SYNPROXY target issue with TCP reset sent from server after initial syn

Dear all,

I'm attempting to set up a scenario where a router connects two networks (A and B) and uses SYNPROXY when new TCP connections are initiated in the A-to-B direction.
My server is located in network B and the remote client in network A. Both hosts use this router as the default gateway for their traffic.

I have followed the available instructions for setting up SYNPROXY and it seems to work very straightforwardly. I am using the SYNPROXY rule in the filter FORWARD chain.

If the server-B is running in my network-B, client-A can connect perfectly to it and the connection is relayed by the SYNPROXY in the router, back and forth. However, and this is the reason why I am contacting the mailing list, SYNPROXY seems to fail if a TCP RST,ACK is sent by the server-B when the server process is not running. The TCP RST,ACK does not seem to be mangled by the SYNPROXY as it answered with TCP SEQ 0x00 and contains no TCP header options.

After checking the code, I think I may have traced the issue back to the file ipt_SYNPROXY.c (line 360), in the function ipv4_synproxy_hook():

	case TCP_CONNTRACK_SYN_SENT:
		if (!synproxy_parse_options(skb, thoff, th, &opts))
			return NF_DROP;

Would you please clarify whether the current behavior is the intended one or this is some kind of bug?

Thank you!
Jesus Llorente
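As an added illustration of the relay the message describes (example code written here, not the netfilter SYNPROXY implementation and not from the original post): a simplified model of the two half-handshakes, the sequence-number translation that makes the relay transparent once the server's ISN is known, and the closed-port case where the server answers the proxied SYN with an RST,ACK at SEQ 0 before any translation delta exists. The ISN values, window size and option set are constructed; syncookie generation and timestamp handling are omitted.

```python
from dataclasses import dataclass

MASK = 0xFFFFFFFF  # 32-bit TCP sequence space

@dataclass
class Seg:
    flags: str            # "S", "SA", "A", "RA" (RST,ACK)
    seq: int
    ack: int
    opts: tuple = ()      # TCP options carried, e.g. ("mss", "wscale")

OPTS = ("mss", "sack", "wscale")  # constructed option set

def synproxy_relay(client_isn, proxy_isn, server_isn):
    """Model the two half-handshakes. server_isn=None means nothing is
    listening and the server answers the proxied SYN with RST,ACK.
    Returns (client_side, server_side, delta); delta is None when no
    server ISN was ever learned, so there is nothing to translate."""
    client_side = [Seg("S", client_isn, 0, OPTS)]
    # Proxy answers from a cookie-derived ISN without contacting the server.
    client_side.append(Seg("SA", proxy_isn, (client_isn + 1) & MASK, OPTS))
    client_side.append(Seg("A", (client_isn + 1) & MASK, (proxy_isn + 1) & MASK))
    # Cookie validated: proxy opens the real connection reusing the client ISN.
    server_side = [Seg("S", client_isn, 0, OPTS)]
    if server_isn is None:
        # Closed port: RST,ACK with SEQ=0, ACK=client_isn+1 and no options.
        server_side.append(Seg("RA", 0, (client_isn + 1) & MASK))
        return client_side, server_side, None
    server_side.append(Seg("SA", server_isn, (client_isn + 1) & MASK, OPTS))
    server_side.append(Seg("A", (client_isn + 1) & MASK, (server_isn + 1) & MASK))
    return client_side, server_side, (server_isn - proxy_isn) & MASK

def to_client(seg, delta):
    """Server->client segment: rebase SEQ from server ISN space to proxy ISN space."""
    return Seg(seg.flags, (seg.seq - delta) & MASK, seg.ack, seg.opts)

def to_server(seg, delta):
    """Client->server segment: rebase ACK from proxy ISN space to server ISN space."""
    return Seg(seg.flags, seg.seq, (seg.ack + delta) & MASK, seg.opts)

def rst_in_client_window(rst, proxy_isn, window=65535):
    """RFC 793 check an ESTABLISHED client applies: a RST is honoured only
    if its SEQ falls inside the receive window starting at proxy_isn+1."""
    rcv_nxt = (proxy_isn + 1) & MASK
    return ((rst.seq - rcv_nxt) & MASK) < window
```

rst_in_client_window reports whether a RST forwarded without any rebasing would pass the window check of a client that completed its handshake against proxy_isn.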