ACK lost after SYN,SYN/ACK when DNATting to do transparent Squid proxy
Ramin Alidousti
ramin@cannon.eng.us.uu.net
Wed, 19 Jun 2002 09:31:45 -0400
On Wed, Jun 19, 2002 at 11:58:24AM +0700, Alain Fauconnet wrote:
> Hello -
>
> I have a strange problem that has been bugging me for a long time.
> I do transparent redirection to a separate Squid box from a 2.4.18
> kernel box using Netfilter, over a private LAN (10.254.254.0/24).
> Something like:
>
> iptables -t nat -A PREROUTING -i ppp+ -p tcp -s 172.16.1.0/24 \
> --dport 80 -j DNAT --to 10.254.254.2:3128
>
> Sometimes several times per hour, I observe that ALL connections to
> 10.254.254.2:3128 just hang for 30s to 3min, even when I originate
> them from the Netfilter box itself using telnet. Everything then
> resumes normally. This is a major annoyance to the people behind these
> boxes. Protocol analysis revealed the following:
>
> Netfilter box                    Squid box
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> ------------- SYN ----------------->
> <---------- SYN/ACK ---------------
> . . . . . . . ACK . . . . . . . . .>   MISSING!
What is the complete ruleset?
Ramin
>
> So the problem is on the Netfilter box side, it never sends the final
> ACK to the 3-way handshake.