How can private IPV4 addresses get past iptables NAT (tcp RST,FIN)

Posted by gscott on Server Fault See other posts from Server Fault or by gscott
Published on 2012-10-14T21:19:47Z Indexed on 2012/10/14 21:39 UTC


I've got a router performing simple NAT translation using iptables: iptables -t nat -o -j MASQUERADE

This works fine almost all of the time except for one particular case where some TCP RST and FIN packets are leaving the router un-NAT'd.

In this scenario I set up 1 or 2 client computers streaming Flash video (e.g. www.nasa.gov/ntv). At the router I then tear down and re-establish the public interface (which is a modem). As expected, the Flash streams stall out. After the connection is re-established and I try to refresh the Flash pages, I see some TCP RST and [FIN,ACK] packets leaving the public interface (I assume as Flash attempts to recover its stream).

I don't know how these packets can leave the router non-NAT'd.
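As an added check that is not part of the original post (the tcpdump-style lines below are constructed, not the poster's capture): a small Python filter that flags packets seen on the public interface whose source is still an RFC1918 address, which is exactly the leak described above.

```python
import ipaddress
import re

# RFC1918 ranges: a masquerading router must never emit these as a source
# address on its public interface. Checked explicitly rather than via
# ip.is_private, which also covers documentation nets such as 203.0.113.0/24.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Matches the head of a tcpdump "IP a.b.c.d.port > e.f.g.h.port: Flags [..]" line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample capture from the public interface (not the poster's data):
# two stray RST/FIN packets still carry their LAN source, the rest are NAT'd.
SAMPLE_CAPTURE = """\
21:20:01.100000 IP 203.0.113.7.51234 > 198.51.100.20.80: Flags [S], seq 1, win 65535, length 0
21:20:01.200000 IP 198.51.100.20.80 > 203.0.113.7.51234: Flags [S.], seq 1, ack 2, win 65535, length 0
21:20:05.300000 IP 192.168.1.10.49152 > 198.51.100.20.80: Flags [R], seq 3, win 0, length 0
21:20:05.400000 IP 192.168.1.11.49153 > 198.51.100.20.80: Flags [F.], seq 4, ack 5, win 8192, length 0
21:20:06.500000 IP 203.0.113.7.51235 > 198.51.100.20.80: Flags [P.], seq 6, ack 7, win 8192, length 100
"""


def is_rfc1918(addr: str) -> bool:
    """True if addr falls in one of the three RFC1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def find_unnatted(capture: str) -> list[dict]:
    """Return packets whose source is private, i.e. that left the router un-NAT'd."""
    leaks = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m and is_rfc1918(m["src"]):
            leaks.append({"ts": m["ts"], "src": m["src"], "sport": int(m["sport"]),
                          "dst": m["dst"], "dport": int(m["dport"]), "flags": m["flags"]})
    return leaks


if __name__ == "__main__":
    for pkt in find_unnatted(SAMPLE_CAPTURE):
        print(f"{pkt['ts']} un-NAT'd {pkt['src']}:{pkt['sport']} -> "
              f"{pkt['dst']}:{pkt['dport']} flags [{pkt['flags']}]")
```

Packets that conntrack cannot associate with a tracked connection (for instance stray RST/FIN segments from streams whose state was lost when the public interface went down) are in state INVALID, never traverse the nat table, and are forwarded with their original source address; dropping INVALID-state packets in the FORWARD chain before they reach the public interface is the standard mitigation.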
