Did my message hit the list? Once again, is there any difference in DNAT'ing TCP and UDP, maybe there is a difference related to different kinds/types of UDP packet?

On Tue, 07/11/2006 at 16:40 +0200, Покотиленко Костик wrote:
> Hi.
>
> I have strange troubles with DNATing UDP packets.
>
> The situation:
>
> 1. We have local network 10.10.0.0/16
> 2. We have a "server network" 192.168.1.0/25 connected with the local
>    network by a router 10.10.100.1 (other ip 192.168.1.1).
> 3. Web server is located at 192.168.1.2
> 4. There are HW pingers in the net 10.10.0.0/16 which ping
>    10.10.100.1 every second. The ping is a UDP packet with both source
>    and destination ports set to 4000.
> 5. There is software to decode ping packets and produce/update an html
>    report.
>
> I want to install the ping-analyzing software at the web server
> (192.168.1.2) and connect it with the locally running apache to have a web
> page with the ping report.
>
> As the pingers ping (send UDP packets) to 10.10.100.1 I was trying to
> redirect them to 192.168.1.2 by:
>
> iptables -t nat -I PREROUTING 1 -p udp --dport 4000 -j DNAT --to-destination 192.168.1.2:4000
> iptables -I FORWARD -p udp --dport 4000 -d 192.168.1.2 -j ACCEPT
>
> Neither of those rules is catching the packets, they all reach the
> 10.10.100.1 INPUT chain. Those rule counters are zero.
>
> If I do:
>
> iptables -t mangle -I PREROUTING 1 -p udp --dport 4000
>
> this rule catches the needed packets, but not in the NAT table! Why?
>
> I tried the same with TCP:
>
> iptables -t nat -I PREROUTING 1 -p tcp --dport 4000 -j DNAT --to-destination 192.168.1.2:4000
> iptables -I FORWARD -p tcp --dport 4000 -d 192.168.1.2 -j ACCEPT
>
> and this works fine, I can see packets at 192.168.1.2 when doing telnet
> 10.10.100.1 4000 from the localnet.
>
> Here is tcpdump from 10.10.100.1:
>
> # tcpdump -i br0 port 4000 -n
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on br0, link-type EN10MB (Ethernet), capture size 96 bytes
> 16:36:53.202130 IP 10.10.100.23.4000 > 10.10.100.1.4000: UDP, length: 74
> 16:36:54.092413 IP 10.10.100.21.4000 > 10.10.100.1.4000: UDP, length: 74
> 16:36:54.143128 IP 10.10.100.22.4000 > 10.10.100.1.4000: UDP, length: 74
> 16:36:55.291886 IP 10.10.100.23.4000 > 10.10.100.1.4000: UDP, length: 74
> 16:36:55.545621 IP 10.10.100.22.4000 > 10.10.100.1.4000: UDP, length: 74
> 16:36:55.743096 IP 10.10.100.21.4000 > 10.10.100.1.4000: UDP, length: 74
>
> Once again, all those packets reach the INPUT chain, rules in -t nat -I
> PREROUTING are not working.
>
> So here is the question: Is UDP being DNAT'ed differently
> compared with TCP? What is the difference? How can I DNAT them?
>
> Thanks in advance.
>
> P.S. This kind of UDP ping doesn't require a response, it's just to see
> which remote point is still alive.

--
Покотиленко Костик <casper@xxxxxxxxxxxx>

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc