Now I am confused. The behavior I am seeing is that despite the timing being correct, simultaneous open does not function as intended: A's SYN reaches B's NAT *after* B's SYN has left B's NAT and the same is true of B - B's SYN reaches A's NAT *after* A's SYN has left A's NAT. This is the correct case for simultaneous open. What I was originally saying was that this does not work if one does iptables SNAT without DNAT (of course, with a full-cone NAT it works; you don't even have to do a simultaneous open). My program basically does a SYN flood (though it waits for RSTs before sending out more SYNs) from both sides with the hope that one of these will cross in the network and create the appropriate timing conditions for a simultaneous open, i.e., what you mentioned below. From my testing, even with very small round trip times of less than 1 ms, one can generate numerous instances of simultaneous open. Note that this is with single layer NATting. With multi-level NAT, simultaneous open might be more difficult. Section 2.3 on this page - http://nutss.gforge.cis.cornell.edu/pub/imc05-tcpnat/ - sort of describes the approach I am using. Furthermore, the same authors concluded that about 85% of NATs in the wild actually do support simultaneous open. So things may not be as bleak. Best, Saatvik On 5/30/09, Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx> wrote: > On Sat, 30 May 2009, Christoph Paasch wrote: > > > > Hmm, I don't understand... > > > > As both hosts are NATed, this would mean that the NAT would allow the SYN to > > pass (coming from the "Internet" going to the LAN). > > > > But this is not possible, as no state has been created on this one of the two > > NATs (the host hasn't sent out a SYN yet). > > > > Can you explain me, what I'm missing here? > > > The intended packet flow is as follows: > > Time/action Host A NAT A NAT B Host B > Send SYN A SYN -> <- B SYN > SYN NATed A SYN -> <- B SYN > Cross other fw <- B SYN A SYN -> > SYN arrives B SYN A SYN > Reply A SYN/ACK-> <- B SYN/ACK > ... > > When the SYNs arrive to the other firewall, it's already opened up from > inside. Of course both communicating party must know in advance the mapped > IP address and source port of the other side. > > Because RST packets were generated by the hosts, it means the timing was > not appropriate and A SYN reached B before it had sent its SYN. But it > means we have to assume DNAT/REDIRECT rules was set up as well, otherwise > B NAT would not let pass the SYN from A to B. > > But this is assumption because we do not know the full details of the > settings. > > > Best regards, > Jozsef > - > E-mail : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx > PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt > Address : KFKI Research Institute for Particle and Nuclear Physics > H-1525 Budapest 114, POB. 49, Hungary > -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
