Description of problem:
If an ICMP error is received in the middle of the connection opening phase (the TCP handshake), the port redirection fails and no redirection is performed. Here is an example of a testing system.

       client                                  server
    10.33.140.104                           10.33.140.110
+-----------------+             +-----------------------------+
|      +--------+ |             |      +--------+  +--------+  |
|port: |iptables| |  -------->  |      |iptables|->| httpd  |  |
|41292 |  (1)   | |             |      |  (2)   |  |port:80 |  |
|      |        | |             |port: |        |  |        |  |
|      |        | |  <--------  |8089  |        |<-|        |  |
|      +--------+ |             |      +--------+  +--------+  |
+-----------------+             +-----------------------------+

1. Configure the iptables of the client so that the client sends network error packets (ICMP host unreachable) to the server. The iptables marked as (1) in the figure above is configured as follows.

   # iptables -F
   # iptables -A INPUT -p tcp -m tcp --sport 8089 -j REJECT --reject-with icmp-host-unreachable
   # iptables -P INPUT ACCEPT
   # iptables -P OUTPUT ACCEPT
   # service iptables save
   # service iptables restart

2. Configure the iptables of the server. The iptables marked as (2) in the figure above is configured as follows.

   # iptables -F
   # iptables -t nat -A PREROUTING -p tcp -m tcp --dport 8089 -j REDIRECT --to-ports 80
   # iptables -P INPUT ACCEPT
   # iptables -P OUTPUT ACCEPT
   # service iptables save
   # service iptables restart

3. Start httpd on the server.

   # service httpd start

4. Run tcpdump on the client to capture packets whose source address or destination address is the server's IP address, e.g.:

   # tcpdump -i eth0 -s 256 src 10.33.140.110 or dst 10.33.140.110

5. Access port 8089 on the server from the client, e.g.:

   # telnet <server's-IP-address> 8089

6. Confirm that, after a network error (Destination unreachable) occurs, the server responds to the client directly from port 80 instead of from the redirected port 8089.
10.33.140.104 10.33.140.110 TCP 41292 > 8089 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=65644314 TSER=0 WS=7
10.33.140.110 10.33.140.104 TCP 8089 > 41292 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=81687816 TSER=65644314 WS=2
10.33.140.104 10.33.140.110 ICMP Destination unreachable (Host unreachable)[Packet size limited during capture]
10.33.140.104 10.33.140.110 TCP 41292 > 8089 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=65647314 TSER=0 WS=7
10.33.140.110 10.33.140.104 TCP 80 > 41292 [SYN, ACK] Seq=0 Ack=0 Win=5792 Len=0 MSS=1460 TSV=81690816 TSER=65647314 WS=2
10.33.140.104 10.33.140.110 TCP 41292 > 80 [RST] Seq=0 Win=0 Len=0
10.33.140.104 10.33.140.110 TCP 41292 > 8089 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=65653314 TSER=0 WS=7

Version-Release number of selected component (if applicable):
kernel-2.6.9-67.EL & newer

How reproducible:
Always
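The capture above has a recognisable signature: after the ICMP host-unreachable error, the server answers the client's SYN to port 8089 from port 80, i.e. the conntrack entry backing the REDIRECT mapping was dropped and the SYN-ACK left the server un-translated, so the client RSTs it. The following script is an added example, not code from the bug report or from Red Hat; it checks a packet summary in the format shown above (one packet per line: src, dst, protocol, info) for exactly that symptom. The sample capture is the one from the report, embedded as a constant; the function and parameter names (`find_lost_redirects`, `redirect_port`) are the example's own.

```python
import re

# Constructed sample input: the client-side capture from the bug report, one packet
# per line in "src dst PROTO info" form, as a tcpdump/Wireshark summary prints it.
SAMPLE_CAPTURE = """\
10.33.140.104 10.33.140.110 TCP 41292 > 8089 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=65644314 TSER=0 WS=7
10.33.140.110 10.33.140.104 TCP 8089 > 41292 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=81687816 TSER=65644314 WS=2
10.33.140.104 10.33.140.110 ICMP Destination unreachable (Host unreachable)
10.33.140.104 10.33.140.110 TCP 41292 > 8089 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=65647314 TSER=0 WS=7
10.33.140.110 10.33.140.104 TCP 80 > 41292 [SYN, ACK] Seq=0 Ack=0 Win=5792 Len=0 MSS=1460 TSV=81690816 TSER=65647314 WS=2
10.33.140.104 10.33.140.110 TCP 41292 > 80 [RST] Seq=0 Win=0 Len=0
10.33.140.104 10.33.140.110 TCP 41292 > 8089 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=65653314 TSER=0 WS=7
"""

# Constructed control: a healthy handshake where the REDIRECT mapping holds and the
# server keeps answering from the port the client connected to.
HEALTHY_CAPTURE = """\
10.33.140.104 10.33.140.110 TCP 41300 > 8089 [SYN] Seq=0 Win=5840 Len=0
10.33.140.110 10.33.140.104 TCP 8089 > 41300 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0
10.33.140.104 10.33.140.110 TCP 41300 > 8089 [ACK] Seq=1 Ack=1 Win=5840 Len=0
"""

TCP_RE = re.compile(r"^(\S+) (\S+) TCP (\d+) > (\d+) \[([^\]]*)\]")
ICMP_RE = re.compile(r"^(\S+) (\S+) ICMP (.*)$")


def parse_packet(line):
    """Parse one summary line into a dict, or return None for lines we do not understand."""
    m = TCP_RE.match(line)
    if m:
        return {"src": m.group(1), "dst": m.group(2), "proto": "TCP",
                "sport": int(m.group(3)), "dport": int(m.group(4)),
                "flags": [f.strip() for f in m.group(5).split(",")]}
    m = ICMP_RE.match(line)
    if m:
        return {"src": m.group(1), "dst": m.group(2), "proto": "ICMP",
                "info": m.group(3).strip()}
    return None


def find_lost_redirects(capture, client, server, redirect_port):
    """Return one finding per server packet that answers a flow the client opened to
    redirect_port from some other port, which means the NAT mapping was not applied
    on the reply path.  Each finding records whether an ICMP error from the client
    preceded it, since that is the trigger the bug report describes."""
    findings = []
    pending = set()        # client source ports that sent a SYN to redirect_port
    icmp_error_line = None  # line number of the last ICMP error sent by the client
    for lineno, line in enumerate(capture.splitlines(), 1):
        pkt = parse_packet(line)
        if pkt is None:
            continue
        if pkt["proto"] == "ICMP" and pkt["src"] == client and pkt["dst"] == server:
            icmp_error_line = lineno
            continue
        if pkt["proto"] != "TCP":
            continue
        if (pkt["src"] == client and pkt["dst"] == server
                and pkt["dport"] == redirect_port and "SYN" in pkt["flags"]):
            pending.add(pkt["sport"])
        elif (pkt["src"] == server and pkt["dst"] == client
                and pkt["dport"] in pending and pkt["sport"] != redirect_port):
            findings.append({
                "line": lineno,
                "client_port": pkt["dport"],
                "leaked_port": pkt["sport"],   # the real service port, visible to the client
                "after_icmp_error": icmp_error_line is not None and icmp_error_line < lineno,
            })
    return findings


if __name__ == "__main__":
    for f in find_lost_redirects(SAMPLE_CAPTURE, "10.33.140.104", "10.33.140.110", 8089):
        print("line %(line)d: server answered client port %(client_port)d from port "
              "%(leaked_port)d instead of the redirected port (after ICMP error: "
              "%(after_icmp_error)s)" % f)
```

Run against the report's capture this flags line 5 (the SYN-ACK from port 80) and notes that it followed the ICMP error; the healthy control produces no findings. Beyond confirming the bug, the check is worth keeping in a regression suite because a reply that leaks the real backend port is also an information disclosure to the client.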
Created attachment 366708: Patch fixing conntrack tcp

This patch fixes iptables TCP conntrack to handle the half-opened connection correctly. The brew build URL with the patch applied is: https://brewweb.devel.redhat.com/taskinfo?taskID=2038812 The test kernel works on my local test system and on the customer's system too.

Flavio Leitner
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
Committed in 89.37.EL. RPMS are available at http://people.redhat.com/vgoyal/rhel4/
Reproduced in 89.36.EL and verified in 89.37.EL.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2011-0263.html