replies to
WifiRouter. WifiRouter does NOT forward the packet to Netgear. A state is
established in ip_conntrack but never matures beyond SYN_RECV status.

Here's the iptables of WifiRouter:

# Generated by iptables-save v1.3.5 on Wed Jan 28 19:08:14 2009
*filter
:INPUT ACCEPT [4336:476922]
:FORWARD ACCEPT [2565:152535]
:OUTPUT ACCEPT [4208:1526248]
:FIREWALL - [0:0]
-A INPUT -j FIREWALL
-A FORWARD -j FIREWALL
COMMIT
# Completed on Wed Jan 28 19:08:14 2009
# Generated by iptables-save v1.3.5 on Wed Jan 28 19:08:14 2009
*nat
:PREROUTING ACCEPT [266:57188]
:POSTROUTING ACCEPT [1378:65372]
:OUTPUT ACCEPT [54:4039]
-A PREROUTING -i ath0 -p tcp -m tcp --dport 443 -j ACCEPT
-A PREROUTING -i ath0 -j DNAT --to-destination 192.168.44.17
-A POSTROUTING -o ath0 -j MASQUERADE
COMMIT
# Completed on Wed Jan 28 19:08:14 2009

Here's the routing table on WifiRouter:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.44.16   0.0.0.0         255.255.255.240 U     0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 ath0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 ath0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 ath0

And here's the relevant ip_conntrack entry of WifiRouter after a SYN has
been sent, and CoreRouter has properly transmitted a SYN+ACK back @
WifiRouter:

tcp 6 59 SYN_RECV src=98.233.248.36 dst=192.168.1.200 sport=50587 dport=22 src=192.168.44.17 dst=98.233.248.36 sport=22 dport=50587 use=1

98.233.248.36 is the remote IP trying for an inbound connection.
192.168.1.200 is the WifiRouter's IP on the private Netgear net.
192.168.44.18 is the other WifiRouter IP but on the private net with CoreRouter.
192.168.44.17 is the CoreRouter's IP on the private net with WifiRouter.

Here's a packet capture on the CoreRouter interface to show the incoming
and reply packets:

15:46:17.132370 IP (tos 0x20, ttl 48, id 16938, offset 0, flags [DF], proto TCP (6), length 64)
    98.233.248.36.50587 > 192.168.44.17.22: S, cksum 0xedf4 (correct), 1412062838:1412062838(0) win 65535
15:46:17.132502 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.44.17.22 > 98.233.248.36.50587: S, cksum 0x61ec (correct), 817829122:817829122(0) ack 1412062839 win 5792

I verified that the MACs are also correct via Wireshark.

Why is the reply (SYN+ACK) not being associated with this SYN_RECV state
entry and being propagated back out to the internet?

--Bart
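An added illustration, not part of Bart's post, of how to read the ip_conntrack entry against the tcpdump lines he quotes: the first src/dst tuple is the pre-NAT original direction, the second is the reply conntrack expects, and a reply is only tied to the entry when its addresses and ports match that second tuple exactly. The script below parses the entry and both captured packets (constants copied from the post) and reports which direction of the entry each packet belongs to.

```python
import re

# Conntrack entry and tcpdump lines copied from the post above.
CONNTRACK_LINE = ("tcp 6 59 SYN_RECV src=98.233.248.36 dst=192.168.1.200 sport=50587 dport=22 "
                  "src=192.168.44.17 dst=98.233.248.36 sport=22 dport=50587 use=1")
SYN_LINE = ("15:46:17.132370 IP (tos 0x20, ttl 48, id 16938, offset 0, flags [DF], proto TCP (6), "
            "length 64) 98.233.248.36.50587 > 192.168.44.17.22: S, cksum 0xedf4 (correct), "
            "1412062838:1412062838(0) win 65535")
SYNACK_LINE = ("15:46:17.132502 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), "
               "length 60) 192.168.44.17.22 > 98.233.248.36.50587: S, cksum 0x61ec (correct), "
               "817829122:817829122(0) ack 1412062839 win 5792")

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")
PKT_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")


def parse_conntrack(line):
    """Return (state, original, reply) for a tcp line from /proc/net/ip_conntrack.
    Each tuple is (src, sport, dst, dport); the original tuple is pre-NAT,
    the reply tuple is what the reply must look like when it reaches conntrack."""
    tuples = TUPLE_RE.findall(line)
    if len(tuples) != 2:
        raise ValueError("expected original and reply tuples")
    state = line.split()[3]
    (osrc, odst, osport, odport), (rsrc, rdst, rsport, rdport) = tuples
    return state, (osrc, int(osport), odst, int(odport)), (rsrc, int(rsport), rdst, int(rdport))


def parse_tcpdump(line):
    """Extract (src, sport, dst, dport) from a tcpdump -v TCP line."""
    m = PKT_RE.search(line)
    if not m:
        raise ValueError("no TCP 4-tuple found")
    return m.group(1), int(m.group(2)), m.group(3), int(m.group(4))


def classify(entry_line, packet_line):
    """Which direction of the entry does this packet belong to?
    'original' = pre-NAT SYN as seen before DNAT, 'original-after-dnat' = the
    same SYN as it leaves the router (inverse of the reply tuple), 'reply' = a
    packet conntrack would treat as the reply; None = no association."""
    _, orig, reply = parse_conntrack(entry_line)
    pkt = parse_tcpdump(packet_line)
    dnat_orig = (reply[2], reply[3], reply[0], reply[1])  # reply tuple, reversed
    if pkt == orig:
        return "original"
    if pkt == dnat_orig:
        return "original-after-dnat"
    if pkt == reply:
        return "reply"
    return None
```

For the post's capture this yields "original-after-dnat" for the SYN and "reply" for the SYN+ACK, so the 4-tuple itself is not what keeps the entry in SYN_RECV; the packet must be failing to reach conntrack on the WifiRouter at all.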