How can private IPV4 addresses get past iptables NAT (tcp RST,FIN)

iptables nat router tcp

Thanks for the tip. I was just what I needed to set me on the right track.

The root cause was unfiltered forwarding between lan and public interface. When the public interface got torn down it cleared the conntrack entries. The clients then tried to revive their connections and ended up sending out RST and FIN packets. Since NAT gets setup only on NEW connections, these packets then left the router unmodified.

I had to change my forwarding rule to only allow NEW,ESTABLISHED,RELATED packets to get forwarded from private lan.


Dropping the [RST,ACK] and [FIN,ACK] will not work. There are many application like ftp upload that will simply fail to ack the completion of the FTP transfer. The comments by gscott are the correct method, but one additional requirement is needed. You must make them strict by applying the policy

iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -P INPUT DROP

With this, you need to specify all your rules, or the packets will be dropped.

Related

Can I use a single (non-wildcard) SSL cert on multiple hostnames of the same domain?
Windows 10 multiple Ethernet connections with one being connected to the internet but PC doesnt connect to the internet [closed]
Backing up Zimbra ZCS
Download with Wget only if new version
Minimum TLS version for google cloud standard app engine projects
Azure DevOps: Maven is not installed on agent
FTP link opens to blank page
MS Word: How can I dynamically search text and Replace each wrapped result, wrapped with qualifiers?
Windows Explorer crash on right-click since last Update
Unexpected error message when trying to define VBA regex REPLACE method
Regular Expression To Match Multiple Lines Of Text
bash: ./lmcrypt: No such file or directory