Re: Problem with getting reply packets

[Pascal Hambourg <pascal.mail@plouf.fr.eu.org>]

Hello,

Bart Kus a écrit :
> 
> Setup:  Inet -> Netgear -> WifiRouter -> CoreRouter
> 
> Connection comes from inet to Netgear's public IP.  DMZ on Netgear takes 
> it to WifRouter's IP within the internal net of Netgear.  DMZ on 
> WifiRouter takes it to CoreRouter's IP.  CoreRouter is running sshd and 
> replies to WifiRouter.  WifiRouter does NOT forward the packet to 
> Netgear.  A state is established in ip_conntrack but never matures 
> beyond SYN_RECV status.  Here's the iptables of WifiRouter:
[...]
> And here's the relevant ip_conntrack entry of WifiRouter after a SYN has 
> been sent, and CoreRouter has properly transmitted a SYN+ACK back @ 
> WifiRouter:
> 
> tcp      6 59 SYN_RECV src=98.233.248.36 dst=192.168.1.200 sport=50587 
> dport=22 src=192.168.44.17 dst=98.233.248.36 sport=22 dport=50587 use=1
[...]
> Why is the reply (SYN+ACK) not being associated with this SYN_RECV state 
> entry

It is. The SYN_RECV states indicates that the SYN+ACK was successfully 
associated to the connection. Otherwise the conntrack entry would show 
SYN_SENT and [UNREPLIED] instead.

> and being propagated back out to the internet?

No clue, sorry. Did you try to trace it through the iptables chains ?