On Thu, 4 Jun 2009, Emiliano Romero wrote:

> I'm doing a DNAT to forward connections to port 5555 to another server. The
> connection gets forwarded fine, I can connect, send and receive data over that
> connection. The problem appears with TCP KeepAlive packets (No flags, win=0,
> len=0). When those packets of a connection that is ESTABLISHED (send and
> receive data before) arrive at my iptables machine, they aren't matched with
> the nat entries of the connection where they belong. So they are marked as INVALID
> and go to INPUT instead of FORWARD.
>
> TCP Keepalive on the remote side (the one that starts the connection) is set
> at 20 seconds with 4 tries at 10 seconds each. That's because it's over a
> very bad communication channel.
>
> I add some of my configurations:
>
> Iptables config:
> iptables -t raw -A PREROUTING -p tcp --dport 5555 -j TRACE
> iptables -t nat -A PREROUTING -p tcp --dport 5555 -j DNAT --to-destination 192.168.1.100:5555
>
> Output of Trace: http://pastebin.com/f65e41319
>
> Visual Output of Wireshark of another try: http://tinyurl.com/qlaj9n

The TCP keepalive packet in the output above is invalid: its sequence number is wrong.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary