On Wed, 27 May 2009, Saatvik Agarwal wrote:

> For my research project in school, I am trying to establish TCP
> connections when both hosts are behind full-cone NATs using TCP's
> simultaneous open functionality. Unfortunately, it seems that iptables
> does not support TCP simultaneous open. For my test environment, I
> simulate a full-cone NAT using iptables. My iptables rule is exactly
> as follows:
>
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
> Of course, here my eth0 is the interface connected to the internet.
> Everything else is set to accept; there is no filtering or anything.
> In fact, I run iptables --flush before adding the above rule.
>
> Using wireshark, the behavior I observe on both the iptables NAT boxes
> is that both of them send out/see a SYN coming from their NATted host
> before they receive a SYN from the other host. Unfortunately, both
> NATs respond with TCP RSTs to this incoming SYN (note that the
> incoming SYN corresponds to the exact same connection, i.e. port,
> endpoint tuple, as the outgoing SYN).

Netfilter conntrack/NAT does *not* generate any kind of packet. If you see
RST segments, those are then sent by the receiver of the SYN packet because
there's no open socket yet.

You can successfully build up simultaneous open connections only if you use
good timings: both hosts send the initial SYNs *before* the SYN from the
other side is delivered to them. Or, intentionally ignore (drop) the RST
segments.

Adding TCP simultaneous open support to netfilter conntrack is not hard but
needs more testing before release.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
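The timing point in the reply, as an added example that is not part of the thread or of netfilter: a small model of the TCP handshake states from RFC 793 (including the simultaneous-open path) for two endpoints A and B, with a scripted delivery order. A peer with no socket for the incoming SYN answers RST, exactly as the reply describes; the model then shows that crossed SYNs complete the handshake, that a late second SYN ends with both sides reset, and that discarding the RST segments (standing in for a firewall rule that drops them; the rule itself is not shown) lets the late case complete anyway. The peer names, the segment labels and the `simulate` script format are constructed for this example.

```python
# Added example (not from the thread): a model of the TCP handshake plus
# simultaneous open (RFC 793, section 3.4), used to show why the delivery
# order of the two SYNs decides between ESTABLISHED and RST, and why
# dropping the RST segments rescues the late case.
from collections import deque

CLOSED, SYN_SENT, SYN_RECEIVED, ESTABLISHED, RESET = (
    "CLOSED", "SYN_SENT", "SYN_RECEIVED", "ESTABLISHED", "RESET")


class Peer:
    """One endpoint, tracking only handshake state and queued segments."""

    def __init__(self, name):
        self.name = name
        self.state = CLOSED
        self.outbox = deque()   # segments waiting to be put on the wire
        self.log = []           # (state after, segment in, segment out)

    def connect(self):
        """Active open: send SYN and enter SYN_SENT."""
        self.state = SYN_SENT
        self.outbox.append("SYN")

    def receive(self, seg):
        out = None
        if seg == "RST":
            # RST while connecting: connect() fails (ECONNREFUSED).
            if self.state not in (CLOSED, RESET):
                self.state = RESET
        elif self.state in (CLOSED, RESET):
            # No socket for this 4-tuple (yet, or any more): answer RST.
            out = "RST"
        elif self.state == SYN_SENT:
            if seg == "SYN":            # crossed SYNs: simultaneous open
                self.state = SYN_RECEIVED
                out = "SYN-ACK"
            elif seg == "SYN-ACK":      # the other side answered our SYN
                self.state = ESTABLISHED
                out = "ACK"
        elif self.state == SYN_RECEIVED:
            if seg in ("SYN-ACK", "ACK"):   # our SYN is now acknowledged
                self.state = ESTABLISHED
        if out:
            self.outbox.append(out)
        self.log.append((self.state, seg, out))


def deliver(a, b, drop_rst=False):
    """Exchange everything currently in flight between a and b.

    Both outboxes are snapshotted first, so segments queued by one side
    during this round are not seen by the other until the next round;
    that is what lets two SYNs cross on the wire. drop_rst=True stands in
    for a firewall rule that discards RST segments before they arrive.
    """
    a_to_b, b_to_a = list(a.outbox), list(b.outbox)
    a.outbox.clear()
    b.outbox.clear()
    for seg in a_to_b:
        if not (drop_rst and seg == "RST"):
            b.receive(seg)
    for seg in b_to_a:
        if not (drop_rst and seg == "RST"):
            a.receive(seg)


def simulate(script, drop_rst=False):
    """Run 'connect A' / 'connect B' / 'deliver' steps, then drain the wire.

    Returns the final (state of A, state of B).
    """
    peers = {"A": Peer("A"), "B": Peer("B")}
    for step in script:
        if step == "deliver":
            deliver(peers["A"], peers["B"], drop_rst)
        else:
            peers[step.split()[1]].connect()
    while peers["A"].outbox or peers["B"].outbox:
        deliver(peers["A"], peers["B"], drop_rst)
    return peers["A"].state, peers["B"].state


# Good timing: both SYNs are sent before either one is delivered.
GOOD = ["connect A", "connect B", "deliver"]
# Bad timing: A's SYN reaches B before B has called connect().
LATE = ["connect A", "deliver", "connect B", "deliver"]

if __name__ == "__main__":
    print("crossed SYNs:         ", simulate(GOOD))
    print("late second SYN:      ", simulate(LATE))
    print("late SYN, RST dropped:", simulate(LATE, drop_rst=True))
```

In the late case the trace is the one the original poster captured: the first SYN meets a port with no socket, a RST comes back, and once B's own SYN goes out it is answered with a RST in turn, so both connect() calls fail. Dropping RSTs leaves A sitting in SYN_SENT until B's SYN arrives, at which point the exchange continues as a normal simultaneous open.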