I have a configuration, so:
/------------\ .0.2     .{0,1}.1 /----------\ 1.2.3.4 (          )
| Web server |-----+-------------| firewall |---------( Internet )
\------------/     |        eth0 | Squid    | eth1     (          )
                   |             \----------/
/---------\ .1.2   |
| browser |--------/
\---------/

- The 192.168.{0,1}. subnets run on the same wire.
- Port 80 on the public i/f is DNATed to the internal Web server.
The firewall is running Squid to proxy for 192.168.1. clients, and it works fine *except* when the target server resolves to a public IP on eth1. When that happens, I see the client-to-Squid communication go OK, then Squid sends a SYN (from .0.1) to .0.2:80, .0.2 sends a SYN ACK, ... but then netfilter spontaneously issues a RST to .0.2:80 from another port (i.e., not the one that Squid was using)! I have no reject-with-tcp-reset lines in my tables.
What up?
Squid really doesn't belong on a firewall, but I'm curious to resolve this mystery first.
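As an added example (not part of the original post, and not the poster's own tooling): a small Python script that parses `tcpdump -n` style output and flags any RST whose source port took part in no SYN seen earlier in the capture, which is exactly the symptom described above. The capture lines are constructed to mirror the post's scenario; the Squid listener port 3128 and the client ports are assumptions.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed tcpdump-style capture (not from the original post). It models
# the symptom described: a browser (.1.2) talks to Squid (.0.1:3128, an
# assumed listener port), Squid opens a connection to the web server
# (.0.2:80) from source port 40123, the server answers SYN-ACK, and then a
# RST toward .0.2:80 shows up from source port 51111, which never sent a SYN.
SAMPLE_CAPTURE = """\
12:00:00.000100 IP 192.168.1.2.50500 > 192.168.0.1.3128: Flags [S], seq 100, win 29200, length 0
12:00:00.000200 IP 192.168.0.1.3128 > 192.168.1.2.50500: Flags [S.], seq 500, ack 101, win 28960, length 0
12:00:00.000300 IP 192.168.1.2.50500 > 192.168.0.1.3128: Flags [.], ack 1, win 229, length 0
12:00:00.001000 IP 192.168.0.1.40123 > 192.168.0.2.80: Flags [S], seq 1000, win 29200, length 0
12:00:00.001250 IP 192.168.0.2.80 > 192.168.0.1.40123: Flags [S.], seq 2000, ack 1001, win 28960, length 0
12:00:00.001400 IP 192.168.0.1.51111 > 192.168.0.2.80: Flags [R], seq 0, win 0, length 0
"""

# Matches the leading part of a tcpdump -n TCP line: timestamp, endpoints, flags.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

Endpoint = Tuple[str, int]


def parse_capture(text: str) -> List[dict]:
    """Return one record per TCP line tcpdump printed; non-matching lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        records.append({
            "ts": m.group("ts"),
            "src": (m.group("src"), int(m.group("sport"))),
            "dst": (m.group("dst"), int(m.group("dport"))),
            "flags": m.group("flags"),
        })
    return records


def find_stray_resets(text: str) -> List[dict]:
    """Flag RST segments whose 4-tuple matches no SYN seen earlier in the capture.

    A RST that belongs to a connection we watched being opened is normal
    (either side may abort). One sent from a port that never took part in a
    handshake is the "spontaneous" RST the post describes.
    """
    # (client_ip, server_ip, server_port) -> client source ports that sent a SYN
    syn_clients: Dict[Tuple[str, str, int], Set[int]] = {}
    strays = []
    for rec in parse_capture(text):
        (src_ip, sport), (dst_ip, dport) = rec["src"], rec["dst"]
        flags = rec["flags"]
        if "S" in flags and "." not in flags:  # plain SYN: a connection attempt
            syn_clients.setdefault((src_ip, dst_ip, dport), set()).add(sport)
            continue
        if "R" not in flags:
            continue
        # A RST is accounted for if it rides on a known client->server tuple in
        # either direction: the client aborting, or the server refusing.
        as_client = sport in syn_clients.get((src_ip, dst_ip, dport), set())
        as_server = dport in syn_clients.get((dst_ip, src_ip, sport), set())
        if as_client or as_server:
            continue
        strays.append({
            "ts": rec["ts"],
            "from": (src_ip, sport),
            "to": (dst_ip, dport),
            # Ports that did open a connection to the same server socket, so the
            # report shows which handshake the RST failed to match.
            "known_client_ports": sorted(syn_clients.get((src_ip, dst_ip, dport), set())),
        })
    return strays


if __name__ == "__main__":
    for s in find_stray_resets(SAMPLE_CAPTURE):
        print(f"{s['ts']} stray RST {s['from'][0]}:{s['from'][1]} -> "
              f"{s['to'][0]}:{s['to'][1]}; handshake ports seen: {s['known_client_ports']}")
```

To run it against a live box, feed it the output of `tcpdump -n -i eth0 tcp` (the `-n` matters: the regex expects numeric addresses and ports, not resolved names). Seeing the stray RST's source port next to the port Squid actually used confirms that the reset is not coming from Squid's socket, which is the first thing to establish before looking at the NAT and conntrack state for the DNATed port 80.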