Re: TCP simultaneous open using iptables NAT?

Reply inline.

On 5/30/09, Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx> wrote:
> [Back to your original mail.]
>
>
> On Wed, 27 May 2009, Saatvik Agarwal wrote:
>
> > For my research project in school, I am trying to establish TCP
> > connections when both hosts are behind full-cone NATs using TCP's
> > simultaneous open functionality. Unfortunately, it seems that iptables
> > does not support TCP simultaneous open. For my test environment, I
> > simulate a full-cone NAT using iptables. My iptables rule is exactly
> > as follows:
> >
> > iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> >
> > Of course, here my eth0 is the interface connected to the internet.
> > Everything else is set to accept; there is no filtering or anything.
> > In fact, I run iptables --flush before adding the above rule.
> >
> > Using wireshark, the behavior I observe on both the iptables NAT boxes
> > is that both of them send out/see a SYN coming from their NATted host
> > before they receive a SYN from the other host. Unfortunately, both
> > NATs respond with TCP RSTs to this incoming SYN (note that the
> > incoming SYN corresponds to the exact same connection, i.e. port,
> > endpoint tuple, as the outgoing SYN).
>
> Netfilter conntrack/NAT does *not* generate any kind of packet. If you see
> RST segments, those are then sent by the receiver of the SYN packet
> because there's no open socket yet.

Yes, sorry I realized later that it is probably the host machine's TCP
stack generating that RST packet.

>
> You can successfully build up simultaneous open connections only if you
> use good timings: both hosts send the initial SYNs *before* the SYN from
> the other side is delivered to them. Or, intentionally ignore (drop) the
> RST segments.

Yes, using wireshark, I am seeing exactly this behavior on both the
NAT boxes. The outgoing SYN is seen before the incoming SYN.

Thanks for all your help once again. Your replies have been very enlightening.

Best,
Saatvik

> Adding TCP simultaneous open support to netfilter conntrack is not hard
> but needs more testing before release.
>
> Best regards,
> Jozsef
> -
> E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
> PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
> Address : KFKI Research Institute for Particle and Nuclear Physics
>           H-1525 Budapest 114, POB. 49, Hungary
>
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
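The timing argument in the thread above (a SYN that reaches a port with no socket in SYN_SENT or LISTEN is answered with a RST by the host's stack, two SYNs that cross in flight complete a simultaneous open, and dropping the RSTs rescues the late case) as an added Python model. This is an illustration written for this page, not code from the thread or from netfilter; it reduces segments to their flags, ignores sequence numbers and the NAT boxes themselves, and the `run` helper with its "A", "B", "deliver" step ordering is constructed for the example.

```python
"""RFC 793 connection setup reduced to the states and flags that decide
whether a simultaneous open succeeds.  A port that is bound but not yet
connecting or listening behaves like CLOSED: the stack owns no socket for
the incoming SYN and answers it with a RST (constructed model, simplified)."""
from collections import deque

CLOSED, SYN_SENT, SYN_RECEIVED, ESTABLISHED, RESET = (
    "CLOSED", "SYN_SENT", "SYN_RECEIVED", "ESTABLISHED", "RESET")


class Network:
    """In-flight segments between two endpoints, delivered in FIFO order.
    drop_rst models a firewall rule that silently discards incoming RSTs."""

    def __init__(self, a, b, drop_rst=False):
        self.peers = {a.name: b, b.name: a}
        self.queue = deque()
        self.drop_rst = drop_rst
        self.trace = []

    def send(self, src, seg):
        self.queue.append((src, seg))

    def deliver_all(self):
        while self.queue:
            src, seg = self.queue.popleft()
            dst = self.peers[src]
            if seg == "RST" and self.drop_rst:
                self.trace.append(f"{src} -> {dst.name}: {seg} (dropped)")
                continue
            self.trace.append(f"{src} -> {dst.name}: {seg}")
            dst.receive(seg, self)


class Endpoint:
    def __init__(self, name):
        self.name = name
        self.state = CLOSED

    def active_open(self, net):
        """connect(): enter SYN_SENT and put our SYN on the wire."""
        self.state = SYN_SENT
        net.send(self.name, "SYN")

    def receive(self, seg, net):
        if seg == "RST":
            if self.state not in (CLOSED, RESET):
                self.state = RESET          # connection attempt aborted
        elif self.state in (CLOSED, RESET):
            net.send(self.name, "RST")      # no socket for this 4-tuple
        elif self.state == SYN_SENT and seg == "SYN":
            self.state = SYN_RECEIVED       # the peer's SYN crossed ours
            net.send(self.name, "SYN-ACK")
        elif self.state == SYN_SENT and seg == "SYN-ACK":
            self.state = ESTABLISHED        # ordinary three-way handshake
            net.send(self.name, "ACK")
        elif self.state == SYN_RECEIVED and seg in ("SYN-ACK", "ACK"):
            self.state = ESTABLISHED        # our SYN has been acknowledged
        # anything else is ignored in this reduced model


def run(order, drop_rst=False):
    """order: steps 'A' or 'B' (that side calls connect) or 'deliver'
    (the network delivers everything queued so far).  Returns the final
    state of A, the final state of B, and the segment trace."""
    a, b = Endpoint("A"), Endpoint("B")
    net = Network(a, b, drop_rst=drop_rst)
    sides = {"A": a, "B": b}
    for step in order:
        if step == "deliver":
            net.deliver_all()
        else:
            sides[step].active_open(net)
    net.deliver_all()
    return a.state, b.state, net.trace


if __name__ == "__main__":
    scenarios = [
        ("A's SYN arrives before B connects", ["A", "deliver", "B"], False),
        ("both SYNs sent before either is delivered", ["A", "B"], False),
        ("late SYN, but RSTs are dropped", ["A", "deliver", "B"], True),
    ]
    for title, order, drop in scenarios:
        sa, sb, trace = run(order, drop_rst=drop)
        print(f"{title}: A={sa} B={sb}")
        for line in trace:
            print("   ", line)
```

The first scenario reproduces what Saatvik saw in Wireshark: the early SYN meets a CLOSED port, the RST comes from that host's stack, and by the time the second side connects the first attempt is already dead. The second scenario is Jozsef's "good timing" case, and the third is his alternative of dropping the RST segments, which leaves the early side in SYN_SENT long enough for the late SYN to be met with a SYN-ACK.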