Hi. There is a firewall between the vCenter server and the vSphere machines. We have trouble with vCenter traffic and SYN proxy. vCenter works fine when I disable SYNPROXY, but it does not work properly when I enable it. These are the rules I added:

iptables -t raw -A PREROUTING -i enp12s0f0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CT --notrack
iptables -A FORWARD -i enp12s0f0 -p tcp -m tcp -m state --state INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
iptables -A FORWARD -i enp12s0f0 -p tcp -m tcp -m state --state INVALID -j DROP

I inspected the packets and realized that when SYN proxy is enabled, the server sends RST packets just after the TCP handshake. 192.168.0.1 is the vCenter server's IP address.

13:47:59.478585 IP 192.168.0.1.49210 > 192.168.0.20.443: Flags [S], seq 3891662468, win 14600, options [mss 1460,sackOK,TS val 603479375 ecr 0,nop,wscale 7], length 0
13:47:59.478607 IP 192.168.0.20.443 > 192.168.0.1.49210: Flags [S.], seq 3361123086, ack 3891662469, win 0, options [mss 1460,sackOK,TS val 1137639895 ecr 603479375,nop,wscale 7], length 0
13:47:59.478728 IP 192.168.0.1.49210 > 192.168.0.20.443: Flags [.], ack 1, win 115, options [nop,nop,TS val 603479376 ecr 1137639895], length 0
13:47:59.478890 IP 192.168.0.20.443 > 192.168.0.1.49210: Flags [.], ack 1, win 127, options [nop,nop,TS val 1137639895 ecr 603479376], length 0
13:47:59.478985 IP 192.168.0.20.443 > 192.168.0.1.49210: Flags [R], seq 3361123087, win 0, length 0
13:47:59.479008 IP 192.168.0.1.49210 > 192.168.0.20.443: Flags [P.], seq 1:63, ack 1, win 115, options [nop,nop,TS val 603479376 ecr 1137639895], length 62
13:47:59.479121 IP 192.168.0.20.443 > 192.168.0.1.49210: Flags [R], seq 3361123087, win 0, length 0

And below are the packets recorded while SYN proxy was disabled:

15:03:40.157064 IP 192.168.0.1.53169 > 192.168.0.20.443: Flags [S], seq 2940370351, win 14600, options [mss 1460,sackOK,TS val 604614515 ecr 0,nop,wscale 7], length 0
15:03:40.157200 IP 192.168.0.20.443 > 192.168.0.1.53169: Flags [S.], seq 3175370053, ack 2940370352, win 65535, options [mss 1460,nop,wscale 9,sackOK,TS val 317544961 ecr 604614515], length 0
15:03:40.157326 IP 192.168.0.1.53169 > 192.168.0.20.443: Flags [.], ack 1, win 115, options [nop,nop,TS val 604614515 ecr 317544961], length 0
15:03:40.157626 IP 192.168.0.1.53169 > 192.168.0.20.443: Flags [P.], seq 1:63, ack 1, win 115, options [nop,nop,TS val 604614515 ecr 317544961], length 62
15:03:40.158336 IP 192.168.0.20.443 > 192.168.0.1.53169: Flags [P.], seq 1:1093, ack 63, win 130, options [nop,nop,TS val 317544961 ecr 604614515], length 1092
15:03:40.158599 IP 192.168.0.1.53169 > 192.168.0.20.443: Flags [.], ack 1093, win 137, options [nop,nop,TS val 604614516 ecr 317544961], length 0
15:03:40.159197 IP 192.168.0.1.53169 > 192.168.0.20.443: Flags [P.], seq 63:403, ack 1093, win 137, options [nop,nop,TS val 604614516 ecr 317544961], length 340
15:03:40.169577 IP 192.168.0.20.443 > 192.168.0.1.53169: Flags [P.], seq 1093:1168, ack 403, win 130, options [nop,nop,TS val 317544962 ecr 604614516], length 75
15:03:40.170677 IP 192.168.0.1.53169 > 192.168.0.20.443: Flags [P.], seq 403:653, ack 1168, win 137, options [nop,nop,TS val 604614519 ecr 317544962], length 250
15:03:40.176009 IP 192.168.0.20.443 > 192.168.0.1.53169: Flags [P.], seq 1168:1530, ack 653, win 130, options [nop,nop,TS val 317544962 ecr 604614519], length 362
15:03:40.214456 IP 192.168.0.1.53169 > 192.168.0.20.443: Flags [.], ack 1530, win 154, options [nop,nop,TS val 604614530 ecr 317544962], length 0

I can simply solve the problem by adding an exception rule for the vCenter IP. But I want to know why it doesn't work and solve it if it is possible. Thanks for any help.
-- ibrahim
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
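As an added example that is not part of the post above or of the netfilter project, the script below does two things a practitioner would want when chasing this kind of report: it prints the SYNPROXY ruleset in the option order iptables requires (match options such as --state before -j SYNPROXY, the --sack-perm/--timestamp/--wscale/--mss target options after it) together with the sysctls the SYNPROXY documentation pairs with it, and it scans a tcpdump text capture for the symptom in the post, a server RST arriving right after the three-way handshake and before any server data. The interface, port and option values are taken from the post; narrowing the rules to a single --dport is an assumption (the post's rules cover all TCP on the interface), the function names are made up here, and the sample capture is abbreviated from the post's two traces.

```shell
#!/bin/sh
# Added example, not code from the original post. Nothing here applies rules:
# the generator only prints them so they can be reviewed first.

# Print the SYNPROXY ruleset for one interface and port. Option order matters
# to iptables: -m state --state must come before -j SYNPROXY and the SYNPROXY
# target options must come after it. --syn is shorthand for the post's
# --tcp-flags FIN,SYN,RST,ACK SYN. Limiting to --dport is an assumption.
synproxy_rules() {
    iface="$1"; port="$2"
    cat <<EOF
iptables -t raw -A PREROUTING -i $iface -p tcp --dport $port --syn -j CT --notrack
iptables -A FORWARD -i $iface -p tcp --dport $port -m state --state INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
iptables -A FORWARD -i $iface -p tcp --dport $port -m state --state INVALID -j DROP
EOF
}

# Sysctls the SYNPROXY documentation recommends alongside the rules: conntrack
# must not pick up connections mid-stream, and SYN cookies with timestamps are
# what the proxy uses to carry the client's options through the handshake.
synproxy_sysctls() {
    cat <<EOF
net.netfilter.nf_conntrack_tcp_loose=0
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_timestamps=1
EOF
}

# Read tcpdump text lines on stdin and print the client endpoint of every flow
# in which the server (identified by $1 as its port) sent a RST after the
# handshake completed but before it sent any payload. State per client:
# 1 = SYN seen, 2 = SYN-ACK seen, 3 = handshake done, 4 = reported, 5 = data ok.
rst_after_handshake() {
    awk -v port="$1" '
    {
        src = $3; dst = $5; sub(/:$/, "", dst)
        f = $7; sub(/,$/, "", f)            # e.g. "[S.]," -> "[S.]"
        len = $NF + 0                       # trailing "length N"
        if (dst ~ ("\\." port "$"))      { key = src; from_server = 0 }
        else if (src ~ ("\\." port "$")) { key = dst; from_server = 1 }
        else next
        if (!from_server && f == "[S]")                        state[key] = 1
        else if (from_server && f == "[S.]" && state[key] == 1) state[key] = 2
        else if (!from_server && state[key] == 2 && index(f, ".")) state[key] = 3
        else if (from_server && state[key] == 3) {
            if (index(f, "R")) { print key; state[key] = 4 }
            else if (len > 0)  state[key] = 5
        }
    }'
}

# Sample capture, abbreviated from the post: flow .49210 (SYNPROXY on) gets a
# RST after the handshake; flow .53169 (SYNPROXY off) receives server data.
sample_capture() {
    cat <<'EOF'
13:47:59.478585 IP 192.168.0.1.49210 > 192.168.0.20.443: Flags [S], seq 3891662468, win 14600, options [mss 1460,sackOK,TS val 603479375 ecr 0,nop,wscale 7], length 0
13:47:59.478607 IP 192.168.0.20.443 > 192.168.0.1.49210: Flags [S.], seq 3361123086, ack 3891662469, win 0, options [mss 1460,sackOK,TS val 1137639895 ecr 603479375,nop,wscale 7], length 0
13:47:59.478728 IP 192.168.0.1.49210 > 192.168.0.20.443: Flags [.], ack 1, win 115, options [nop,nop,TS val 603479376 ecr 1137639895], length 0
13:47:59.478890 IP 192.168.0.20.443 > 192.168.0.1.49210: Flags [.], ack 1, win 127, options [nop,nop,TS val 1137639895 ecr 603479376], length 0
13:47:59.478985 IP 192.168.0.20.443 > 192.168.0.1.49210: Flags [R], seq 3361123087, win 0, length 0
15:03:40.157064 IP 192.168.0.1.53169 > 192.168.0.20.443: Flags [S], seq 2940370351, win 14600, options [mss 1460,sackOK,TS val 604614515 ecr 0,nop,wscale 7], length 0
15:03:40.157200 IP 192.168.0.20.443 > 192.168.0.1.53169: Flags [S.], seq 3175370053, ack 2940370352, win 65535, options [mss 1460,nop,wscale 9,sackOK,TS val 317544961 ecr 604614515], length 0
15:03:40.157326 IP 192.168.0.1.53169 > 192.168.0.20.443: Flags [.], ack 1, win 115, options [nop,nop,TS val 604614515 ecr 317544961], length 0
15:03:40.157626 IP 192.168.0.1.53169 > 192.168.0.20.443: Flags [P.], seq 1:63, ack 1, win 115, options [nop,nop,TS val 604614515 ecr 317544961], length 62
15:03:40.158336 IP 192.168.0.20.443 > 192.168.0.1.53169: Flags [P.], seq 1:1093, ack 63, win 130, options [nop,nop,TS val 317544961 ecr 604614515], length 1092
EOF
}

# Stand-alone run: show the generated rules and sysctls, then the flows that
# reset after the handshake in the sample (expected: 192.168.0.1.49210).
echo "# rules:";   synproxy_rules enp12s0f0 443
echo "# sysctls:"; synproxy_sysctls
echo "# flows reset right after handshake:"
sample_capture | rst_after_handshake 443
```

To use the checker on a live trace, feed it the output of tcpdump -n on the firewall's interface (for example `tcpdump -nn -i enp12s0f0 tcp port 443 | rst_after_handshake 443`); a flow printed here is one where the proxied handshake completed but the server tore the connection down before speaking, which is the exact pattern in the first capture above and the thing to correlate with conntrack state on the firewall.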