On 03.07.20 at 13:54, Aleksander Morgado wrote:
> I'm trying to debug an issue found on an old Ubuntu 14.04 system running
> kernel 3.13.0-53 with iptables v1.4.21. The system acts as a router
> providing access to the Internet to several subnets, with the usual NAT rules:
>
> $ sudo iptables -t nat -S
> -P PREROUTING ACCEPT
> -P INPUT ACCEPT
> -P OUTPUT ACCEPT
> -P POSTROUTING ACCEPT
> -A POSTROUTING -o eth0 -j MASQUERADE
>
> The FORWARD chain rules in the main table look like this:
> $ sudo iptables -S
> ...
> -P FORWARD ACCEPT
> -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>
> The problem I am seeing is that TCP retransmissions originated in the subnet
> clients end up WITHOUT the IP masquerading applied, i.e. the original client
> IP of the subnet is found in the IP packets instead of the IP address of the
> outgoing interface in the router. I saw this issue in a system in production,
> and I attempted to reproduce the problem with some iptables DROP rules that
> trigger it

I would guess that it ended up as "ctstate INVALID" because the network layer
on the firewall machine saw no reason that this retransmit happened at all.
Out-of-order packets are typically INVALID, and NAT only applies to NEW.

It could be a bug, but also that the retransmit was not needed at all because
the ACK came back and there was a race between retransmit and ACK.
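The point made in the reply is the one a router operator needs to act on: the nat table is only consulted for the first packet of a connection (state NEW), so a segment that conntrack classifies as INVALID never gets a NAT mapping and is forwarded with its private source address intact. The usual defence is to drop INVALID packets in FORWARD before anything else, and to log them first so that legitimate retransmits being misclassified can be spotted. The script below is an added example, not code from the thread or from either poster. It assumes the iptables 1.4.x syntax, chain and interface names shown in the quoted post; the sample `iptables -S` listings inside it are constructed, and `forward_drops_invalid` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: iptables 1.4.x rule syntax
# as quoted in the post; chain and interface names (FORWARD, POSTROUTING, eth0)
# are the ones from the quoted configuration.

# Constructed sample modelled on the quoted `iptables -S` output: FORWARD has
# no rule dropping conntrack-INVALID packets, so a retransmit that conntrack
# refuses to associate with a NEW/ESTABLISHED flow is forwarded without NAT.
SAMPLE_FILTER_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu'

# Constructed listing of the same chain after mitigation_rules has been applied
# (LOG and DROP inserted at positions 1 and 2, ahead of the TCPMSS rule).
HARDENED_FILTER_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j LOG --log-prefix "FWD-INVALID: " --log-level 4
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu'

# forward_drops_invalid: reads an `iptables -S` listing on stdin and returns 0
# when the FORWARD chain contains a rule dropping INVALID packets (either the
# conntrack `--ctstate` match or the legacy state `--state` match), 1 otherwise.
forward_drops_invalid() {
    grep -qE '^-A FORWARD .*(--ctstate|--state) [^ ]*INVALID[^ ]* -j DROP'
}

# mitigation_rules: prints the commands that log and then drop INVALID packets
# at the top of FORWARD, so nothing conntrack cannot classify is forwarded
# (and therefore nothing leaves eth0 with an un-masqueraded private source).
mitigation_rules() {
    cat <<'EOF'
iptables -I FORWARD 1 -m conntrack --ctstate INVALID -j LOG --log-prefix "FWD-INVALID: " --log-level 4
iptables -I FORWARD 2 -m conntrack --ctstate INVALID -j DROP
EOF
}

# be_liberal_hint: the sysctl that makes conntrack mark only out-of-window RST
# segments as INVALID instead of every out-of-window TCP segment. Reach for it
# only if the LOG rule shows legitimate retransmits being dropped.
be_liberal_hint() {
    echo 'sysctl -w net.netfilter.nf_conntrack_tcp_be_liberal=1'
}

# Demonstration on the constructed sample (on a real router, pipe
# `iptables -S` into forward_drops_invalid instead).
if printf '%s\n' "$SAMPLE_FILTER_RULES" | forward_drops_invalid; then
    echo "OK: FORWARD drops INVALID packets"
else
    echo "WARNING: FORWARD does not drop INVALID packets; they bypass MASQUERADE."
    echo "Suggested rules:"
    mitigation_rules
    echo "If the log shows real retransmits being dropped, consider:"
    be_liberal_hint
fi
```

On the router, `iptables -S | sh -c '. ./check.sh; forward_drops_invalid'` (or simply running the script and piping its `mitigation_rules` output into `sh`) is enough; the insert positions 1 and 2 matter, because the DROP has to come before any ACCEPT or the TCPMSS rule already in the chain. The LOG rule is deliberately kept: if "FWD-INVALID:" entries correlate with the client retransmits from the quoted report, the packets were indeed being forwarded outside conntrack's state, and the choice is between keeping them dropped or loosening the window check with `nf_conntrack_tcp_be_liberal`.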