Centos – Enabling TCP md5 signature option in centOS

Do you have ip forward enabled on kernel ?

# sysctl -a 2>&1 | grep ip_forward
net.ipv4.ip_forward=1

You need it to pass traffic from one interface to another (a.k.a. the FORWARD table rules).

Edit:

There is other sysctl setting, that I suspect that will be related:

net.ipv4.conf.all.mc_forwarding

and per interface, and for ipv6.

That "mc" really sounds to multicast, but I do not have kernel docs at hand to be 100% sure.

Try setting to 1, if doesn't work always you can return to the default 0.

Edit:

from networking/ip-sysctl.txt:

conf/all/mc_forwarding must also be set to TRUE to enable multicast routing

A similar situation is described at http://www.spinics.net/lists/netfilter/msg51408.html: some packets which should have been processed by NAT somehow got marked as INVALID instead of ESTABLISHED, and went to the INPUT chain. You should add some rules with -m state --state INVALID to check for this, and the answer at http://www.spinics.net/lists/netfilter/msg51409.html suggests that such INVALID packet should always be DROPped, because NAT is not performed on them properly, therefore addresses in them may be wrong.

If your problematic packets are really marked as INVALID, adding iptables -I INPUT -m state --state INVALID -j DROP probably will work around the problem (the broken packet will not get to the local process and will not cause the RST response, then TCP will recover from the lost packet after a timeout). Then you can try to debug the problem further, as described in http://www.spinics.net/lists/netfilter/msg51411.html:

echo 255 >/proc/sys/net/netfilter/nf_conntrack_log_invalid

(In that particular case the problem was caused by some broken networking hardware along the path, probably combined with some TCP checksum offload brokenness.)