Strange Linux <-> Windows Connectivity Problem

From: Marcin Davies (marcin_at_spamfence.net)
Date: 10/08/03

Date: Wed, 08 Oct 2003 20:00:51 GMT

Hello,

I have a very strange problem on my home network. The setup is:

Linux 2.2.17 Firewall/Gateway (ipchains): fw-old
Linux 2.4.22 Firewall/Gateway (iptables): fw-new

Several Windows 2000 boxes and one Windows 98 (not 2nd Edition) box are
attached to the same switch and the same subnet.

I built a new server (fw-new) with iptables to replace the old one.
The iptables rules were set up with Shorewall. A test run with my
Windows 2000 clients was successful, everything ran fine. So I
completely replaced fw-old and was happy. However, I have serious
problems connecting the only Windows 98 box. Here is what happens:

Pinging the Internet and fw-new works fine (ICMP in general).
UDP packets (e.g. DNS) work too, but TCP connections are broken. When I
switch back to fw-old everything works fine.

For debugging purposes I changed the setup as follows: fw-new is now
just a router and forwards all packets to fw-old, which is connected
to the Internet (and does NAT/masquerading). The gateway for the
clients is fw-new, and the Win98 box is happy with that. With this
setup packets from the Win98 box first traverse fw-new and go to
fw-old, and this works fine.

But when I connect directly to fw-new, TCP connections are nevertheless
broken (UDP and ICMP again work). Here is what an ethereal dump
shows when trying SSH to fw-new:

*SSH:

  8.842311 win98.lan.net -> fw-new.lan.net TCP 1030 > ssh [SYN] Seq=437821 Ack=0 Win=8192 Len=0 MSS=1460
  8.842462 fw-new.lan.net -> win98.lan.net TCP ssh > 1030 [SYN, ACK] Seq=1727914751 Ack=437822 Win=5840 Len=0 MSS=1460
 12.239438 fw-new.lan.net -> win98.lan.net TCP ssh > 1030 [SYN, ACK] Seq=1727914751 Ack=437822 Win=5840 Len=0 MSS=1460
 18.239433 fw-new.lan.net -> win98.lan.net TCP ssh > 1030 [SYN, ACK] Seq=1727914751 Ack=437822 Win=5840 Len=0 MSS=1460
...

The connection is initiated, and the server correctly sends an ACK.
And then our Win98 box sleeps....

*HTTP:

  0.439298 fw-new.lan.net -> win98.lan.net HTTP HTTP/1.1 200 OK
  1.416402 win98.lan.net -> fw-new.lan.net TCP 1039 > www [SYN] Seq=503546 Ack=0 Win=8192 Len=0 MSS=1460
  1.416473 fw-new.lan.net -> win98.lan.net TCP www > 1039 [SYN, ACK] Seq=1798673511 Ack=503547 Win=5840 Len=0 MSS=1460
  1.428368 win98.lan.net -> fw-new.lan.net HTTP GET /manual/index.html.de HTTP/1.1
  1.428459 fw-new.lan.net -> win98.lan.net TCP www > 1039 [ACK] Seq=1798673512 Ack=504089 Win=6504 Len=0
  1.429367 fw-new.lan.net -> win98.lan.net HTTP HTTP/1.1 206 Partial Content
  1.429409 fw-new.lan.net -> win98.lan.net HTTP Continuation
  1.959009 win98.lan.net -> fw-new.lan.net TCP 1040 > www [SYN] Seq=504088 Ack=0 Win=8192 Len=0 MSS=1460
  1.959077 fw-new.lan.net -> win98.lan.net TCP www > 1040 [SYN, ACK] Seq=1796380650 Ack=504089 Win=5840 Len=0 MSS=1460
  1.960206 win98.lan.net -> fw-new.lan.net HTTP GET /manual/style/css/manual.css HTTP/1.1
  1.960281 fw-new.lan.net -> win98.lan.net TCP www > 1040 [ACK] Seq=1796380651 Ack=504574 Win=6432 Len=0
  1.961134 fw-new.lan.net -> win98.lan.net HTTP HTTP/1.1 206 Partial Content
  1.961189 fw-new.lan.net -> win98.lan.net HTTP Continuation
  4.429294 fw-new.lan.net -> win98.lan.net HTTP HTTP/1.1 206 Partial Content
  4.959290 fw-new.lan.net -> win98.lan.net HTTP HTTP/1.1 206 Partial Content
 10.429291 fw-new.lan.net -> win98.lan.net HTTP HTTP/1.1 206 Partial Content
 10.959285 fw-new.lan.net -> win98.lan.net HTTP HTTP/1.1 206 Partial Content
 11.879277 fw-new.lan.net -> win98.lan.net HTTP HTTP/1.1 200 OK
 12.439301 fw-new.lan.net -> win98.lan.net HTTP HTTP/1.1 200 OK

When requesting a site, the request times out.

Weird, isn't it? And no, the firewall doesn't block TCP connections;
it is wide open (rules flushed, policies ACCEPT) for this testing.
Using iptables 1.2.8 on Debian/woody.

I would be very thankful if someone could give me a hint.

Greetings,
Marcin Davies
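The SSH trace above shows the classic signature of a stalled three-way handshake: the server's SYN-ACK is retransmitted with growing gaps and the client never answers. The script below is an added example, not code from the post or from Shorewall/iptables; it parses ethereal/tcpdump-style summary lines of the form shown in the post and classifies each TCP flow as established or stalled in the handshake. The sample input is the post's own SSH and HTTP lines with the wrapped MSS= fields re-joined; HTTP summary lines carry no port numbers, so they are parsed but not used for classification. A server segment without the SYN flag is taken as proof that the client's final ACK arrived (the server left SYN-RECV); that inference is an assumption of this script.

```python
"""Detect stalled TCP handshakes in ethereal/tcpdump-style summary lines."""
import re
from collections import defaultdict

# Constructed sample: the SSH and HTTP summaries from the post, re-joined onto
# single lines. Timestamps restart between the two captures; only gaps within
# one flow are used, so that does not matter here.
SAMPLE_DUMP = """\
  8.842311 win98.lan.net -> fw-new.lan.net TCP 1030 > ssh [SYN] Seq=437821 Ack=0 Win=8192 Len=0 MSS=1460
  8.842462 fw-new.lan.net -> win98.lan.net TCP ssh > 1030 [SYN, ACK] Seq=1727914751 Ack=437822 Win=5840 Len=0 MSS=1460
 12.239438 fw-new.lan.net -> win98.lan.net TCP ssh > 1030 [SYN, ACK] Seq=1727914751 Ack=437822 Win=5840 Len=0 MSS=1460
 18.239433 fw-new.lan.net -> win98.lan.net TCP ssh > 1030 [SYN, ACK] Seq=1727914751 Ack=437822 Win=5840 Len=0 MSS=1460
  1.416402 win98.lan.net -> fw-new.lan.net TCP 1039 > www [SYN] Seq=503546 Ack=0 Win=8192 Len=0 MSS=1460
  1.416473 fw-new.lan.net -> win98.lan.net TCP www > 1039 [SYN, ACK] Seq=1798673511 Ack=503547 Win=5840 Len=0 MSS=1460
  1.428368 win98.lan.net -> fw-new.lan.net HTTP GET /manual/index.html.de HTTP/1.1
  1.428459 fw-new.lan.net -> win98.lan.net TCP www > 1039 [ACK] Seq=1798673512 Ack=504089 Win=6504 Len=0
"""

# "<time> <src> -> <dst> <proto> <info>"
LINE_RE = re.compile(r"^\s*(?P<t>\d+\.\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+(?P<info>.*)$")
# TCP info column: "<sport> > <dport> [FLAGS] Seq=N Ack=N ..."
TCP_INFO_RE = re.compile(r"^(?P<sport>\S+) > (?P<dport>\S+) \[(?P<flags>[^\]]*)\] Seq=(?P<seq>\d+) Ack=(?P<ack>\d+)")


def parse_tcp_segments(text):
    """Return one dict per TCP summary line; other protocols are skipped."""
    segs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proto"] != "TCP":
            continue
        tm = TCP_INFO_RE.match(m["info"])
        if not tm:
            continue
        segs.append({
            "t": float(m["t"]), "src": m["src"], "dst": m["dst"],
            "sport": tm["sport"], "dport": tm["dport"],
            "flags": frozenset(f.strip() for f in tm["flags"].split(",")),
            "seq": int(tm["seq"]), "ack": int(tm["ack"]),
        })
    return segs


def group_flows(segs):
    """Group segments by the unordered pair of (host, port) endpoints."""
    flows = defaultdict(list)
    for s in segs:
        key = tuple(sorted([(s["src"], s["sport"]), (s["dst"], s["dport"])]))
        flows[key].append(s)
    return flows


def classify_flow(segs):
    """Return (status, detail) for one flow's segments in capture order."""
    syn = next((s for s in segs if "SYN" in s["flags"] and "ACK" not in s["flags"]), None)
    if syn is None:
        return "no-syn", {}
    client, server = syn["src"], syn["dst"]
    detail = {"name": f"{client}:{syn['sport']}->{server}:{syn['dport']}"}
    synacks = [s for s in segs if s["src"] == server and {"SYN", "ACK"} <= s["flags"]]
    # Assumption: a server segment without SYN means the server left SYN-RECV,
    # i.e. the client's third-step ACK was received. A client segment with ACK
    # but not SYN likewise shows the client saw the SYN-ACK.
    established = (any(s["src"] == server and "SYN" not in s["flags"] for s in segs)
                   or any(s["src"] == client and "ACK" in s["flags"] and "SYN" not in s["flags"] for s in segs))
    # Gaps between repeated SYN-ACKs: a roughly doubling series points at the
    # server kernel's retransmission timer rather than duplicated capture.
    detail["synack_count"] = len(synacks)
    detail["retransmit_gaps"] = [round(b["t"] - a["t"], 3) for a, b in zip(synacks, synacks[1:])]
    if not synacks:
        return "no-synack", detail
    if not established and len(synacks) >= 2:
        return "handshake-stalled", detail
    return ("established" if established else "handshake-pending"), detail


def analyse(text):
    """Map flow name -> (status, detail) for every flow that has a SYN."""
    report = {}
    for segs in group_flows(parse_tcp_segments(text)).values():
        status, detail = classify_flow(segs)
        if detail:
            report[detail["name"]] = (status, detail)
    return report


if __name__ == "__main__":
    for name, (status, d) in analyse(SAMPLE_DUMP).items():
        print(f"{name}: {status} (SYN-ACKs={d['synack_count']}, gaps={d['retransmit_gaps']})")
```

Run against the sample, the ssh flow is reported as handshake-stalled with three SYN-ACKs spaced about 3.4 s and 6 s apart, while the www flow to port 1039 is established because the server's plain [ACK] proves the client's data reached it. The same check is worth keeping in an operations toolbox: a burst of flows in the handshake-stalled state is also what a SYN flood or an asymmetric-routing fault looks like on the wire, so the detector separates "the client never got the SYN-ACK" from "the firewall dropped the SYN" without needing the firewall's own counters.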