IPTABLES NAT forgetting ESTABLISHED connections too soon?

Ramin Alidousti ramin@cannon.eng.us.uu.net
Sat, 18 Aug 2001 13:24:06 -0400


On Sat, Aug 18, 2001 at 12:09:33PM -0500, Jim Garrison wrote:

> My syslog is littered with IPTABLES entries where the final RST ACK 

If your client sends an RST (as opposed to FIN), then the state machine
does not have to go to the close-wait state and no other responses from
the server are being waited on. Are you sure that your client sends an
RST and not a FIN?

Ramin

> incoming packet for a valid outbound connection, that is in the
> process of being closed, is rejected by the firewall.  This looks 
> like the NAT code is "forgetting" about the ESTABLISHED connection 
> as soon as the outgoing RST is sent but before the remote close 
> response is received.  This happens only sporadically, not on 
> all outgoing connections.
> 
> Example (my IP obfuscated :-)
> 
> Aug 16 02:49:29 janus kernel: IN=eth0 OUT= 
>   MAC=00:a0:cc:3f:eb:6d:08:00:3e:03:7f:ce:08:00 
>   SRC=209.238.204.64 DST=xxx.xxx.40.99 
>   LEN=40 TOS=0x00 PREC=0x00 TTL=46 ID=53756 DF PROTO=TCP 
>   SPT=80 DPT=4134 WINDOW=49152 RES=0x00 ACK RST URGP=0 
> 
> The source is a website I just visited, with the outgoing
> connection initiated on port 4134.  The rejected packet is
> obviously the response to an outgoing RST my system sent
> when closing the connection, but NAT doesn't seem to 
> remember that it's part of an ESTABLISHED connection.
> 
> Bug?
> 
> Jim Garrison
> jhg@acm.org
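As an added example, not code from this thread or from the netfilter project, here is a toy Python model of a stateful TCP tracker that follows Ramin's description: an RST abandons the entry at once, while a FIN passes through a close-wait state, so the server's ACK/RST that answers a client RST no longer matches any entry and falls through to the logging rule. The state names, transitions and endpoint addresses are assumptions for illustration, not the kernel's actual state table.

```python
# Added example, not code from the thread or from netfilter: a toy model of a
# stateful TCP tracker. It assumes (simplification) that an RST ends tracking
# immediately, while a FIN walks the entry through CLOSE_WAIT and LAST_ACK.

class TcpTracker:
    def __init__(self):
        self.table = {}  # direction-independent key -> tracked state

    @staticmethod
    def key(pkt):
        # Sort the two endpoints so a reply maps to the same entry.
        return tuple(sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])]))

    def classify(self, pkt):
        """Return NEW, ESTABLISHED or INVALID, as a conntrack match would."""
        k, flags = self.key(pkt), set(pkt["flags"])
        state = self.table.get(k)
        if state is None:
            if flags == {"SYN"}:
                self.table[k] = "SYN_SENT"
                return "NEW"
            return "INVALID"  # no entry: a default-deny rule logs and drops it
        if "RST" in flags:
            del self.table[k]  # assumption: RST abandons the entry at once
            return "ESTABLISHED"  # the RST itself still matches the entry
        if state == "SYN_SENT" and flags == {"SYN", "ACK"}:
            self.table[k] = "ESTABLISHED"
        elif state == "ESTABLISHED" and "FIN" in flags:
            self.table[k] = "CLOSE_WAIT"  # keep waiting for the peer's FIN
        elif state == "CLOSE_WAIT" and "FIN" in flags:
            self.table[k] = "LAST_ACK"  # keep waiting for the final ACK
        elif state == "LAST_ACK" and flags == {"ACK"}:
            del self.table[k]  # graceful close complete
        return "ESTABLISHED"

# Constructed endpoints; port 4134 mirrors the log line in the question.
CLIENT, SERVER = ("192.0.2.10", 4134), ("203.0.113.7", 80)

def pkt(frm, to, *flags):
    return {"src": frm[0], "sport": frm[1], "dst": to[0], "dport": to[1], "flags": flags}

def reply_verdict(close_flag):
    """Open a connection, close it from the client with FIN or RST, and return
    how the server's answer to that close is classified."""
    t = TcpTracker()
    for p in (pkt(CLIENT, SERVER, "SYN"), pkt(SERVER, CLIENT, "SYN", "ACK"),
              pkt(CLIENT, SERVER, "ACK"), pkt(CLIENT, SERVER, close_flag, "ACK")):
        t.classify(p)
    # Server answers a FIN with FIN/ACK and an RST with ACK/RST (as in the log).
    return t.classify(pkt(SERVER, CLIENT, close_flag, "ACK"))
```

Calling `reply_verdict("FIN")` yields ESTABLISHED while `reply_verdict("RST")` yields INVALID, which is the benign log litter the question describes rather than a NAT bug.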