How can private IPV4 addresses get past iptables NAT (tcp RST,FIN)
Posted by gscott on Server Fault
Published on 2012-10-14T21:19:47Z, indexed on 2012/10/14 21:39 UTC
I've got a router performing simple NAT translation using iptables:

iptables -t nat -A POSTROUTING -o <public-iface> -j MASQUERADE
This works fine almost all of the time except for one particular case where some TCP RST and FIN packets are leaving the router un-NAT'd.
In this scenario I set up 1 or 2 client computers streaming Flash video (e.g. www.nasa.gov/ntv). At the router I then tear down and re-establish the public interface (which is a modem). As expected, the Flash streams stall out. After the connection is re-established and I try to refresh the Flash pages, I see some TCP RST and [FIN,ACK] packets leaving the public interface (I assume as Flash attempts to recover its stream).
I don't know how these packets can leave the router non-NAT'd.
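The check a practitioner would want for the situation described in the question is to confirm, on the public interface itself, which packets are leaving with a private source address. The script below is an added example, not code from the post or from its author: it filters `tcpdump -nn` output for RFC 1918 source addresses and then narrows to the RST/FIN segments the poster saw. The capture lines, the router's public address 203.0.113.5 and the interface name ppp0 are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Flags packets that left the
# public interface still carrying a private (RFC 1918) source address, i.e. that
# bypassed MASQUERADE. Input format is `tcpdump -nn` output for TCP traffic.
# The interface name and the sample capture below are constructed assumptions.

# Constructed sample of `tcpdump -nn -i <public-iface> tcp` output: one properly
# NATed segment (source 203.0.113.5), four leaked LAN-sourced segments, and one
# control line whose source (172.32.0.1) is outside 172.16.0.0/12.
SAMPLE='21:19:47.100 IP 203.0.113.5.49152 > 198.51.100.10.80: Flags [P.], seq 1:10, ack 1, win 64, length 9
21:19:47.200 IP 192.168.1.23.49153 > 198.51.100.10.80: Flags [R.], seq 1, ack 1, win 0, length 0
21:19:47.300 IP 192.168.1.24.49154 > 198.51.100.10.80: Flags [F.], seq 2, ack 2, win 64, length 0
21:19:47.400 IP 10.0.0.7.41000 > 198.51.100.10.443: Flags [S], seq 0, win 64, length 0
21:19:47.500 IP 172.16.8.9.41001 > 198.51.100.10.443: Flags [R], seq 0, win 0, length 0
21:19:47.600 IP 172.32.0.1.41002 > 198.51.100.10.443: Flags [R], seq 0, win 0, length 0'

# Print every capture line whose source address is in 10/8, 172.16/12 or 192.168/16.
leaked_packets() {
    awk '
    function rfc1918(a,   p) {
        split(a, p, ".")
        if (p[1] + 0 == 10) return 1
        if (p[1] + 0 == 192 && p[2] + 0 == 168) return 1
        if (p[1] + 0 == 172 && p[2] + 0 >= 16 && p[2] + 0 <= 31) return 1
        return 0
    }
    $2 == "IP" {
        src = $3
        sub(/\.[0-9]+$/, "", src)       # "192.168.1.23.49153" -> "192.168.1.23"
        if (rfc1918(src)) print
    }'
}

# Narrow to the RST / FIN segments the poster saw (tcpdump flag letters R and F).
leaked_tcp_resets() {
    leaked_packets | awk '$6 == "Flags" && $7 ~ /[RF]/'
}

# Counting wrappers, handy for scripted checks after a link flap.
count_leaked_packets() { leaked_packets | wc -l | tr -d ' '; }
count_leaked_tcp_resets() { leaked_tcp_resets | wc -l | tr -d ' '; }

# On the router the same filter can run live against the real interface
# (name assumed):
#   tcpdump -nn -i ppp0 'src net 10.0.0.0/8 or src net 172.16.0.0/12 or src net 192.168.0.0/16'
printf '%s\n' "$SAMPLE" | leaked_tcp_resets
```

For context on why such packets appear at all: the nat table is consulted only for the first packet of a connection, and every later packet is rewritten from the conntrack entry that first packet created. A segment that conntrack classifies as INVALID (for instance a RST or FIN for a connection whose entry no longer exists, or one that is out of window after the link was dropped and re-established) has no entry to be matched against, so MASQUERADE never touches it and it is forwarded with its original LAN source. The usual guard is to drop such traffic before it can leave, e.g. `iptables -A FORWARD -o <public-iface> -m conntrack --ctstate INVALID -j DROP` placed ahead of the forwarding accept rules; that is an editorial note, not an answer given on this page.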
© Server Fault or respective owner