TCP simultaneous open using iptables NAT?

Hello all,

For my research project in school, I am trying to establish TCP
connections when both hosts are behind full-cone NATs using TCP's
simultaneous open functionality. Unfortunately, it seems that iptables
does not support TCP simultaneous open. For my test environment, I
simulate a full-cone NAT using iptables. My iptables rule is exactly
as follows:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Of course, here my eth0 is the interface connected to the internet.
Everything else is set to accept; there is no filtering or anything.
In fact, I run iptables --flush before adding the above rule.

Using Wireshark, the behavior I observe on both the iptables NAT boxes
is that both of them send out/see a SYN coming from their NATted host
before they receive a SYN from the other host. Unfortunately, both
NATs respond with TCP RSTs to this incoming SYN (note that the
incoming SYN corresponds to the exact same connection, i.e. port,
endpoint tuple, as the outgoing SYN). The idea behind simultaneous
open is that there are two SYNs in-flight at the same time and they
cross in the network. According to the TCP spec, this should result in
two TCP SYN-ACKs - one from either host - resulting in a four-way
handshake as opposed to the usual three-way handshake. Instead of
responding with RSTs, both NATs should let the incoming SYNs go
through if they were to support simultaneous open (and because the
port mapping should already have been created by the outgoing SYN).

I have well-tested code running on the client machines behind the NATs
that tries to do a simultaneous open. To do so, I basically call connect
in a tight loop on both the connecting machines. There is a rendezvous
server which tells both NATted hosts their corresponding public
endpoints (IP address, port) so that they can connect.

According to the BEHAVE requirements outlined in IETF RFC 5382, TCP
simultaneous open must be supported by "well behaved NATs". So is
there a mistake in my rules or does iptables not support simultaneous
open?

Apologies for the long description, particularly if you are familiar
with simultaneous open. I couldn't find any discussion regarding this
on the list. Please let me know if something is not clear.

Thank you,
Saatvik Agarwal
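The exchange described in the post, as an added model that is not code from the poster or from netfilter: two endpoint-independent (full-cone) NATs, a rendezvous step that creates each host's mapping, and two SYNs that cross in the network. All addresses and ports are constructed; the `allow_simultaneous_open` switch contrasts the RFC 5382 behaviour (inbound SYN translated to the private host because the outgoing SYN already created the mapping) with the RST behaviour reported above.

```python
from dataclasses import dataclass, field


@dataclass
class FullConeNat:
    """Endpoint-independent mapping and filtering, as RFC 5382 asks of a NAT."""
    public_ip: str
    allow_simultaneous_open: bool = True   # False mimics the RST behaviour seen in the post
    mappings: dict = field(default_factory=dict)   # (priv_ip, priv_port) -> public port
    syn_sent: set = field(default_factory=set)     # (priv_src, public_dst) awaiting SYN-ACK
    next_port: int = 40000                         # constructed starting port

    def outbound_syn(self, priv_src, dst):
        """Translate a SYN leaving the private side, creating the mapping on first use."""
        if priv_src not in self.mappings:
            self.mappings[priv_src] = self.next_port
            self.next_port += 1
        self.syn_sent.add((priv_src, dst))
        return (self.public_ip, self.mappings[priv_src]), dst

    def inbound_syn(self, src, dst):
        """Handle a SYN arriving from the internet; returns the DNATed (src, dst) or a verdict."""
        if dst[0] != self.public_ip:
            return "DROP"
        priv = next((p for p, port in self.mappings.items() if port == dst[1]), None)
        if priv is None:
            return "DROP"          # no mapping yet: unsolicited inbound SYN is filtered
        if (priv, src) in self.syn_sent and not self.allow_simultaneous_open:
            return "RST"           # crossing SYN rejected: the behaviour the post reports
        return src, priv           # mapping exists: forward the SYN to the private host


def simultaneous_open(nat_a, nat_b, host_a=("10.0.0.2", 5000),
                      host_b=("10.1.0.2", 5000), rendezvous=("198.51.100.1", 9000)):
    """Both hosts register with the rendezvous server, learn each other's public
    endpoint, then connect to it at the same time so the two SYNs cross."""
    pub_a, _ = nat_a.outbound_syn(host_a, rendezvous)   # mapping created here
    pub_b, _ = nat_b.outbound_syn(host_b, rendezvous)
    # Same private endpoint, so a full-cone NAT reuses the same public mapping.
    syn_a = nat_a.outbound_syn(host_a, pub_b)            # leaves before syn_b arrives
    syn_b = nat_b.outbound_syn(host_b, pub_a)
    return {"at_nat_a": nat_a.inbound_syn(*syn_b), "at_nat_b": nat_b.inbound_syn(*syn_a)}
```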