Re: Routing issues - ping works one way but not the other



David Brown wrote:
> On 12/10/2010 13:06, Pascal Hambourg wrote:
>
>> Is there some NAT or stateful filtering on box A and box C? These
>> don't work well with asymmetric routing.
>
> There is no NAT or any kind of filtering on box C - everything passing
> through is forwarded directly. Box A does have filtering and NAT, but
> not on the interfaces in question (though see below for an update).
[...]
> A is refusing to forward it from B to C because of the iptables rule
> "iptables -A FORWARD -m state --state INVALID -j DROP". I have always
> used this rule (and the same for INPUT and OUTPUT chains) at the start
> of iptables firewalls.
>
> Assuming that is the case (and I'll do some more tests to make sure),
> the question then is why is this reply packet being judged as invalid?

Because box A's connection tracking state machine did not see the echo
request it replies to, due to the asymmetric routing. In the other
direction, box A sees the echo request, which has state NEW, and does not
see the echo reply, but that does not matter.

> And if I am correct in thinking that dropping INVALID packets is
> considered best practice, is there any risk in skipping that rule? The
> scope here is only for packets arriving and leaving on the same internal
> LAN interface - anything on other interfaces or originating from outside
> will still be dropped if it is INVALID.

You can safely ACCEPT any packet arriving and leaving on the same
internal LAN interface, regardless of its state.
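As an added illustration of the two points in this reply (not code from the thread or from either poster), here is a toy Python model of how connection tracking classifies the echo reply when the matching request bypassed box A, and how a same-interface ACCEPT placed ahead of the INVALID drop changes the verdict. The host names, the interface name `lan0` and the ICMP id are constructed.

```python
"""Toy model of the netfilter connection-tracking behaviour described in
the thread: an echo reply crossing box A is INVALID when the matching
echo request bypassed A, and an interface-based ACCEPT placed before the
INVALID drop lets it through. Constructed example; host names,
interface names and ICMP ids are made up."""


class Conntrack:
    """Minimal tracker: remembers echo requests it has seen by flow key."""

    def __init__(self):
        self.seen = set()  # (src, dst, icmp_id) of tracked echo requests

    def classify(self, pkt):
        key = (pkt["src"], pkt["dst"], pkt["id"])
        if pkt["type"] == "echo-request":
            if key in self.seen:
                return "ESTABLISHED"  # repeat request of a tracked flow
            self.seen.add(key)
            return "NEW"
        if pkt["type"] == "echo-reply":
            # A reply belongs to a flow only if the reversed request was seen.
            reverse = (pkt["dst"], pkt["src"], pkt["id"])
            return "ESTABLISHED" if reverse in self.seen else "INVALID"
        return "INVALID"


def forward_verdict(pkt, state, same_if_accept):
    """FORWARD chain as discussed: optional same-interface ACCEPT first,
    then the INVALID drop, then accept the remaining traffic."""
    if same_if_accept and pkt["in"] == pkt["out"]:
        return "ACCEPT"
    if state == "INVALID":
        return "DROP"
    return "ACCEPT"


def ping_through_a(router_sees_request, same_if_accept=False):
    """C pings B via A, both hosts on A's internal LAN interface 'lan0'.
    With asymmetric routing only the reply (B -> C) traverses A."""
    ct = Conntrack()
    request = {"type": "echo-request", "src": "C", "dst": "B", "id": 7,
               "in": "lan0", "out": "lan0"}
    reply = {"type": "echo-reply", "src": "B", "dst": "C", "id": 7,
             "in": "lan0", "out": "lan0"}
    if router_sees_request:
        ct.classify(request)  # symmetric path: request tracked as NEW
    state = ct.classify(reply)
    return state, forward_verdict(reply, state, same_if_accept)
```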