netfilter resets TCP conversation that was DNATed from the local
machine to another
Michael
freeware@adsl-209-204-165-151.sonic.net
Fri, 27 Jun 2003 20:50:58 -0700
Dear netfilter gods,
I have a configuration like so:
/------------\ .0.2        .{0,1}.1 /----------\ 1.2.3.4    (          )
| Web server |-----+----------------| firewall |-----------( Internet )
\------------/     |          eth0  |  Squid   | eth1      (          )
                   |                \----------/
/---------\ .1.2   |
| browser |--------/
\---------/
- The 192.168.{0,1}. subnets run on the same wire.
- Port 80 on the public i/f is DNATed to the internal Web server.
The firewall is running Squid to proxy for 192.168.1. clients, and it
works fine *except* when the target server resolves to a public IP on
eth1. When that happens, I see the client-to-Squid communication go OK,
then Squid sends a SYN (from .0.1) to .0.2:80, .0.2 sends a SYN-ACK...
but then netfilter spontaneously issues a RST to .0.2:80 from another
port (i.e., not the one that Squid was using)! I have no
reject-with-tcp-reset lines in my tables.
What up?
Squid really doesn't belong on a firewall, but I'm curious to resolve
this mystery first.
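An editor-added example, not part of the post above, that reproduces the kind of check one would run over a packet capture to spot what the poster describes: a RST arriving at .0.2:80 from a source port that never took part in a handshake. The tcpdump-style summary lines are constructed for this example (the addresses follow the diagram; the port numbers are invented), and the flow tracker is a deliberately minimal one that only understands SYN, SYN-ACK, ACK and RST.

```python
import re

# Constructed sample capture, in tcpdump summary form (not from the original
# post): Squid on 192.168.0.1 opens a connection to the web server .0.2:80,
# the server answers with SYN-ACK, then a RST reaches .0.2:80 from a source
# port (41212, invented) that Squid never used, before the handshake's ACK.
SAMPLE_LINES = [
    "IP 192.168.0.1.34567 > 192.168.0.2.80: Flags [S], seq 1000",
    "IP 192.168.0.2.80 > 192.168.0.1.34567: Flags [S.], seq 5000, ack 1001",
    "IP 192.168.0.1.41212 > 192.168.0.2.80: Flags [R], seq 0",
    "IP 192.168.0.1.34567 > 192.168.0.2.80: Flags [.], ack 5001",
]

# src.sport > dst.dport: Flags [..]   (tcpdump's default IPv4 TCP summary)
LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")


def parse(line):
    """Return (src, sport, dst, dport, flags) or None for a non-TCP line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, sport, dst, dport, flags = m.groups()
    return src, int(sport), dst, int(dport), flags


def flow_key(src, sport, dst, dport):
    """Direction-independent key so both halves of a flow map to one entry."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)


def find_stray_rsts(lines):
    """Track handshakes per 4-tuple and report RSTs for flows never seen.

    Returns (stray, flows): stray is a list of (src, sport, dst, dport) for
    each RST whose 4-tuple has no prior SYN/SYN-ACK/ACK in the capture; flows
    maps flow keys to the last state observed for that flow.
    """
    flows = {}
    stray = []
    for line in lines:
        pkt = parse(line)
        if pkt is None:
            continue
        src, sport, dst, dport, flags = pkt
        key = flow_key(src, sport, dst, dport)
        if "R" in flags:
            if key not in flows:
                stray.append((src, sport, dst, dport))
            else:
                flows[key] = "reset"
            continue
        if "S" in flags and "." not in flags:
            flows[key] = "syn_sent"               # client SYN
        elif "S" in flags and "." in flags:
            if flows.get(key) == "syn_sent":
                flows[key] = "syn_received"       # server SYN-ACK
        elif "." in flags and flows.get(key) == "syn_received":
            flows[key] = "established"            # client's final ACK
    return stray, flows


if __name__ == "__main__":
    stray, flows = find_stray_rsts(SAMPLE_LINES)
    for src, sport, dst, dport in stray:
        print(f"stray RST {src}:{sport} -> {dst}:{dport} (no matching flow)")
    for (a, b), state in flows.items():
        print(f"flow {a[0]}:{a[1]} <-> {b[0]}:{b[1]}: {state}")
```

Run against a real capture with `tcpdump -n -i eth0 tcp and host 192.168.0.2` piped in line by line; a RST reported as stray is exactly the symptom above, and comparing its source port against the ports Squid actually bound tells you whether the reset came from the proxy or from the stack underneath it.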