LinuxQuestions.org

Linux - Networking: NAT Forwarding Issue (SYN_SENT) (https://www.linuxquestions.org/questions/linux-networking-3/nat-forwarding-issue-syn_sent-817426/)

mboudro 07-01-2010 10:38 AM

NAT Forwarding Issue (SYN_SENT)
 
My setup is as follows:

I have an outside WAN connection on the /29 subnet on eth1 of my Endian Linux router (for the most part, an IPTables based router) and an internal connection on the /24 subnet on eth0 of the router. I set up an SNAT masquerade and I can successfully access the internet on computers on my internal /24 network.

I am relatively well versed in firewalls and NAT so I proceeded to set up a DNAT in order to forward packets from the external interface to my internal web server on port 80. I also set up a firewall rule to allow the movement of TCP packets on port 80 into the internal network.

Unfortunately, I cannot seem to connect to the web server through the external IP. I monitored the TCP packets through the Endian interface and also lsof and found that the TCP packets were being destroyed in the SYN_SENT state, as they never received a TCP "handshake" (SYN/ACK) from the internal web server in order to begin TCP transmission. For the life of me, I cannot figure out why this is happening.

Some additional notes: the router feeds into the /24 network through a Cisco Catalyst switch. I currently have a Draytek "dumb" router fully functioning including NAT, firewall and IPSec VPN. This router has no trouble forwarding packets to the web server and is currently in production. Also, I tested this same appliance with a Vyatta Linux firewall and received the same SYN_SENT packet problem, so I don't believe it is a firewall configuration problem.

Feel free to ask if you need any additional information.

Thanks in advance for your help.

SuperJediWombat! 07-02-2010 10:36 AM

Can you please post the output of:
Code:

ifconfig
ip route
iptables-save


nimnull22 07-02-2010 10:58 AM

Check what IP you forwarded port 80 on the router to. Maybe it is not the IP of your web server?
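Added example, not code posted in this thread: a small Python audit of an iptables-save dump that checks the two things the thread raises about a DNAT port forward, namely whether each DNAT target IP actually lies in the internal LAN subnet (nimnull22's point) and whether the filter FORWARD chain has an ACCEPT rule matching that target IP and port (the rule the original poster says he added). A DNAT whose target is wrong or whose forwarded traffic is dropped in FORWARD produces exactly the symptom described: the SYN is rewritten, never answered, and the connection sits in SYN_SENT. The dump, the interface names and the documentation-range addresses (192.0.2.0/24, 198.51.100.7) are constructed for illustration and are not the poster's configuration; run it instead against the real output of `iptables-save` with your own LAN subnet and WAN interface.

```python
"""Audit DNAT port forwards in an iptables-save dump (added example, not from the thread).

For every DNAT rule in the nat table it reports:
  1. a target IP that is not inside the internal LAN subnet, and
  2. a missing FORWARD ACCEPT for the target IP and port on the WAN->LAN path.
"""
import ipaddress
import shlex

# Constructed sample: port 80 is forwarded correctly; port 443 points outside
# the LAN and has no matching FORWARD rule (the broken case).
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.0.2.10:80
-A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j DNAT --to-destination 198.51.100.7:443
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -p tcp -m tcp -d 192.0.2.10/32 --dport 80 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
COMMIT
"""


def parse_rules(dump):
    """Yield (table, argv) for each '-A' rule line, tracking the current *table."""
    table = None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
        elif line.startswith("-A ") and table:
            yield table, shlex.split(line)


def opt(argv, flag):
    """Return the value following `flag` in an argv list, or None if absent."""
    try:
        return argv[argv.index(flag) + 1]
    except (ValueError, IndexError):
        return None


def dnat_rules(dump):
    """List the DNAT rules as dicts: external dport, target ip, target port."""
    rules = []
    for table, argv in parse_rules(dump):
        if table == "nat" and opt(argv, "-j") == "DNAT":
            ip, _, port = (opt(argv, "--to-destination") or "").partition(":")
            rules.append({"dport": opt(argv, "--dport"), "ip": ip,
                          "port": port or opt(argv, "--dport")})
    return rules


def has_forward_accept(dump, ip, port, wan_iface):
    """True if some FORWARD ACCEPT rule on the WAN->LAN path covers ip:port."""
    for table, argv in parse_rules(dump):
        if table != "filter" or argv[1] != "FORWARD" or opt(argv, "-j") != "ACCEPT":
            continue
        if "--state" in argv or "--ctstate" in argv:
            continue  # conntrack rules never admit the initial SYN
        in_if, out_if = opt(argv, "-i"), opt(argv, "-o")
        if in_if not in (None, wan_iface) or out_if == wan_iface:
            continue  # LAN->WAN rule, irrelevant for inbound forwards
        dst, dport = opt(argv, "-d"), opt(argv, "--dport")
        if dst in (None, ip, ip + "/32") and dport in (None, port):
            return True
    return False


def audit(dump, lan_net, wan_iface):
    """Return (dport, problem) findings for each DNAT rule; empty means clean."""
    net = ipaddress.ip_network(lan_net)
    findings = []
    for r in dnat_rules(dump):
        if ipaddress.ip_address(r["ip"]) not in net:
            findings.append((r["dport"], f"DNAT target {r['ip']} is not in {lan_net}"))
        if not has_forward_accept(dump, r["ip"], r["port"], wan_iface):
            findings.append((r["dport"], f"no FORWARD ACCEPT for {r['ip']}:{r['port']}"))
    return findings


if __name__ == "__main__":
    for dport, problem in audit(SAMPLE_DUMP, "192.0.2.0/24", "eth1"):
        print(f"port {dport}: {problem}")
```

The audit deliberately ignores the RELATED,ESTABLISHED rule, since that rule never admits the first SYN of an inbound connection; only an explicit ACCEPT for the target host and port (or an unconditional WAN-to-LAN ACCEPT) does. A clean audit does not prove the forward works, because the web server still needs a default route back through the router for its SYN/ACK, but it rules out the two configuration mistakes the thread's replies ask about.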

