Hi,

Just tried SNAT - I see the same behavior unfortunately. Any other
suggestions/comments?

Thanks,
Saatvik

On 5/27/09, George B. <georgeb@xxxxxxxxx> wrote:
> Masquerade won't support incoming connections. An inbound syn will
> always be rejected unless it is associated with the outbound
> connection. Try SNAT instead of MASQUERADE and be sure to allow
> inbound traffic.
>
> On Wed, May 27, 2009 at 3:06 PM, Saatvik Agarwal
> <saatvik.agarwal@xxxxxxxxxxxx> wrote:
> > Hello all,
> >
> > For my research project in school, I am trying to establish TCP
> > connections when both hosts are behind full-cone NATs using TCP's
> > simultaneous open functionality. Unfortunately, it seems that iptables
> > does not support TCP simultaneous open. For my test environment, I
> > simulate a full-cone NAT using iptables. My iptables rule is exactly
> > as follows:
> >
> >     iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> >
> > Of course, here my eth0 is the interface connected to the internet.
> > Everything else is set to accept; there is no filtering or anything.
> > In fact, I run iptables --flush before adding the above rule.
> >
> > Using wireshark, the behavior I observe on both the iptables NAT boxes
> > is that both of them send out/see a SYN coming from their NATted host
> > before they receive a SYN from the other host. Unfortunately, both
> > NATs respond with TCP RSTs to this incoming SYN (note that the
> > incoming SYN corresponds to the exact same connection, i.e. port,
> > endpoint tuple, as the outgoing SYN). The idea behind simultaneous
> > open is that there are two SYNs in-flight at the same time and they
> > cross in the network. According to the TCP spec, this should result in
> > two TCP SYN-ACKs - one from either host - resulting in a four-way
> > handshake as opposed to the usual three-way handshake. Instead of
> > responding with RSTs, both NATs should let the incoming SYNs go
> > through if they were to support simultaneous open (and because the
> > port mapping should already have been created by the outgoing SYN).
> >
> > I have well-tested code running on the client machines behind the NATs
> > that try to do a simultaneous open. To do so, I basically call connect
> > in a tight loop on both the connecting machines. There is a rendezvous
> > server which tells both NATted hosts their corresponding public
> > endpoints (IP address, port) so that they can connect.
> >
> > According to the BEHAVE requirements outlined in IETF RFC 5382, TCP
> > simultaneous open must be supported by "well behaved NATs". So is
> > there a mistake in my rules or does iptables not support simultaneous
> > open?
> >
> > Apologies for the long description, particularly if you are familiar
> > with simultaneous open. I couldn't find any discussion regarding this
> > on the list. Please let me know if something is not clear.
> >
> > Thank you,
> > Saatvik Agarwal
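The symptom described in the thread (crossing SYNs on the same 4-tuple answered by an RST from the NAT box, instead of the two SYN-ACKs of a four-way handshake) is easy to spot in a capture once the flows are grouped. The following is an added example, not code from the thread or from netfilter: a small classifier over tcpdump-style lines captured on the NAT's public interface. The capture text, the addresses (192.0.2.1 as the NAT's public address, 203.0.113.9 as the peer) and the "time src > dst flags" line format are constructed for the example.

```python
from collections import defaultdict

# Constructed sample of what the NAT box sees on its public interface.
# Flow 1 is the failure from the thread; flow 2 a normal three-way
# handshake; flow 3 a simultaneous open that actually succeeded.
SAMPLE = """\
0.000 192.0.2.1:5000 > 203.0.113.9:6000 S    # our NATted host's SYN
0.001 203.0.113.9:6000 > 192.0.2.1:5000 S    # peer's SYN crosses it
0.001 192.0.2.1:5000 > 203.0.113.9:6000 R    # NAT rejects with RST
0.500 192.0.2.1:7000 > 198.51.100.7:80 S
0.520 198.51.100.7:80 > 192.0.2.1:7000 SA
0.521 192.0.2.1:7000 > 198.51.100.7:80 A
1.000 192.0.2.1:8000 > 203.0.113.9:9000 S
1.002 203.0.113.9:9000 > 192.0.2.1:8000 S
1.003 192.0.2.1:8000 > 203.0.113.9:9000 SA   # two SYN-ACKs: four-way
1.003 203.0.113.9:9000 > 192.0.2.1:8000 SA
"""

def parse_capture(text):
    """Turn 'time src > dst flags' lines into (ts, src, dst, flags) tuples."""
    packets = []
    for line in text.splitlines():
        line = line.split("#")[0].strip()   # drop trailing comments
        if not line:
            continue
        ts, src, _arrow, dst, flags = line.split()
        packets.append((float(ts), src, dst, flags))
    return packets

def flow_key(src, dst):
    """Direction-independent key so both SYNs of a crossing land together."""
    return tuple(sorted((src, dst)))

def classify_flows(packets):
    """Label each flow by how its handshake ended (capture order is kept)."""
    flows = defaultdict(list)
    for _ts, src, dst, flags in packets:
        flows[flow_key(src, dst)].append((src, dst, flags))
    verdicts = {}
    for key, pkts in flows.items():
        syn_dirs, verdict = set(), "incomplete"
        for src, dst, flags in pkts:
            if flags == "S":
                syn_dirs.add((src, dst))      # one entry per SYN direction
            elif flags == "SA":               # handshake progressed
                verdict = "simultaneous-open" if len(syn_dirs) == 2 else "three-way"
                break
            elif flags == "R":                # handshake torn down
                verdict = "simultaneous-open-rejected" if len(syn_dirs) == 2 else "refused"
                break
        verdicts[key] = verdict
    return verdicts
```

A "simultaneous-open-rejected" verdict on a flow whose outbound SYN left the NAT first is exactly the RFC 5382 non-compliance the thread describes; a "simultaneous-open" verdict means the NAT let the crossing SYN through.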