
Why is a response to a NATted SYN not being un-NATted properly by iptables?


Andrew Gideon

Oct 3, 2008, 3:43:58 PM
I've a Linux machine (CentOS 5) acting as a router between two VLANs. On VLAN 7 is
an NFS client; on VLAN 6 is an NFS server. The client is sending a SYN
packet, and the server is responding with a SYN ACK. But the firewall
doesn't seem to think that the SYN ACK is associated with an ESTABLISHED
connection, and so the SYN ACK is being blocked.

The IPs involved are:
Pre NAT NFS Client: 192.168.2.74
Post NAT NFS Client: 10.10.79.199
NFS Server: 10.10.76.9

Here's a log of the two packets:

Oct 3 15:20:00 m10013 kernel: SYN to kuta:IN=eth0.7 OUT=eth0.6 SRC=192.168.2.74 DST=10.10.76.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=50765 DF PROTO=TCP SPT=800 DPT=2049 SEQ=2136479333 ACK=0 WINDOW=32120 RES=0x00 SYN URGP=0 OPT (020405B40402080A1FC887A90000000001030300)
Oct 3 15:20:00 m10013 kernel: Odd reply seen:IN=eth0.6 OUT= MAC=00:0d:60:83:7b:a8:08:00:20:b1:90:99:08:00 SRC=10.10.76.9 DST=10.10.79.199 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=48661 DF PROTO=TCP SPT=2049 DPT=800 SEQ=1122400943 ACK=2136479334 WINDOW=24616 RES=0x00 ACK SYN URGP=0 OPT (0101080A1FC119E81FC887A90103030001010402020405B4)

The real problem is with the un-NATting, I think. Even when I force the "Odd
reply seen" packet to be accepted by an explicit rule, the reply still doesn't
hit the NFS client. I don't believe that the packet to 10.10.79.199 from
the NFS server is being un-NATted.

What sort of problem would cause this, and for what should I be checking?

Thanks...

Andrew
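An added diagnostic (not from the post, and not part of iptables) that parses the two LOG lines above and checks whether the SYN ACK is exactly the reverse tuple that conntrack would have to translate back for the NATted SYN, assuming the SNAT mapping the post states. If every check passes, the packets are consistent and the thing to compare against is the router's connection-tracking table: it must hold the tuple pair the script prints.

```python
import re

# Constructed sample input: the two iptables LOG lines quoted in the post, trimmed to the
# fields this script reads.
SYN_LINE = ("Oct 3 15:20:00 m10013 kernel: SYN to kuta:IN=eth0.7 OUT=eth0.6 SRC=192.168.2.74 "
            "DST=10.10.76.9 PROTO=TCP SPT=800 DPT=2049 SEQ=2136479333 ACK=0 WINDOW=32120 "
            "RES=0x00 SYN URGP=0")
REPLY_LINE = ("Oct 3 15:20:00 m10013 kernel: Odd reply seen:IN=eth0.6 OUT= SRC=10.10.76.9 "
              "DST=10.10.79.199 PROTO=TCP SPT=2049 DPT=800 SEQ=1122400943 ACK=2136479334 "
              "WINDOW=24616 RES=0x00 ACK SYN URGP=0")
# Assumed SNAT mapping taken from the post: pre-NAT client -> post-NAT client.
SNAT_MAP = {"192.168.2.74": "10.10.79.199"}

FIELD_RE = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|SPT|DPT|SEQ|ACK)=(\S*)")
FLAGS_RE = re.compile(r"RES=0x[0-9A-Fa-f]+ (.*?) URGP=")  # bare flag words sit between RES= and URGP=

def parse_log(line):
    """Split an iptables LOG line into its KEY=VALUE fields plus the set of TCP flag words."""
    fields = dict(FIELD_RE.findall(line))
    m = FLAGS_RE.search(line)
    fields["FLAGS"] = set(m.group(1).split()) if m else set()
    return fields

def expected_conntrack(syn, snat_map):
    """Tuple pair (src, dst, sport, dport) conntrack must hold for this SYN: the original
    direction as seen pre-NAT, and the reply direction as the server addresses it post-SNAT."""
    nat_src = snat_map.get(syn["SRC"], syn["SRC"])
    original = (syn["SRC"], syn["DST"], syn["SPT"], syn["DPT"])
    reply = (syn["DST"], nat_src, syn["DPT"], syn["SPT"])
    return original, reply

def check_reply(syn, reply, snat_map):
    """List the ways a candidate SYN ACK fails to match the SYN. An empty list means the
    reply is exactly what the router should un-NAT, so the fault is in conntrack/NAT state."""
    problems = []
    if syn["FLAGS"] != {"SYN"}:
        problems.append("first packet is not a bare SYN")
    if not {"SYN", "ACK"} <= reply["FLAGS"]:
        problems.append("second packet is not a SYN ACK")
    if int(reply["ACK"]) != int(syn["SEQ"]) + 1:
        problems.append("reply ACK is not SYN SEQ+1, so it answers a different SYN")
    _, want = expected_conntrack(syn, snat_map)
    got = (reply["SRC"], reply["DST"], reply["SPT"], reply["DPT"])
    if got != want:
        problems.append(f"reply tuple {got} is not the expected reply tuple {want}")
    return problems

if __name__ == "__main__":
    syn, rep = parse_log(SYN_LINE), parse_log(REPLY_LINE)
    print("conntrack should hold:", expected_conntrack(syn, SNAT_MAP))
    print("problems:", check_reply(syn, rep, SNAT_MAP) or "none; check the NAT/conntrack entry")
```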
